0x00 Puzzle
关于linux编程的技巧,包含5种不同的输入
0x01 Overview
首先查看input.c
0x02 Stage1 - argv
程序要求 argc == 100，即 argv[0] 之外再传入 99 个参数
python :
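# The target expects argc == 100: argv[0] plus the 99 entries below.
# argv positions are 1-based, hence the ord(...)-1 offsets into this list.
args = ["0"] * 99
# argv['A'] must be a zero-length argument. A literal NUL cannot be put into an
# argv entry (execv rejects embedded null bytes), and "" is exactly what a
# zero-length C string is.
args[ord("A")-1] = ""
args[ord("B")-1] = "\x20\x0a\x0d"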
os.fork() 运行input
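pid = os.fork()
if pid == 0:  # child: becomes the target; argv[0] is "input"
    os.execv("/home/input2/input", ["input"] + args)
else:  # parent: wait for the child so it is reaped and has finished before we go on
    os.waitpid(pid, 0)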
还可以用subprocess
# Equivalent shortcut: Popen forks and execs for us; the list becomes argv, so argv[0] is the path itself.
subprocess.Popen(["/home/input2/input"]+args)
c :
使用execve() 运行input
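/* Signature of the call used below (declared in unistd.h). */
int execve(const char *filename, char *const argv[], char *const envp[]);
/*
 * argv holds argv[0], 99 payload entries and the terminating NULL.
 * [1 ... 99] is the GNU range designator; the spaces around "..." are required.
 * Indices are character constants ('A' == 65): a string literal ("A") is a
 * pointer and cannot be used to index an array.
 */
char *args[] = {"/home/input2/input", [1 ... 99] = "A", NULL};
args['A'] = "\x00";              /* same as "": a zero-length C string */
args['B'] = "\x20\x0a\x0d";
execve(args[0], args, NULL);     /* only returns on failure */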
0x03 Stage2 - stdio
程序需要从stdin中读"\x00\x0a\x00\xff", 从stderr中读"\x00\x0a\x02\xff", 使用 pipe 实现:
- 创建两个管道: pipe2stdin 和 pipe2stderr
- fork子进程
- 子进程:映射stdin和stderr到pipe2stdin和pipe2stderr
- 父进程:写"\x00\x0a\x00\xff"和"\x00\x0a\x02\xff"到pipe2stdin和pipe2stderr
参考:Mapping UNIX pipe descriptors to stdin and stdout in C
python :
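# One pipe per stream the target reads; the child gets the read ends.
stdinr, stdinw = os.pipe()
stderrr, stderrw = os.pipe()
# Bytes, not str: os.write() takes a bytes-like object on Python 3.
# Four bytes fit in the pipe buffer, so writing before the child exists is fine.
os.write(stdinw, b"\x00\x0a\x00\xff")
os.write(stderrw, b"\x00\x0a\x02\xff")
subprocess.Popen(["/home/input2/input"]+args, stdin=stdinr, stderr=stderrr)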
c :
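int pipe2stdin[2] = {-1, -1};    /* [0] read end, [1] write end */
int pipe2stderr[2] = {-1, -1};
if (pipe(pipe2stdin) < 0 || pipe(pipe2stderr) < 0) {
    perror("Cannot create the pipe");
    exit(1);
}
pid_t childpid = fork();
if (childpid < 0) {
    perror("Cannot fork");
    exit(1);
}
if (childpid == 0) {
    /* child: the read ends become fd 0 and fd 2, the originals are closed */
    close(pipe2stdin[1]);
    close(pipe2stderr[1]);
    dup2(pipe2stdin[0], 0);
    dup2(pipe2stderr[0], 2);
    close(pipe2stdin[0]);
    close(pipe2stderr[0]);
    execve("/home/input2/input", args, NULL);
    perror("execve");            /* execve only returns on failure */
    _exit(127);                  /* never fall through into the parent's code */
} else {
    /* parent: feed both streams, then close our ends of the pipes */
    close(pipe2stdin[0]);
    close(pipe2stderr[0]);
    if (write(pipe2stdin[1], "\x00\x0a\x00\xff", 4) != 4 ||
        write(pipe2stderr[1], "\x00\x0a\x02\xff", 4) != 4) {
        perror("Cannot write to the pipe");
        exit(1);
    }
    close(pipe2stdin[1]);
    close(pipe2stderr[1]);
}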
0x04 Stage3 - env
python :
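# Bytes keys/values so the raw 0xde 0xad ... bytes reach the child unchanged;
# with str, Python 3 would encode them with the filesystem encoding (two bytes
# per character under UTF-8).
environ = {b"\xde\xad\xbe\xef": b"\xca\xfe\xba\xbe"}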
# env= replaces the inherited environment, so the child sees only this one variable.
subprocess.Popen(["/home/input2/input"]+args, stdin=stdinr, stderr=stderrr, env=environ)
or
# Alternative: set the variable in this process and let the child inherit it (then omit env=).
os.putenv(b'\xde\xad\xbe\xef', b'\xca\xfe\xba\xbe')
c :
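/* One "NAME=value" entry plus the terminating NULL; the bytes are passed verbatim. */
char *env[] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe", NULL};
/* Same binary as the other stages: /home/input2/input, not /home/input/input. */
execve("/home/input2/input", argv, env);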
0x05 Stage4 - file
python :
# The file name is a single newline character; its content is four NUL bytes.
with open("\x0a", "wb") as fh:
    fh.write(b"\x00" * 4)
c :
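FILE *fp = fopen("\x0a", "w");   /* file named "\n" in the current directory */
if (fp == NULL) {
    perror("Cannot create the file");
    exit(1);
}
/* fclose() flushes, so its result is part of "was the write successful" */
if (fwrite("\x00\x00\x00\x00", 4, 1, fp) != 1 || fclose(fp) != 0) {
    perror("Cannot write the file");
    exit(1);
}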
0x06 Stage5 - network
python :
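# A random port so two runs do not collide. The port is handed to the target
# via argv['C'] (so it must be set before the target is started) and is the
# port we connect to afterwards.
port = random.randrange(10000, 20000)
args[ord("C")-1] = str(port)
s.connect(("127.0.0.1", port))
s.sendall(b"\xde\xad\xbe\xef")   # bytes for Python 3; sendall retries partial sends
s.close()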
c :
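/* Must match the string placed in argv['C'] when the target was started. */
enum { INPUT_PORT = 4444 };
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 0) {
    perror("Cannot create the socket");
    exit(1);
}
/* Designated initializer also zeroes sin_zero; the address is loopback only. */
struct sockaddr_in server = {
    .sin_family = AF_INET,
    .sin_port = htons(INPUT_PORT),
    .sin_addr.s_addr = inet_addr("127.0.0.1"),
};
if (connect(sockfd, (struct sockaddr *) &server, sizeof server) < 0) {
    perror("Problem connecting");
    exit(1);
}
/* Four payload bytes and no terminator: buf is an array, not a C string. */
char buf[4] = "\xde\xad\xbe\xef";
if (write(sockfd, buf, sizeof buf) != (ssize_t) sizeof buf) {
    perror("Cannot write to the socket");
    exit(1);
}
close(sockfd);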
0x07 End
用ln命令将flag链接到当前目录:
最后附上完整的代码:
python :
import errno
import os
import random
import socket
import subprocess
import time
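# Stage 0: make the flag reachable from the current directory.
# os.symlink instead of os.system("ln -s ..."): no shell involved, and a link
# left over from a previous run is simply kept.
try:
    os.symlink("/home/input2/flag", "flag")
except OSError as e:
    if e.errno != errno.EEXIST:
        raise

# Stage 1: argv. argc must be 100 -> argv[0] plus these 99 entries.
port = random.randrange(10000, 20000)
args = ["0"] * 99
args[ord("A")-1] = ""                 # zero-length argument
args[ord("B")-1] = "\x20\x0a\x0d"
args[ord("C")-1] = str(port)          # the port stage 5 connects to

# Stage 2: stdio. Each stream the target reads is fed through its own pipe.
# Bytes literals throughout: os.write(), sendall() and the env mapping need
# bytes on Python 3 (and b"..." is plain str on Python 2).
stdinr, stdinw = os.pipe()
stderrr, stderrw = os.pipe()
os.write(stdinw, b"\x00\x0a\x00\xff")
os.write(stderrw, b"\x00\x0a\x02\xff")

# Stage 3: env. Bytes keys/values so the raw bytes are not re-encoded by Popen.
environ = {b"\xde\xad\xbe\xef": b"\xca\xfe\xba\xbe"}

# Stage 4: a file named "\n" in the current directory holding four NUL bytes.
with open("\x0a", "wb") as f:
    f.write(b"\x00\x00\x00\x00")

# Stage 5: network. Start the target, give it time to listen, send the 4 bytes.
pro = subprocess.Popen(["/home/input2/input"] + args, stdin=stdinr, stderr=stderrr, env=environ)
# The child has its own copies of the read ends and the 4 bytes are already in
# the pipe buffers, so none of our descriptors are needed any more.
os.close(stdinr)
os.close(stderrr)
os.close(stdinw)
os.close(stderrw)
time.sleep(2)        # crude: the target needs a moment before it is listening
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", port))
s.sendall(b"\xde\xad\xbe\xef")
s.close()
pro.wait()           # let the target finish (and print) before this script exits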
c :
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>
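/*
 * Drives /home/input2/input through all five stages of the challenge:
 *   argv  - argc == 100, argv['A'] empty, argv['B'] = " \n\r", argv['C'] = port
 *   stdio - 4 bytes on stdin and 4 bytes on stderr, each fed through a pipe
 *   env   - a single NAME=value entry made of raw bytes
 *   file  - a file named "\n" in the cwd holding four NUL bytes
 *   net   - 4 bytes sent to 127.0.0.1:port after the target has started
 * Returns 0 on success; exits with status 1 on any failed syscall.
 */
int main(void) {
    enum { INPUT_PORT = 4444 };               /* argv['C'] and connect() must agree */
    char port_str[16];
    snprintf(port_str, sizeof port_str, "%d", INPUT_PORT);

    char *env[] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe", NULL};
    /* argv[0], 99 payload entries, terminating NULL; 'A' == 65 etc. are the indices */
    char *argv[101] = {"/home/input2/input", [1 ... 99] = "A", NULL};
    argv['A'] = "\x00";                       /* same as "": a zero-length string */
    argv['B'] = "\x20\x0a\x0d";
    argv['C'] = port_str;

    int pipe2stdin[2] = {-1, -1};             /* [0] read end, [1] write end */
    int pipe2stderr[2] = {-1, -1};
    if (pipe(pipe2stdin) < 0 || pipe(pipe2stderr) < 0) {
        perror("Cannot create the pipe");
        exit(1);
    }

    /* stage 4: written before fork() so the file exists by the time the target runs */
    FILE *fp = fopen("\x0a", "w+");
    if (fp == NULL) {
        perror("Cannot create the file");
        exit(1);
    }
    if (fwrite("\x00\x00\x00\x00", 4, 1, fp) != 1 || fclose(fp) != 0) {
        perror("Cannot write the file");
        exit(1);
    }

    pid_t childpid = fork();
    if (childpid < 0) {
        perror("Cannot fork");
        exit(1);
    }
    if (childpid == 0) {
        /* child: the pipes' read ends become fd 0 and fd 2, then exec the target */
        close(pipe2stdin[1]);
        close(pipe2stderr[1]);
        dup2(pipe2stdin[0], 0);
        dup2(pipe2stderr[0], 2);
        close(pipe2stdin[0]);
        close(pipe2stderr[0]);
        execve(argv[0], argv, env);
        perror("execve");                     /* execve only returns on failure */
        _exit(127);                           /* never run the parent's code below */
    }

    /* parent: feed both streams, then drop our ends of the pipes */
    close(pipe2stdin[0]);
    close(pipe2stderr[0]);
    if (write(pipe2stdin[1], "\x00\x0a\x00\xff", 4) != 4 ||
        write(pipe2stderr[1], "\x00\x0a\x02\xff", 4) != 4) {
        perror("Cannot write to the pipe");
        exit(1);
    }
    close(pipe2stdin[1]);
    close(pipe2stderr[1]);

    sleep(2);   /* crude: give the target time before we try to connect */

    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("Cannot create the socket");
        exit(1);
    }
    struct sockaddr_in server = {             /* designated init also zeroes sin_zero */
        .sin_family = AF_INET,
        .sin_port = htons(INPUT_PORT),
        .sin_addr.s_addr = inet_addr("127.0.0.1"),
    };
    if (connect(sockfd, (struct sockaddr *) &server, sizeof server) < 0) {
        perror("Problem connecting");
        exit(1);
    }
    char buf[4] = "\xde\xad\xbe\xef";         /* 4 bytes, no terminator: not a C string */
    if (write(sockfd, buf, sizeof buf) != (ssize_t) sizeof buf) {
        perror("Cannot write to the socket");
        exit(1);
    }
    close(sockfd);

    /* reap the child so it has finished (and printed) before we return */
    int status = 0;
    if (waitpid(childpid, &status, 0) < 0) {
        perror("waitpid");
        exit(1);
    }
    return 0;
}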