QWB 2021 - notebook

最新推荐文章于 2022-04-18 07:45:00 发布

Shangku92

最新推荐文章于 2022-04-18 07:45:00 发布

阅读量426

点赞数

本文链接：https://blog.csdn.net/Shangku92/article/details/118292619

版权

notebook

在这里插入图片描述

0x01 题目分析

run.sh脚本如下：

#!/bin/sh
qemu-system-x86_64 
	-m 64M \
	-kernel bzImage \
	-initrd rootfs.cpio \
	-append "loglevel=3 console=ttyS0 oops=panic panic=1 kaslr" \
	-nographic \
	-net user \
	-net nic \
	-device e1000 \
	-smp cores=2,threads=2 \
	-cpu kvm64,+smep,+smap \
	-monitor /dev/null 2>/dev/null \
	-s

保护措施开启了kaslr，smep，smap，值得注意的是这里开启了cores=2，thread=2，有可能是条件竞争类题型。

mynote_read函数：

ssize_t __fastcall mynote_read(file *file, char *buf, size_t idx, loff_t *pos)
{
   
  unsigned __int64 idxx; // rdx
  unsigned __int64 v5; // rdx
  size_t size; // r13
  void *note1; // rbx
  ssize_t result; // rax

  _fentry__();
  if ( idxx > 0x10 )
  {
   
    printk("[x] Read idx out of range.\n", buf);
    result = -1LL;
  }
  else
  {
   
    v5 = idxx;
    size = notebook[v5].size;
    note1 = notebook[v5].note;
    _check_object_size(note1, size, 1LL);
    copy_to_user(buf, note1, size);
    printk("[*] Read success.\n");
    result = 0LL;
  }
  return result;
}

mynote_write函数

ssize_t __fastcall mynote_read(file *file, char *buf, size_t idx, loff_t *pos)
{
   
  unsigned __int64 idxx; // rdx
  unsigned __int64 v5; // rdx
  size_t size; // r13
  void *note1; // rbx
  ssize_t result; // rax

  _fentry__();
  if ( idxx > 0x10 )
  {
   
    printk("[x] Read idx out of range.\n", buf);
    result = -1LL;
  }
  else
  {
   
    v5 = idxx;
    size = notebook[v5].size;
    note1 = notebook[v5].note;
    _check_object_size(note1, size, 1LL);
    copy_to_user(buf, note1, size);
    printk("[*] Read success.\n");
    result = 0LL;
  }
  return result;
}

noteadd函数

__int64 __fastcall noteadd(size_t idx, size_t size, void *buf)
{
   
  __int64 v3; // rdx
  __int64 buff; // r13
  note *chunk; // rbx
  size_t size1; // r14
  __int64 v7; // rbx

  _fentry__();
  if ( idx > 0xF )
  {
   
    v7 = -1LL;
    printk("[x] Add idx out of range.\n", size);
  }
  else
  {
   
    buff = v3;
    chunk = &notebook[idx];
    raw_read_lock(&lock);
    size1 = chunk->size;
    chunk->size = size;
    if ( size > 0x60 )
    {
   
      chunk->size = size1;
      v7 = -2LL;
      printk("[x] Add size out of range.\n");
    }
    else
    {
   
      copy_from_user(name, buff, 0x100LL);
      if ( chunk->note )
      {
   
        chunk->size = size1;
        v7 = -3LL;
        printk("[x] Add idx is not empty.\n");
      }
      else
      {
   
        chunk->note = (void *)_kmalloc(size, 0x24000C0LL);
        printk("[+] Add success. %s left a note.\n", name);
        v7 = 0LL;

最低0.47元/天解锁文章

Shangku92

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
1
评论
QWB 2021 - notebook

notebook0x01 题目分析run.sh脚本如下：#!/bin/shqemu-system-x86_64 -m 64M \ -kernel bzImage \ -initrd rootfs.cpio \ -append "loglevel=3 console=ttyS0 oops=panic panic=1 kaslr" \ -nographic \ -net user \ -net nic \ -device e1000 \ -smp cores=2,threads=2
复制链接

扫一扫