K0_pwn · 2016/06/13 offense
0x00 is written first
It has been a while since I published the “PWN Me” write up from [email protected], which was very difficult to understand for a new Linux vulnerability attack and defense player like me. I debugged the title of PWN Me again, and found that both the title from error and the write up written by Z God were particularly wonderful and there were many places worth learning.
This vulnerability writeup from different point of view, covers many Linux under the offensive and defensive skills, so I put my analytical thinking process, a summary, out and share with everybody together, or, I put the hole cocoon reel off raw silk from cocoons, extract some of the most interesting parts, come and enjoy this wonderful PWN me with you.
At the end of the beginning, thanks again to Error and WriteUp author Explorer. I really learned a lot.
This article requires a combination of z god writeup, portal drops.wooyun.org/binary/1625 here…
If the article is not in place or the description is wrong, please criticize and correct, a lot of exchanges, also hope to help you! (Fist up!)
0x01 Thoughts and Questions
When I read this article, I had a lot of questions about the heap management mechanism of Linux and the reasons why I am not familiar with Linux attack and defense skills. In fact, the vulnerability is not difficult to deal with. The key is how to exploit it with great imagination. And through the dynamic debugging process to solve these problems.
- How does Fastbin Chunk cause arbitrary addresses to be written?
- How did the LIBC base address leak?
- How to execute /bin/sh by writing free hook?
In fact, these three questions are just the introduction, in the process of dynamic debugging, found a lot of interesting places. Before I start debugging, I want to reiterate why these three problems arise.
First question, fastbin malloc mechanism is easier to understand, one-way linked list, that is, there is only one pointer to the next chunk, but how to use this pointer to achieve arbitrary address write?
Second question, two leak methods have been mentioned from God Z’s writeup utilization. What are their working mechanisms?
Third, writeUp writes free hook to execute /bin/sh. What is the process like?
Here are three questions to ask for the most exciting trip
0x02 Several pits mentioned about z god
In WriteUp, Zgod mentions several pits, one of which is the check function. Author Error also mentioned later in the end of this article that there are two methods: one is to modify the size of the global variable a000 using arbitrary address writing, and the other is to ignore it directly, because it is true that sometimes check fails.
The other pit is FULL RELRO protection. You can actually check whether the protection is enabled directly with GDB-peda.
This protection is mainly aimed at got table, this got table to store a lot of function Pointers, for got table is a bit like the concept of offence and defense under Windows virtual functions of attack, attack on got tables have an article about the good, the portal drops.wooyun.org/binary/6521 here
I won’t repeat it here, but it’s also interesting how God Z uses this PWN problem.
0x03 write from Leak ADDR to any address
Fastbin chunk is a simple allocation method of Linux heap. It uses a one-way linked list, and only one FD pointer points to the next unallocated chunk. In this way, the address of the heap can be leaked. This has a very important relationship with the arbitrary address.
For Fastbin Chunk, there are a lot of online descriptions, but the simplified version of the diagram actually looks like this.
When free is called in the delete function, the position of the rank will reveal the heap address. This is the mechanism of Fastbin Chunk.
In this vulnerability, malloc applies for two Fastbin chunks respectively, and then performs free operation on these two chunks. Let’s take a look at the application process first.
Address 6040A0 is the location where rank is stored, which is also the location of FD. We need to pay attention to this address. I will not show the application process of other chunks, but directly look at the process of forming fastbin Chunk linked list after free chunk.
The next step is to perform the free operation on this chunk.
One of the things to mention here is that there are two frees, so in PWN, one is free for the detail pointer, and the other is free for the whole memory, so if you look at address 00604110, this is actually the location of the malloc address of the detail pointer in the previous VUL structure, This is released as chunk before 006040A0, and the detail pointer position is exactly where FD is located, so this points to 00604070, the address of the next unused chunk.
Next observe that the EIP is at the memory free function call, and then step by step, observe address 006040A0.
Position 006040A0 has leaked the heap address, which happens to be the address of the previously mentioned rank. As mentioned in writeUp, there is an if statement that determines if the rank is greater than 0, so as long as the rank is less than or equal to 0, it will not be assigned. In this way, the program’s show function prints the heap address from rank.
In fact, this process is often used to bypass ASLR in binary vulnerability attack and defense, and the debugging scenario above is the simplest process
So then, how to achieve arbitrary address writing process? This is actually a very simple case in UAF. After the chunk is released, it is not marked, so that the chunk can still be operated after the release. In this way, the value of fd can be modified. This is a typical fake Chunk utilization scenario, so that if malloc is used again, the address can jump to any address and write to any address.
About the fake, the chunk, there is a good article on freebuf, portal www.freebuf.com/news/88660. here…
Let’s take a look at how the UAF vulnerability caused fake Chunk through the UAF vulnerability. Here I would like to say that during debugging, the VIRTUAL machine failed twice, causing the heap address to change during debugging, but the whole process and description remain the same. (The tragedy of forgetting to use snapshots…)
The first is free, and then you can assign a rank in Edit, even though the chunk of the rank is actually released.
As you can see, even though the chunk has been released, the title tag is still there, which means that the memCMP process can still match the title value, so that we can continue the assignment. This process allows us to control the position of the rank. As mentioned before, fake Chunk can be created here, and then apply again.
The reason for the address change here has been mentioned before. I randomly input the fake Chunk address here, which proves the influence of Fake Chunk on the chunk address in the fastbin Chunk application process.
0x04 Fast bin and Normal bin in Leak libc
In the first three questions, I mentioned the problem of leaking the liBC base address. In fact, the methods of leaking the heap base address and arbitrary memory reading and writing have been mentioned in the above section. Then, in WriteUp of God Z, two methods of leaking libc have been mentioned. The first method is to disclose the liBC base address mentioned by him in the article. In the process of debugging, I did find that there was a LIBC address in a certain offset position within the chunk, so I could find the ADDRESS of the LIBC by using the method of arbitrary address reading, so as to calculate the liBC base address.
In fact, WHAT I want to say here is another method mentioned by God Z. Normal bin is quite different from fast bin. First, Normal bin Chunk adopts bidirectional linked list, which can be seen in the later dynamic debugging. However, the normal bin bidirectional list header address is in LIBC. At that time, I also wondered why the pointer to LIBC would be generated after releasing chunk.
With that in mind, the position is still in the add function. First of all, you can’t control the first malloc position of the VUL structure, but you can control the detail pointer. By controlling the length of the detail, We can make Fastbin chunk become Normalbin chunk, we apply for a 4000 chunk, in this case, Linux will use normalbin mechanism.
We need to apply for two chunks to form a bidirectional linked list when the first chunk is released. There is no change in the chunk space when the first chunk is released.
Next, release the second chunk. First, observe the situation of chunk space before reaching the position of free.
Step by step, observe the situation in chunk here.
It can be seen that the linked list header pointer in the LIBC has been exposed, and the address in the LIBC can be obtained through any address reading method, and then the base address of the LIBC can be calculated.
0x05 Overwrite free Execute system
When the global offset table is protected, you can write the key address of the global offset table at any address, so that you can execute the code.
In fact, as I mentioned in the previous section, when you’re free, you free the detail pointer first, and the detail pointer is controllable when you create it, so according to God Z, the detail pointer is /bin/sh, so when you’re free the detail pointer, If you overwrite free with any address and overwrite the address of the system function, the free detail will become the system detail, and the key position of the delete function will be to execute system(/bin/sh).
This way you can get shells on target ports (easier than Shellcode, but harder in real defense)
0x06 Binary learning tips
Here, all questions are basically solved, I feel that I have learned a lot, I have been in touch with binary for a short time, and I am still trying to explore, here I would like to share some tips, I hope you can give me more advice.
- The first one is multiple debugging. A lot of things are hard to understand by looking at them, but if you debug them yourself, you can understand them quickly.
- The second is to simplify complex problems, which may not be correct. What I mean is to convert some complex logic or vulnerability principle into a simple mode, such as a demo, so that we can get familiar with the most essential principle of the vulnerability more quickly.
Finally, I would like to thank the three white hats. Uncle CA invited me to do this PWN problem, but I still saw that THERE was a lot of gap between me and the big boys. I still hope I can suffer more setbacks and make more progress in the future.