18届软件攻防赛现场赛AWDP题目"encoder"漏洞分析与利用教学<\/h1>

题目概述<\/h2>
这是一个来自第18届软件攻防赛现场赛AWDP环节的PWN题目，名为"encoder"。题目涉及二进制安全领域，主要考察参赛者对内存管理漏洞的理解和利用能力。<\/p>

漏洞分析<\/h2>

1. 结构体定义<\/h3>

题目中定义了一个关键结构体：<\/p>

struct<\/span> su { \/\/ sizeof=0x2000000000
<\/span><\/span><\/span><\/span>    int<\/span> size;          \/\/ 0x0
<\/span><\/span><\/span><\/span>    char<\/span> data[16<\/span>];     \/\/ 0x4
<\/span><\/span><\/span><\/span>    \/\/ padding byte    \/\/ 0x14
<\/span><\/span><\/span><\/span>    \/\/ padding byte    \/\/ 0x15
<\/span><\/span><\/span><\/span>    \/\/ padding byte    \/\/ 0x16
<\/span><\/span><\/span><\/span>    \/\/ padding byte    \/\/ 0x17
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>ptr;         \/\/ 0x18
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>2. 原始漏洞<\/h3>
在upload函数中存在一个关键漏洞：<\/p>

无论size是否大于0x10，read操作的目标地址都是结构体内的堆地址(ptr)<\/li>
按照逻辑，当size≤0x10时，数据应该写入结构体的data字段而非ptr指向的堆内存<\/li>
<\/ul>
3. 修复方案<\/h3>
修复方法很简单：确保当size≤0x10时，数据写入结构体的data字段而非ptr指向的内存。<\/p>
漏洞利用分析<\/h2>
1. UAF (Use-After-Free)漏洞<\/h3>
在decode函数中存在UAF漏洞：<\/p>

解密数据后可以触发一次free操作<\/li>
如果解密后的size≤0x10，可以避免地址指针被ptr覆盖<\/li>
这会导致UAF情况，因为可以继续使用已被释放的内存<\/li>
<\/ol>
2. 结合两个漏洞的攻击链<\/h3>

UAF利用<\/strong>：通过decode函数造成UAF情况<\/li>
堆覆盖<\/strong>：利用upload函数的漏洞，当size≤0x10时覆盖已释放chunk的前16字节<\/li>
Double Free<\/strong>：结合UAF和堆覆盖，构造double free漏洞<\/li>
地址泄露<\/strong>：通过让两个结构体的堆指针指向同一chunk，free后可以泄露堆地址和libc地址<\/li>
最终利用<\/strong>：修改tcache的fd为__free_hook，实现任意代码执行<\/li>
<\/ol>
漏洞利用代码(EXP)<\/h2>
#!\/usr\/bin\/python3<\/span>
<\/span><\/span># -*- encoding: utf-8 -*-<\/span>
<\/span><\/span>from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 调试设置<\/span>
<\/span><\/span># context(os = 'linux', arch = 'amd64', log_level = 'debug')<\/span>
<\/span><\/span># context.terminal = ['tmux', 'splitw', '-h']<\/span>
<\/span><\/span>
<\/span><\/span># 关键函数地址<\/span>
<\/span><\/span>menu =<\/span> 0x00000000000013C9<\/span>
<\/span><\/span>encode0 =<\/span> 0x0000000000018F9<\/span>
<\/span><\/span>decode0 =<\/span> 0x0000000000002084<\/span>
<\/span><\/span>
<\/span><\/span>file_name =<\/span> '.\/pwn'<\/span>
<\/span><\/span>
<\/span><\/span># 断点设置<\/span>
<\/span><\/span>b_string =<\/span>"b main<\/span>\n<\/span>"<\/span>
<\/span><\/span>b_slice =<\/span> [menu]
<\/span><\/span>pie =<\/span> 1<\/span>
<\/span><\/span>for<\/span> i in<\/span> b_slice:
<\/span><\/span>    if<\/span> type(i) ==<\/span> int and<\/span> pie:
<\/span><\/span>        b_string +=<\/span> f<\/span>"b *$rebase(<\/span>{<\/span>i}<\/span>)<\/span>\n<\/span>"<\/span>
<\/span><\/span>    elif<\/span> type(i) ==<\/span> int :
<\/span><\/span>        b_string +=<\/span> f<\/span>"b *<\/span>{<\/span>hex(i)}<\/span>\n<\/span>"<\/span>
<\/span><\/span>    else<\/span> :
<\/span><\/span>        if<\/span> type(i) ==<\/span> str:
<\/span><\/span>            b_string +=<\/span> f<\/span>"b *"<\/span>+<\/span>i+<\/span>f<\/span>"<\/span>\n<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span># 选择攻击模式<\/span>
<\/span><\/span># 1 => attach<\/span>
<\/span><\/span># 2 => debug<\/span>
<\/span><\/span># 3 => remote<\/span>
<\/span><\/span>choice =<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> choice ==<\/span> 1<\/span>:
<\/span><\/span>    p =<\/span> process(file_name)
<\/span><\/span>    # gdb.attach(p,b_string)<\/span>
<\/span><\/span>    print(f<\/span>"Break_point:<\/span>\n<\/span>"<\/span>+<\/span>b_string)
<\/span><\/span>elif<\/span> choice ==<\/span> 2<\/span>:
<\/span><\/span>    p =<\/span> gdb.<\/span>debug(file_name,b_string)
<\/span><\/span><\/code><\/pre>攻击步骤详解<\/h2>


触发UAF<\/strong>：<\/p>

通过decode函数解密数据，设置size≤0x10<\/li>
这将导致ptr被释放但结构体仍保留对它的引用<\/li>
<\/ul>
<\/li>

堆内存覆盖<\/strong>：<\/p>

利用upload函数的漏洞，当size≤0x10时写入数据<\/li>
由于漏洞存在，数据会写入ptr指向的已释放内存<\/li>
覆盖chunk的fd指针等关键数据<\/li>
<\/ul>
<\/li>

构造Double Free<\/strong>：<\/p>

通过精心设计的内存操作，使同一内存块被多次释放<\/li>
这破坏了堆管理器的正常状态<\/li>
<\/ul>
<\/li>

地址泄露<\/strong>：<\/p>

通过控制堆布局，使两个结构体的ptr指向同一内存块<\/li>
释放其中一个后，可以读取到堆管理器的元数据<\/li>
从而泄露堆地址和libc地址<\/li>
<\/ul>
<\/li>

劫持控制流<\/strong>：<\/p>

修改tcache的fd指针指向__free_hook<\/li>
覆盖__free_hook为system或其他目标函数<\/li>
触发free时即可执行任意代码<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>


修复upload函数<\/strong>：<\/p>

严格区分size≤0x10和size>0x10的情况<\/li>
确保小数据写入data字段而非ptr指向的内存<\/li>
<\/ul>
<\/li>

加强内存管理<\/strong>：<\/p>

在free后立即将指针置NULL<\/li>
使用内存管理包装器跟踪所有分配和释放操作<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

对所有输入数据进行严格验证<\/li>
特别是size参数的范围检查<\/li>
<\/ul>
<\/li>

使用安全机制<\/strong>：<\/p>

启用堆保护机制如FORTIFY_SOURCE<\/li>
考虑使用现代内存分配器如scudo或jemalloc<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
这道题目展示了如何通过结合多个看似小的漏洞（UAF和错误的内存访问）来构造强大的攻击链。它强调了在安全编程中需要严格管理内存生命周期，验证所有输入，以及防御深度的重要性。对于二进制安全学习者来说，理解这类漏洞的成因和利用方式对于提高代码安全性和漏洞挖掘能力都至关重要。<\/p>

18届软件攻防赛现场赛AWDP题目"encoder"漏洞分析与利用教学<\/h1>

题目概述<\/h2> 这是一个来自第18届软件攻防赛现场赛AWDP环节的PWN题目，名为"encoder"。题目涉及二进制安全领域，主要考察参赛者对内存管理漏洞的理解和利用能力。<\/p>

漏洞分析<\/h2>

3. 修复方案<\/h3> 修复方法很简单：确保当size≤0x10时，数据写入结构体的data字段而非ptr指向的内存。<\/p>

漏洞利用分析<\/h2>

题目概述<\/h2>
这是一个来自第18届软件攻防赛现场赛AWDP环节的PWN题目，名为"encoder"。题目涉及二进制安全领域，主要考察参赛者对内存管理漏洞的理解和利用能力。<\/p>

3. 修复方案<\/h3>
修复方法很简单：确保当size≤0x10时，数据写入结构体的data字段而非ptr指向的内存。<\/p>