house-of-cat学习以及复现

字数统计: 994字   |   阅读时长≈ 5分

house of cat

只要可以largebin(任意地址写入可控地址)就可以实现,要求很低
同house of emma,前面的利用链仍然是__fxprintf --> locked_vfxprinf --> __vfprintf_internal --> _IO_default_xsputn,然后利用去调用_IO_default_xsputn时修改vtable在合理范围的偏移去执行我们想要的内容,house of cat利用的是_IO_wfile_seekoff,当然也可以通过FSOP来完成这一步

_IO_wfile_seekoff ----> _IO_switch_to_wget_mode:
rdi = stderr ---> rax1 = stderr + 0xa0 ----> rax2 = rax1 + 0xe0 ----> call rax2 + 0x18
img
因为rdi是可控的,所以程序流可控且rdx可控,就可以去执行setcontext+orw了

强网杯2022|house of cat

IDA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  char s[72]; // [rsp+0h] [rbp-50h] BYREF
  unsigned __int64 v4; // [rsp+48h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  sub_1583();
  while ( 1 )
  {
    sub_155E();
    c_write("mew mew mew~~~~~~\n");
    memset(s, 0, 0x3CuLL);
    read(0, s, 0x3BuLL);
    sub_19D6(s);
  }
}

需要绕过的判断:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
__int64 __fastcall sub_1A50(char *a1, __int64 a2)
{
  char *s; // [rsp+18h] [rbp-28h]
  char *v4; // [rsp+20h] [rbp-20h]
  char *v5; // [rsp+20h] [rbp-20h]
  char *v6; // [rsp+20h] [rbp-20h]
  const char *s2; // [rsp+28h] [rbp-18h]
  char *v8; // [rsp+30h] [rbp-10h]
  const char *s1; // [rsp+38h] [rbp-8h]

  v4 = strstr(a1, "QWB");                       // 如果没找到返回null
  if ( !v4 )
    return 0LL;
  *v4 = 0;
  v4[1] = 0;
  v4[2] = ' ';
  v5 = v4 + 3;
  s2 = strtok(a1, " ");
  if ( !strcmp("LOGIN", s2) )
  {
    *(a2 + 8) = 1;                              // 登录状态
  }
  else if ( *(a2 + 8) || strcmp("DOG", s2) )
  {
    if ( *(a2 + 8) || strcmp("CAT", s2) )
    {
      if ( *(a2 + 8) || strcmp("MONKEY", s2) )
      {
        if ( *(a2 + 8) || strcmp("FISH", s2) )
        {
          if ( *(a2 + 8) || strcmp("PIG", s2) )
          {
            if ( *(a2 + 8) || strcmp("WOLF", s2) )
            {
              if ( *(a2 + 8) || strcmp("DUCK", s2) )
              {
                if ( *(a2 + 8) || strcmp("GOLF", s2) )
                {
                  if ( *(a2 + 8) || strcmp("TIGER", s2) )
                    return 0LL;
                  *(a2 + 8) = 10;
                }
                else
                {
                  *(a2 + 8) = 9;
                }
              }
              else
              {
                *(a2 + 8) = 8;
              }
            }
            else
            {
              *(a2 + 8) = 7;
            }
          }
          else
          {
            *(a2 + 8) = 6;
          }
        }
        else
        {
          *(a2 + 8) = 5;
        }
      }
      else
      {
        *(a2 + 8) = 4;
      }
    }
    else
    {
      *(a2 + 8) = 3;
    }
  }
  else
  {
    *(a2 + 8) = 2;
  }
  v8 = strtok(0LL, " ");
  if ( v8 != strchr(v8, '|') )
    return 0LL;
  *a2 = v8;
  s1 = strtok(0LL, " ");
  if ( strcmp(s1, "r00t") )
    return 0LL;
  s = v5 + 5;
  v6 = strstr(v5, "QWXF");
  if ( !v6 )
    return 0LL;
  *v6 = 0;
  v6[1] = 0;
  v6[2] = 0;
  v6[3] = 32;
  *(a2 + 16) = s;
  return 1LL;
}
ssize_t __fastcall sub_1DF3(__int64 a1)
{
  ssize_t result; // rax
  unsigned int v2; // eax
  char *v3; // [rsp+18h] [rbp-8h]

  if ( *(a1 + 8) == 1 && !strcmp(*(a1 + 16), "admin") )
    admin_use[0] = 1;
  result = *(a1 + 8);                           // CAT
  if ( result == 3 )
  {
    result = strtok(*(a1 + 16), "$");
    v3 = result;
    if ( result )
    {
      result = dword_4014;
      if ( *v3 == dword_4014 )
      {
        result = admin_use[0];
        if ( admin_use[0] )
        {
          menu();
          v2 = c_read_0x17();
          if ( v2 == 4 )
          {
            return edit();                      // 固定写0x30
          }
          else
          {
            if ( v2 <= 4 )
            {
              switch ( v2 )
              {
                case 3u:
                  return show();
                case 1u:
                  return add();
                case 2u:
                  return delete();              // uaf
              }
            }
            return c_write("error!\n");
          }
        }
      }
    }
  }
  return result;
}

逆了挺久也没搞清楚,是我太菜了 orz
后面就是看了网上师傅的逆向结果img

add:用的calloc 限制了size大小 0x418~0x46F

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
ssize_t add()
{
  unsigned __int64 v1; // [rsp+0h] [rbp-10h]
  size_t size; // [rsp+8h] [rbp-8h]

  c_write("plz input your cat idx:\n");
  v1 = c_read_0x17();
  if ( v1 > 0xF || *(&chunk_ptr + v1) )
    return c_write("invalid!\n");
  c_write("plz input your cat size:\n");
  size = c_read_0x17();
  if ( size <= 0x417 || size > 0x46F )
    return c_write("invalid size!\n");
  *(&chunk_ptr + v1) = calloc(1uLL, size);
  if ( !*(&chunk_ptr + v1) )
    return c_write("error!\n");
  chunk_size[v1] = size;
  c_write("plz input your content:\n");
  return read(0, *(&chunk_ptr + v1), chunk_size[v1]);
}

delete:存在uaf
show:正常
edit:固定写入0x30,限制了2次次数(开始自己做的时候就没注意这里qwq)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ssize_t sub_1916()
{
  unsigned __int64 v1; // [rsp+8h] [rbp-8h]

  if ( dword_4010 <= 0 )
    return c_write("nonono!!!!\n");
  --dword_4010;
  c_write("plz input your cat idx:\n");
  v1 = c_read_0x17();
  if ( v1 > 0xF || !*(&chunk_ptr + v1) )
    return c_write("invalid!\n");
  c_write("plz input your content:\n");
  return read(0, *(&chunk_ptr + v1), 0x30uLL);
}

思路及过程

因为和house of emma挺相似的,思路还是差不多的,不过house of cat不用去修改 __pointer_chk_guard
1、先泄露地址
2、然后利用 largebin attack去修改stderr
3、然后利用 largebin attack去修改top_chunk
4、触发assert
伪造的vtable
img

偏移跳转到_IO_wfile_seekoff
img

之后会跳转到_IO_switch_to_wget_mode,到这里就是我们要利用的地方了

img
img

rdi = stderr ---> rax1 = stderr + 0xa0 ----> rax2 = rax1 + 0xe0 ----> call rax2 + 0x18
同时rdx = rax1 + 0x20
所以可以伪造IO:
img

然后就会进入setcontext+61去执行rdx+0xe0–>orw
imgimg

扫一扫,分享到微信

小小pwner,可笑可笑