中等难度CTF 提权获取flag 小白已经尝试的思路
本帖最后由 wwr2128 于 2019-3-8 09:09 编辑
题目要求:在仅使用程序允许输入的情况下获取高权限shell并获取flag。(不允许使用radare2或者其他可更改程序流的软件,可以注入shellcode)
已经尝试的思路:
根据初步观察, 应该不属于格式化字符串的bufferoverflow类问题,且文件里面包含一个已经存在的debug function (000006c4 <debug>)(详见底下objdump),不知道如何通过更改对应的值使程序执行流到达debug的function。
曾经想通过格式化字符串运行高权限shell获取flag,但是payload不知道应该如何写。通过ida看出程序执行会更改一个hashtable:
Linux下运行程序:
objdump:
./be1: file format elf32-i386
Disassembly of section .init:
00000494 <_init>:
# Standard ELF .init entry (crti.o/crtn.o). Establishes %ebx as the GOT base and,
# if the weak __gmon_start__ slot at -0xc(%ebx) is non-null, calls it (gprof hook).
# The __gmon_start__@plt stub at 548 jumps through the same slot.
494: 53 push %ebx                                  # %ebx is callee-saved; PIC code uses it as GOT base
495: 83 ec 08 sub $0x8,%esp
498: e8 f3 00 00 00 call 590 <__x86.get_pc_thunk.bx>  # %ebx = 0x49d (address of the next insn)
49d: 81 c3 83 16 00 00 add $0x1683,%ebx            # %ebx = 0x1b20, presumably _GLOBAL_OFFSET_TABLE_
4a3: 8b 83 f4 ff ff ff mov -0xc(%ebx),%eax         # eax = GOT entry for __gmon_start__
4a9: 85 c0 test %eax,%eax
4ab: 74 05 je 4b2 <_init+0x1e>                     # null -> profiling not linked in, skip the call
4ad: e8 96 00 00 00 call 548 <__gmon_start__@plt>
4b2: 83 c4 08 add $0x8,%esp
4b5: 5b pop %ebx
4b6: c3 ret
Disassembly of section .plt:
000004c0 <.plt>:
# PLT0, the shared lazy-binding trampoline. Every foo@plt stub below ends with a
# jump here after pushing its relocation offset. In the standard ELF layout the
# two GOT words used are the link_map pointer (GOT[1]) and the resolver (GOT[2]);
# the GOT itself is not part of this dump, so that is inferred from layout only.
4c0: ff b3 04 00 00 00 pushl0x4(%ebx)             # push GOT[1]
4c6: ff a3 08 00 00 00 jmp *0x8(%ebx)             # jmp *GOT[2]
4cc: 00 00 add %al,(%eax)                         # alignment padding, not reachable code
...
000004d0 <printf@plt>:
# Lazy PLT stub for printf. Before resolution the GOT slot points back at the
# `push` below, so the first call goes through PLT0 to the resolver; afterwards
# the slot holds printf's address and the first jmp goes straight there.
4d0: ff a3 0c 00 00 00 jmp *0xc(%ebx)             # jmp *GOT[3] (printf slot)
4d6: 68 00 00 00 00 push $0x0                     # relocation offset for printf
4db: e9 e0 ff ff ff jmp 4c0 <.plt>                # -> PLT0
000004e0 <fwrite@plt>:
# Lazy PLT stub for fwrite (same shape as printf@plt above).
4e0: ff a3 10 00 00 00 jmp *0x10(%ebx)            # jmp *GOT[4] (fwrite slot)
4e6: 68 08 00 00 00 push $0x8                     # relocation offset for fwrite
4eb: e9 d0 ff ff ff jmp 4c0 <.plt>                # -> PLT0
000004f0 <puts@plt>:
# Lazy PLT stub for puts.
4f0: ff a3 14 00 00 00 jmp *0x14(%ebx)            # jmp *GOT[5] (puts slot)
4f6: 68 10 00 00 00 push $0x10                    # relocation offset for puts
4fb: e9 c0 ff ff ff jmp 4c0 <.plt>                # -> PLT0
00000500 <strtoul@plt>:
# Lazy PLT stub for strtoul (main parses argv[2] in base 16 with it; see 73d).
500: ff a3 18 00 00 00 jmp *0x18(%ebx)            # jmp *GOT[6] (strtoul slot)
506: 68 18 00 00 00 push $0x18                    # relocation offset for strtoul
50b: e9 b0 ff ff ff jmp 4c0 <.plt>                # -> PLT0
00000510 <__libc_start_main@plt>:
# Lazy PLT stub for __libc_start_main, called once from _start (57c).
510: ff a3 1c 00 00 00 jmp *0x1c(%ebx)            # jmp *GOT[7]
516: 68 20 00 00 00 push $0x20                    # relocation offset for __libc_start_main
51b: e9 a0 ff ff ff jmp 4c0 <.plt>                # -> PLT0
00000520 <execl@plt>:
# Lazy PLT stub for execl. No `call` in this listing resolves to it in the dump
# (the libc calls appear unrelocated as `call <self+1>`); the only 5-argument
# call site with a matching shape is in debug (6d4).
520: ff a3 20 00 00 00 jmp *0x20(%ebx)            # jmp *GOT[8] (execl slot)
526: 68 28 00 00 00 push $0x28                    # relocation offset for execl
52b: e9 90 ff ff ff jmp 4c0 <.plt>                # -> PLT0
00000530 <strtol@plt>:
# Lazy PLT stub for strtol (main parses argv[1] in base 10 with it; see 725).
530: ff a3 24 00 00 00 jmp *0x24(%ebx)            # jmp *GOT[9] (strtol slot)
536: 68 30 00 00 00 push $0x30                    # relocation offset for strtol
53b: e9 80 ff ff ff jmp 4c0 <.plt>                # -> PLT0
Disassembly of section .plt.got:
00000540 <__cxa_finalize@plt>:
# .plt.got stub: __cxa_finalize is bound eagerly (no PLT0 fallback); jumps
# through the GOT slot at -0x10(%ebx), the same slot __do_global_dtors_aux
# tests for null at 64b before calling here.
540: ff a3 f0 ff ff ff jmp *-0x10(%ebx)
546: 66 90 xchg %ax,%ax                           # 2-byte nop padding
00000548 <__gmon_start__@plt>:
# .plt.got stub for the weak __gmon_start__; _init only calls it after checking
# that the slot at -0xc(%ebx) is non-null (4a3..4ad).
548: ff a3 f4 ff ff ff jmp *-0xc(%ebx)
54e: 66 90 xchg %ax,%ax                           # 2-byte nop padding
Disassembly of section .text:
00000550 <_start>:
# Process entry point (crt1.o). Builds the argument list for
# __libc_start_main(main, argc, argv, init, fini, rtld_fini, stack_end) and
# never returns; the hlt at 581 only executes if __libc_start_main does return.
550: 31 ed xor %ebp,%ebp                          # ABI: outermost frame is marked by %ebp = 0
552: 5e pop %esi                                  # esi = argc (kernel places it at the top of the stack)
553: 89 e1 mov %esp,%ecx                          # ecx = argv
555: 83 e4 f0 and $0xfffffff0,%esp                # 16-byte align the stack
558: 50 push %eax                                 # 7th arg slot; glibc pushes a throwaway value here (presumably for alignment)
559: 54 push %esp                                 # stack_end
55a: 52 push %edx                                 # rtld_fini, passed by the dynamic loader
55b: e8 22 00 00 00 call 582 <_start+0x32>        # local get-pc thunk at 582: ebx = 0x560
560: 81 c3 c0 15 00 00 add $0x15c0,%ebx           # %ebx = 0x1b20 (GOT base, same value _init computes)
566: 8d 83 f0 ec ff ff lea -0x1310(%ebx),%eax     # 0x1b20 - 0x1310 = 0x810 = __libc_csu_fini
56c: 50 push %eax                                 # fini
56d: 8d 83 90 ec ff ff lea -0x1370(%ebx),%eax     # 0x1b20 - 0x1370 = 0x7b0 = __libc_csu_init
573: 50 push %eax                                 # init
574: 51 push %ecx                                 # argv
575: 56 push %esi                                 # argc
576: ff b3 f8 ff ff ff pushl-0x8(%ebx)            # main, loaded from its GOT slot (PIC: no absolute address)
57c: e8 8f ff ff ff call 510 <__libc_start_main@plt>
581: f4 hlt                                       # not expected to be reached
582: 8b 1c 24 mov (%esp),%ebx                     # thunk body: ebx = return address
585: c3 ret
586: 66 90 xchg %ax,%ax                           # padding to the 16-byte boundary at 590
588: 66 90 xchg %ax,%ax
58a: 66 90 xchg %ax,%ax
58c: 66 90 xchg %ax,%ax
58e: 66 90 xchg %ax,%ax
00000590 <__x86.get_pc_thunk.bx>:
# i386 PIC idiom: returns the caller's return address in %ebx (there is no
# %eip-relative addressing on 32-bit x86). Callers then add a constant to
# reach the GOT. Clobbers %ebx only.
590: 8b 1c 24 mov (%esp),%ebx                     # ebx = return address of the caller
593: c3 ret
594: 66 90 xchg %ax,%ax                           # padding to 5a0
596: 66 90 xchg %ax,%ax
598: 66 90 xchg %ax,%ax
59a: 66 90 xchg %ax,%ax
59c: 66 90 xchg %ax,%ax
59e: 66 90 xchg %ax,%ax
000005a0 <deregister_tm_clones>:
# crtbegin.o helper for transactional-memory clone tables. Both lea's at 5ab
# and 5b1 compute the same address (0x1b20 + 0x4c), i.e. the clone table is
# empty, so the je at 5b9 is always taken and the function returns at once.
# The call through -0x14(%edx) (presumably _ITM_deregisterTMCloneTable) is dead
# in this binary.
5a0: e8 e4 00 00 00 call 689 <__x86.get_pc_thunk.dx>  # edx = 0x5a5
5a5: 81 c2 7b 15 00 00 add $0x157b,%edx           # edx = 0x1b20 (GOT base)
5ab: 8d 8a 4c 00 00 00 lea 0x4c(%edx),%ecx        # ecx = table start
5b1: 8d 82 4c 00 00 00 lea 0x4c(%edx),%eax        # eax = table end (identical)
5b7: 39 c8 cmp %ecx,%eax
5b9: 74 1d je 5d8 <deregister_tm_clones+0x38>     # always taken here
5bb: 8b 82 ec ff ff ff mov -0x14(%edx),%eax       # weak symbol slot; dead code below
5c1: 85 c0 test %eax,%eax
5c3: 74 13 je 5d8 <deregister_tm_clones+0x38>
5c5: 55 push %ebp
5c6: 89 e5 mov %esp,%ebp
5c8: 83 ec 14 sub $0x14,%esp
5cb: 51 push %ecx
5cc: ff d0 call *%eax
5ce: 83 c4 10 add $0x10,%esp
5d1: c9 leave
5d2: c3 ret
5d3: 90 nop
5d4: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi        # multi-byte nop padding
5d8: f3 c3 repz ret                               # `rep ret`: AMD branch-predictor workaround
5da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi         # padding to 5e0
000005e0 <register_tm_clones>:
# crtbegin.o helper. Computes (end - start) / 4 / 2 for the TM clone table;
# start and end are the same address (5ec/5f2), so eax becomes 0 and the je at
# 60c skips the call through -0x4(%edx) (presumably _ITM_registerTMCloneTable).
5e0: e8 a4 00 00 00 call 689 <__x86.get_pc_thunk.dx>  # edx = 0x5e5
5e5: 81 c2 3b 15 00 00 add $0x153b,%edx           # edx = 0x1b20 (GOT base)
5eb: 55 push %ebp
5ec: 8d 8a 4c 00 00 00 lea 0x4c(%edx),%ecx        # ecx = table start
5f2: 8d 82 4c 00 00 00 lea 0x4c(%edx),%eax        # eax = table end (identical)
5f8: 29 c8 sub %ecx,%eax                          # eax = byte size = 0
5fa: 89 e5 mov %esp,%ebp
5fc: 53 push %ebx                                 # callee-saved, used as scratch below
5fd: c1 f8 02 sar $0x2,%eax                       # eax = entry count (signed)
600: 89 c3 mov %eax,%ebx
602: 83 ec 04 sub $0x4,%esp
605: c1 eb 1f shr $0x1f,%ebx                      # ebx = sign bit ...
608: 01 d8 add %ebx,%eax                          # ... so the following sar is a rounded signed /2
60a: d1 f8 sar %eax                               # eax = count / 2 (= 0 here); sets ZF
60c: 74 14 je 622 <register_tm_clones+0x42>       # always taken in this binary
60e: 8b 92 fc ff ff ff mov -0x4(%edx),%edx        # weak symbol slot; dead code below
614: 85 d2 test %edx,%edx
616: 74 0a je 622 <register_tm_clones+0x42>
618: 83 ec 08 sub $0x8,%esp
61b: 50 push %eax
61c: 51 push %ecx
61d: ff d2 call *%edx
61f: 83 c4 10 add $0x10,%esp
622: 8b 5d fc mov -0x4(%ebp),%ebx                 # restore callee-saved %ebx
625: c9 leave
626: c3 ret
627: 89 f6 mov %esi,%esi                          # padding to 630
629: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
00000630 <__do_global_dtors_aux>:
# crtbegin.o destructor hook, run once at exit. Guarded by a byte flag at
# 0x54(%ebx): if already set, return; otherwise call __cxa_finalize(handle) when
# its GOT slot is non-null, then deregister_tm_clones, then set the flag.
630: 55 push %ebp
631: 89 e5 mov %esp,%ebp
633: 53 push %ebx
634: e8 57 ff ff ff call 590 <__x86.get_pc_thunk.bx>  # ebx = 0x639
639: 81 c3 e7 14 00 00 add $0x14e7,%ebx           # ebx = 0x1b20 (GOT base)
63f: 83 ec 04 sub $0x4,%esp
642: 80 bb 54 00 00 00 00 cmpb $0x0,0x54(%ebx)    # completed.1 flag
649: 75 27 jne 672 <__do_global_dtors_aux+0x42>   # already ran -> return
64b: 8b 83 f0 ff ff ff mov -0x10(%ebx),%eax       # __cxa_finalize GOT slot (same slot as the 540 stub)
651: 85 c0 test %eax,%eax
653: 74 11 je 666 <__do_global_dtors_aux+0x36>    # weak symbol absent -> skip
655: 83 ec 0c sub $0xc,%esp                       # keep the call site 16-byte aligned
658: ff b3 2c 00 00 00 pushl0x2c(%ebx)            # argument: presumably __dso_handle
65e: e8 dd fe ff ff call 540 <__cxa_finalize@plt>
663: 83 c4 10 add $0x10,%esp
666: e8 35 ff ff ff call 5a0 <deregister_tm_clones>
66b: c6 83 54 00 00 00 01 movb $0x1,0x54(%ebx)    # completed.1 = 1
672: 8b 5d fc mov -0x4(%ebp),%ebx                 # restore callee-saved %ebx
675: c9 leave
676: c3 ret
677: 89 f6 mov %esi,%esi                          # padding to 680
679: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
00000680 <frame_dummy>:
# crtbegin.o init hook: a frame push/pop pair and then a tail-jump into
# register_tm_clones (which returns directly to frame_dummy's caller).
680: 55 push %ebp
681: 89 e5 mov %esp,%ebp
683: 5d pop %ebp
684: e9 57 ff ff ff jmp 5e0 <register_tm_clones>  # tail call
00000689 <__x86.get_pc_thunk.dx>:
# Same PIC idiom as __x86.get_pc_thunk.bx, but returns the caller's address
# in %edx (used by the tm_clones helpers, which keep %ebx free).
689: 8b 14 24 mov (%esp),%edx                     # edx = return address of the caller
68c: c3 ret
0000068d <loadTable>:
# void loadTable(uint32_t *dst)          (signature inferred from the single stack arg)
# Copies 7 dwords (indices 0..6) from a global array at 0x1b50 into dst.
# cdecl: dst at 0x8(%ebp); the only local, -0x4(%ebp), is the loop counter i.
# The source address 0x1b50 is absolute (not %ebx-relative) and appears
# unrelocated in this dump; the rest of the binary is PIC, so this is presumably
# a text relocation applied at load time.
68d: 55 push %ebp
68e: 89 e5 mov %esp,%ebp
690: 83 ec 04 sub $0x4,%esp                       # one local: i
693: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)    # i = 0
69a: eb 1f jmp 6bb <loadTable+0x2e>               # jump to the loop condition
69c: 8b 45 fc mov -0x4(%ebp),%eax
69f: 8d 14 85 00 00 00 00 lea 0x0(,%eax,4),%edx   # edx = i * 4
6a6: 8b 45 08 mov 0x8(%ebp),%eax                  # eax = dst
6a9: 01 c2 add %eax,%edx                          # edx = &dst[i]
6ab: 8b 45 fc mov -0x4(%ebp),%eax
6ae: 8b 04 85 50 1b 00 00 mov 0x1b50(,%eax,4),%eax  # eax = initial_table[i]
6b5: 89 02 mov %eax,(%edx)                        # dst[i] = eax
6b7: 83 45 fc 01 addl $0x1,-0x4(%ebp)             # i++
6bb: 83 7d fc 06 cmpl $0x6,-0x4(%ebp)
6bf: 7e db jle 69c <loadTable+0xf>                # while (i <= 6): exactly 7 entries, 28 bytes
6c1: 90 nop
6c2: c9 leave
6c3: c3 ret
000006c4 <debug>:
# void debug(void): calls a 5-argument function with (0x830, 0, 0, 0, 0).
# The callee is not visible: `call 6d5 <debug+0x11>` with bytes e8 fc ff ff ff
# is an unapplied R_386_PC32 relocation (displacement -4 = target is the call's
# own operand). The argument shape — one pointer into .rodata followed by four
# NULLs — and the presence of execl@plt in this binary are consistent with an
# execl() call; confirm with `objdump -R` / `readelf -r` rather than assuming.
# No instruction in this listing calls debug; from main's point of view it is
# dead code that only runs if control flow is diverted to it.
6c4: 55 push %ebp
6c5: 89 e5 mov %esp,%ebp
6c7: 6a 00 push $0x0                              # arg5 = NULL
6c9: 6a 00 push $0x0                              # arg4 = NULL
6cb: 6a 00 push $0x0                              # arg3 = NULL
6cd: 6a 00 push $0x0                              # arg2 = NULL
6cf: 68 30 08 00 00 push $0x830                   # arg1 = pointer to a .rodata string (contents not in this dump)
6d4: e8 fc ff ff ff call 6d5 <debug+0x11>         # unrelocated libc call, see header
6d9: 83 c4 14 add $0x14,%esp                      # pop 5 args (5 * 4 = 0x14)
6dc: 90 nop
6dd: c9 leave
6de: c3 ret
000006df <main>:
# int main(int argc, char **argv)       (cdecl: argc at 0x8(%ebp), argv at 0xc(%ebp))
# Frame (sub $0x28 = 40 bytes):
#   -0x28 .. -0xd   uint32_t table[7]      filled by loadTable (7 * 4 = 28 bytes)
#   -0xc  .. -0x9   unused padding
#   -0x8            value   (strtoul(argv[2], NULL, 16))
#   -0x4            index   (strtol(argv[1], NULL, 10)); reused as loop counter i at 77a
# Every libc call in this function appears as `call <self+1>` (e8 fc ff ff ff):
# the R_386_PC32 relocations are not applied in this dump, so each callee below
# is inferred from argument count/order and the PLT stubs present (fwrite,
# strtol, strtoul, printf, puts). Treat those names as inferred.
# Behaviour: argc <= 2 -> fwrite(msg@0x838, 1, 16, stream) and return -1.
# Otherwise: index/value are parsed from argv, (index, value, table[index]) is
# printed, table[index] = value is stored, then all 7 entries are printed; return 0.
# REVIEW: index is used to address the 7-entry stack table at 74b (read) and
# 769 (write) without any range check — the only bounded access is the print
# loop at 79f (0..6). A value outside 0..6 reads and writes stack memory outside
# the array. The fix is to reject the input unless 0 <= index <= 6 before 74b
# (and to check strtol's endptr / errno so non-numeric input is not silently
# treated as 0).
6df: 55 push %ebp
6e0: 89 e5 mov %esp,%ebp
6e2: 83 ec 28 sub $0x28,%esp                      # locals, see frame layout above
6e5: 83 7d 08 02 cmpl $0x2,0x8(%ebp)              # argc > 2 ?  (signed compare)
6e9: 7f 21 jg 70c <main+0x2d>                     # yes -> normal path
6eb: a1 00 00 00 00 mov 0x0,%eax                  # absolute load, unrelocated here; pushed as the FILE* arg (presumably stderr)
6f0: 50 push %eax                                 # arg4 = stream
6f1: 6a 10 push $0x10                             # arg3 = nmemb = 16
6f3: 6a 01 push $0x1                              # arg2 = size = 1
6f5: 68 38 08 00 00 push $0x838                   # arg1 = usage message in .rodata
6fa: e8 fc ff ff ff call 6fb <main+0x1c>          # fwrite(...)  [inferred]
6ff: 83 c4 10 add $0x10,%esp
702: b8 ff ff ff ff mov $0xffffffff,%eax          # return -1
707: e9 9e 00 00 00 jmp 7aa <main+0xcb>
70c: 8d 45 d8 lea -0x28(%ebp),%eax                # &table[0]
70f: 50 push %eax
710: e8 78 ff ff ff call 68d <loadTable>          # loadTable(table)
715: 83 c4 04 add $0x4,%esp
718: 8b 45 0c mov 0xc(%ebp),%eax                  # argv
71b: 83 c0 04 add $0x4,%eax
71e: 8b 00 mov (%eax),%eax                        # argv[1]
720: 6a 0a push $0xa                              # base 10
722: 6a 00 push $0x0                              # endptr = NULL: trailing garbage is not detected
724: 50 push %eax
725: e8 fc ff ff ff call 726 <main+0x47>          # strtol(argv[1], NULL, 10)  [inferred]
72a: 83 c4 0c add $0xc,%esp
72d: 89 45 fc mov %eax,-0x4(%ebp)                 # index = result (signed, unchecked)
730: 8b 45 0c mov 0xc(%ebp),%eax
733: 83 c0 08 add $0x8,%eax
736: 8b 00 mov (%eax),%eax                        # argv[2]
738: 6a 10 push $0x10                             # base 16
73a: 6a 00 push $0x0                              # endptr = NULL
73c: 50 push %eax
73d: e8 fc ff ff ff call 73e <main+0x5f>          # strtoul(argv[2], NULL, 16)  [inferred]
742: 83 c4 0c add $0xc,%esp
745: 89 45 f8 mov %eax,-0x8(%ebp)                 # value = result
748: 8b 45 fc mov -0x4(%ebp),%eax                 # eax = index
74b: 8b 44 85 d8 mov -0x28(%ebp,%eax,4),%eax      # eax = table[index]  -- no bounds check
74f: 50 push %eax
750: ff 75 f8 pushl-0x8(%ebp)                     # value
753: ff 75 fc pushl-0x4(%ebp)                     # index
756: 68 4c 08 00 00 push $0x84c                   # format string in .rodata
75b: e8 fc ff ff ff call 75c <main+0x7d>          # printf(fmt, index, value, table[index])  [inferred]
760: 83 c4 10 add $0x10,%esp
763: 8b 45 fc mov -0x4(%ebp),%eax                 # eax = index
766: 8b 55 f8 mov -0x8(%ebp),%edx                 # edx = value
769: 89 54 85 d8 mov %edx,-0x28(%ebp,%eax,4)      # table[index] = value  -- no bounds check
76d: 68 8d 08 00 00 push $0x88d                   # string in .rodata
772: e8 fc ff ff ff call 773 <main+0x94>          # puts(...)  [inferred]
777: 83 c4 04 add $0x4,%esp
77a: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)    # i = 0 (reuses the index slot)
781: eb 1c jmp 79f <main+0xc0>                    # jump to the loop condition
783: 8b 45 fc mov -0x4(%ebp),%eax
786: 8b 44 85 d8 mov -0x28(%ebp,%eax,4),%eax      # table[i]
78a: 50 push %eax
78b: ff 75 fc pushl-0x4(%ebp)                     # i
78e: 68 a3 08 00 00 push $0x8a3                   # format string in .rodata
793: e8 fc ff ff ff call 794 <main+0xb5>          # printf(fmt, i, table[i])  [inferred]
798: 83 c4 0c add $0xc,%esp
79b: 83 45 fc 01 addl $0x1,-0x4(%ebp)             # i++
79f: 83 7d fc 06 cmpl $0x6,-0x4(%ebp)
7a3: 7e de jle 783 <main+0xa4>                    # while (i <= 6): this loop IS bounded to the 7 entries
7a5: b8 00 00 00 00 mov $0x0,%eax                 # return 0
7aa: c9 leave
7ab: c3 ret
7ac: 66 90 xchg %ax,%ax                           # padding to 7b0
7ae: 66 90 xchg %ax,%ax
000007b0 <__libc_csu_init>:
# void __libc_csu_init(int argc, char **argv, char **envp)   (glibc csu/elf-init.c)
# Calls _init, then every function pointer in the table between -0x11c(%ebx)
# and -0x118(%ebx) (presumably __init_array_start/end; 4 bytes here, i.e. one
# entry) with (argc, argv, envp). Register roles after the prologue:
#   %ebx = GOT base (0x1b20), %ebp = envp, %esi = entry count, %edi = loop index.
# Stack after 4 pushes + sub 0xc (0x1c bytes): argc at 0x20(%esp), argv at
# 0x24(%esp), envp at 0x28(%esp).
7b0: 55 push %ebp
7b1: 57 push %edi
7b2: 56 push %esi
7b3: 53 push %ebx                                 # all four are callee-saved
7b4: e8 d7 fd ff ff call 590 <__x86.get_pc_thunk.bx>  # ebx = 0x7b9
7b9: 81 c3 67 13 00 00 add $0x1367,%ebx           # ebx = 0x1b20 (GOT base)
7bf: 83 ec 0c sub $0xc,%esp
7c2: 8b 6c 24 28 mov 0x28(%esp),%ebp              # ebp = envp
7c6: 8d b3 e8 fe ff ff lea -0x118(%ebx),%esi      # esi = table end
7cc: e8 c3 fc ff ff call 494 <_init>
7d1: 8d 83 e4 fe ff ff lea -0x11c(%ebx),%eax      # eax = table start
7d7: 29 c6 sub %eax,%esi
7d9: c1 fe 02 sar $0x2,%esi                       # esi = number of 4-byte entries
7dc: 85 f6 test %esi,%esi
7de: 74 25 je 805 <__libc_csu_init+0x55>          # empty table -> done
7e0: 31 ff xor %edi,%edi                          # i = 0
7e2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi         # nop padding to align the loop head at 7e8
7e8: 83 ec 04 sub $0x4,%esp                       # keep the call site 16-byte aligned
7eb: 55 push %ebp                                 # envp
7ec: ff 74 24 2c pushl0x2c(%esp)                  # argv (0x24 + 8 bytes pushed so far)
7f0: ff 74 24 2c pushl0x2c(%esp)                  # argc (0x20 + 12 bytes pushed so far)
7f4: ff 94 bb e4 fe ff ff call *-0x11c(%ebx,%edi,4)  # init_array[i](argc, argv, envp)
7fb: 83 c7 01 add $0x1,%edi                       # i++
7fe: 83 c4 10 add $0x10,%esp
801: 39 fe cmp %edi,%esi
803: 75 e3 jne 7e8 <__libc_csu_init+0x38>         # while (i != count)
805: 83 c4 0c add $0xc,%esp
808: 5b pop %ebx
809: 5e pop %esi
80a: 5f pop %edi
80b: 5d pop %ebp
80c: c3 ret
80d: 8d 76 00 lea 0x0(%esi),%esi                  # padding to 810
00000810 <__libc_csu_fini>:
# Empty finaliser passed to __libc_start_main by _start (566/56c).
810: f3 c3 repz ret                               # `rep ret`: AMD branch-predictor workaround
Disassembly of section .fini:
00000814 <_fini>:
# Standard ELF .fini entry (crti.o/crtn.o): sets up %ebx as the GOT base but
# has no body between prologue and epilogue in this binary.
814: 53 push %ebx
815: 83 ec 08 sub $0x8,%esp
818: e8 73 fd ff ff call 590 <__x86.get_pc_thunk.bx>  # ebx = 0x81d
81d: 81 c3 03 13 00 00 add $0x1303,%ebx           # ebx = 0x1b20 (GOT base), unused
823: 83 c4 08 add $0x8,%esp
826: 5b pop %ebx
827: c3 ret
链接:https://pan.baidu.com/s/1W1I32Viaf4Avw6XbhhNLWw
提取码:8dq0
谢谢楼主分享:lol
谢谢楼主分享
漂亮,也太费劲了
学习高手,谢谢楼主的分享 {:1_908:}
ctf 题做得我眼冒金星,去年参加ctf比赛。。。。。心真的好痛
萝卜哥哥 发表于 2019-3-15 08:54
ctf 题做得我眼冒金星,去年参加ctf比赛。。。。。心真的好痛
哈哈哈 我能理解
我是新手,学习了!!