cover

最近在为awd pwn题写checker,然后我写了个能检测pwn题全部功能是否可以正常使用的脚本,被反馈还需要改进下:

  • 不可以用pwntools库
  • 不能让选手直接nop free,要不选手体验差

pwntools禁用

对我这种fw pwn手来说,没了pwntools就是没了胳膊,干啥啥不行。不过对于checker来说,只要有网络通信功能就行,于是找到了一个平替,zio

from zio import *

is_local = True

if is_local:
    io = zio('./buggy-server')            # used for local pwning development
else:
    io = zio(('1.2.3.4', 1337))           # used to exploit remote service

io.read_until(b'Welcome Banner')
io.write(your_awesome_ropchain_or_shellcode)
# hey, we got an interactive shell!
io.interact()

我猜不让用pwntools的原因大概是因为现在python2装不上pwntools了吧,我测试了下,现在ubuntu 16.04装不上,18.04还是可以装上的。

反正第一个问题算是解决了。

不能 nop free

第二个问题。

首先考虑到,这场awd是要给每个选手一台服务器维护的,我作为一个checker怎么能拿到选手服务器的pwn题?打awd的时候我可以一个exp打过去拿到shell再把pwn题传过来,但作为checker的话可想而知洞会被补上。想来想去只能上ssh了,上个公钥在选手服务器。

import paramiko
def down_from_remote(host, remotepath, localpath, port=22):
    keyfile = open('./awd_rsa', 'r')
    private_key = paramiko.RSAKey.from_private_key(keyfile)
    t = paramiko.Transport((host, port))
    t.connect(username='root', pkey=private_key)
    sftp = paramiko.SFTPClient.from_transport(t)
    sftp.get(remotepath, localpath)

然后考虑free的问题。

赛场上遇到给服务器的、pwn题有uaf的话,要我修我也是先nop(bushi),当然更优美地修的话就是加段置0的汇编,然后call free的时候跳到那里,例:

.eh_frame:0000000000401378 ; =============== S U B R O U T I N E =======================================
.eh_frame:0000000000401378
.eh_frame:0000000000401378
.eh_frame:0000000000401378 sub_401378 proc near ; CODE XREF: sub_400AEF+73竊叢
.eh_frame:0000000000401378 mov rax, [rbp-8] ; Keypatch modified this from:
.eh_frame:0000000000401378 ; db 14h
.eh_frame:0000000000401378 ; db 0
.eh_frame:0000000000401378 ; db 0
.eh_frame:0000000000401378 ; db 0
.eh_frame:000000000040137C mov rax, ds:ptr[rax*8] ; Keypatch modified this from:
.eh_frame:000000000040137C ; db 0
.eh_frame:000000000040137C ; db 0
.eh_frame:000000000040137C ; db 0
.eh_frame:000000000040137C ; db 0
.eh_frame:000000000040137C ; db 1
.eh_frame:000000000040137C ; db 7Ah
.eh_frame:000000000040137C ; db 52h
.eh_frame:000000000040137C ; db 0
.eh_frame:0000000000401384 mov rdi, rax ; Keypatch modified this from:
.eh_frame:0000000000401384 ; db 1
.eh_frame:0000000000401384 ; db 78h
.eh_frame:0000000000401384 ; db 10h
.eh_frame:0000000000401387 call _free ; Keypatch modified this from:
.eh_frame:0000000000401387 ; add [rbx], ebx
.eh_frame:0000000000401387 ; or al, 7
.eh_frame:0000000000401387 ; or [rax+14100701h], dl
.eh_frame:000000000040138C mov rax, [rbp-8] ; Keypatch modified this from:
.eh_frame:000000000040138C sub_401378 endp ; nop
.eh_frame:000000000040138C ; db 1
.eh_frame:000000000040138C ; db 7
.eh_frame:000000000040138C ; db 10h
.eh_frame:0000000000401390 mov rbx, 8
.eh_frame:0000000000401397 mul ebx ; Keypatch filled range [0x401397:0x401396] (0 bytes), replaced:
.eh_frame:0000000000401397 ;
.eh_frame:0000000000401397 ; Keypatch modified this from:
.eh_frame:0000000000401397 ; db 0C7h
.eh_frame:0000000000401397 ; db 0
.eh_frame:0000000000401397 ; Keypatch modified this from:
.eh_frame:0000000000401397 ; mul eax
.eh_frame:0000000000401399 add rax, 6020E0h ; Keypatch modified this from:
.eh_frame:0000000000401399 ; db 0
.eh_frame:0000000000401399 ; db 0
.eh_frame:0000000000401399 ; db 0
.eh_frame:0000000000401399 ; db 0
.eh_frame:0000000000401399 ; db 0E9h
.eh_frame:0000000000401399 ; db 0C5h
.eh_frame:000000000040139F mov qword ptr [rax], 0 ; Keypatch modified this from:
.eh_frame:000000000040139F ; db 0F7h
.eh_frame:000000000040139F ; db 0FFh
.eh_frame:000000000040139F ; db 0FFh
.eh_frame:000000000040139F ; db 0
.eh_frame:000000000040139F ; db 0
.eh_frame:000000000040139F ; db 0
.eh_frame:000000000040139F ; db 0
.eh_frame:00000000004013A6 jmp loc_400B67 ; Keypatch modified this from:
.eh_frame:00000000004013A6 ; db 0
.eh_frame:00000000004013A6 ; db 0
.eh_frame:00000000004013A6 ; db 14h
.eh_frame:00000000004013A6 ; db 0
.eh_frame:00000000004013A6 ; db 0
.eh_frame:00000000004013A6 ; Keypatch modified this from:
.eh_frame:00000000004013A6 ; call loc_400B67
.eh_frame:00000000004013A6 ; ---------------------------------------------------------------------------

检测的话直接检测代码段 call free 这句有没有被改是不行的,毕竟我patch也得改这句。

检测call free 是不是变成了nop指令也不行,因为除了nop也可以改成别的啊,虽然在不知道checker逻辑的情况下选手应该很难意识到这一点,但做checker嘛就得狠点吧大概(bushi)。

也想到可以用系统调用,结果发现不行,malloc的时候有brk的系统调用如图,free是没走系统调用的。

这里还有一个思路,就是checker可以一直malloc->free->malloc->free->malloc达到一定次数,如果选手把free nop了,堆空间就会超过上次brk的地方,进程就会再调用一次brk申请空间,如果free没有被nop就不会出现这样的情况,这样就区别开来了。然而我出的题限制了分配的次数,而且这个方法也不够普适。

又想到可以看进程的内存布局。这样我需要先找到使用题目端口的进程:

然后过滤checker ip,就能知道是哪个进程在和checker通信,继而查看进程里的内存。

也可以直接执行从选手那传过来的二进制,但是要直接执行的话怎么也得弄个沙箱吧,万一选手整了个什么了不得的东西,而且开销很大。

还有种办法是在选手服务器那边执行下看看进程堆内存,大概可行?但总感觉动选手的环境不应该是checker干的事,而且还是加一个进程进去,不过已经是能想到的比较可行的方案了。

然后我也看了Flappypig战队提出来的这个lowbits leak check,但是关键就在于:

  • 那么这就给了我们在CTF线下赛中一种针对堆漏洞的Checker的思路,我们在程序交互中预先在每次malloc后,把堆地址的低12bit输出。

我太懒了,我懒得改我费老劲出的题,我就想把checker改了交差。

。。。

所以为啥好多awd pwn都要求选手提供patch好的文件给主办方帮你替换,人工看的话是一件多方便的事情。

所以最终方案是:先检查选手有没有修改call free,再检查有没有\x90(前提是那一句里原先就没有90),再看进程的内存布局,多因子检查。

def check_free(check_elf, ordinary_elf, call_free_address, size=5):
    # check call free change
    check_free_data = check_elf.get_content_from_virtual_address(
        call_free_address, size)
    ordinary_data = ordinary_elf.get_content_from_virtual_address(
        call_free_address, size)

    # equal => no change
    if operator.eq(check_free_data, ordinary_data):
        return True

    # if has 90 => nop free
    if 0x90 in check_free_data:
        return False
    # temporary
    return True

def check_free_from_remote(host, pwnport, local, port=22):
    keyfile = open('./awd_rsa', 'r')
    private_key = paramiko.RSAKey.from_private_key(keyfile)
    # connect to host
    io = zio((host, pwnport))

    # get pid infomation
    s = paramiko.SSHClient()
    s.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    s.connect(hostname=host, port=port, username='root', pkey=private_key)  #
    stdin, stdout, stderr = s.exec_command(
        "lsof -i:8888|grep "+local+"|grep  -v 'timeout' |awk '{print $2}'|head -n 1")

    checker_pwn_pid = stdout.read().decode().strip()

    # initialize heap
    io.read_until(b'Input your choice:')
    io.write('c')  # function [c]create a book
    io.read_until(b'Which book do you want to create?')
    io.writeline('0')
    io.read_until(b'Input your choice:')
    io.write('c')  # function [c]create a book
    io.read_until(b'Which book do you want to create?')
    io.writeline('1')
    # heap info
    stdin, stdout, stderr = s.exec_command(
        "cat /proc/{0}/maps".format(checker_pwn_pid))
    map_info = stdout.read().decode().split('\n')

    heap_info = ''
    if '[heap]' in map_info[3]:
        heap_info = map_info[3]
    else:
        for i in map_info:
            if '[heap]' in i:
                heap_info = i
    # malloc may be nopped
    if heap_info == '':
        io.close()
        return False

    # heap addr
    heap_addr_start, heap_addr_end = [int(i, 16) for i in re.match(
        "\w*-\w*", heap_info).group(0).split('-')]
    # check mem
    sftp = s.open_sftp()
    io.read_until(b'Input your choice:')
    io.write('d')  # fuction [d]delete
    io.read_until(b'Which book do you want to delete?')
    io.writeline('1')
    io.read_until(b'Input your choice:')
    io.write('d')  # fuction [d]delete
    io.read_until(b'Which book do you want to delete?')
    io.writeline('0')
    # if free is there, heap should be bin->0->1
    stdin, stdout, stderr = s.exec_command(
        "lsof -i:8888")
    with sftp.file("/proc/{0}/mem".format(checker_pwn_pid), mode='rb') as file:
        file.seek(heap_addr_start+0x8)
        chuck_1_size = int(str(unpack("<Q", file.read(8))[0]), 10)
        chuck_1_fd = int(str(unpack("<Q", file.read(8))[0]), 10)
        if (chuck_1_fd == (heap_addr_start+0x70)) and (chuck_1_size == 0x71):
            io.close()
            return True
        else:
            io.close()
            return False

不能改大malloc size

跟free相比情况就少多了,malloc相关的代码块甚至是所在的函数都不允许改动即可。

不能扰乱plt表和got表

plt 和 got 表也不许改。

import lief
def check_got(check_elf, ordinary_elf):
    section = check_elf.get_section('.got.plt')
    got_address = section.virtual_address
    if(compare_data(check_elf, ordinary_elf, got_address, section.size)):
        return True
    else:
        return False


def check_plt(check_elf, ordinary_elf):
    section = check_elf.get_section('.plt')
    plt_address = section.virtual_address
    if(compare_data(check_elf, ordinary_elf, plt_address, section.size)):
        return True
    else:
        return False