emin_int11

pwn2python

Jun 8th, 2016
  1. re::re::re::re::
  2. http://bugs.python.org/issue27254
  3.  
  4.  
  5. <+16>: movsxd rdx,DWORD PTR [rbx+0x8]
  6. <+20>: lea eax,[rdx+rbp*1]
  7.  
  8. newSize = dsPtr->length ($rdx, loaded from [rbx+0x8]) + length ($rbp, the argument)
  9. gdb > print /x $rbp
  10. $5 = 0xfffff
  11. gdb > print /x $rdx
  12. $6 = 0x100000
  13.  
  14. newsize = 0xfffff+0x100000 = 0x1fffff
  15.  
  16. <Tcl_DStringAppend+23> cmp eax,DWORD PTR [rbx+0xc] ← $pc
  17. <Tcl_DStringAppend+26> jl 0x7ffff6194e38 <Tcl_DStringAppend+104>
  18.  
  19. newSize ($eax) >= dsPtr->spaceAvl
  20.  
  21. gdb > print /x $eax
  22. $7 = 0x1fffff
  23.  
  24. gdb > x/x $rbx+0xc
  25. 0x7fffffffd0cc: 0x001ffffe
  26.  
  27. condition: 0x1fffff >= 0x001ffffe = True
  28.  
  29. if (newSize >= dsPtr->spaceAvl) {
  30. <Tcl_DStringAppend+31> lea esi,[rax+rax*1] ; compiler folds newSize*2 into a single lea (0x1fffff*2)
  31. /* */
  32. dsPtr->spaceAvl = newSize * 2;
  33. gdb > print /x $rax
  34. $4 = 0x1fffff
  35. $esi = 0x1fffff+0x1fffff (newSize(0x1fffff)*2) = 0x3ffffe
  36. /* */
  37.  
  38. => <+34>: lea rax,[rbx+0x10]
  39. <+38>: mov DWORD PTR [rbx+0xc],esi
  40. <+41>: cmp rdi,rax ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
  41. <+44>: je 0x7ffff6194e50 <Tcl_DStringAppend+128>
  42.  
  43. condition : dsPtr->string == dsPtr->staticSpace = False, so the je is not taken and execution falls through to '<Tcl_DStringAppend+46> call 0x7ffff60c2040 <Tcl_Realloc>'
  44.  
  45. if (dsPtr->string == dsPtr->staticSpace) {
  46. char *newString = ckalloc(dsPtr->spaceAvl);
  47. memcpy(newString, dsPtr->string, (size_t) dsPtr->length);
  48. dsPtr->string = newString;
  49. }
  50. else {
  51. <Tcl_DStringAppend+46> call 0x7ffff60c2040 <Tcl_Realloc>
  52. $rsi = 0x3ffffe
  53. $rdi = 0x7ffff333e020
  54. dsPtr->string = ckrealloc(dsPtr->string = 0x7ffff333e020, dsPtr->spaceAvl = 0x3ffffe);
  55. }
  56. }
  57.  
  58.  
  59. disassemble:
  60. <Tcl_DStringAppend+58> lea rdi,[rax+rdx*1] ; dsPtr->string + dsPtr->length
  61. <Tcl_DStringAppend+62> mov rsi,r12 ; bytes
  62. <Tcl_DStringAppend+65> movsxd rdx,ebp ; length
  63. <Tcl_DStringAppend+68> call 0x7ffff60a25c0 <memcpy@plt>
  64. memcpy(dsPtr->string + dsPtr->length, bytes, length);
  The ASAN report below flags a READ of size 1048575 (= 0xfffff = length) inside a freed region, which suggests this memcpy is the faulting access: `bytes` still points into the old buffer that Tcl_Realloc just freed, so the source pointer is dangling.
  65.  
  66.  
  67. ASAN report:
  68.  
  69. =================================================================
  70. ==27988==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4e6ba64810 at pc 0x4665ea bp 0x7fff89a4ab80 sp 0x7fff89a4a340
  71. READ of size 1048575 at 0x7f4e6ba64810 thread T0
  72. ==27988==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
  73. #0 0x4665e9 (/home/eminus/Downloads/Python-2.7.11/python+0x4665e9)
  74. #1 0x7f4e6f0a3e18 (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x116e18)
  75. #2 0x7f4e6f38744e (/usr/lib/x86_64-linux-gnu/libtk8.6.so+0x6244e)
  76. #3 0x7f4e6f6b6e4c (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0x19e4c)
  77. #4 0x7f4e6f6a7fc5 (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0xafc5)
  78. #5 0x5e1813 (/home/eminus/Downloads/Python-2.7.11/python+0x5e1813)
  79. #6 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
  80. #7 0x721353 (/home/eminus/Downloads/Python-2.7.11/python+0x721353)
  81. #8 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
  82. #9 0x4b6c62 (/home/eminus/Downloads/Python-2.7.11/python+0x4b6c62)
  83. #10 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
  84. #11 0x5f0823 (/home/eminus/Downloads/Python-2.7.11/python+0x5f0823)
  85. #12 0x4b0a08 (/home/eminus/Downloads/Python-2.7.11/python+0x4b0a08)
  86. #13 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
  87. #14 0x5e2d19 (/home/eminus/Downloads/Python-2.7.11/python+0x5e2d19)
  88. #15 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
  89. #16 0x5d2041 (/home/eminus/Downloads/Python-2.7.11/python+0x5d2041)
  90. #17 0x660980 (/home/eminus/Downloads/Python-2.7.11/python+0x660980)
  91. #18 0x65fc8a (/home/eminus/Downloads/Python-2.7.11/python+0x65fc8a)
  92. #19 0x48e46c (/home/eminus/Downloads/Python-2.7.11/python+0x48e46c)
  93. #20 0x7f4e72389ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  94. #21 0x48c5bc (/home/eminus/Downloads/Python-2.7.11/python+0x48c5bc)
  95.  
  96. 0x7f4e6ba64810 is located 16 bytes inside of 2097166-byte region [0x7f4e6ba64800,0x7f4e6bc6480e)
  97. freed by thread T0 here:
  98. #0 0x4766d3 (/home/eminus/Downloads/Python-2.7.11/python+0x4766d3)
  99. #1 0x7f4e6f09b52d (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e52d)
  100.  
  101. previously allocated by thread T0 here:
  102. #0 0x4764d9 (/home/eminus/Downloads/Python-2.7.11/python+0x4764d9)
  103. #1 0x7f4e6f09b0cc (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e0cc)
  104.  
  105. SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
  106. Shadow bytes around the buggy address:
  107. 0x0fea4d7448b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  108. 0x0fea4d7448c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  109. 0x0fea4d7448d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  110. 0x0fea4d7448e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  111. 0x0fea4d7448f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  112. =>0x0fea4d744900: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  113. 0x0fea4d744910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  114. 0x0fea4d744920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  115. 0x0fea4d744930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  116. 0x0fea4d744940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  117. 0x0fea4d744950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  118. Shadow byte legend (one shadow byte represents 8 application bytes):
  119. Addressable: 00
  120. Partially addressable: 01 02 03 04 05 06 07
  121. Heap left redzone: fa
  122. Heap right redzone: fb
  123. Freed heap region: fd
  124. Stack left redzone: f1
  125. Stack mid redzone: f2
  126. Stack right redzone: f3
  127. Stack partial redzone: f4
  128. Stack after return: f5
  129. Stack use after scope: f8
  130. Global redzone: f9
  131. Global init order: f6
  132. Poisoned by user: f7
  133. ASan internal: fe
  134. ==27988==ABORTING
  135.  
  136.  
  137. #biz danışmırıq edirik ;)