XCTF Huawei HarmonyOS Track: HARMOFS01

Source link: https://xuanxuanblingbling.github.io/ctf/pwn/2020/12/30/harmony/

Published 2020-12-30

Category: CTF/Pwn

  • Unpacking tool: jefferson
  • Unpack usage: jefferson rootfs.img -d ./xxx
  • Repacking the firmware: mkfs.jffs2 -d ./xxx -o rootfs.img

I tried to modify the firmware so that it drops into a shell from which the challenge binary can be run; the main change was to /etc/init.cfg. Using the same approach I then uploaded a statically compiled gdbserver, hoping to do user-space gdb debugging, but it fails at startup with the following message:

OHOS # ./gdbserver
OHOS # [ERR]OsDoMmapFile 427, Failed to map a valid addr
[ERR]OsLoadELFSegment[947]
execve: Out of memory

The rest of this writeup uses the modified firmware.

Once in the system, the telnet on command starts a telnet server. Start qemu with the provided network-enabled configuration (see the official manual); the HarmonyOS guest has the IP address 192.168.1.10:

OHOS # telnet on
'start telnet server successfully, waiting for connection.

Then telnet in from the host:

➜  telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.

OHOS # 

This gives one window in which to launch the target program and a second shell window to work from.

HarmonyOS separates user mode from kernel mode, and user-space address spaces are isolated from each other as well. The vmm command in the shell shows a process's virtual address layout. First start the target program:

OHOS # cd /bin
OHOS # ./harmofs
OHOS # Loading..........
Gift: 0x1ff06eb8
Gift: 0x26812d8

Then run vmm in the other window to see the program's memory layout. It agrees with what the vulnerable program itself printed: the two Gift values are the address of main and the address of puts in libc:

OHOS # vmm

 PID    aspace     name       base       size     pages 
 ----   ------     ----       ----       -----     ----
 10   0x403e674c harmofs    0x01000000 0x3e000000     180

	 region      name                base       size       mmu_flags      pages   pg/ref
	 ------      ----                ----       ----       ---------      -----   -----
	 0x403e6220  /bin/harmofs                     0x02680000 0x00001000  CH US RD          1       1
	 0x403e6908  /bin/harmofs                     0x02681000 0x00001000  CH US RD EX       1       1
	 0x403e310c  /bin/harmofs                     0x02682000 0x00001000  CH US RD          1       1
	 0x403e5a30                                   0x02683000 0x00001000  CH US RD WR       1       1
	 0x403fd42c  HEAP                             0x10280000 0x00020000  CH US RD WR      32      32
	 0x403ed494  /lib/libc.so                     0x1fe80000 0x00045000  CH US RD         23       5
	 0x403e3228  /lib/libc.so                     0x1fec5000 0x0005e000  CH US RD EX      38       8
	 0x403e3278  /lib/libc.so                     0x1ff23000 0x00001000  CH US RD WR       1       1
	 0x403e32c8                                   0x1ff24000 0x00001000  CH US RD WR       1       1
	 0x403e3318  MMAP                             0x1ff25000 0x00004000  CH US RD WR       4       4
	 0x403e3368  VDSO                             0x1ff29000 0x00002000  CH US RD EX       2       2
	 0x403d0804  /lib/libc++.so                   0x1ff2b000 0x00045000  CH US RD         49      10
	 0x403d0878  /lib/libc++.so                   0x1ff70000 0x00098000  CH US RD EX      18       4
	 0x403e6060  /lib/libc++.so                   0x20008000 0x00005000  CH US RD          5       5
	 0x403e60b0  /lib/libc++.so                   0x2000d000 0x00001000  CH US RD WR       1       1
	 0x403e6100  MMAP                             0x2000e000 0x00001000  CH US RD WR       1       1
	 0x403e33b8  MMAP                             0x3e880000 0x000ff000  CH US RD WR       0       0
	 0x40325a7c  STACK                            0x3e97f000 0x00001000  CH US RD WR       1       1

A user-space gdbserver looks hopeless, so for now the only option is debugging at the qemu-system level. Edit start_qemu.sh and add the -S -s options to the qemu command line:

sudo ./qemu-system-arm -S -s  -M hi3518  -kernel liteos.bin -nographic -net nic,vlan=0 -net tap,vlan=0,ifname=tap100

qemu then appears to hang after starting; what it is actually doing is listening on local tcp:1234 and waiting for a gdb client to connect. Open another window, launch gdb-multiarch, and enter the following commands to start debugging:

➜  gdb-multiarch 
pwndbg> set architecture arm
The target architecture is assumed to be arm
pwndbg> set endian little 
The target is assumed to be little endian
pwndbg> target remote :1234

Stopped at the entry point:

───────────────────────────────────[ DISASM ]───────────────────────────────────
 ► 0x40000000    b      #0x40000020
    ↓
   0x40000020    mrc    p15, #0, r0, c1, c0, #0
   0x40000024    bic    r0, r0, #0x1000
   0x40000028    bic    r0, r0, #5
   0x4000002c    mcr    p15, #0, r0, c1, c0, #0
   0x40000030    add    fp, pc, #0x338
   0x40000034    ldr    r0, [fp]
   0x40000038    sub    fp, fp, r0
   0x4000003c    sub    r4, pc, #0x44
   0x40000040    mov    r5, #0x40000000
   0x40000044    subs   ip, r4, r5
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ r0 r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 sp  0 ◂— 0
... ↓
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0 40000000
────────────────────────────────────────────────────────────────────────────────
pwndbg> 

Continue with c, wait for qemu to boot, turn on telnet, and connect from yet another window. That leaves three windows: two shells and one gdb. So:

  • one shell window starts the program
  • one shell looks at vmm
  • Ctrl+C in the gdb window interrupts the program

After the program prints its output:

OHOS # ./harmofs
OHOS # Loading..........
Gift: 0x2480feb8
Gift: 0x6f8a2d8

breakpoints can be set from either the program's output or the vmm result. For example, to break every time the prompt is printed:

.text:0000143C F3 00 00 EB                 BL              printf

The base address at this point comes from the vmm result:

 PID    aspace     name       base       size     pages 
 ----   ------     ----       ----       -----     ----
 10   0x403ee528 harmofs    0x01000000 0x3e000000     178

	 region      name                base       size       mmu_flags      pages   pg/ref
	 ------      ----                ----       ----       ---------      -----   -----
	 0x403ed39c  /bin/harmofs                     0x06f89000 0x00001000  CH US RD          1       1
	 0x403ed3ec  /bin/harmofs                     0x06f8a000 0x00001000  CH US RD EX       1       1
	 0x403ed43c  /bin/harmofs                     0x06f8b000 0x00001000  CH US RD          1       1
	 0x403dba18                                   0x06f8c000 0x00001000  CH US RD WR       1       1

To interrupt, press Ctrl+C first, then set the breakpoint:

pwndbg> b * 0x06f89000+0x0000143C
Breakpoint 2 at 0x6f8a43c
pwndbg> c

Then press Enter in the program window and it breaks at:

Breakpoint 2, 0x06f8a43c in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
 R0   0x6f8972a ◂— mcrlo  p8, #1, r6, c0, c3, #2 /* 0x3e206853; 'Sh > ' */
 R1   0x763a65c
 R2   0xe
 R3   0x0
 R4   0x6f8971e —▸ 0x74666947 ◂— 0
 R5   0x3a07699c —▸ 0x3a07680a ◂— 0x52483
 R6   0x6f8a2d8 ◂— push   {r4, r5, fp, lr} /* 0xe92d4830 */
 R7   0x6f89757 —▸ 0x63756f74 ◂— 0
 R8   0x3a076f44 —▸ 0x3a076fec —▸ 0x6d726168 ◂— 0
 R9   0x6f8c030 ◂— 0
 R10  0x6f8972a ◂— mcrlo  p8, #1, r6, c0, c3, #2 /* 0x3e206853; 'Sh > ' */
 R11  0x3a076da8 ◂— 0x0
 R12  0x3a076828 ◂— 0xe
 SP   0x3a076998 ◂— 0x0
 PC   0x6f8a43c ◂— bl     #0x6f8a810 /* 0xeb0000f3 */
───────────────────────────────────[ DISASM ]───────────────────────────────────
 ► 0x6f8a43c    bl     #0x6f8a810
 
   0x6f8a440    mov    r0, r5
   0x6f8a444    mov    r1, #0
   0x6f8a448    mov    r2, #0x10
   0x6f8a44c    bl     #0x6f8a850
 
   0x6f8a450    mov    r0, #0
   0x6f8a454    mov    r1, r5
   0x6f8a458    mov    r2, #0xf
   0x6f8a45c    bl     #0x6f8a830
 
   0x6f8a460    mov    r0, r5
   0x6f8a464    mov    r1, r7
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ sp  0x3a076998 ◂— 0x0
01:0004│ r5  0x3a07699c —▸ 0x3a07680a ◂— 0x52483
02:0008│     0x3a0769a0 ◂— 0x5
03:000c│     0x3a0769a4 ◂— 0x0
... ↓
05:0014│     0x3a0769ac —▸ 0x24917e90 —▸ 0x2482d880 ◂— 0
06:0018│     0x3a0769b0 —▸ 0x2482c8c0 —▸ 0x2482d990 ◂— 0
07:001c│     0x3a0769b4 —▸ 0x2482cc40 —▸ 0x2482d950 ◂— 0
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0  6f8a43c
────────────────────────────────────────────────────────────────────────────────
Breakpoint * 0x06f89000+0x0000143C
pwndbg> 
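The address arithmetic used above (load base from vmm plus the IDA .text offset), as an added example that is not part of the original writeup: it parses the vmm region table (sample rows constructed from the first vmm listing above), resolves an IDA offset to a runtime breakpoint address, checks that the address lands in an executable mapping, and classifies the two leaked Gift values by region. All function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: /bin/harmofs and /lib/libc.so rows from the first `vmm` listing in the writeup.
VMM_OUTPUT = """\
 region      name                base       size       mmu_flags      pages   pg/ref
 0x403e6220  /bin/harmofs                     0x02680000 0x00001000  CH US RD          1       1
 0x403e6908  /bin/harmofs                     0x02681000 0x00001000  CH US RD EX       1       1
 0x403e310c  /bin/harmofs                     0x02682000 0x00001000  CH US RD          1       1
 0x403e5a30                                   0x02683000 0x00001000  CH US RD WR       1       1
 0x403ed494  /lib/libc.so                     0x1fe80000 0x00045000  CH US RD         23       5
 0x403e3228  /lib/libc.so                     0x1fec5000 0x0005e000  CH US RD EX      38       8
"""

# One data row: region pointer, optional file name, base, size, mmu flags, page counts.
ROW = re.compile(r"^\s*0x[0-9a-f]+\s+(?P<name>\S+)?\s*(?P<base>0x[0-9a-f]{8})\s+"
                 r"(?P<size>0x[0-9a-f]{8})\s+(?P<flags>(?:[A-Z]{2}\s+)+)\d+")

@dataclass
class Region:
    name: str          # mapped file, "" for anonymous pages such as .bss
    base: int
    size: int
    flags: frozenset   # subset of {"CH", "US", "RD", "WR", "EX"}

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

def parse_vmm(text):
    """Parse the region table printed by `vmm`; the header line simply fails to match."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [Region(m["name"] or "", int(m["base"], 16), int(m["size"], 16),
                   frozenset(m["flags"].split())) for m in rows if m]

def find_region(regions, addr):
    """Region containing addr, or None; classifies leaked values like the two 'Gift' addresses."""
    return next((r for r in regions if r.contains(addr)), None)

def load_base(regions, name):
    """Lowest mapping of a file: the load base that IDA's .text offsets are added to."""
    return min(r.base for r in regions if r.name == name)

def gdb_break_cmd(regions, name, ida_offset):
    """Resolve an IDA offset inside `name` to a runtime address and the matching gdb command."""
    addr = load_base(regions, name) + ida_offset
    region = find_region(regions, addr)
    if region is None or "EX" not in region.flags:
        raise ValueError(f"{addr:#x} is not in an executable mapping of {name}")
    return f"b *{addr:#x}", addr
```

With the first listing's base of 0x02680000, the same 0x143C offset resolves to 0x268143c, and both Gift values fall into the RD EX mappings of /bin/harmofs and /lib/libc.so respectively.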

At address 000015EC there is a switch; after patching it looks like this:

.text:000015EC 03 00 51 E3                 CMP             R1, #3
.text:000015F0 0A 00 00 8A                 BHI             loc_1620
.text:000015F4 33 00 00 0A                 BEQ             loc_16C8 ; Keypatch modified this from:
.text:000015F4                                                     ;   ADR R0, byte_1600
.text:000015F8 00 00 51 E3                 CMP             R1, #0  ; Keypatch modified this from:
.text:000015F8                                                     ;   LDR R1, [R0,R1,LSL#2]
.text:000015FC 03 00 00 0A                 BEQ             loc_1610 ; Keypatch modified this from:
.text:000015FC                                                     ;   ADD PC, R0, R1
.text:000015FC                                                     ; Keypatch modified this from:
.text:000015FC                                                     ;   BEQ dword_160
.text:00001600 01 00 51 E3                 CMP             R1, #1  ; Keypatch modified this from:
.text:00001600                                                     ;   DCB 0x10
.text:00001600                                                     ;   DCB 0, 0, 0
.text:00001604 16 00 00 0A                 BEQ             loc_1664 ; Keypatch modified this from:
.text:00001604                                                     ;   DCB 0x64
.text:00001604                                                     ;   DCB 0, 0, 0
.text:00001608 02 00 51 E3                 CMP             R1, #2  ; Keypatch modified this from:
.text:00001608                                                     ;   DCB 0x74
.text:00001608                                                     ;   DCB 0, 0, 0
.text:0000160C 18 00 00 0A                 BEQ             loc_1674 ; Keypatch modified this from:
.text:0000160C                                                     ;   DCB 0xC8
.text:0000160C                                                     ;   DCB 0, 0, 0
.text:00001610
.text:00001610             loc_1610                                ; CODE XREF: main+324↑j
