mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
fix
This commit is contained in:
parent
5089993f80
commit
571cc031eb
@ -256,6 +256,9 @@ Bingo!!!
|
|||||||
```
|
```
|
||||||
$ python2 exp_angr.py
|
$ python2 exp_angr.py
|
||||||
FLAG SHOULD BE: Code_Talkers
|
FLAG SHOULD BE: Code_Talkers
|
||||||
|
$ ./entry_language
|
||||||
|
Enter the password: Code_Talkers
|
||||||
|
Nice!
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
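Review bot: the added verification block shows `Enter the password: Code_Talkers` as a single line, where `Code_Talkers` is typed input echoed after the prompt, so a reader cannot tell prompt from input. A non-interactive form such as `echo Code_Talkers | ./entry_language` keeps the transcript unambiguous and reproducible. Otherwise the addition is consistent with the `FLAG SHOULD BE: Code_Talkers` line that the angr script prints just above it.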
@ -386,6 +386,10 @@ while count != 42:
|
|||||||
```
|
```
|
||||||
hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}
|
hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}
|
||||||
```
|
```
|
||||||
|
```
|
||||||
|
$ ./dont_panic "hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}"
|
||||||
|
Seems like you got a flag...
|
||||||
|
```
|
||||||
|
|
||||||
参考资料里的 gdb 脚本就快得多:
|
参考资料里的 gdb 脚本就快得多:
|
||||||
```Python
|
```Python
|
||||||
|
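Review bot: the flag in the added line `./dont_panic "hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}"` contains a single quote, so the double quotes are required rather than cosmetic; one remark in the text would save readers who paste the flag into a single-quoted argument from a shell quoting error. Minor layout point: the run is placed in a new fence separated from the flag output by only a blank line; putting it in the same fence as the output it confirms, as the previous hunk does for `entry_language`, would be more consistent.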
@ -7,11 +7,11 @@
|
|||||||
## 题目解析
|
## 题目解析
|
||||||
看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。
|
看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。
|
||||||
```
|
```
|
||||||
$ file angrybird
|
$ file angrybird_org
|
||||||
angrybird: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=089c3a14bcd7ffb08e94645cea46f1162b171445, stripped
|
angrybird: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=089c3a14bcd7ffb08e94645cea46f1162b171445, stripped
|
||||||
```
|
```
|
||||||
```
|
```
|
||||||
$ ./angrybird
|
$ ./angrybird_org
|
||||||
$
|
$
|
||||||
```
|
```
|
||||||
一运行就退出,应该是需要程序流上有问题。
|
一运行就退出,应该是需要程序流上有问题。
|
||||||
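Review bot: the command was renamed to `file angrybird_org`, but the output line kept directly underneath still begins `angrybird: ELF 64-bit LSB executable ...`; `file` echoes the path it was given, so either regenerate the output or change it to `angrybird_org: ELF 64-bit ...` so the two lines agree. The BuildID staying the same is expected, since `_org` is the unmodified binary. The `./angrybird_org` rename in the second block is consistent with the new naming.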
@ -47,7 +47,7 @@ $
|
|||||||
| 0x004007d0 89ce mov esi, ecx ; esi = 21
|
| 0x004007d0 89ce mov esi, ecx ; esi = 21
|
||||||
| 0x004007d2 4889c7 mov rdi, rax
|
| 0x004007d2 4889c7 mov rdi, rax
|
||||||
| 0x004007d5 e8f6fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) ; patch 成功后就能调用 fgets
|
| 0x004007d5 e8f6fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) ; patch 成功后就能调用 fgets
|
||||||
| 0x004007da 0fb655b0 movzx edx, byte [local_50h] ; 读入的第一个字符 ; fgets 的下一个地址
|
| 0x004007da 0fb655b0 movzx edx, byte [local_50h] ; 读入的第一个字符
|
||||||
| 0x004007de 0fb645b1 movzx eax, byte [local_4fh] ; 读入的第二个字符
|
| 0x004007de 0fb645b1 movzx eax, byte [local_4fh] ; 读入的第二个字符
|
||||||
| 0x004007e2 31d0 xor eax, edx
|
| 0x004007e2 31d0 xor eax, edx
|
||||||
| 0x004007e4 8845d0 mov byte [local_30h], al
|
| 0x004007e4 8845d0 mov byte [local_30h], al
|
||||||
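Review bot: dropping the `; fgets 的下一个地址` annotation at `0x004007da` removes the one place in this listing that marks why that address is later used as the angr start address (`main = 0x004007da`, described later as the instruction after `fgets`). If the goal was to avoid a stale comment, replace it with a short marker (for example `; angr 起始地址`) rather than deleting it, so the listing and the exploit script stay cross-referenced.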
@ -119,6 +119,15 @@ $
|
|||||||
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
|
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
|
||||||
0x00606060 1500 0000 0000 0000 0000 0000 0000 0000 ................
|
0x00606060 1500 0000 0000 0000 0000 0000 0000 0000 ................
|
||||||
```
|
```
|
||||||
|
另外该函数结尾处指令是 `pop rbp`,而不是正确情况下的 `leave`,我们把它改过来:
|
||||||
|
```
|
||||||
|
[0x00606060]> s 0x0040070a
|
||||||
|
[0x0040070a]> pd 1
|
||||||
|
| 0x0040070a 5d pop rbp
|
||||||
|
[0x0040070a]> wx c9
|
||||||
|
[0x0040070a]> pd 1
|
||||||
|
| 0x0040070a c9 leave
|
||||||
|
```
|
||||||
第三处 patch,将调用 `sub.stack_check_70c` 的指令直接 `nop` 掉:
|
第三处 patch,将调用 `sub.stack_check_70c` 的指令直接 `nop` 掉:
|
||||||
```
|
```
|
||||||
[0x00606060]> pdf @ sub.stack_check_70c
|
[0x00606060]> pdf @ sub.stack_check_70c
|
||||||
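Review bot: the new patch is introduced with `另外` while the following one is labelled `第三处 patch`; number this one as the second patch so the numbering lines up with the six-line `radiff2` list added later. One sentence on why the byte write is safe would help: `pop rbp` (5d) and `leave` (c9) are both single-byte encodings, so `wx c9` at `0x0040070a` does not shift the following `ret`, and `leave` restores rsp from rbp before the pop, which the `pop rbp`-only epilogue did not do. Also mention that `wx` only persists when radare2 was opened in write mode (`r2 -w`); otherwise the write is refused.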
@ -171,12 +180,22 @@ $
|
|||||||
| 0x0040075f c9 leave
|
| 0x0040075f c9 leave
|
||||||
\ 0x00400760 c3 ret
|
\ 0x00400760 c3 ret
|
||||||
```
|
```
|
||||||
|
总的来说就是修改了下面几个地方:
|
||||||
|
```
|
||||||
|
$ radiff2 angrybird_org angrybird_mod
|
||||||
|
0x0000070a 5d => c9 0x0000070a
|
||||||
|
0x00000722 85 => 84 0x00000722
|
||||||
|
0x00000752 74 => 75 0x00000752
|
||||||
|
0x0000077c 84 => 85 0x0000077c
|
||||||
|
0x000007b3 e854ffffff => 9090909090 0x000007b3
|
||||||
|
0x00006060 01 => 15 0x00006060
|
||||||
|
```
|
||||||
|
|
||||||
这样程序的运行就正常了,它从标准输入读入字符,进行一系列的判断,由于程序执行流非常长,我们不可能一个一个地去 patch。radare2 里输入命令 `VV @ main` 可以看到下面的东西:
|
这样程序的运行就正常了,它从标准输入读入字符,进行一系列的判断,由于程序执行流非常长,我们不可能一个一个地去 patch。radare2 里输入命令 `VV @ main` 可以看到下面的东西:
|
||||||
|
|
||||||
![](../pic/6.2.3_graph.png)
|
![](../pic/6.2.3_graph.png)
|
||||||
|
|
||||||
使用 angr 来解决它,指定好目标地址,让它运行到那儿,在大多数情况下,这种方法都是有效的。
|
不如使用 angr 来解决它,指定好目标地址,让它运行到那儿,在大多数情况下,这种方法都是有效的。
|
||||||
```
|
```
|
||||||
[0x00400761]> pd -20 @ main+18555
|
[0x00400761]> pd -20 @ main+18555
|
||||||
| 0x00404f8e d00f ror byte [rdi], 1
|
| 0x00404f8e d00f ror byte [rdi], 1
|
||||||
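Review bot: the `radiff2` output lists file offsets (`0x70a`, `0x722`, ..., `0x6060`), while the rest of the write-up uses virtual addresses (`0x0040070a`, `0x00606060`); say so explicitly, since the reader has to add `0x400000` for the text changes and `0x600000` for the data change to match them up. Worth spelling out the mapping for each line: `0x70a 5d => c9` is the `pop rbp`/`leave` patch shown above; `0x7b3 e854ffffff => 9090909090` is the `call sub.stack_check_70c` that was nop'ed (e8 with rel32 -0xac from 0x7b8 lands on 0x70c); `0x6060 01 => 15` is the dword at `0x00606060` shown as `1500 0000` in the hex dump, i.e. the value 21 that the listing annotates as `esi = 21`. The remaining three (`0x722 85 => 84`, `0x752 74 => 75`, `0x77c 84 => 85`) are je/jne opcode flips that this hunk does not explain; if they are covered elsewhere in the write-up, a pointer here would let the reader match all six lines to the patches.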
@ -193,28 +212,30 @@ $
|
|||||||
| 0x00404fb2 bf9b504000 mov edi, str.you_typed_:__s_n ; 0x40509b ; "you typed : %s\n"
|
| 0x00404fb2 bf9b504000 mov edi, str.you_typed_:__s_n ; 0x40509b ; "you typed : %s\n"
|
||||||
| 0x00404fb7 b800000000 mov eax, 0
|
| 0x00404fb7 b800000000 mov eax, 0
|
||||||
| 0x00404fbc e8efb5ffff call sym.imp.printf ; int printf(const char *format)
|
| 0x00404fbc e8efb5ffff call sym.imp.printf ; int printf(const char *format)
|
||||||
| 0x00404fc1 b800000000 mov eax, 0 ; 选择一个目标地址
|
| 0x00404fc1 b800000000 mov eax, 0
|
||||||
| 0x00404fc6 488b4df8 mov rcx, qword [local_8h]
|
| 0x00404fc6 488b4df8 mov rcx, qword [local_8h]
|
||||||
| 0x00404fca 6448330c2528. xor rcx, qword fs:[0x28]
|
| 0x00404fca 6448330c2528. xor rcx, qword fs:[0x28]
|
||||||
| ,=< 0x00404fd3 7405 je 0x404fda
|
| ,=< 0x00404fd3 7405 je 0x404fda
|
||||||
| | 0x00404fd5 e8c6b5ffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
| | 0x00404fd5 e8c6b5ffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||||
| | ; JMP XREF from 0x00404fd3 (main)
|
| | ; JMP XREF from 0x00404fd3 (main)
|
||||||
| `-> 0x00404fda c9 leave
|
| `-> 0x00404fda c9 leave ; 选择一个目标地址
|
||||||
\ 0x00404fdb c3 ret
|
\ 0x00404fdb c3 ret
|
||||||
```
|
```
|
||||||
|
因为每次错误退出之前,都会调用 `puts` 函数,所以应该避免其出现,将地址设置为参数 avoid。
|
||||||
```
|
```
|
||||||
[0x00400600]> is~puts
|
[0x00400600]> is~puts
|
||||||
vaddr=0x00400590 paddr=0x00000590 ord=002 fwd=NONE sz=16 bind=GLOBAL type=FUNC name=imp.puts
|
vaddr=0x00400590 paddr=0x00000590 ord=002 fwd=NONE sz=16 bind=GLOBAL type=FUNC name=imp.puts
|
||||||
```
|
```
|
||||||
完整的 exp 如下:
|
|
||||||
|
对于使用 angr 来说,上面的 patch 完全没有必要,只要选择一个合适的初始化地址,如 `0x004007da`,也就是 `fget` 函数的下一条指令,就可以跑出结果:
|
||||||
```python
|
```python
|
||||||
import angr
|
import angr
|
||||||
|
|
||||||
main = 0x004007da
|
main = 0x004007da
|
||||||
find = 0x00404fc1
|
find = 0x00404fda # leave;ret
|
||||||
avoid = 0x00400590 # puts@plt
|
avoid = 0x00400590 # puts@plt
|
||||||
|
|
||||||
p = angr.Project('./angrybird_mod')
|
p = angr.Project('./angrybird_org')
|
||||||
init = p.factory.blank_state(addr=main)
|
init = p.factory.blank_state(addr=main)
|
||||||
pg = p.factory.simgr(init, threads=4)
|
pg = p.factory.simgr(init, threads=4)
|
||||||
ex = pg.explore(find=find, avoid=avoid)
|
ex = pg.explore(find=find, avoid=avoid)
|
||||||
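Review bot: the new sentence starting `对于使用 angr 来说` says `fget`; it should be `fgets`, and `0x004007da` is the instruction after `call sym.imp.fgets` in the listing from the earlier hunk. A more substantive point: `blank_state(addr=0x004007da)` resumes mid-function with rbp unconstrained, and the very next instructions read `[local_50h]` and `[local_4fh]` (rbp-0x50, rbp-0x4f) and compare the canary copy at `[local_8h]` (rbp-8), so those accesses go through angr's symbolic-address concretization; that is the `angr.state_plugins.symbolic_memory | Concret...` warning visible in the next hunk's header, and it is why the text has to say the run needs luck. Suggest giving rbp a concrete value before `explore`, e.g. `init.regs.rbp = init.regs.rsp + FRAME` with `FRAME` the amount main's prologue subtracts from rsp (the canary copy at rbp-8 must stay above rsp so the later `call sym.imp.printf` does not overwrite it), or explain the warning in the text. The change of `find` from `0x00404fc1` to `0x00404fda` (`leave; ret`) is fine: both are reachable only after the `printf("you typed : %s\n")` and the canary check.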
@ -232,7 +253,16 @@ WARNING | 2017-12-03 17:33:58,544 | angr.state_plugins.symbolic_memory | Concret
|
|||||||
Flag: you typed : Im_so_cute&pretty_:)<29>
|
Flag: you typed : Im_so_cute&pretty_:)<29>
|
||||||
```
|
```
|
||||||
|
|
||||||
其他文件在 [github](../src/writeup/6.2.3_re_codegate2017_angrybird) 相应文件夹中。
|
然后用我们 patch 过的程序来验证 flag:
|
||||||
|
```
|
||||||
|
$ ./angrybird_mod
|
||||||
|
you should return 21 not 1 :(
|
||||||
|
Im_so_cute&pretty_:)
|
||||||
|
you typed : Im_so_cute&pretty_:)
|
||||||
|
```
|
||||||
|
同样需要一定的运气才能通过,祝好运:)
|
||||||
|
|
||||||
|
所有文件在 [github](../src/writeup/6.2.3_re_codegate2017_angrybird) 相应文件夹中。
|
||||||
|
|
||||||
|
|
||||||
## 参考资料
|
## 参考资料
|
||||||
|
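Review bot: the verification run types `Im_so_cute&pretty_:)`, while the angr output kept above reads `Im_so_cute&pretty_:)<29>`; say explicitly that the trailing `<29>` is to be dropped, since the patched program accepted the 20-character string without it and a reader pasting the escaped form would get a rejection. Second point: the new sentence `同样需要一定的运气才能通过` does not say what is non-deterministic in the patched binary; if it refers to the `you should return 21 not 1 :(` line printed before the input, one sentence tying that message to the `0x606060` value patched to 21 would make the remark concrete rather than leaving the reader to retry blindly.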
Binary file not shown.
@ -1,10 +1,10 @@
|
|||||||
import angr
|
import angr
|
||||||
|
|
||||||
main = 0x004007da
|
main = 0x004007da
|
||||||
find = 0x00404fc1
|
find = 0x00404fda # leave;ret
|
||||||
avoid = 0x00400590 # puts@plt
|
avoid = 0x00400590 # puts@plt
|
||||||
|
|
||||||
p = angr.Project('./angrybird_mod')
|
p = angr.Project('./angrybird_org')
|
||||||
init = p.factory.blank_state(addr=main)
|
init = p.factory.blank_state(addr=main)
|
||||||
pg = p.factory.simgr(init, threads=4)
|
pg = p.factory.simgr(init, threads=4)
|
||||||
ex = pg.explore(find=find, avoid=avoid)
|
ex = pg.explore(find=find, avoid=avoid)
|
||||||
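Review bot: `main = 0x004007da` names a mid-function resume address (the instruction after `fgets`), not the entry of `main`; rename it to something like `start` so the script matches the write-up's wording and nobody passes it to `entry_state` by mistake. The `find = 0x00404fda # leave;ret` and `avoid = 0x00400590 # puts@plt` comments are good; a comment on `blank_state(addr=...)` noting that registers other than rsp, rbp included, are unconstrained there would explain why the run is described as needing luck. The hunk stops at `ex = pg.explore(...)`, so the lines that read the result out of `ex.found` are not part of this diff.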
|