2022 ciscn preliminary satool

One 2022 In the preliminary round of the national championship LLVM PASS class pwn topic , At that time, I had not been in contact with , So I gave up , After the preliminaries, I decided to introduce myself to this knowledge , You'd better read this introductory article before you read this solution ：
LLVM PASS class pwn Introduction to questions

Then we officially begin the problem , First of all, from the readme Starting with ：

From this readme We can still get a lot of information , First of all, because the title was not given opt（ Here we must denounce the author loudly , Three virtual machines have been compiled for no less than five times llvm-12, compiled opt All load No, this one mbaPass.so, Later, it was found that the original direct apt install llvm-12 Can , But my most common virtual machine is ubuntu18, It only supports up to apt install llvm-10, Made me think 12 And above must be compiled with their own source code , I really threw up ） So we first need to know what version is used opt, Then I gave a command about how to run , What follows tells us this PASS What did you do , Look at it explicitly , Its function is compression optimization IR Instructions , And this so Limit IR Instructions can only be add,sub perhaps ret

Next, put so Drag files in IDA in , The first must be to find runOnFunction:

You can see that the first is to limit the number of parameters and basic blocks in the function , There must be only one parameter and one basic block , And then through handle Function pair IR Code to process , Execute after handling callcode, First look callcode：

Discovery is direct execution this[4], Let's go back , Find out this[4] First, through mprotect Opened up a readable and writable memory , And then call handle, Then this function must be written here shellcode, Then turn this memory into a readable executable , And then use callcode To carry out , So the key is handle How to put IR become shellcode Of , This process can be understood as a kind of JIT（ Just in time compilation ）, therefore this[4] It's one for JIT The buffer .

Next, let's play a big part ——handle function ：

Here we can analyze v30 In fact, it is regarded as buf Ending , Then go through each one IR Instructions ,this+5 Point to the present shellcode,this+4 Point to the head of the buffer , And then by calling writeMovImm64 perhaps writeRet This type of instruction is directed to ptr The position pointed to is written shellcode And move ptr, Let's see how the above functions are implemented ：

From the name, it should be a pass mov Instructions for writing registers , First write a 0x48 What is the ？ Here we need to have a certain familiarity with the machine code to react , Of course, it doesn't matter if you can't react , Let's try and see , First of all 0x48 Then write 0xbb perhaps 0xb8 , Then write an eight syllable number , This 64 Where does the number of bits come from ：

You can see that it is the third parameter , And this parameter comes from IR Instructions

So let's write an example , such as 0x48 0xbb 0x1122334455667788, Then decompile ：

You can see what is written in callcode When executing, it will act as

movabs rbx, 0x1122334455667788

This instruction is used to execute , In the same way, we can know , When 0xbb become 0xb8 It was written when it was movabs rax,xxx

writeRet The function is obviously to write a ret Order in , If other functions are not familiar with machine code, they can be debugged through the above operation .

So now we know , What the program is doing is putting IR Compile the code into machine code and run , Let's simply debug it , We break the breakpoint at callcode Where? , then exp.ll Just write a few legal instructions in it ：
exp.ll

define dso_local i64 @pwn(i64 %0) local_unnamed_addr #0 {
    
  %2 = add nsw i64 %0, 21732277098
  %3 = add nsw i64 %2, 426533919260756112
  %4 = add nsw i64 %3, 426712264860536976
  %5 = add nsw i64 %4, 426555988614513992
  %6 = add nsw i64 %5, 426470739404150928
  %7 = add nsw i64 %6, 426435038325729424
  %8 = add nsw i64 %7, 20000000000000
  ret i64 %8
}

Then look at when the program is about to call buf When ,buf Inside shellcode What does it look like ：

By this point, we should have thoroughly understood the main functions of this program , Pay attention to , We wrote IR The instructions and the results shellcode It is in reverse order , Because it uses stack.

Next, let's start typing this question .
First, find out where the vulnerability is , Guess roughly , Since you can execute shellcode, Is it necessary to do this by certain means buf Execute controllable on shellcode, It is obvious that the program is easy to play if you can do this , But now the situation is , We can only write a few known instructions , Only data is controllable , such as mov rbx,xxx Medium xxx Can be controlled .

Notice here at this time ：

The size of the buffer is 0x1000, Why should we just put buf+0xff0 As the end point ？ What problems will this cause ？ When generated shellcode The length exceeds 0xff0 No more parsing when , But the execution will not be in 0xff0 stop it , It will continue to execute downward , And for each function JIT The buffer is not emptied when , That is, the current function is executing callcode When ,buf It is possible to have previously generated shellcode, And finally , Our immediate number is conditionally written to 0xff0 In the future , For example, it has been generated 0xff0-2 It's so long shellcode, At this point you come to add rax,xxx, So this xxx Will write 0xff0~0xff7 It's about .

Sort out , Now? 0xff0 Then there are eight controllable bytes , Suppose for the first time JIT When , stay 0xff0 Write a short jump instruction as data at , And then the second time JIT The time for shellcode The length is just equal to 0xff0, So when the second time JIT Generated shellcode end of execution , Just go back and execute what we wrote jmp Instructions , This successfully controls the execution flow , Let's try

First, for the first time JIT,0xff0 The splayed section at the is movabs rbx,xxx The data in , then buf The end of is filled with ret Instructions , There is no problem in the implementation

But if you just put 0xff0 As shellcode Look at ：

We will find that the data we input is actually a short jump instruction , Why are the first two used nop Padding is because the machine code length of each instruction is fixed , May not be able to come up with just 0xff0 The size of shellcode, So leave two empty bytes for normal shellcode.

Next is the second time JIT, We let the program generate 0xff2 The size of shellcode：

That's what we want , Will succeed jmp Instructions are injected into JIT Generated shellcode in .

The next question to consider is to make shellcode Where to jump , The only areas we can control are each movasb The immediate part of an instruction , Each is an eight syllable , That means we only need to arrange a few more movabs Instructions , Let two of these bytes be used as short jumps , Six bytes are used as shellcode, You can complete a series of normal shellcode 了 , Although it is a little troublesome to think about , But it is feasible in principle .

When writing, pay attention to , No assembly instruction can be longer than 6, Otherwise, it can't be written in , And because of shellcode It's hard to write , So it is recommended to write by yourself shellcode, Don't directly shellcraft.sh, The generated one is a little long .

Due to the limitation of instruction length , So in the structure /bin/sh First assign a value to the low order of the register , Then move the register to the left and add

It can be seen that in this way one piece can be separated shellcode Connect together , Finally execute to syscall：

Successfully get through ：